STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

The computer clock synchronization tolerance must be limited to 5 minutes or less.

DISA Rule

SV-226069r569184_rule

Vulnerability Number

V-226069

Group Title

SRG-OS-000112-GPOS-00057

Rule Version

WN12-AC-000014-DC

Severity

CAT II

CCI(s)

CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
CCI-001942 - The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.

Weight

Fix Recommendation

Configure the policy value in the Default Domain Policy for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Kerberos Policy -> "Maximum tolerance for computer clock synchronization" to a maximum of 5 minutes or less.

Check Contents

Verify the following is configured in the Default Domain Policy.

Open "Group Policy Management".
Navigate to "Group Policy Objects" in the Domain being reviewed (Forest > Domains > Domain).
Right click on the "Default Domain Policy".
Select Edit.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Kerberos Policy.

If the "Maximum tolerance for computer clock synchronization" is greater than 5 minutes, this is a finding.

The computer clock synchronization tolerance must be limited to 5 minutes or less.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments