Check: AD.4033_2008_R2
Win2k8 R2 Audit:
AD.4033_2008_R2
(in version v1 r8)
Title
The computer clock synchronization tolerance must meet minimum standards. (Cat II impact)
Discussion
This setting determines the maximum time difference (in minutes) that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two clocks synchronous. In order to prevent replay attacks, Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in sync as much as possible.
Check Content
Fix Text
Configure the Kerberos policy option Maximum tolerance for computer clock synchronization to a maximum of 5 minutes or less.
Additional Identifiers
Rule ID: SV-36186r1_rule
Vulnerability ID: V-2380
Group Title: Kerberos - Computer Clock Sync
Expert Comments
Expert comments are only available to logged-in users.
CCIs
CCIs tied to check.
| Number | Definition |
|---|---|
| No CCIs are assigned to this check |
Controls
Controls tied to check. These are derived from the CCIs shown above.
| Number | Title |
|---|---|
| No controls are assigned to this check |