Security Basics mailing list archives
Re: Windows time and PCI compliance
From: Chris Teodorski <chris.teodorski () gmail com>
Date: Mon, 20 Oct 2008 18:48:00 -0400
Kevin Tunison wrote:
> On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski <chris.teodorski () gmail com> wrote:
>> Hello all,
>>
>> The PCI/DSS section 10.4 has pretty specific requirements for clock synchronization. Our experience with the Windows Time service has been less than stellar. Can anyone recommend a good reliable Windows NTP client? I imagine several others of you out there are fighting with PCI/DSS compliance.
>>
>> Thanks,
>> Chris
>
> By the Windows Time service being less than stellar, surely you are referring to the default links within the NTP client and not the software itself, as it conforms to RFC 1769. Those links are easily modified (and any good administrator will do such), especially in a domain environment. If it is the changing of a system time you are worried about, get GPO involved (and any good administrator will do such) at both the domain and workstation level where appropriate. On the domain one can set time-changing restrictions at the following Group Policy location: Local Computer, Computer Config, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Change system time.
>
> Stick with Stratum 1 NTP servers. The U.S. Navy is a good choice, but there are others. Read this: http://support.ntp.org/bin/view/Servers/RulesOfEngagement where you will also find a list of open, registration, and restricted NTP servers in the 1st stratum.
>
> Regards,
> KevinT
Actually, we are syncing our clients with our domain controllers, and our DCs sync against an internal Unix NTP server. The issue we have seen is that the variation between client (being servers in this case) and DC seems to drift. I was told off-handedly by a Microsoft person that the Windows Time Service only keeps the clients within five minutes, as that is the tolerance for Kerberos. I don't put too much stock in that, since it was off-handed, but the variation between client and DC seems enough (not always, but fairly regularly) that I don't know that I would consider it a "reliable" time service. Given our experience, I was hoping someone could suggest a client aside from the Windows Time Service.
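An added example, not part of the thread: a PowerShell check that measures, from a trusted reference host such as the DC, how far each server's clock is from this host's using w32tm /stripchart, and flags anything outside a tolerance set well below the five-minute Kerberos window discussed above. The host names and the 60-second threshold are placeholders.

```powershell
# Added example (not from the thread). Run on a host whose clock you trust (e.g. the DC);
# w32tm /stripchart reports each target's offset relative to this host's clock.
# 'srv01'/'srv02' and the 60 s threshold are placeholders for your own environment.

function ConvertFrom-StripchartOutput {
    param([string[]]$Lines)
    # /dataonly sample lines look like "18:48:00, +00.0018455s";
    # failed probes look like "18:48:01, error: 0x800705B4" and are skipped.
    $offsets = foreach ($line in $Lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$matches[1] }
    }
    return @($offsets)
}

function Get-ClockOffsetSeconds {
    param([string]$Target, [int]$Samples = 5)
    # Capture stdout and stderr as plain strings so the parser sees every line.
    $raw = & w32tm /stripchart /computer:$Target /samples:$Samples /dataonly 2>&1 |
        ForEach-Object { "$_" }
    $offsets = ConvertFrom-StripchartOutput -Lines $raw
    if ($offsets.Count -eq 0) { return $null }      # unreachable, or UDP/123 blocked
    return ($offsets | Measure-Object -Average).Average
}

function Test-ClockSkew {
    param([string[]]$Targets, [double]$MaxSkewSeconds = 60)
    foreach ($t in $Targets) {
        $offset = Get-ClockOffsetSeconds -Target $t
        if ($null -eq $offset) {
            $status = 'UNREACHABLE'
        } elseif ([math]::Abs($offset) -gt $MaxSkewSeconds) {
            $status = 'OUT OF TOLERANCE'       # evidence for the PCI 10.4 control review
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{ Host = $t; OffsetSeconds = $offset; Status = $status }
    }
}

# Placeholder targets; schedule this and keep the output as part of the audit trail.
Test-ClockSkew -Targets @('srv01', 'srv02') -MaxSkewSeconds 60 | Format-Table -AutoSize
```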