Security Basics mailing list archives

Re: Windows time and PCI compliance


From: "Kevin Tunison" <ktunison () gmail com>
Date: Mon, 20 Oct 2008 22:58:01 +0100

On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski
<chris.teodorski () gmail com> wrote:
Hello all,

The PCI/DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good reliable Windows
NTP client?

I imagine several others of you out there are fighting with PCI/DSS compliance.


Thanks,
Chris


By the Windows Time service being less than stellar, surely you are
referring to the default links within the NTP client and not the
software itself, as it conforms to RFC 1769.  Those links are easily
modified (and any good administrator will do such), especially in a
domain environment.

If it is the changing of a system time you are worried about, get GPO
involved (and any good administrator will do such) at both the domain
and workstation level where appropriate.  On the domain one can set
time-changing restrictions at the following Group Policy location:
Local Computer, Computer Config, Windows Settings, Security Settings,
Local Policies, User rights assignment, change system time.

Stick with Stratum 1 NTP servers.  The U.S. Navy is a good choice, but
there are others.

Read this:  http://support.ntp.org/bin/view/Servers/RulesOfEngagement

where you will also find a list of open, registration, and restricted
NTP servers in the 1st stratum.

Regards,

KevinT
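
The two steps recommended in the reply above (replacing the default time source and restricting who may change the clock), as an added PowerShell example that is not part of the original post. The peer host names are placeholders, the `w32tm /query` subcommands assume Windows Vista / Server 2008 or later, and the "expected" list assumes the default holders on a member server.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Placeholder peers (assumption): substitute the NTP servers you are allowed to use.
$peers = 'ntp1.example.org,0x8 ntp2.example.org,0x8'   # 0x8 = client-mode flag

# 1. Replace the default time source with the chosen peers and resync.
w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync /rediscover

# 2. Confirm what the service is actually synchronizing from.
w32tm /query /source
w32tm /query /status     # reports stratum, source and last successful sync
w32tm /query /peers

# 3. Audit who holds "Change the system time" (SeSystemtimePrivilege).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege\s*=' |
         Select-Object -First 1

# Assumed baseline: Administrators and LOCAL SERVICE only.
$expected = 'S-1-5-32-544', 'S-1-5-19'

if (-not $entry) {
    Write-Warning 'SeSystemtimePrivilege is not assigned in the exported policy.'
} else {
    $holders = ($entry.Line -split '=', 2)[1] -split ',' |
               ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($h in $holders) {
        # secedit writes SIDs where it can; resolve them to names for the report.
        try {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($h)
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $h   # already a name, or an unresolvable SID
        }
        $state = if ($expected -contains $h) { 'expected' } else { 'REVIEW' }
        '{0,-8} {1} ({2})' -f $state, $name, $h
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Any holder flagged `REVIEW` is an account outside the assumed baseline that can alter the clock, and therefore the timestamps your audit logs depend on.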

