Introduction
This paper guides users, particularly System and Network Administrators, on how to synchronize
time on the operating systems that they administer.
Synchronized, accurate time is important for the security of networks and systems, and for the
communication and application protocols that require it on the computers on which they run.
A good practice in any computer security system is the regular review and analysis of both certain
standard system log files and the log files created by firewalls and intrusion detection systems.
If time is not synchronized on different computers within a network, it will be difficult to accurately match
actions logged on different computers. During an intrusion, even if your computers all have the same time,
it might be difficult to correlate logged activities with outside actions if your computers' times are wrong.
This is crucial should an incident occur in your organization and you report the incident
to your CERT Team. Log analysis becomes difficult and uncertain if the times on all systems
are not synchronized.
Network Time Protocol (NTP)
NTP synchronizes clocks to the Universal Time Coordinated (UTC) standard, the international time standard.
NTP runs over UDP, which in turn is part of the TCP/IP protocol suite.
Therefore, a computer using NTP must have the TCP/IP protocol suite loaded. Any computer on your
network with Internet access can get time from NTP servers on the Internet.
NTP introduces the concept of a stratum. A stratum-1 server has an attached accurate time piece such
as a radio clock or an atomic clock. A stratum-2 server gets time from a stratum-1 server, and so on.
For this purpose, MyCERT has produced a document cum guideline on time synchronization for various
Operating Systems. It is hoped that this guideline will assist System Administrators in having one synchronized
time stamp for all devices within their network.
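How an NTP reply carries the stratum and the four timestamps from which a client computes its clock error, shown as an added example that is not part of the MyCERT guideline. The packet and all time values are constructed so that the code runs offline; the helper names are this example's own.

```python
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

def to_ntp(unix_ts):
    """Unix seconds -> (seconds, fraction) pair of a 64-bit NTP timestamp."""
    whole = int(unix_ts)
    return whole + NTP_UNIX_DELTA, int((unix_ts - whole) * 2**32)

def from_ntp(seconds, fraction):
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def build_reply(stratum, t1, t2, t3, leap=0, version=3):
    """Constructed 48-byte server reply (mode 4) so the example runs offline."""
    flags = (leap << 6) | (version << 3) | 4
    # Fields: flags, stratum, poll, precision, root delay, root dispersion,
    # reference id, then reference/originate/receive/transmit timestamps.
    return struct.pack("!BBbb11I", flags, stratum, 6, -20, 0, 0, 0,
                       *to_ntp(t2), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

def parse_reply(packet, t4):
    """Validate a reply received at local time t4 and return sync data."""
    if len(packet) < 48:
        raise ValueError("truncated NTP packet")
    f = struct.unpack("!BBbb11I", packet[:48])
    leap, mode, stratum = f[0] >> 6, f[0] & 0x07, f[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if leap == 3 or not 1 <= stratum <= 15:
        raise ValueError("server clock is not synchronized")
    t1, t2, t3 = from_ntp(*f[9:11]), from_ntp(*f[11:13]), from_ntp(*f[13:15])
    return {
        "stratum": stratum,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,  # server clock minus local clock
        "delay": (t4 - t1) - (t3 - t2),         # network round trip
    }

# Constructed exchange: local clock 15.463 s slow, 20 ms each way on the wire,
# 1 ms of processing on a stratum-2 server.
T1 = 1034668497.346
REPLY = build_reply(2, T1, T1 + 15.483, T1 + 15.484)
RESULT = parse_reply(REPLY, T1 + 0.041)

if __name__ == "__main__":
    print(RESULT)
```

A reply with leap indicator 3 or a stratum outside 1 to 15 is rejected because it comes from a server that is not itself synchronized.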
1) Microsoft Windows 2000
This guide applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows XP Professional
1.1 Requirement
- If you have a firewall installed, it must allow UDP packets on port 123
- All machines must be running a Microsoft operating system
- NTP will be using an Internet-based time server from "jaring.my"
1.2 Configuring NTP to use a Time Server
- This is done at the machine, usually the Domain Controller, that has been elected as the authoritative time
server and synchronizes from an external server.
- At the command prompt, type net time /setsntp:jaring.my
This will configure your Domain Controller (DC) to use Jaring's NTP server as its time source.
1.3 Synchronize the System Time with a time source
- At a command prompt, type net stop w32time then press ENTER to stop the Windows Time service.
- Synchronize the system time with the time server (source) using the w32time -once command. You
can redirect the synchronization output to a file by using >filename.txt (for example, w32time -once > c:\timesync.txt).
For more information on options, type w32 -?
The -period option sets the sync period, just as in the registry, for example:
0 = once a day
65535 = once every 2 days
65534 = once every 3 days
65533 = once every week
65532 = once every 45 min until we get 3 good syncs, then once every 8 hours
65531 = once every 45 min until we get 1 good sync, then once every day
Otherwise, the value is the number of times per day
- Check the output of the command for successful setting of the system time.
| W32Time: | BEGIN:SetTimeNow |
| W32Time: | Time 10/15/2002 7:55:12:809 |
| W32Time: | END Line 1258 |
| W32Time: | Time was 54min 57.346s --- here |
| W32Time: | Time is 55min 12.809s --- here |
| W32Time: | Error -15463 ms |
- Use the net start w32time command to start the Windows Time service.
1.4 Configure clients to Synchronize to the Time Server
- If computers are part of the domain, the time will automatically synchronize during
system startup or log on to the domain.
- If computers are not part of the domain, run the net time /set command on all computers to reset the
local computers' time against the authoritative time server.
Note: Run net time /? for more options.
2) Windows NT
This guide applies to:
Microsoft Windows NT Server versions 3.5, 3.51, 4.0
Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
For computers/servers running Windows NT Server and Windows NT Workstation, Timeserv.exe is a
utility that can be used to set and synchronize time in a network environment. For this purpose, the Timeserv.ini file
must be configured on each computer/server running Timeserv.exe.
Steps to Configure:
- Set the time accurately by obtaining the time from sources that specialize in providing this service, such
as your ISP. This can be done by dialling through a modem to obtain the time.
- The Timeserv.ini file tells the computer who and what number to call.
- After adding the ISP's phone number to the INI file, set the 'timesource=yes' value so this
server can provide time information to other domain servers on your network.
- The above server needs to pass the correct time to servers in different locations so these domain servers
themselves become time sources for their domain workstations.
- These servers obtain the time from the 'master source' by specifying 'type=primary' and
'primarysource=\\master's UNC' in the INI file.
Set 'timesource=yes' so workstations in local sites can obtain time from these servers.
- Workstations can then have 'type=secondary' in their INI file so they obtain the time from a domain time source.
'Timesource=no' should be set because they do not need to provide the time to other workstations.
More Information
Type=primary means the computer synchronizes with a specific computer. PRIMARYSOURCE gives that
computer name, which may be a list.
Type=secondary means the computer synchronizes with a domain time source, and SECONDARYDOMAIN can
give the domain name(s). If not, then the computer's domain is used. So, each workstation can be of type SECONDARY.
The value PRIMARYSOURCE is ignored.
To obtain the time just once each day, set 'period=1' in the INI file.
3) SUN Solaris
All Solaris systems from the Solaris 2.6 release onward include the NTP public domain software. The xntpd daemon
sets and maintains the system time-of-day. The xntpd daemon is a complete implementation of the version 3 standard,
as defined by RFC 1305.
Remember the following when using NTP in your network:
- The xntpd daemon uses minimal system resources.
- An NTP client synchronizes automatically with an NTP server when it boots. If the client becomes unsynchronized, the
client resynchronizes again when the client contacts a time server.
Another way to synchronize clocks is to run rdate while using cron.
How to Set Up an NTP Server
- Become superuser.
- Create the ntp.conf file.
To ensure proper execution of the xntpd daemon, the ntp.conf file must first be created.
The ntp.server file can be used as a template.
# cd /etc/inet
# cp ntp.server ntp.conf
- Start the xntpd daemon.
# /etc/init.d/xntpd start
How to Set Up an NTP Client
- Become superuser.
- Create the ntp.conf file.
To activate the xntpd daemon, the ntp.conf file must first be created.
# cd /etc/inet
# cp ntp.client ntp.conf
- Start the xntpd daemon.
# /etc/init.d/xntpd start
How to Synchronize Date and Time From Another System
Become superuser.
Reset the date and time to synchronize with another system, by using the rdate command.
# rdate another-system
Note: another-system is the name of the other system.
Verify that you have reset your system's date correctly by using the date command.
The output should show a date and time that matches that of the other system.
Example--Synchronizing Date and Time From Another System
The following example shows how to use rdate to synchronize the date and time of one system with another.
In this example, the system earth, running several hours behind, is reset to match the date and time
of the server starbug.
earth# date
Tue Jun 5 11:08:27 MDT 2001
earth# rdate starbug
Tue Jun 5 14:06:37 2001
earth# date
Tue Jun 5 14:06:40 MDT 2001
4) UNIX systems
The guidelines below apply to all flavors of UNIX, including Linux and OpenBSD. The basic steps to install
NTP are as follows.
More detailed instructions are available at:
Building and Installing the Distribution.
http://www.eecis.udel.edu/~ntp/ntp_spool/html/build.html
Download the latest version of NTP, which is available at:
http://www.eecis.udel.edu/~ntp/index.html
The newest releases are at the bottom of the linked page.
cd to one directory above where you plan to make the software. Untar the source package
into your working directory, such as /usr/local/tools/ntp-4.0.99k. If you have GNU tar,
tar -zxvf tarfile
(where tarfile is the complete path and filename to wherever you saved the downloaded source
package) will work. The z option is for uncompressing a .gz or .tgz file. Then cd to the newly
created directory, such as ntp-4.0.99k, and type:
./configure
Then:
make
- On systems using gcc, lots of warnings will scroll by. Then if you want to install the binaries into the
default install directory, /usr/local/bin, type:
make install
- If you want a different install directory for the executables, you'll need to edit the install script. If
your install is successful, you'll be able to run ntptrace to help you select public NTP servers to use
as your time sources.
- You could start ntpd with only command line options but you'll want to create a configuration file,
typically ntp.conf. The simplest configuration file is:
server servername
where servername is the public NTP server that you are using as a time source. Names or IP
addresses will work but names are preferred as the IP addresses are much more likely to change
than the names.
Ntpd will work with a single time source, but for accuracy you should add two or more public NTP
servers as discussed previously. If you're going to run multiple coordinated NTP servers as
recommended, you'll be adding "peer servername" lines as you bring other NTP servers online. You'll
also want to include:
driftfile /etc/ntp.drift
so ntpd will save the calculated drift and not have to recompute it from scratch each time it restarts.
You could pick another location but /etc/ntp.drift is the usual location.
You may start ntpd for the first time with the following command:
ntpd -A -c /etc/ntp.conf -l /var/log/ntp.log
In addition, you may put the commands to start ntpd in a startup script so that it will start automatically every time the
machine reboots.
By default, ntpd runs with encrypted authentication enabled. The "-A" turns it off. Only a few of the
public servers list the authentication options. The -c to specify the configuration file is probably not
necessary when using the default location but it's easier to put in than to try to figure out what's
wrong if it is required. You may use the -l to specify an NTP specific log rather than the default system log.
After a few minutes, ntpd will adjust your server's time. You may check/verify the time against Jaring's Time
for accuracy. Then you need to verify that all computers/servers are synchronized with each other and remain
that way, accurately.
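One way to carry out that verification across several machines, shown as an added example that is not part of the MyCERT guideline: audit the peer table printed by ntpq -p (the query tool shipped with the NTP distribution) on each host. The host names, peer names, captures and the 50 ms threshold are all assumptions constructed for this example.

```python
def parse_peers(ntpq_output):
    """Parse the peer table printed by `ntpq -p` into a list of dicts."""
    peers = []
    for line in ntpq_output.splitlines():
        fields = line[1:].split()
        # Skip blank lines, the header row and the ==== rule.
        if len(fields) != 10 or fields[0] == "remote":
            continue
        peers.append({
            "tally": line[0],             # '*' marks the peer ntpd is synced to
            "remote": fields[0],
            "reach": int(fields[6], 8),   # octal register of the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers

def audit_host(ntpq_output, max_offset_ms=50.0):
    """Return a list of problems; an empty list means the host looks synced."""
    peers = parse_peers(ntpq_output)
    problems = [f"{p['remote']}: unreachable (reach=0)"
                for p in peers if p["reach"] == 0]
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        problems.append("no peer selected, clock is not synchronized")
    for p in selected:
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{p['remote']}: offset {p['offset_ms']} ms "
                            f"exceeds {max_offset_ms} ms")
    return problems

# Constructed `ntpq -p` captures; host and peer names are placeholders.
HEADER = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
"""
CAPTURES = {
    "web01": HEADER
    + "*ntp1.example.net .GPS.            1 u   33   64  377   12.410    0.812   0.301\n"
    + "+ntp2.example.net 192.0.2.10       2 u   40   64  377   18.220   -1.954   0.512\n",
    # Typical when UDP port 123 is blocked: never reached, stratum 16.
    "db01": HEADER
    + " ntp1.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000\n",
    "fw01": HEADER
    + "*ntp1.example.net .GPS.            1 u   12   64  377   12.900  180.500   4.100\n",
}

def audit_all(captures):
    return {host: audit_host(text) for host, text in captures.items()}

if __name__ == "__main__":
    for host, problems in audit_all(CAPTURES).items():
        print(host, "OK" if not problems else problems)
```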