UCF STIG Viewer Logo

If the time service is configured, it must use an authorized time server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-3472 WN12-CC-000069 SV-52919r1_rule ECSC-1 Low
Description
The Windows Time Service controls time synchronization settings. Time synchronization is essential for authentication and auditing purposes. If the Windows Time Service is used, it must synchronize with a secure, authorized time source. Domain-joined systems are automatically configured to synchronize with domain controllers. If an NTP server is configured, it must synchronize with a secure, authorized time source.
STIG Date
Windows Server 2012 Member Server Security Technical Implementation Guide 2014-01-07

Details

Check Text ( C-47224r2_chk )
Review the following registry values:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Microsoft\W32time\Parameters\

Value Name: Type
Type: REG_SZ
Value: Possible values are NoSync, NTP, NT5DS, AllSync

and

Value Name: NTPServer
Type: REG_SZ
Value: "address of the time server"

The following would be a finding:
"Type" has a value of "NTP" or "Allsync" AND the "NTPServer" value is set to "time.windows.com" or other unauthorized server.

The following would not be a finding:
The referenced registry values do not exist.
"Type" has a value of "NoSync" or "NT5DS".
"Type" has a value of "NTP" or "Allsync" AND the "NTPServer" is blank or configured to an authorized time server.

For DoD organizations, the US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.

Domain-joined systems are automatically configured to synchronize with domain controllers, and it would not be a finding unless this is changed.
Fix Text (F-45845r1_fix)
If the system needs to be configured to an NTP server, configure the system to point to an authorized time server by setting the policy value for Computer Configuration -> Administrative Templates -> System -> Windows Time Service -> Time Providers -> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server.