STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021

Time synchronization must be enabled on the domain controller.

DISA Rule

SV-226076r569184_rule

Vulnerability Number

V-226076

Group Title

SRG-OS-000355-GPOS-00143

Rule Version

WN12-AD-000007-DC

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure the Windows Time Service is configured as follows or install and enable another time synchronization tool.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP or Allsync

Check Contents

Determine if a time synchronization tool has been implemented on the Windows domain controller.

If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP or Allsync

If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled.

If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.
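
The registry portion of this check can be scripted. The following PowerShell is an added example, not part of the STIG text; `Test-W32TimeStig` and `Get-RegEntry` are hypothetical helper names. It evaluates only the two W32Time values and their types, so deciding whether an alternate time synchronization tool is installed and enabled remains a manual step.

```powershell
# Added example: evaluates the two W32Time registry values named in the check.
# Helper names are hypothetical; run in an elevated session on the domain controller.
function Test-W32TimeStig {
    $base         = 'HKLM:\System\CurrentControlSet\Services\W32Time'
    $allowedTypes = 'NT5DS', 'NTP', 'AllSync'   # -in compares case-insensitively

    # Return the value and its registry type, or $null if the key or value is missing.
    function Get-RegEntry([string]$Path, [string]$Name) {
        try {
            $key = Get-Item -LiteralPath $Path -ErrorAction Stop
            [pscustomobject]@{
                Value = $key.GetValue($Name)
                Kind  = $key.GetValueKind($Name)   # throws when the value does not exist
            }
        } catch { $null }
    }

    $enabled = Get-RegEntry "$base\TimeProviders\NtpClient" 'Enabled'
    $type    = Get-RegEntry "$base\Parameters" 'Type'
    $svc     = Get-Service -Name W32Time -ErrorAction SilentlyContinue

    # Enabled must be REG_DWORD 1; Type must be REG_SZ with one of the allowed values.
    $enabledOk = ($null -ne $enabled) -and ($enabled.Kind -eq 'DWord') -and ($enabled.Value -eq 1)
    $typeOk    = ($null -ne $type) -and ($type.Kind -eq 'String') -and ($type.Value -in $allowedTypes)

    $result = if ($enabledOk -and $typeOk) {
        'Not a finding (Windows Time Service values are as specified)'
    } else {
        'Finding unless an alternate time synchronization tool is installed and enabled'
    }

    [pscustomobject]@{
        NtpClientEnabled = if ($enabled) { $enabled.Value } else { '<missing>' }
        ParametersType   = if ($type)    { $type.Value }    else { '<missing>' }
        W32TimeService   = if ($svc)     { $svc.Status }    else { '<not installed>' }
        EnabledCompliant = $enabledOk
        TypeCompliant    = $typeOk
        Result           = $result
    }
}

Test-W32TimeStig | Format-List
```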

Documentable

False

Severity Override Guidance

Determine if a time synchronization tool has been implemented on the Windows domain controller.

If the Windows Time Service is used, verify the following registry values. If they are not configured as specified, this is a finding.

Registry Hive: HKEY_LOCAL_MACHINE

Registry Path: \System\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\
Value Name: Enabled
Type: REG_DWORD
Value: 1

Registry Path: \System\CurrentControlSet\Services\W32Time\Parameters\
Value Name: Type
Type: REG_SZ
Value: NT5DS (preferred), NTP or Allsync

If these Windows checks indicate a finding because the NtpClient is not enabled, determine if an alternate time synchronization tool is installed and enabled.

If the Windows Time Service is not enabled and no alternate tool is enabled, this is a finding.

Check Content Reference

M

Target Key

4217
