An error occurred:

Check: DS00.0150_2008

Windows 2008 Domain Controller STIG: DS00.0150_2008 (in versions v6 r47 through v6 r35)

Title

Time synchronization must be enabled on the domain controller. (Cat II impact)

Discussion

When a directory service using multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly. The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. In cases of intrusion, this may invalidate the audit data as a source of forensic evidence in an incident investigation. In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.

Check Content

Determine if a time synchronization tool has been implemented on the Windows domain controller. If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Value Name: Enabled Type: REG_DWORD Value: 1 Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\ Value Name: Type Type: REG_SZ Value: NT5DS (preferred), NTP, or Allsync If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled. If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.

Fix Text

Ensure the Windows Time Service is configured as follows or install and enable another time synchronization tool. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Value Name: Enabled Type: REG_DWORD Value: 1 Registry Path: \System\CurrentControlSet\Services\W32Time\ Parameters\ Value Name: Type Type: REG_SZ Value: NT5DS (preferred), NTP, or Allsync

Additional Identifiers

Rule ID: SV-31548r2_rule

Vulnerability ID: V-8322

Group Title: Time Synchronization

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001891

The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-8(1)

Synchronization with Authoritative Time Source