Check: DS00.0151_2008
Windows 2008 Domain Controller STIG:
DS00.0151_2008
(in versions v6 r47 through v6 r35)
Title
The time synchronization tool must be configured to enable logging of time source switching. (Cat III impact)
Discussion
When a time synchronization tool executes, it may switch between time sources according to network or server contention. If switches between time sources are not logged, it may be difficult or impossible to detect malicious activity or availability problems.
Check Content
Verify logging is configured to capture time source switches. If the Windows Time Service is used, verify the following registry value. If it is not configured as specified, this is a finding.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\W32Time\Config\
Value Name: EventLogFlags
Type: REG_DWORD
Value: 2 or 3
If another time synchronization tool is used, review the available configuration options and logs. If the tool has time source logging capability and it is not enabled, this is a finding.
Fix Text
Configure the time synchronization tool to log time source switching. If the Windows Time Service is used, configure the following registry value.
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \System\CurrentControlSet\Services\W32Time\Config\
Value Name: EventLogFlags
Type: REG_DWORD
Value: 2 or 3
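The following PowerShell audit-and-remediate script is an added example and not part of the STIG text. It assumes it is run with administrative rights on the domain controller being checked; the function names (Test-W32TimeSourceLogging, Set-W32TimeSourceLogging) are my own, and the use of `w32tm /config /update` to make the running service re-read its configuration is an assumption about the operator's environment.

```powershell
# Added example: audit and remediate the W32Time EventLogFlags value
# required by this check. Not part of the STIG or of any vendor tooling.

$W32TimeConfigPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Test-W32TimeSourceLogging {
    # Returns $true when EventLogFlags is 2 or 3 (the values the check accepts).
    # A missing value or any other value is reported as a finding ($false).
    $item = Get-ItemProperty -Path $W32TimeConfigPath -Name 'EventLogFlags' `
                             -ErrorAction SilentlyContinue
    $flags = $item.EventLogFlags
    if ($null -eq $flags) {
        Write-Output "FINDING: EventLogFlags is not present under $W32TimeConfigPath"
        return $false
    }
    if ($flags -in 2, 3) {
        Write-Output "COMPLIANT: EventLogFlags = $flags"
        return $true
    }
    Write-Output "FINDING: EventLogFlags = $flags (expected 2 or 3)"
    return $false
}

function Set-W32TimeSourceLogging {
    # Sets EventLogFlags to 3 (REG_DWORD), which satisfies the "2 or 3"
    # requirement, then asks the Windows Time service to re-read its config.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($W32TimeConfigPath, 'Set EventLogFlags = 3')) {
        Set-ItemProperty -Path $W32TimeConfigPath -Name 'EventLogFlags' `
                         -Value 3 -Type DWord
        # Assumption: the service is running and w32tm is available on this host.
        & w32tm.exe /config /update | Out-Null
    }
}

# Audit first; only touch the registry when the check is a finding.
if (-not (Test-W32TimeSourceLogging)) {
    # Use -WhatIf to preview the change without applying it.
    Set-W32TimeSourceLogging
    Test-W32TimeSourceLogging | Out-Null
}
```

Run the script on each domain controller; the printed line matches the finding/compliant outcome the Check Content above describes.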
Additional Identifiers
Rule ID: SV-8819r2_rule
Vulnerability ID: V-8324
Group Title: Time Synchronization Source Logging
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | Implement the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings