3.3.7 has a weight of -1 points

System Security Plan (SSP) for [Company Name]

Control Number: 3.3.7

Control Title: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.

II. Implementation at [Company Name]:

A. SIEM Tool Time Synchronization: Our SIEM tool synchronizes its time with public time servers. This ensures that the timestamps provided are consistent with universally accepted time standards.

B. Azure-Joined Computers: Computers integrated with Azure synchronize automatically with public time servers. This adds a layer of consistency and accuracy to our timestamp recording.

C. Domain Controller as the Authoritative Time Source: Group policies designate the domain controller as the authoritative time source for the domain. This controller sources its time from internal Microsoft time servers, which in turn derive their time from Microsoft’s Stratum 1 devices equipped with GPS antennas.

D. Time Synchronization Service: Every host computer boasts a time synchronization service. This service, familiar with the designated time servers, checks periodically if computer clocks need adjustment. Should discrepancies arise, the service makes the necessary corrections. This meticulous synchronization process ensures that our audit logs bear consistent timestamps.

E. Time Measurement & Granularity: Internal system clocks generate timestamps, capturing both date and time. These timestamps are presented in Coordinated Universal Time (UTC)—a contemporary iteration of Greenwich Mean Time (GMT)—or as local time adjusted from UTC. The granularity of our time measurement synchronizes our system clocks with reference clocks. Different granularities are set for different system components to guarantee timestamp precision.

IV. Compliance with IETF Standards: Our dedication to time synchronization complies with the standards delineated by the IETF, as outlined in IETF 5905. This ensures our synchronization methods align with globally accepted best practices.

Plan of Action and Milestones (POA&M) for [Company Name] Control Number: 3.3.7

1. Objective: Ensure the accuracy and consistency of timestamps by synchronizing internal system clocks with an authoritative source for audit record purposes.

2. Milestones:

M1: SIEM Tool Time Synchronization Review

• Action: Verify that the SIEM tool’s synchronization with public time servers is functioning as expected.
• Completion Date: [Date]
• Responsible Party: IT Department

M2: Azure-Joined Computers Synchronization Check

• Action: Conduct an audit to ensure that all Azure-joined computers are correctly synchronizing with public time servers.
• Completion Date: [Date]
• Responsible Party: Azure Admin Team

M3: Domain Controller Time Source Verification

• Action: Validate that the domain controller is indeed acting as the authoritative time source and is synchronizing with the internal Microsoft time servers.
• Completion Date: [Date]
• Responsible Party: Domain Admin Team

M4: Time Synchronization Service Audit

• Action: Assess each host computer’s time synchronization service to guarantee that they are functioning correctly and making adjustments when required.
• Completion Date: [Date]
• Responsible Party: IT Department

M5: Time Measurement & Granularity Assessment

• Action: Confirm that the timestamps generated are in the proper formats (UTC or local time with UTC offset) and that granularity settings are appropriately applied for different system components.
• Completion Date: [Date]
• Responsible Party: IT Department

Here’s a step-by-step guide to configuring time synchronization using group policies in Azure:

Azure VMs (virtual machines) are typically synchronized with time servers by default (thanks to the Azure infrastructure), these steps ensure that VMs within your Azure AD Domain Services-managed domain adhere to the time settings you specify in group policies.

1. Setup Azure AD Domain Services:

   • If you haven’t already, set up Azure AD Domain Services following Azure’s documentation.

2. Access the Group Policy Management Console:

   • From an Azure VM joined to your managed domain or a domain-joined computer, sign in using a user account that’s a member of the AAD DC Administrators group.
   • Open the Server Manager. From the “Tools” menu, select “Group Policy Management.”

3. Create or Edit a Group Policy Object (GPO):

   • In the Group Policy Management Console, navigate to Forest: your domain > Domains > your domain.
   • Right-click on the “Default Domain Policy” or another GPO of your choice and select “Edit.”

4. Navigate to Time Service Settings:

   • In the Group Policy Management Editor, navigate to: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service.
   • You’ll find several configurations here related to time service.

5. Configure the Time Service:

   • Double-click on “Configure Windows NTP Client”.
   • Set it to “Enabled”.
   • Under options, set the “Type” to “NT5DS” to synchronize time from the domain hierarchy.
   • If you want to specify an external time source, you can use the “NtpServer” field. Enter the DNS name or IP address of the external time source followed by ,0x1 (e.g., time.windows.com,0x1).

6. Additional Time Service Settings:

   • While still in the Windows Time Service folder, you may want to configure other settings such as:
     • “Enable Windows NTP Client”: Ensure it’s set to “Enabled”.
     • “Enable Windows NTP Server”: If you want the machine to act as an NTP server for other devices, set this to “Enabled”.

7. Close the Group Policy Management Editor.

8. Link the GPO:

   • If you’ve created a new GPO instead of editing the default, make sure to link it to an Organizational Unit (OU) containing the computer objects you want the policy to apply to.

9. Force Group Policy Update:

   • On the affected machines, you can force a group policy update by running the command: gpupdate /force in the Command Prompt or PowerShell.

10. Verify the Configuration:

• After the policy has been applied, you can verify the time source on a client machine by running the command: w32tm /query /status in Command Prompt or PowerShell.

Google Cloud Platform (GCP) steps overview:

1. Understand Default Behavior:
   • Google Compute Engine VM instances synchronize with Google’s internal time servers by default, which are highly reliable and use multiple redundant servers and data sources.
   • This default behavior typically ensures that VMs maintain accurate time.
2. Set Custom Time Servers (if needed):
   • If you need VMs to synchronize with a different time server, perhaps to be consistent with other systems in your organization, you can configure them to use the NTP (Network Time Protocol) servers of your choice.
3. Configuring NTP on VMs:
   • On Linux VMs:
     1. Edit the /etc/ntp.conf file.
     2. Add or change the server lines to point to your NTP servers.
     3. Restart the NTP service.
   • On Windows VMs:
     1. Open the “Date and Time” control panel.
     2. Navigate to the “Internet Time” tab.
     3. Click “Change settings…”
     4. Change the server to your NTP server and then click “Update now.”
4. Group Policies for Google Cloud VMs:
   • Google Cloud does not have the same group policy mechanism as Azure AD. If you need to ensure consistent settings across multiple VMs, you might need to use configuration management tools such as Puppet, Chef, or Ansible, or use startup scripts to ensure VMs have the correct time settings when they start up.
5. Monitoring & Logging:
   • Ensure that your monitoring solution checks for time drift on VMs. This will alert you if a VM’s time starts to diverge significantly from the expected time.
   • Google Cloud’s operations suite (formerly Stackdriver) can be used to monitor and log time synchronization status.

Remember that the exact steps or tools might vary based on your organization’s unique requirements and the specific configurations of your VMs. Always consult Google Cloud’s official documentation or support channels when making changes to production systems.