Solved

NTP Relay Server

Posted on 2013-11-01
15
1,342 Views
Last Modified: 2013-11-15
Hi Experts,

Hopefully you can help with this one

For security we are looking at spinning up an NTP server to act as a relay for external time sources, i.e. have it sync with an external source but have devices in the DMZ and LAN sync with it.

What is the best way to go about this using Windows servers, and can it be done using Web Edition or must it be Standard or above?
Question by:FSIFM
15 Comments
 
LVL 44

Expert Comment

by:Darr247
ID: 39616727
Here's a list of level 2 servers
http://support.ntp.org/bin/view/Servers/StratumTwoTimeServers

According to http://support.ntp.org/bin/view/Servers/RulesOfEngagement you shouldn't connect to a level one server unless your time server services 100 or more clients.

Beyond that, I'm not sure what you're asking... here's how to configure Server 2008
http://support.microsoft.com/kb/816042
Is your version in this list?
Applies to
• Windows Server 2012 Standard
• Windows Server 2012 Essentials
• Windows Server 2008 R2 Standard
• Windows Server 2008 R2 Datacenter
• Windows Server 2008 R2 Enterprise
• Windows Server 2008 Standard
• Windows Server 2008 Enterprise
• Windows Server 2008 Datacenter
• Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
• Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
• Microsoft Windows Server 2003, Standard Edition (32-bit x86)
• Microsoft Windows Server 2003, Web Edition
• Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
• Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
• Windows Server 2008 R2 Service Pack 1
LVL 4

Author Comment

by:FSIFM
ID: 39616739
As far as I understand it, connecting to an NTP service exposes systems to risk as it is subset able.

As such we want a "sacrificial" NTP server that can sit in the DMZ and obtain the correct time from an external source.

This can then be called by our DCs to obtain the correct time from, thus providing an additional level of security.
LVL 44

Expert Comment

by:Darr247
ID: 39616846
Ahhhh... "our DC's" is quite a different scenario than I inferred from your original post. :)

If you have more than one DC, they should be syncing themselves to the PDC Emulator Master (aka flexible single master operations or FSMO).
Running
netdom /query fsmo
from a DC's command prompt should tell you which server that is. That would be the one on which you want to focus this effort.
LVL 45

Expert Comment

by:Craig Beck
ID: 39617927
Well, the PDC Emulator role is just one of five FSMO roles.  However, Darr is correct in that you should focus on the DC which holds this role.

This link will show you how to configure the DC to sync time with an external NTP server...

All of the other DCs, member servers and domain-joined clients will automatically synchronize their time with the PDC.
LVL 14

Expert Comment

by:frankhelk
ID: 39620051
If you want to use external sources, I would recommend putting - as described above - a simple Windows machine (or VM) into the DMZ and letting any local client machine sync to that NTP server. A simple Linux machine would do as well - maybe better.

If correct time is a high priority, I would recommend at least 2 machines in the DMZ syncing to external sources (i.e. from pool.ntp.org) and giving both "relay" machines as sources to the clients. There's no need for separate machines either - you might simply equip every machine in the DMZ with an NTP service and have great redundancy. Unless there are hundreds of clients asking for the time every minute, NTP would not have a visible performance impact.

Besides that, I would recommend kicking out the crappy W32time service and using the real thing - a port of the classic NTP service. This would separate the "time master" role from the "DC" role, is free, and is stable as a rock.

See this article for details.

Addendum: Even more secure, you could place a radio controlled NTP appliance (or two, for redundancy) into your local net ... that's no risk at all.
LVL 4

Author Comment

by:FSIFM
ID: 39620945
Cheers frankhelk,

That's exactly the information I've been after.

I also found this article http://securityvulns.com/advisories/timesync.asp/ which was informative.

Would you say best practice then, to guard against potential threats, would be that each host calls a time server, even LAN services? Or, as you said, just use boxes in the DMZ and call the time from them using the DC to then distribute the correct time across the LAN?
LVL 14

Expert Comment

by:frankhelk
ID: 39623667
From my viewpoint, the safest practice would be to place one (or more, if redundancy is needed) radio-controlled time server appliance into the local LAN, not into the DMZ.

Any system in the DMZ is per definition vulnerable to attacks from the outside. Any infected system in the DMZ may possibly infect systems in the otherwise safe LAN (not real threats, only theoretic considerations).

The time server appliances don't need to contact anything on the internet ... they get their time sync from radio signals (GPS, DCF77, and much more) with built-in radio-controlled clocks, and they serve their clients with various timesync protocols, e.g. NTP. Because there's no need for contact, there should be no possibility of contact.

I've worked with such appliances from Meinberg, and have good experiences with 'em. A good starting point would be the M300 series (see here). If redundancy is an issue, these appliances have a nice gimmick: with the latest firmware they are able to form a high availability cluster that acts as a virtual timeserver where the box with the best conditions serves the clients on a common IP address. If one box fails, the next best jumps in and serves on the same IP.

(Statement: This describes only my personal experience. Other boxes may be as good or better. I'm not affiliated with Meinberg in any way and I'm not paid for these statements.)

Unfortunately these boxes cost about the same you'd give for an average PC with a radio clock card - which would be the second choice for that. If you have other server PCs around (like an intranet server, an internal mail server, etc.), you might choose to simply equip one or more of them with radio clock cards and use them as time servers (the performance impact is minimal). I wouldn't recommend using the DCs for that.

For simple redundancy reasons and time service quality I would recommend letting each system (DCs, clients, servers, switches, etc.) call the time source(s) by itself instead of placing a central node in between. If that node fails, the time service breaks. Unnecessary bottleneck/weak spot.

Just for reference: My article on NTP.
LVL 45

Expert Comment

by:Craig Beck
ID: 39623827
I would also say it's not necessary to place an NTP server in a DMZ, especially if it's not servicing external clients.
LVL 14

Expert Comment

by:frankhelk
ID: 39624532
As I've said before, it's not only "not necessary" to put the NTP server into the DMZ, I would in fact avoid it due to security considerations.
LVL 45

Expert Comment

by:Craig Beck
ID: 39624631
I agree there can be security considerations in some instances. However, sometimes it's not possible to not place an NTP server in a DMZ, and in some networks it's actually a requirement in order to provide NTP services for devices inside the DMZ itself. It largely depends on the design of the network/DMZ.

The point I was making was that if you aren't providing NTP services to external devices there's no need to put it in the DMZ.

You will find that PCI-DSS requirements can be met with an NTP server in a DMZ, so it's not entirely frowned upon.
LVL 4

Author Comment

by:FSIFM
ID: 39626646
Cheers for all the info guys

In this instance though, we're not looking at purchasing any new kit. We want to sync with external time sources.

So would it still be the best bet to sync our LAN servers with external time servers?
LVL 4

Author Comment

by:FSIFM
ID: 39642010
Hi Guys, could anyone answer the above just to clarify?
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39642114
Yes, just get one or two devices to sync with external time servers, then get everything else to sync with those.
LVL 14

Accepted Solution

by:frankhelk
frankhelk earned 250 total points
ID: 39643226
My recommendation for the second best solution (behind dedicated, radio controlled appliances) would be:

Use a Windows port of the classic NTP client on all involved machines (any *ix comes with an incarnation of NTP anyhow). Set up at least two servers in your DMZ with an NTP client, and sync those servers to a variety of servers from pool.ntp.org - i.e. put
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org


into your ntp.conf. You don't need to install new machines into the DMZ, just install it on any machine in your DMZ - there's no visible performance impact due to NTP (load on the machines could nevertheless influence the NTP precision, but NTP is designed to cope with that).

Install NTP clients on any machine within your local LAN, including the DCs. Disable W32time wherever you find it (the NTP installer should do that for you in most cases).

Refer to my article for more details, or just ask me in case of problems.
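Added example, not code from any poster in this thread: the relay layout the answers converge on (one or two relays sync with several external pool servers, everything else syncs with the relays) implemented with the built-in Windows Time service (w32tm) for sites that keep W32time rather than installing the NTP port frankhelk recommends. It also covers Darr247's and Craig Beck's point about the PDC Emulator, which is where w32tm's domain hierarchy ends up anyway. The host names ntp1/ntp2.dmz.example.internal, the domain example.internal and the address ranges are assumptions; the pool names are the ones from the accepted answer.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the host indicated
# by each step. Host names, domain name and address ranges are assumptions for illustration.

# --- Step 1 (any DC): find the PDC Emulator, the DC that owns the "time master" role ---
# PowerShell equivalent of "netdom /query fsmo" from the thread.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
"PDC Emulator: $pdc"

# --- Step 2 (each relay, i.e. the PDC emulator or a DMZ box): sync from external sources ---
# Several independent sources let w32tm discard a single peer that is wrong. ",0x8" polls
# each peer in client mode at the service's own interval.
$externalPeers = '0.europe.pool.ntp.org,0x8 1.europe.pool.ntp.org,0x8 ' +
                 '2.europe.pool.ntp.org,0x8 3.europe.pool.ntp.org,0x8'
w32tm /config /manualpeerlist:"$externalPeers" /syncfromflags:manual /reliable:yes /update

# A relay that is not a DC must have the NtpServer provider switched on explicitly
# (on a DC it is already enabled).
$ntpServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
Set-ItemProperty -Path $ntpServerKey -Name Enabled -Value 1

# Only LAN and DMZ ranges may query the relay; nothing on the internet needs UDP/123 inbound.
New-NetFirewallRule -DisplayName 'NTP relay (internal clients only)' -Direction Inbound `
    -Protocol UDP -LocalPort 123 -RemoteAddress '10.0.0.0/8','192.168.0.0/16' -Action Allow

Restart-Service w32time
w32tm /resync /rediscover

# --- Step 3 (LAN hosts that should ask the relays directly, as frankhelk suggests) ---
# Domain members otherwise default to /syncfromflags:DOMHIER and walk up to the PDC
# emulator, which is Craig Beck's variant. Listing both relays gives redundancy.
$relays = 'ntp1.dmz.example.internal,0x8 ntp2.dmz.example.internal,0x8'
w32tm /config /manualpeerlist:"$relays" /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync

# --- Step 4: checks to run after the change ---
w32tm /query /source            # the peer this host is actually using
w32tm /query /status /verbose   # stratum, last successful sync, root dispersion
w32tm /query /peers             # state and reachability of every configured peer
# Offset of this host against one relay, measured directly over UDP/123:
w32tm /stripchart /computer:ntp1.dmz.example.internal /samples:5 /dataonly
# Offset of every DC against the PDC emulator in one table:
w32tm /monitor /domain:example.internal

# Failure mode worth knowing: w32tm will not apply a correction larger than
# MaxPosPhaseCorrection / MaxNegPhaseCorrection (seconds); it only logs the event, so a
# relay whose clock is far off stays off. Read the limits before trusting a "resync":
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config' |
    Select-Object MaxPosPhaseCorrection, MaxNegPhaseCorrection
```

The firewall rule is the piece that makes the relay "sacrificial" in the sense the question asks for: the relay initiates UDP/123 outbound to the pool, but only internal ranges can reach it inbound, so a DMZ placement does not turn it into an open time server. The stripchart and monitor checks are the ones to keep for change verification; the offset they report should settle well under a second once the relays have synced.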
LVL 4

Author Closing Comment

by:FSIFM
ID: 39650841
Cheers for all of your help lads :)