Setting up an authoritative time server in compliance with PCI DSS

mrbals

New Member
Hello folks. I want to implement an authoritative time server in compliance with the PCI DSS standard. I have my environment as follows: a DC running Server 2008 R2 and application servers running Server 2012 and 2008 R2. I want to make a member server in the DMZ the time source for the server with the PDC emulator role. The challenge is that I am simulating this in a virtual environment using VMware. I used the following commands on the PDC:

C:\>net stop w32time

Configure the external time sources, type: C:\>w32tm /config /syncfromflags:manual /manualpeerlist:<address of the server in the DMZ>

Make your PDC a reliable time source for the clients. Type: C:\>w32tm /config /reliable:yes

I ran these same commands on the server in the DMZ, with the exception of this command: C:\>w32tm /config /reliable:yes

The commands run successfully, but when I run the command w32tm /query /source, I get the result "Free-running System Clock", even after running the command w32tm /resync /rediscover.
As I didn't get the desired result, I enabled the NTP server setting in the local group policy on the server in the DMZ, and set the NTP client setting on the server with the PDC emulator role.
Please, any ideas on fixing the problem and getting the PDC emulator to sync with the server in the DMZ? Thank you in advance.
 
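The procedure in the post above, written out as an added PowerShell example (not code from the original post, and not from any guide the thread links to). It configures the PDC emulator against a fixed list of trusted peers and then verifies the result with w32tm, which is where the original attempt stalled. The peer names are placeholders: for the DMZ model the list holds the address of the DMZ time server, for the direct model it holds the specific external servers you have agreed with your QSA. The role check uses the Win32_ComputerSystem DomainRole value (5 = primary domain controller), so it needs no ActiveDirectory module and runs on 2008 R2 as well as 2012.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# host holding the PDC emulator role. ASSUMPTION: the peer names below are
# placeholders; replace them with the specific, trusted time sources you have
# agreed on (the DMZ time server, or the external servers the QSA accepts).
$Peers = @('ntp1.example.net', 'ntp2.example.net')

# ",0x8" = client mode: send requests, never symmetric-active. Peers go into one
# space-separated string; PowerShell passes it to w32tm as a single argument.
$PeerList = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '

# Only the PDC emulator should sync from outside the domain; refuse to run elsewhere.
$role = (Get-WmiObject Win32_ComputerSystem).DomainRole
if ($role -ne 5) {
    throw "This host reports DomainRole=$role; run this on the PDC emulator (DomainRole=5)."
}

# Service must be running for /update to notify it of the new configuration.
Start-Service w32time

# Manual peers, mark the PDC reliable, and push the change to the running service.
w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:manual /reliable:yes /update

# /reliable:yes sets AnnounceFlags to 5 (always time server, always reliable);
# read it back rather than trusting the command's exit text.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' -Name AnnounceFlags |
    Select-Object AnnounceFlags

Restart-Service w32time
w32tm /resync /rediscover

# Verification. Expect Type: NTP and your peer list in /configuration, and
# /source naming one of the peers rather than "Free-running System Clock" or
# "Local CMOS Clock". The first poll can take a minute after the restart.
w32tm /query /configuration
w32tm /query /source
w32tm /query /status

# Reachability of each peer over UDP/123 from this host. Timeouts here mean the
# network path (host or perimeter firewall) is the problem, not the w32tm settings.
foreach ($p in $Peers) {
    w32tm /stripchart /computer:$p /samples:3 /dataonly
}
```

Two caveats that bite in exactly the setup described: if /query /source still reports a free-running clock after this, run the stripchart loop first, because w32tm silently falls back to the local clock when no peer answers; and in a VMware guest, the VMware Tools periodic time synchronization should be turned off for the VM that is meant to be the authoritative source, otherwise the hypervisor and w32time will keep correcting each other.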

PabloTeK

Active Member
First of all, for PCI DSS you need to make sure that the source servers are trusted and are specific IPs; an "any" outbound rule for NTP won't please an auditor, I can tell you that! Try some of these if you're US-based: http://tf.nist.gov/tf-cgi/servers.cgi

I assume you're following this guide: http://defaultreasoning.com/2009/11...xternal-ntp-server-on-windows-server-2008-r2/ - If so, are you restarting w32time?

P.S. You can have the primary DC as the server that gets NTP (in fact I'd recommend it, to remove headaches). I've set this up in a PCI environment before on advice from a QSA; it's only contacting outbound on UDP/123, so there's no need to have a DMZ server do it!
 

mrbals

New Member
Not that guide actually, but the same content as the guide I used. I have restarted w32time a couple of times, but no desired result. However, I would actually prefer the PDC syncing with the external NTP servers. So I presume you got PCI DSS certification on this stated model of the PDC syncing with the external source, which would save me the headache of the DMZ model. Secondly, can you post a link to globally trusted servers, as I am not in the USA but in West Africa. Thank you PabloTeK
 

PabloTeK

Active Member
Hmm, reading up on the DMZ model (which you're implementing), it seems to be the one most QSA-approved companies propose. Although it seems to depend on what is classed as the network segment! I've had no complaints from QSAs or ISO 27001 auditors over either model, so long as the server that contacts the internet can't contact the CDE.

In all honesty, those commands should work, and it looks to be similar for DCs regardless. Can you confirm your DC can definitely contact that DMZ server on UDP/123? It should be:

Windows PDC -- UDP/123 --> DMZ time server -- UDP/123 outbound ONLY --> Trusted NTP servers

Finally, using a domain member in the DMZ is also not the greatest idea ever; a Linux/UNIX server properly configured with local accounts is a better bet. :)

A link to some NTP servers in SA for you: http://www.time.org.za/
 

mrbals

New Member
Thanks mate. I have implemented the PDC-to-external-time-source model, so the PDC can synchronize with the external time source. However, the domain servers are not syncing with their domain controller peers, nor are some other member servers. The client machines can sync with it too. I noticed the other servers are not connecting on port 123, nor is the PDC. What I find confusing is how the clients are syncing if 123 is not listening, because when I run "netstat -aon" I don't see UDP 123 listed. Any advice on how to enable port 123 manually on the other servers? Thank you
 
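The "nothing on UDP/123" question in the post above is a diagnosis problem, so here is an added PowerShell example (not from the original post) that walks through the checks in order: service state, which W32Time providers are enabled, what is actually bound to the port, and the host firewall. The two points it makes explicit are that only a host meant to serve time needs the NtpServer provider enabled (it is on by default on a DC and off on member servers, and a member that only consumes time does not need to be reachable on 123 at all), and that a default Windows Firewall has no inbound NTP rule, so a DC that is supposed to answer the domain needs one added. The host name dc01 and the 10.0.0.0/8 range are placeholders. The cmdlets Get-NetUDPEndpoint and New-NetFirewallRule exist only on Server 2012 and later, so the 2008 R2 boxes in the thread take the netstat/netsh branches.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# server you are investigating (the PDC, a DC, or a member server).
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# 1. Is the service even running, and what does it think its source is? A stopped
#    service binds nothing, so netstat will show no UDP/123 whatever the config says.
Get-Service w32time | Select-Object Name, Status
w32tm /query /source
w32tm /query /status

# 2. Which providers are enabled, and which sync mode is in use.
#    NtpClient Enabled=1 is the default everywhere. NtpServer Enabled=1 is the default
#    on a DC and 0 on a member server; with it off, the host never answers requests.
#    Type NT5DS = follow the domain hierarchy; NTP = use the manual peer list.
Get-ItemProperty "$w32\TimeProviders\NtpClient" -Name Enabled | Select-Object Enabled
Get-ItemProperty "$w32\TimeProviders\NtpServer" -Name Enabled | Select-Object Enabled
Get-ItemProperty "$w32\Parameters" -Name Type | Select-Object Type

# 3. What is bound to UDP/123 right now. Get-NetUDPEndpoint is 2012+; fall back to
#    netstat on 2008 R2. An empty result with the service running usually means the
#    service restarted and has not opened its socket yet, so re-run after a moment.
if (Get-Command Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
    Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue
} else {
    netstat -ano -p udp | Select-String ':123\s'
}

# 4. Turn the server provider on. Do this ONLY on hosts that are supposed to serve
#    time (the DCs); leave member servers that just consume time alone.
function Enable-NtpServerProvider {
    Set-ItemProperty "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    Restart-Service w32time
}

# 5. Allow inbound NTP through the host firewall, scoped to the internal ranges that
#    should be asking this host for time. ASSUMPTION: 10.0.0.0/8 is a placeholder.
function Add-NtpInboundRule {
    param([string[]]$RemoteAddress = @('10.0.0.0/8'))
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'NTP Server (UDP-In)' -Direction Inbound `
            -Protocol UDP -LocalPort 123 -RemoteAddress $RemoteAddress -Action Allow
    } else {
        $ips = $RemoteAddress -join ','
        netsh advfirewall firewall add rule name="NTP Server (UDP-In)" dir=in `
            action=allow protocol=UDP localport=123 remoteip=$ips
    }
}

# 6. From a member server, prove the DC answers on UDP/123. A timeout here with
#    NtpServer=1 on the DC points at the firewall rule in step 5 or the network in
#    between, not at the member's own configuration.
# ASSUMPTION: dc01 is a placeholder for the PDC emulator's name.
w32tm /stripchart /computer:dc01 /samples:3 /dataonly
w32tm /resync /rediscover

# 7. Anything w32time complained about recently (source changes, unreachable peers).
Get-WinEvent -LogName System -ProviderName Microsoft-Windows-Time-Service -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

The usual order of findings in a setup like this one: the PDC has NtpServer=1 but no inbound firewall rule, so the DCs and members time out against it and fall back to "Free-running System Clock"; the member servers are fine as they are, because they only send requests and need nothing listening. Call Enable-NtpServerProvider and Add-NtpInboundRule on the DC, not on the members, and then repeat step 6 from a member to confirm.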