An error occurred:

Check: WN12-AD-000007-DC

Microsoft Windows Server 2012/2012 R2 Domain Controller STIG: WN12-AD-000007-DC (in versions v3 r7 through v2 r7)

Title

Time synchronization must be enabled on the domain controller. (Cat II impact)

Discussion

When a directory service using multi-master replication (such as AD) executes on computers that do not have synchronized time, directory data may be corrupted or updated invalidly. The lack of synchronized time could lead to audit log data that is misleading, inconclusive, or unusable. In cases of intrusion this may invalidate the audit data as a source of forensic evidence in an incident investigation. In AD, the lack of synchronized time could prevent clients from logging on or accessing server resources as a result of Kerberos requirements related to time variance.

Check Content

Determine if a time synchronization tool has been implemented on the Windows domain controller. If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Value Name: Enabled Type: REG_DWORD Value: 1 Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\ Value Name: Type Type: REG_SZ Value: NT5DS (preferred), NTP or Allsync If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled. If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.

Fix Text

Ensure the Windows Time Service is configured as follows or install and enable another time synchronization tool. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\ Value Name: Enabled Type: REG_DWORD Value: 1 Registry Path: \System\CurrentControlSet\Services\W32Time\ Parameters\ Value Name: Type Type: REG_SZ Value: NT5DS (preferred), NTP or Allsync

Additional Identifiers

Rule ID: SV-226076r877038_rule

Vulnerability ID: V-226076

Group Title: SRG-OS-000355-GPOS-00143

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001891

The information system compares internal information system clocks on an organization-defined frequency with an organization-defined authoritative time source.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-8 (1)

Synchronization With Authoritative Time Source