[ntp:questions] Re: Secure W32Time

malayter at gmail.com malayter at gmail.com
Mon Mar 20 19:24:35 UTC 2006


According to:
http://tinyurl.com/ft435
  and
http://tinyurl.com/fh8uz

In Windows 2003 SP1 and later, a full NTPv3 implementation with NTPv4
algorithmic enhancements is used. Windows Time Service is apparently no
longer just SNTP, at least on the server side.

However, it appears that only Windows servers in the same domain can
share authenticated time (they use their existing Kerberos session keys
as a shared secret). There does not seem to be a way to configure the
Windows Time Service to use a specific pre-shared key with a
manually-defined server.  I base this on the list of command-line
switches and registry settings provided in the links above. There may
be undocumented ways of accomplishing this with Windows Time. This
omission appears to be "okay" as far as NTP standards are concerned,
because authentication is an optional part of RFC-1305 and RFC-2030.

Incidentally, I recently configured a Windows 2003 SP1 server with the
same time sources as I use for ntpd, and set up monitoring. It seems to
maintain accuracy within a couple of milliseconds relative to my NTP v4
box after a few hours. This surprises me. Perhaps Windows 2003 SP1
finally provides "real" NTP. I am planning on a more thorough test of
Windows 2003's Time Service soon. I don't have a local refclock, so I
will probably be doing a long term test comparing ntpd and Windows Time
using the same set of Stratum-1 servers.



