STIGQter: STIG Summary: Active Directory Forest Security Technical Implementation Guide (STIG) Version: 2 Release: 8 Benchmark Date: 27 Jul 2018: STIGQter: STIG Summary: Active Directory Forest Security Technical Implementation Guide (STIG) Version: 2 Release: 8 Benchmark Date: 27 Jul 2018:SV-9054r3_rule
V-8557
Time Synchronization-Authoritative Source
AD.0295
CAT II
10
Configure the forest root PDC Emulator to acquire its time from an external time source.
The Windows Time Service can be configured by setting the policy value for Computer Configuration >> Administrative Templates >> System >> Windows Time Service >> Time Providers >> "Configure Windows NTP Client" to "Enabled", and configure the "NtpServer" field to point to an authorized time server.
This applies to the domain controller with the PDC emulator role in forest root domain; it is NA for other domain controllers in the forest.
Determine the domain controller with the PDC Emulator role in the forest root domain:
Windows 2008 R2 or later:
Open "Windows PowerShell".
Enter "Get-ADDomain -Identity [Forest Root Domain] | FT PDCEmulator", where [Forest Root Domain] is the forest root domain name, such as "example.mil". (This can also be entered without the -Identity parameter if running within the forest root domain.)
Windows 2008:
Open "Active Directory Users and Computers" from a domain controller in or connected to the forest root (available from various menus or run "dsa.msc").
Select "Action" in the menu, then "All Tasks >> Operations Masters".
Select the "PDC" tab.
On the system with the PDC Emulator role, open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator).
Enter "W32tm /query /configuration".
Under the "NtpClient" section:
If the value for "Type" is not "NTP", this is a finding.
If the value for "NtpServer" is not an external DoD time source, this is a finding.
If an alternate time synchronization tool is used and is not enabled or not configured to a synchronize with an external DoD time source, this is a finding.
The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
V-8557
False
AD.0295
This applies to the domain controller with the PDC emulator role in forest root domain; it is NA for other domain controllers in the forest.
Determine the domain controller with the PDC Emulator role in the forest root domain:
Windows 2008 R2 or later:
Open "Windows PowerShell".
Enter "Get-ADDomain -Identity [Forest Root Domain] | FT PDCEmulator", where [Forest Root Domain] is the forest root domain name, such as "example.mil". (This can also be entered without the -Identity parameter if running within the forest root domain.)
Windows 2008:
Open "Active Directory Users and Computers" from a domain controller in or connected to the forest root (available from various menus or run "dsa.msc").
Select "Action" in the menu, then "All Tasks >> Operations Masters".
Select the "PDC" tab.
On the system with the PDC Emulator role, open "Windows PowerShell" or an elevated "Command Prompt" (run as administrator).
Enter "W32tm /query /configuration".
Under the "NtpClient" section:
If the value for "Type" is not "NTP", this is a finding.
If the value for "NtpServer" is not an external DoD time source, this is a finding.
If an alternate time synchronization tool is used and is not enabled or not configured to a synchronize with an external DoD time source, this is a finding.
The US Naval Observatory operates stratum 1 time servers, identified at http://tycho.usno.navy.mil/ntp.html. Time synchronization will occur through a hierarchy of time servers down to the local level. Clients and lower-level servers will synchronize with an authorized time server in the hierarchy.
M
Information Assurance Officer
871