Security Basics mailing list archives

RE: Windows time and PCI compliance


From: "Prodigi Child" <prodigi.child () gmail com>
Date: Wed, 22 Oct 2008 15:28:48 -0500

I agree with KevinT. Using Group Policy one can change the tolerances for
time drift. There are some 1U rack-mounted NTP servers that use
satellite + atomic (radium? Cesium? Can't remember) that you can point all
of your systems to. Last I checked I think I saw some for around 5k.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Kevin Tunison
Sent: Monday, October 20, 2008 4:58 PM
To: Chris Teodorski
Cc: security-basics () securityfocus com
Subject: Re: Windows time and PCI compliance

On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski
<chris.teodorski () gmail com> wrote:
> Hello all,
>
> The PCI/DSS section 10.4 has pretty specific requirements for clock
> synchronization. Our experience with the Windows Time service has
> been less than stellar. Can anyone recommend a good reliable Windows
> NTP client?
>
> I imagine several others of you out there are fighting with PCI/DSS
> compliance.
>
> Thanks,
> Chris


By the windows time service being less than stellar, surely you are
referring to the default links within the ntp client and not the
software itself, as it conforms to RFC 1769.  Those links are easily
modified (and any good administrator will do such), especially in a
domain environment.

If it is the changing of a system time you are worried about, get GPO
involved (and any good administrator will do such) at both the domain
and workstation level where appropriate.  On the domain one can set
time-changing restrictions at the following Group Policy location:
Local Computer, Computer Config, Windows Settings, Security Settings,
Local Policies, User rights assignment, change system time.

Stick with Stratum 1 NTP servers.  The U.S. Navy is a good choice, but
there are others.

Read this:  http://support.ntp.org/bin/view/Servers/RulesOfEngagement

where you will also find a list of open, registration, and restricted
NTP servers in the 1st stratum.

Regards,

KevinT
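The three things the replies above recommend (point the Windows Time client at explicit stratum-1 peers, bound how far a sample may move the clock, and restrict the "Change the system time" right) can be scripted and audited from an elevated PowerShell prompt. The script below is an added example, not something posted in this thread; the peer hostnames are placeholders you must replace with servers you are permitted to use, and on a domain member the same settings should be delivered by Group Policy rather than set by hand.

```powershell
# Added example (not from the thread): configure and audit the Windows Time
# service as the replies above describe. Hostnames are placeholders.
# Run from an elevated PowerShell prompt on the host being brought into
# compliance; on a domain member let Group Policy carry the same settings.

param(
    # Assumed peers: replace with the stratum-1 servers you are allowed to
    # use (see the NTP Rules of Engagement link above before picking any).
    [string[]]$Peers = @('ntp1.example.org', 'ntp2.example.org'),
    # Largest correction (seconds) the client may apply from one sample.
    # 3600 s (1 hour) is the domain-member default; tighten as policy allows.
    [int]$MaxPhaseCorrectionSeconds = 3600,
    # Poll interval (seconds) used with a manual peer list.
    [int]$PollIntervalSeconds = 900
)

$ErrorActionPreference = 'Stop'
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$client = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient'

# 1. Replace the default time.windows.com (or domain hierarchy) source with
#    an explicit peer list. Flag 0x9 = 0x1 (honour SpecialPollInterval)
#    + 0x8 (client-mode association, never symmetric active).
$peerList = ($Peers | ForEach-Object { "$_,0x9" }) -join ' '
w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /reliable:no /update | Out-Null

# 2. Drift tolerances. A sample whose offset exceeds these limits is
#    discarded instead of applied, which stops a broken or hostile upstream
#    from slewing the clock by hours. The GPO "Windows Time Service >
#    Global Configuration Settings" writes the same value names under
#    HKLM\SOFTWARE\Policies\Microsoft\W32Time\Config.
Set-ItemProperty $cfg    -Name MaxPosPhaseCorrection -Value $MaxPhaseCorrectionSeconds -Type DWord
Set-ItemProperty $cfg    -Name MaxNegPhaseCorrection -Value $MaxPhaseCorrectionSeconds -Type DWord
Set-ItemProperty $client -Name SpecialPollInterval   -Value $PollIntervalSeconds       -Type DWord

Restart-Service w32time
w32tm /resync /nowait | Out-Null

# 3. Evidence for the assessor: the source and stratum actually in use ...
w32tm /query /source
w32tm /query /status | Select-String 'Stratum|Last Successful Sync|Source'

# ... and the measured offset against each peer. A stripchart line looks
# like "15:28:48, d:+00.0046883s o:+00.0000126s"; "o:" is our clock's
# offset from that server in seconds.
foreach ($peer in $Peers) {
    $lines   = w32tm /stripchart /computer:$peer /samples:3 /period:2
    $offsets = $lines | ForEach-Object {
        if ($_ -match 'o:([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if ($offsets) {
        $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
        '{0,-24} worst offset {1,8:N4} s' -f $peer, $worst
    } else {
        "$peer : no response (firewall or peer down?)"
    }
}

# 4. Who may change the clock. "Change the system time" in User Rights
#    Assignment is SeSystemtimePrivilege; export the local policy and
#    resolve the SIDs so the list is readable in an audit report.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeSystemtimePrivilege' | Select-Object -First 1
if ($line) {
    $holders = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object {
        $sid = $_.TrimStart('*')
        try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
    "Change the system time: $($holders -join ', ')"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Two caveats when using this as compliance evidence. The stripchart offsets are only meaningful against a server you can reach over UDP/123, so an unexpected "no response" usually means a firewall rule rather than a bad clock. And the user-right export shows the effective local setting; on a domain member confirm the same right in the applied GPO (Security Settings > Local Policies > User Rights Assignment), because a later policy refresh will overwrite anything set only locally.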

