STIGQter: STIG Summary: Windows 2008 Domain Controller Security Technical Implementation Guide Version: 6 Release: 44 Benchmark Date: 26 Jul 2019: Time synchronization must be enabled on the domain controller.

DISA Rule

SV-31548r2_rule

Vulnerability Number

V-8322

Group Title

Time Synchronization

Rule Version

DS00.0150_2008

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure the Windows Time Service is configured as follows or install and enable another time synchronization tool.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP, or Allsync

Check Contents

Determine if a time synchronization tool has been implemented on the Windows domain controller.

If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP, or Allsync

If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled.

If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.
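
The registry portion of this check can be scripted. The following PowerShell is an added example, not part of the STIG or STIGQter; the function name and output property names are assumptions chosen for illustration, and the service status lookup is a supplementary data point alongside the two registry values the check names.

```powershell
# Added example: audits the two W32Time registry values named in this check.
# Function and property names are illustrative, not defined by the STIG.
function Test-W32TimeStigValues {
    $base         = 'HKLM:\System\CurrentControlSet\Services\W32Time'
    $allowedTypes = @('NT5DS', 'NTP', 'Allsync')   # -contains compares case-insensitively

    # A missing key or value yields $null instead of a terminating error.
    $client = Get-ItemProperty -Path "$base\TimeProviders\NtpClient" -Name Enabled -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path "$base\Parameters" -Name Type -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name W32Time -ErrorAction SilentlyContinue

    $enabled = if ($client) { $client.Enabled } else { $null }
    $type    = if ($params) { $params.Type } else { $null }

    $enabledOk = ($enabled -eq 1)
    $typeOk    = ($allowedTypes -contains $type)

    New-Object PSObject -Property @{
        NtpClientEnabled  = $enabled
        SyncType          = $type
        ServiceStatus     = if ($svc) { $svc.Status } else { 'NotInstalled' }
        EnabledCompliant  = $enabledOk
        TypeCompliant     = $typeOk
        # Per the check text, a registry failure is a finding only if no alternate
        # time synchronization tool is installed and enabled; verify that manually.
        NeedsManualReview = -not ($enabledOk -and $typeOk)
    }
}

Test-W32TimeStigValues | Format-List
```

A result with NeedsManualReview set to True does not by itself establish a finding; the reviewer still has to determine whether an alternate time synchronization tool is in use.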

Documentable

False

Severity Override Guidance

Determine if a time synchronization tool has been implemented on the Windows domain controller.

If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP, or Allsync

If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled.

If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.

Check Content Reference

M

Responsibility

System Administrator

Target Key

1340
