[ntp:questions] Secure W32Time

Danny Mayer mayer at ntp.isc.org
Tue Mar 21 03:30:53 UTC 2006


Prenard wrote:
> Dear all,
> 
> Is their a possibility in Windows XP or 2003 to make a secure
> connection to one of the public pool time servers?
> If a secure connection to my Windows and to the a public server is
> possible, what kind of authentication method should i configure on my
> 2003 server? Windows can communicate with different security methods:
> - Ecryption and integrity
> - Integrity only
> - Custom: AH and/or ESP (ntegrity with SHA1 or MD5 and Encryption
> algorithm with 3DES or DES)
> 
> I want to pay more attention on the security leaks from my server to
> the public connection.
> 

You have a lot of basic misunderstandings on how to secure a server. If
you want to deal with w32time you should be asking in a Microsoft news
group as noone in this newsgroup can give you much in the way of advice
on dealing with w32time. In any case w32time violates the requirements
of the sntp protocol and it is certainly not ntp protocol compliant.

NTP uses UDP and you cannot realistically encrypt any UDP packets since
it is a connectless protocol. You really need TCP for that. It is even
worse when you deal with time itself since you need to worry about the
time taken to encrypt and decrypt packets, how encryption depends on a
good accurate time source, and a whole variety of other issues. The best
that NTP can do is authenticate the server sending the NTP packets, but
you need the reference implementation of ntp or another protocol
compliant implementation for that since w32time cannot do that.

Ignoring all of these issues what has this got to do with security leaks
from your server? Windows is full of security problems. If you want to
secure your server you need to spent time learning how to do it, worry
about the services you are running and how secure they are, viruses,
worms, spyware, etc.

Danny



More information about the questions mailing list