3.3.7 has a weight of -1 points
(Audit and Accountability Family) 7/9
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
Example of System Security Plan (SSP):
System Security Plan (SSP) for [Company Name]
Control Number: 3.3.7
Control Title: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
II. Implementation at [Company Name]:
A. SIEM Tool Time Synchronization: Our SIEM tool synchronizes its time with public time servers. This ensures that the timestamps provided are consistent with universally accepted time standards.
B. Azure-Joined Computers: Computers integrated with Azure synchronize automatically with public time servers. This adds a layer of consistency and accuracy to our timestamp recording.
C. Domain Controller as the Authoritative Time Source: Group policies designate the domain controller as the authoritative time source for the domain. This controller sources its time from internal Microsoft time servers, which in turn derive their time from Microsoft’s Stratum 1 devices equipped with GPS antennas.
D. Time Synchronization Service: Every host computer boasts a time synchronization service. This service, familiar with the designated time servers, checks periodically if computer clocks need adjustment. Should discrepancies arise, the service makes the necessary corrections. This meticulous synchronization process ensures that our audit logs bear consistent timestamps.
E. Time Measurement & Granularity: Internal system clocks generate timestamps, capturing both date and time. These timestamps are presented in Coordinated Universal Time (UTC), a contemporary iteration of Greenwich Mean Time (GMT), or as local time adjusted from UTC. The granularity of our time measurement is the degree to which our system clocks are synchronized with reference clocks. Different granularities are set for different system components to guarantee timestamp precision.
IV. Compliance with IETF Standards: Our dedication to time synchronization complies with the standards delineated by the IETF, as outlined in IETF 5905. This ensures our synchronization methods align with globally accepted best practices.
Example of Plan of Action and Milestones (POA&M):
Plan of Action and Milestones (POA&M) for [Company Name]
Control Number: 3.3.7
- Objective: Ensure the accuracy and consistency of timestamps by synchronizing internal system clocks with an authoritative source for audit record purposes.
- Milestones:
M1: SIEM Tool Time Synchronization Review
- Action: Verify that the SIEM tool’s synchronization with public time servers is functioning as expected.
- Completion Date: [Date]
- Responsible Party: IT Department
M2: Azure-Joined Computers Synchronization Check
- Action: Conduct an audit to ensure that all Azure-joined computers are correctly synchronizing with public time servers.
- Completion Date: [Date]
- Responsible Party: Azure Admin Team
M3: Domain Controller Time Source Verification
- Action: Validate that the domain controller is indeed acting as the authoritative time source and is synchronizing with the internal Microsoft time servers.
- Completion Date: [Date]
- Responsible Party: Domain Admin Team
M4: Time Synchronization Service Audit
- Action: Assess each host computer’s time synchronization service to guarantee that they are functioning correctly and making adjustments when required.
- Completion Date: [Date]
- Responsible Party: IT Department
M5: Time Measurement & Granularity Assessment
- Action: Confirm that the timestamps generated are in the proper formats (UTC or local time with UTC offset) and that granularity settings are appropriately applied for different system components.
- Completion Date: [Date]
- Responsible Party: IT Department
AZURE - configuration:
Here’s a step-by-step guide to configuring time synchronization using group policies in Azure:
Azure VMs (virtual machines) are typically synchronized with time servers by default, thanks to the Azure infrastructure. These steps ensure that VMs within your Azure AD Domain Services-managed domain adhere to the time settings you specify in group policies.
- Set up Azure AD Domain Services:
  - If you haven’t already, set up Azure AD Domain Services following Azure’s documentation.
- Access the Group Policy Management Console:
  - From an Azure VM joined to your managed domain or a domain-joined computer, sign in using a user account that’s a member of the AAD DC Administrators group.
  - Open the Server Manager. From the “Tools” menu, select “Group Policy Management.”
- Create or Edit a Group Policy Object (GPO):
  - In the Group Policy Management Console, navigate to Forest: your domain > Domains > your domain.
  - Right-click on the “Default Domain Policy” or another GPO of your choice and select “Edit.”
- Navigate to Time Service Settings:
  - In the Group Policy Management Editor, navigate to: Computer Configuration > Policies > Administrative Templates > System > Windows Time Service.
  - You’ll find several configurations here related to time service.
- Configure the Time Service:
  - Double-click on “Configure Windows NTP Client”.
  - Set it to “Enabled”.
  - Under options, set the “Type” to “NT5DS” to synchronize time from the domain hierarchy.
  - If you want to specify an external time source, you can use the “NtpServer” field. Enter the DNS name or IP address of the external time source followed by ,0x1 (e.g., time.windows.com,0x1).
- Additional Time Service Settings:
  - While still in the Windows Time Service folder, you may want to configure other settings such as:
    - “Enable Windows NTP Client”: Ensure it’s set to “Enabled”.
    - “Enable Windows NTP Server”: If you want the machine to act as an NTP server for other devices, set this to “Enabled”.
- Close the Group Policy Management Editor.
- Link the GPO:
  - If you’ve created a new GPO instead of editing the default, make sure to link it to an Organizational Unit (OU) containing the computer objects you want the policy to apply to.
- Force Group Policy Update:
  - On the affected machines, you can force a group policy update by running the command gpupdate /force in the Command Prompt or PowerShell.
- Verify the Configuration:
  - After the policy has been applied, you can verify the time source on a client machine by running the command w32tm /query /status in Command Prompt or PowerShell.
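The verification step can be scripted so that its result is kept as audit evidence. The following is an added example, not part of the original guide: it parses the text printed by w32tm /query /status and lists anything that would undermine audit timestamps. The sample outputs are constructed, English-language output is assumed, and dc01.corp.example.com is a placeholder host name.

```python
import re

# Constructed sample of `w32tm /query /status` output (not captured from a real host).
SYNCED = """\
Leap Indicator: 0(no warning)
Stratum: 4 (secondary reference - syncd by (S)NTP)
Precision: -23 (119.209ns per tick)
Root Delay: 0.0312500s
Root Dispersion: 0.0458374s
ReferenceId: 0x0A000004 (source IP:  10.0.0.4)
Last Successful Sync Time: 6/1/2024 10:15:32 AM
Source: dc01.corp.example.com
Poll Interval: 10 (1024s)
"""
# Constructed, abbreviated sample for a host that has never synchronized.
UNSYNCED = """\
Leap Indicator: 3(not synchronized)
Stratum: 0 (unspecified)
Last Successful Sync Time: unspecified
Source: Local CMOS Clock
"""
# Source values that mean the host is running on its own clock.
UNSYNCED_SOURCES = {"local cmos clock", "free-running system clock"}

def parse_status(text):
    """Turn the 'Key: value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def findings(text, approved_sources):
    """Return a list of problems; an empty list means the host passes the check."""
    f, out = parse_status(text), []
    leap = re.match(r"\d+", f.get("leap indicator", ""))
    stratum = re.match(r"\d+", f.get("stratum", ""))
    source = f.get("source", "").split(",")[0].strip().lower()  # drop ",0x1" style flags
    if leap is None or leap.group() == "3":
        out.append("clock not synchronized (leap indicator)")
    if stratum is None or not 1 <= int(stratum.group()) <= 15:
        out.append("invalid stratum")
    if source in UNSYNCED_SOURCES:
        out.append("running on local clock, no time source")
    elif source not in {s.lower() for s in approved_sources}:
        out.append(f"unapproved time source: {source}")
    if f.get("last successful sync time", "unspecified") == "unspecified":
        out.append("no successful sync recorded")
    return out
```

On a live host the text passed to findings() would be the captured output of the command, and the approved set would list the domain controllers named in the SSP.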
Google Cloud Platform (GCP) configuration:
Google Cloud Platform (GCP) steps overview:
- Understand Default Behavior:
  - Google Compute Engine VM instances synchronize with Google’s internal time servers by default, which are highly reliable and use multiple redundant servers and data sources.
  - This default behavior typically ensures that VMs maintain accurate time.
- Set Custom Time Servers (if needed):
  - If you need VMs to synchronize with a different time server, perhaps to be consistent with other systems in your organization, you can configure them to use the NTP (Network Time Protocol) servers of your choice.
- Configuring NTP on VMs:
  - On Linux VMs:
    - Edit the /etc/ntp.conf file.
    - Add or change the server lines to point to your NTP servers.
    - Restart the NTP service.
  - On Windows VMs:
    - Open the “Date and Time” control panel.
    - Navigate to the “Internet Time” tab.
    - Click “Change settings…”
    - Change the server to your NTP server and then click “Update now.”
- Group Policies for Google Cloud VMs:
  - Google Cloud does not have the same group policy mechanism as Azure AD. If you need to ensure consistent settings across multiple VMs, you might need to use configuration management tools such as Puppet, Chef, or Ansible, or use startup scripts to ensure VMs have the correct time settings when they start up.
- Monitoring & Logging:
  - Ensure that your monitoring solution checks for time drift on VMs. This will alert you if a VM’s time starts to diverge significantly from the expected time.
  - Google Cloud’s operations suite (formerly Stackdriver) can be used to monitor and log time synchronization status.
Remember that the exact steps or tools might vary based on your organization’s unique requirements and the specific configurations of your VMs. Always consult Google Cloud’s official documentation or support channels when making changes to production systems.
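A drift check of the kind the Monitoring & Logging step calls for, as an added example that is not part of the original guide: it decodes an NTP server reply, applies the offset and delay formulas from RFC 5905, and compares the offset with a per-component granularity. The reply bytes, the four timestamps and the threshold values are constructed for illustration.

```python
import struct

NTP_DELTA = 2208988800                      # seconds from 1900-01-01 (NTP) to the Unix epoch
HEADER = struct.Struct("!BBbbII4sQQQQ")     # 48-byte NTP packet header (RFC 5905)

def to_unix(ts64):
    """64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return (ts64 >> 32) - NTP_DELTA + (ts64 & 0xFFFFFFFF) / 2**32

def to_ntp(unix):
    """Unix seconds to a 64-bit NTP timestamp; used here only to build the sample."""
    whole = int(unix)
    return ((whole + NTP_DELTA) << 32) | int((unix - whole) * 2**32)

def check_reply(packet, t4, max_offset):
    """Evaluate a server reply that arrived at client time t4 (Unix seconds)."""
    if len(packet) < HEADER.size:
        return {"ok": False, "reason": "truncated reply"}
    flags, stratum, _, _, _, _, _, _, t1, t2, t3 = HEADER.unpack(packet[:48])
    leap, mode = flags >> 6, flags & 0x7
    # Leap indicator 3 or a stratum outside 1..15 means the server itself has no valid time.
    if mode != 4 or leap == 3 or not 1 <= stratum <= 15:
        return {"ok": False, "reason": "reply is not from a synchronized server"}
    t1, t2, t3 = to_unix(t1), to_unix(t2), to_unix(t3)
    offset = ((t2 - t1) + (t3 - t4)) / 2    # local clock error relative to the server
    delay = (t4 - t1) - (t3 - t2)           # round-trip network delay
    ok = abs(offset) <= max_offset
    return {"ok": ok, "offset": offset, "delay": delay, "stratum": stratum,
            "reason": "within granularity" if ok else "drift exceeds granularity"}

# Constructed sample: client sent at T1, server received at T2 and replied at T3,
# client received at T4. The local clock is 250 ms behind the server.
T1, T2, T3, T4 = 1700000000.000, 1700000000.260, 1700000000.261, 1700000000.021
SAMPLE_REPLY = HEADER.pack((0 << 6) | (4 << 3) | 4, 2, 6, -23, 0, 0, b"\x0a\x00\x00\x04",
                           to_ntp(T2), to_ntp(T1), to_ntp(T2), to_ntp(T3))
# Assumed per-component granularity in seconds (hypothetical values, set by policy).
GRANULARITY = {"domain-controller": 0.050, "workstation": 0.500}

def audit(component):
    """Check the sample reply against the granularity defined for one component."""
    return check_reply(SAMPLE_REPLY, T4, GRANULARITY[component])
```

The same 250 ms offset passes for a workstation and fails for a domain controller, which is how different granularities for different components translate into alerts.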
RELEVANT INFORMATION:
Internal system clocks are used to generate timestamps, which include date and time. Time is expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, for example, clocks synchronizing within hundreds of milliseconds or within tens of milliseconds. Organizations may define different time granularities for different system components. Time service can also be critical to other security capabilities such as access control and identification and authentication, depending on the nature of the mechanisms used to support those capabilities. This requirement provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network. See [IETF 5905].
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.