Last time, I discussed the importance of synchronizing the
time on your network and devices, and I explained why accurate time is even
more important for security logs (“Make sure
security logs exhibit accurate time with NTP”). In the article, I reviewed
the different types of timing sources and looked at methods you can use to coordinate
the time on your network security devices.
However, it’s not enough to simply synchronize the time on
your network devices—this effort should extend all the way to the desktop. Applying
a single, consistent time source throughout
your network can boost both network efficiency and security.
Synchronizing time on your Windows domain requires following
the Active Directory domain hierarchy to find a reliable time source for your
entire domain. In a Windows Server 2003 Active Directory forest, the server
that holds the primary
domain controller (PDC) emulator role acts as the default time source for
your entire network.
Each workstation and server in this network will try to
locate a time source for synchronization. Using an internal algorithm designed
to reduce network traffic, systems will make up to six attempts to find a time
source. Here’s a look at the order of these attempts:
- Parent
domain controller (on-site) - Local
domain controller (on-site) - Local
PDC emulator (on-site) - Parent
domain controller (off-site) - Local
domain controller (off-site) - Local
PDC emulator (off-site)
To ensure that your servers are finding the proper time, you
must configure your PDC emulator to receive the time from a valid and accurate
time source. To configure this role, follow these steps:
- Log on
to the domain controller. - Enter
the following at the command line:
W32tm /config /manualpeerlist:<timeserver> /syncfromflags:manual
<timeserver>
is a space-delimited list of DNS and/or IP addresses. When specifying multiple time
servers, enclose the list in quotation marks.
- Update the Windows Time Service configuration. At the command line,
you can either enter W32tm
/config /update, or you can
enter the following:
Net stop w32time Net start w32time
If a system isn’t a member of a domain, you must manually configure
it to synchronize with a specified time source. Follow these steps:
- Go to
Start | Control Panel, and double-click Date And Time. - On the
Internet Time tab, select a time server from the drop-down list, or enter the
DNS name of your network’s internal time source. - Click
Update Now, click Apply, and click OK.
Note: It’s
important to make sure that any access control lists on your network allow UDP
port 123 to and from systems to the selected time source. For more information,
see Microsoft’s Windows Time Service Tools and Settings
documentation.
Final thoughts
Properly synchronizing your network with a consistent and
accurate time source will pay big dividends when it comes down to tracking
anomalies and security problems within your network. Setting and distributing the
accurate time for your network is an easy process—you just need to find the
time to do it.
Miss a column?
Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.
Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.