Security Basics mailing list archives

Re: Windows time and PCI compliance


From: Chris Teodorski <chris.teodorski () gmail com>
Date: Mon, 20 Oct 2008 18:48:00 -0400

Kevin Tunison wrote:
On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski
<chris.teodorski () gmail com> wrote:
  
Hello all,

The PCI/DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good reliable Windows
NTP client?

I imagine several others of you out there are fighting with PCI/DSS compliance.


Thanks,
Chris

    

By the windows time service being less than stellar, surely you are
referring to the default links within the ntp client and not the
software itself, as it conforms to RFC 1769.  Those links are easily
modified (and any good administrator will do such), especially in a
domain environment.

If it is the changing of a system time you are worried about, get GPO
involved (and any good administrator will do such) at both the domain
and workstation level where appropriate.  On the domain one can set
time-changing restrictions at the following Group Policy location:
Local Computer, Computer Config, Windows Settings, Security Settings,
Local Policies, User rights assignment, change system time.

Stick with Stratum 1 NTP servers.  The U.S. Navy is a good choice, but
there are others.

Read this:  http://support.ntp.org/bin/view/Servers/RulesOfEngagement

where you will also find a list of open, registration, and restricted
NTP servers in the 1st stratum.

Regards,

KevinT
  

Actually, we are syncing our clients with our domain controllers and our
DCs sync against an internal Unix NTP server. The issue we have seen is
that the variation between client (being servers in this case) and DC
seems to drift.  I was told off-handedly by a Microsoft person that
Windows Time Service only keeps the clients within five minutes as that
is the tolerance for Kerberos.  I don't put too much stock in that,
since it was off-handed, but the variation between client and DC seems
enough (not always, but fairly regularly) that I don't know that I would
consider it a "reliable" time service.

Given our experience, I was hoping someone could suggest a client aside
from the Windows Time Service.
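Before replacing the client, it helps to measure the drift the thread describes rather than estimate it. The script below is an added example and is not from this thread or from Microsoft: it uses the built-in w32tm tool to sample each server's offset against the reference host (the DC or internal NTP server), reports what each server actually syncs from, and flags anything beyond a tolerance. The host names, the one-second threshold, and the use of PowerShell remoting (Invoke-Command) are assumptions; the threshold is an audit choice, not a number from PCI DSS 10.4.

```powershell
# Added example (not from the thread): audit the clock offset of Windows servers
# against their reference (DC or internal NTP server) with w32tm and flag drift.
# Host names and the tolerance below are placeholders / assumptions.
param(
    [string[]]$Computers = @('srv-app01', 'srv-db01'),   # placeholder servers to audit
    [string]$ReferenceHost = 'dc01.example.local',       # placeholder DC or NTP source
    [double]$ToleranceSeconds = 1.0,                     # assumed audit threshold
    [int]$Samples = 5
)

function Get-ClockOffset {
    # Runs "w32tm /stripchart" on the target against the reference host and returns
    # the average signed offset in seconds as w32tm reports it.
    # With /dataonly each sample line looks like:  18:48:00, +00.0034567s
    param([string]$Computer, [string]$Reference, [int]$SampleCount)

    $lines = Invoke-Command -ComputerName $Computer -ArgumentList $Reference, $SampleCount -ScriptBlock {
        param($Ref, $N)
        w32tm /stripchart /computer:$Ref /samples:$N /dataonly 2>&1
    }

    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # nothing parseable: host unreachable, UDP/123 blocked, etc.
    ($offsets | Measure-Object -Average).Average
}

function Get-TimeSource {
    # "w32tm /query /source" shows what the target really syncs from.
    # "Local CMOS Clock" or "Free-running System Clock" means it is not synchronized at all.
    param([string]$Computer)
    $out = Invoke-Command -ComputerName $Computer -ScriptBlock { w32tm /query /source }
    ("$out").Trim()
}

$report = foreach ($c in $Computers) {
    $offset = Get-ClockOffset -Computer $c -Reference $ReferenceHost -SampleCount $Samples
    $source = Get-TimeSource -Computer $c

    if ($null -eq $offset) {
        $status = 'NO DATA'
    } elseif ($source -match 'CMOS|Free-running') {
        $status = 'NOT SYNCED'
    } elseif ([math]::Abs($offset) -gt $ToleranceSeconds) {
        $status = 'DRIFT'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Computer      = $c
        TimeSource    = $source
        OffsetSeconds = if ($null -ne $offset) { [math]::Round($offset, 3) } else { 'n/a' }
        Status        = $status
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Run it on a schedule from a management host and keep the output with the other 10.4 evidence: a server that reports "Local CMOS Clock" as its source, or whose offset grows between runs, shows the synchronization problem directly, and the same table documents the result after any configuration or client change.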