From Active Directory Forest Security Technical Implementation Guide (STIG)
Part of Time Synchronization-Authoritative Source
Associated with IA controls: ECTM-2, ECTM-1
Associated with: CCI-001891
When the Windows Time service is used to synchronize time on client computers (workstations and servers) throughout an AD forest, the forest root domain PDC Emulator is, by default, the authoritative time source for the entire forest. To obtain an accurate time for itself, the forest root domain PDC Emulator acts as a client to an external time source.
1. Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient
2. If the value for “Enabled” is not “1”, then this is a finding.
3. Use Registry Editor to navigate to the following: HKLM\System\CurrentControlSet\Services\W32Time\Parameters
4. If the value for “Type” is not “NTP”, then this is a finding.

Note: If these checks indicate a finding because the NtpClient is not enabled, ask the SA to demonstrate that a) an alternate time synchronization tool is installed and enabled and that b) a DoD-authorized external time source is being used.

5. If the Windows Time service is not enabled or no alternate tool is installed and enabled in its place, then this is a finding.
Configure the Windows Time service on the forest root PDC Emulator to acquire its time from an external time source.
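The registry and service checks above can be scripted. The following PowerShell is an added example, not part of the STIG text; `Get-RegValue` is a hypothetical helper name, and reading "not enabled" in step 5 as a missing service or a startup type of Disabled is an assumption.

```powershell
# Added example: automates steps 1-5 of the check on the forest root PDC Emulator.
# Run in an elevated Windows PowerShell 5.1+ session on that domain controller.
$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$findings = [System.Collections.Generic.List[string]]::new()

function Get-RegValue {
    # Hypothetical helper: returns $null when the key or value is missing.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Steps 1-2: NtpClient provider must be enabled (Enabled = 1).
$enabled = Get-RegValue -Path "$base\TimeProviders\NtpClient" -Name 'Enabled'
if ($enabled -ne 1) {
    $findings.Add("NtpClient 'Enabled' is '$enabled' (expected 1)")
}

# Steps 3-4: synchronization type must be NTP.
$type = Get-RegValue -Path "$base\Parameters" -Name 'Type'
if ($type -ne 'NTP') {
    $findings.Add("Parameters 'Type' is '$type' (expected NTP)")
}

# Step 5 (assumption): "not enabled" means the service is absent or Disabled.
$svc = Get-Service -Name 'W32Time' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings.Add('Windows Time service (W32Time) is not installed')
} elseif ($svc.StartType -eq 'Disabled') {
    $findings.Add('Windows Time service (W32Time) startup type is Disabled')
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: NtpClient enabled, Type is NTP, W32Time not disabled.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Per the Note in the check: an alternate time synchronization tool and a
    # DoD-authorized external source must be demonstrated manually by the SA.
    Write-Output 'Manual review: confirm whether an alternate time sync tool is in use.'
}
```

The script only reads configuration; whether the configured external source is DoD-authorized still has to be confirmed with the SA.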