Windows time and PCI compliance
Chris Teodorski
2008-10-20 15:12:56 UTC
Hello all,

PCI DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good, reliable Windows
NTP client?

I imagine several others of you out there are fighting with PCI/DSS compliance.


Thanks,
Chris
d***@nationalstoresinc.com
2008-10-20 18:12:11 UTC
Just went through this also and agree that Windows Time Service was not very reliable.

We ended up pointing our domain controller to time.nist.gov instead and it's working like a charm.

Cheers!
CCC
2008-10-21 00:45:35 UTC
http://www.arachnoid.com/abouttime/index.html

By far the best NTP server-client that I have found. Works flawlessly in
all versions of Windows.

Regards

Carlos Manuel De La Concha Canedo
Systems consultant
Post by d***@nationalstoresinc.com
Just went through this also and agree that Windows Time Service was not very reliable.
We ended up pointing our domain controller to time.nist.gov instead and it's working like a charm.
Cheers!
Chris Teodorski
2008-10-20 22:48:00 UTC
Post by Kevin Tunison
On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski
Post by Chris Teodorski
Hello all,
PCI DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good, reliable Windows
NTP client?
I imagine several others of you out there are fighting with PCI/DSS compliance.
Thanks,
Chris
By the windows time service being less than stellar, surely you are
referring to the default links within the ntp client and not the
software itself, as it conforms to RFC 1769. Those links are easily
modified (and any good administrator will do such), especially in a
domain environment.
If it is the changing of a system time you are worried about, get GPO
involved (and any good administrator will do such) at both the domain
and workstation level where appropriate. On the domain one can set
time-changing restrictions at the following Group Policy location:
Local Computer, Computer Config, Windows Settings, Security Settings,
Local Policies, User rights assignment, change system time.
Stick with Stratum 1 ntp servers. The U.S. Navy is a good choice, but
there are others.
Read this: http://support.ntp.org/bin/view/Servers/RulesOfEngagement
where you will also find a list of open, registration, and restricted
NTP servers in the 1st stratum.
Regards,
KevinT
Actually, we are syncing our clients with our domain controllers and our
DCs sync against an internal Unix ntp server. The issue we have seen is
that the variation between client (being servers in this case) and DC
seems to drift. I was told off-handedly by a Microsoft person that
Windows Time Service only keeps the clients within five minutes, as that
is the tolerance for Kerberos. I don't put too much stock in that,
since it was off-handed, but the variation between client and DC seems
enough (not always, but fairly regularly) that I don't know that I would
consider it a "reliable" time service.

Given our experience, I was hoping someone could suggest a client aside
from the Windows Time Service.
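As an added example (not code from any poster in this thread), here is the offset calculation an RFC 1769 SNTP client such as the one KevinT refers to performs, run over a constructed server reply, together with a check against the five-minute Kerberos tolerance Chris mentions and against an unusable stratum. The packet builder, the field names and the sample timestamps are all constructed for this demo.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
KERBEROS_MAX_SKEW = 300.0       # the five-minute tolerance mentioned in the thread, in seconds

def unix_to_ntp(t):
    """Split a Unix float timestamp into NTP 32-bit seconds and 32-bit fraction."""
    sec = int(t)
    return sec + NTP_EPOCH_OFFSET, min(int(round((t - sec) * 2**32)), 2**32 - 1)

def ntp_to_unix(sec, frac):
    return sec - NTP_EPOCH_OFFSET + frac / 2**32

def pack_ts(t):
    return struct.pack("!II", *unix_to_ntp(t))

def build_reply(stratum, t1, t2, t3, ref_id=b"GPS\x00"):
    """Construct a 48-byte SNTP server reply (LI=0, VN=3, mode=4) for the demo; not captured traffic."""
    head = struct.pack("!BBBb", (3 << 3) | 4, stratum, 6, -20)   # flags, stratum, poll, precision
    misc = struct.pack("!II4s", 0, 0, ref_id)                    # root delay, root dispersion, ref id
    # reference ts, originate (T1 echoed from the client), receive (T2), transmit (T3)
    return head + misc + pack_ts(t3) + pack_ts(t1) + pack_ts(t2) + pack_ts(t3)

def parse_reply(pkt):
    """Extract the fields a client needs from a server reply."""
    if len(pkt) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    ts = struct.unpack("!8I", pkt[16:48])
    return {"version": (pkt[0] >> 3) & 7, "mode": pkt[0] & 7, "stratum": pkt[1],
            "ref_id": pkt[12:16],
            "t1": ntp_to_unix(ts[2], ts[3]),   # originate timestamp
            "t2": ntp_to_unix(ts[4], ts[5]),   # receive timestamp
            "t3": ntp_to_unix(ts[6], ts[7])}   # transmit timestamp

def clock_offset(reply, t4):
    """RFC 1769 offset ((T2 - T1) + (T3 - T4)) / 2; positive means the local clock is behind."""
    return ((reply["t2"] - reply["t1"]) + (reply["t3"] - t4)) / 2.0

def check_sync(reply, t4, max_skew=KERBEROS_MAX_SKEW):
    """Return (ok, reasons): reject non-server replies, unusable strata and offsets beyond tolerance."""
    reasons = []
    if reply["mode"] != 4:
        reasons.append("not a server reply (mode %d)" % reply["mode"])
    if not 1 <= reply["stratum"] <= 15:          # 0 = kiss-o'-death/unsynchronised, >15 invalid
        reasons.append("unusable stratum %d" % reply["stratum"])
    off = clock_offset(reply, t4)
    if abs(off) > max_skew:
        reasons.append("offset %.3f s exceeds %.0f s tolerance" % (off, max_skew))
    return (not reasons), reasons
```

With a constructed exchange where the server clock is 2.5 s ahead and the wire adds about 20 ms each way, `clock_offset` returns 2.5 and `check_sync` passes; a 400 s offset or a stratum-0 reply is rejected with a reason string.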
Kevin Tunison
2008-10-20 21:58:01 UTC
On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski
Post by Chris Teodorski
Hello all,
PCI DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good, reliable Windows
NTP client?
I imagine several others of you out there are fighting with PCI/DSS compliance.
Thanks,
Chris
By the windows time service being less than stellar, surely you are
referring to the default links within the ntp client and not the
software itself, as it conforms to RFC 1769. Those links are easily
modified (and any good administrator will do such), especially in a
domain environment.

If it is the changing of a system time you are worried about, get GPO
involved (and any good administrator will do such) at both the domain
and workstation level where appropriate. On the domain one can set
time-changing restrictions at the following Group Policy location:
Local Computer, Computer Config, Windows Settings, Security Settings,
Local Policies, User rights assignment, change system time.

Stick with Stratum 1 ntp servers. The U.S. Navy is a good choice, but
there are others.

Read this: http://support.ntp.org/bin/view/Servers/RulesOfEngagement

where you will also find a list of open, registration, and restricted
NTP servers in the 1st stratum.

Regards,

KevinT
Prodigi Child
2008-10-22 20:28:48 UTC
I agree with KevinT. Using Group Policy one can change the tolerances with
the time drift. There are some 1U rack-mounted NTP servers that use
satellite + atomic (radium? Cesium? Can't remember) that you can point all
of your systems to. Last I checked I think I saw some for around 5k.

-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On
Behalf Of Kevin Tunison
Sent: Monday, October 20, 2008 4:58 PM
To: Chris Teodorski
Cc: security-***@securityfocus.com
Subject: Re: Windows time and PCI compliance

On Mon, Oct 20, 2008 at 4:12 PM, Chris Teodorski
Post by Chris Teodorski
Hello all,
PCI DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good, reliable Windows
NTP client?
I imagine several others of you out there are fighting with PCI/DSS compliance.
Thanks,
Chris
By the windows time service being less than stellar, surely you are
referring to the default links within the ntp client and not the
software itself, as it conforms to RFC 1769. Those links are easily
modified (and any good administrator will do such), especially in a
domain environment.

If it is the changing of a system time you are worried about, get GPO
involved (and any good administrator will do such) at both the domain
and workstation level where appropriate. On the domain one can set
time-changing restrictions at the following Group Policy location:
Local Computer, Computer Config, Windows Settings, Security Settings,
Local Policies, User rights assignment, change system time.

Stick with Stratum 1 ntp servers. The U.S. Navy is a good choice, but
there are others.

Read this: http://support.ntp.org/bin/view/Servers/RulesOfEngagement

where you will also find a list of open, registration, and restricted
NTP servers in the 1st stratum.

Regards,

KevinT

Murda Mcloud
2008-10-21 00:34:02 UTC
Hi Chris,
How about NIST?
http://tf.nist.gov/timefreq/service/time-computer.html
-----Original Message-----
On Behalf Of Chris Teodorski
Sent: Tuesday, October 21, 2008 1:13 AM
Subject: Windows time and PCI compliance
Hello all,
PCI DSS section 10.4 has pretty specific requirements for clock
synchronization. Our experience with the Windows Time service has
been less than stellar. Can anyone recommend a good, reliable Windows
NTP client?
I imagine several others of you out there are fighting with PCI/DSS compliance.
Thanks,
Chris