v1.116.0: NTP clock-tamper protection + auth audit #52
Merged
Add NTP Configuration [8] Clock-Tamper Protection plus a read-only CLI action. Targets the real Windows Time security knobs rather than a Unix-style symmetric-key file (which does not exist on Windows).

- NtpHardeningAudit (read-only): reports sync type (NT5DS/NTP/NoSync), whether the source is authenticated (domain MS-SNTP) or unauthenticated (manual NTP), the MaxPos/MaxNegPhaseCorrection limits (decoding 0xFFFFFFFF as Unbounded), and RequireSecureTimeSyncRequests. JSON-aware.
- Clock-Tamper Protection (reversible): bounds MaxPos/MaxNegPhaseCorrection to a chosen cap (default 48h = the DC default; closes the unbounded default domain members ship with, so a wrong/hostile time source cannot jump the clock arbitrarily and break Kerberos). Prior values captured for undo; Dry-Run aware; corrections past the cap are logged, not applied.

Windows has no standalone ntp.keys file; authenticated NTP is MS-SNTP keyed from the machine account via the domain hierarchy (legacy MD5-derived). The feature audits that path instead of exposing a keys file that does not exist.

Addition to 19-NTPConfiguration. CLI actions 197 -> 198. Section 183 added; 5099 structural tests green.
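The two actions the PR describes, written out as an added example (not the project's code) against the W32Time registry keys they audit; the function names, the default cap argument and the DryRun switch are this example's own choices.

```powershell
# Added example: read-only audit of the W32Time knobs named in the PR, plus a
# reversible cap on MaxPos/MaxNegPhaseCorrection. Not the project's own code.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$Config = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

function Get-NtpHardeningAudit {
    [CmdletBinding()] param([uint32]$CapSeconds = 172800)   # 48 h, the DC default
    $p = Get-ItemProperty -Path $Params
    $c = Get-ItemProperty -Path $Config
    # Get-ItemProperty hands DWORDs back as Int32, so 0xFFFFFFFF arrives as -1; widen it first.
    $decode = {
        param($v)
        $u = [uint32]($v -band 0xFFFFFFFF)
        if ($u -eq [uint32]::MaxValue) { 'Unbounded' } else { $u }
    }
    $pos = & $decode $c.MaxPosPhaseCorrection
    $neg = & $decode $c.MaxNegPhaseCorrection
    [pscustomobject]@{
        SyncType                      = $p.Type                 # NT5DS / NTP / NoSync / AllSync
        Authenticated                 = ($p.Type -eq 'NT5DS')   # domain MS-SNTP; manual NTP is unauthenticated
        NtpServer                     = $p.NtpServer
        MaxPosPhaseCorrection         = $pos
        MaxNegPhaseCorrection         = $neg
        RequireSecureTimeSyncRequests = [bool]$c.RequireSecureTimeSyncRequests
        # Only true when both limits are finite and no larger than the chosen cap
        WithinCap = ($pos -ne 'Unbounded' -and $neg -ne 'Unbounded' -and
                     $pos -le $CapSeconds -and $neg -le $CapSeconds)
    }
}

function Set-NtpClockTamperProtection {
    [CmdletBinding()] param([uint32]$CapSeconds = 172800, [switch]$DryRun)
    $c = Get-ItemProperty -Path $Config
    # Capture the prior values so the change can be undone
    $prior = @{
        MaxPosPhaseCorrection = $c.MaxPosPhaseCorrection
        MaxNegPhaseCorrection = $c.MaxNegPhaseCorrection
    }
    foreach ($name in @($prior.Keys)) {
        if ($DryRun) { Write-Host "[DryRun] $name -> $CapSeconds (was $($prior[$name]))"; continue }
        Set-ItemProperty -Path $Config -Name $name -Value $CapSeconds -Type DWord
    }
    if (-not $DryRun) { w32tm /config /update | Out-Null }   # make W32Time re-read its config
    return $prior
}
```

`Get-NtpHardeningAudit | ConvertTo-Json` gives the JSON form; both functions need an elevated session to read and write the W32Time keys.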
Codecov Report ✅ All modified and coverable lines are covered by tests.
v1.116.0 — NTP clock-tamper protection + time-authentication audit
NTP Configuration → [8] Clock-Tamper Protection plus a read-only CLI action. Targets the real W32Time security knobs rather than a Unix-style keys file (which does not exist on Windows).

- NtpHardeningAudit (read-only) — sync type (NT5DS/NTP/NoSync), authenticated (domain MS-SNTP) vs unauthenticated (manual NTP) source, MaxPos/MaxNegPhaseCorrection (decoding 0xFFFFFFFF as "Unbounded"), and RequireSecureTimeSyncRequests. JSON-aware.
- Clock-Tamper Protection (reversible) — bounds MaxPos/MaxNegPhaseCorrection to a chosen cap (default 48 h = the DC default). Closes the unbounded default domain members ship with, so a wrong/hostile time source cannot jump the clock arbitrarily and break Kerberos. Prior values captured for undo; Dry-Run aware; corrections past the cap are logged, not applied.

Platform note: Windows has no standalone ntp.keys file — authenticated NTP is MS-SNTP, keyed from the machine account via the domain hierarchy (legacy MD5-derived). The feature audits that path instead of exposing a keys file that does not exist.

CLI actions 197 → 198. Section 183 added (5099 structural tests, all green).