To prevent "replay attacks" (attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition.
For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock.
If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic.
Configure the Maximum tolerance for computer clock synchronization setting to 5 minutes. On the local computer, the Security Configuration Engine will refresh this setting in about five minutes.
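The server-side check the passage above describes, as an added illustrative model (not Microsoft's or any Kerberos implementation's code): an authenticator time stamp is accepted only if it falls within the configured tolerance of the server clock and has not already been accepted, which is what makes a resubmitted credential detectable. The principal names, clock values and the 5 minute window are constructed from the text; the error names are the RFC 4120 ones.

```python
from datetime import datetime, timedelta, timezone

# Policy value from the text: Maximum tolerance for computer clock synchronization = 5 minutes
MAX_CLOCK_SKEW = timedelta(minutes=5)


class AuthenticatorValidator:
    """Simplified model of the time stamp check a Kerberos service applies to an
    authenticator (illustrative only, not Windows or MIT Kerberos code).

    Rule 1: the client time stamp must be within MAX_CLOCK_SKEW of the server clock.
    Rule 2: a time stamp already accepted from the same principal is a replay.
    """

    def __init__(self, skew=MAX_CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # (principal, client_time) -> server time when first accepted

    def _expire(self, now):
        # An entry older than the skew window can never satisfy rule 1 again,
        # so the replay cache only has to remember one window's worth of stamps.
        cutoff = now - self.skew
        self._seen = {k: t for k, t in self._seen.items() if t >= cutoff}

    def validate(self, principal, client_time, server_now):
        """Return (accepted, reason); reasons use the RFC 4120 error names."""
        self._expire(server_now)
        if abs(server_now - client_time) > self.skew:
            return False, "KRB_AP_ERR_SKEW"      # clock difference exceeds policy
        key = (principal, client_time)
        if key in self._seen:
            return False, "KRB_AP_ERR_REPEAT"    # same authenticator resubmitted
        self._seen[key] = server_now
        return True, "OK"


def demo():
    """Constructed scenario (hypothetical principals); returns the reasons in order."""
    v = AuthenticatorValidator()
    alice, bob = "alice@EXAMPLE.COM", "bob@EXAMPLE.COM"
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # domain controller clock
    m, s = timedelta(minutes=1), timedelta(seconds=1)
    return [
        v.validate(alice, t0 - 2 * m, t0)[1],           # client 2 min behind: inside window
        v.validate(alice, t0 - 2 * m, t0 + 10 * s)[1],  # same stamp resubmitted: replay
        v.validate(bob, t0 + 7 * m, t0)[1],             # client 7 min ahead: skew, not cached
        v.validate(alice, t0 + 30 * s, t0 + 40 * s)[1], # fresh stamp from alice: fine
        v.validate(alice, t0 - 2 * m, t0 + 6 * m)[1],   # old stamp after cache expiry: skew
    ]
```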
Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Kerberos Policy security settings are not registry keys.
Configuring the Windows Time service

Microsoft provides two tools to configure and diagnose the Windows Time service: Net time, which is used to configure the time service and the synchronization hierarchy. The following net time command will change the time server on the local machine to mytimeserver. For example, to monitor and analyze the time synchronization in the hp.

Both tools allow you to configure the time hierarchy to use the Windows defaults as explained earlier in this section or to use special designated time servers.

It contains the following GPO entries: Figure 5.

This process is repeated at the next interval check until either:
- The local time and target time remain within 2 seconds of each other.
- The interval frequency is reduced to the minimum setting of 45 minutes.

The default time convergence hierarchy constructed in a Windows and Windows Server forest follows the following rules:
- All client desktops and member servers nominate as their inbound time partner the authenticating domain controller.

Authors: Jan De Clercq.