Members of the Administrators, Server Operators, and Local Service groups have this right on domain controllers.

The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page.

Server type or GPO | Administrators Server Operators Local Service | Client Computer Effective Default Settings

This section describes features, tools and guidance to help you manage this policy.

A restart of the device isn't required for this policy setting to be effective.

Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.

Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update:

When a local setting is greyed out, it indicates that a GPO currently controls that setting.

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.

Users who can change the time on a computer could cause several problems.

- Time stamps on event log entries could be made inaccurate.
- Time stamps on files and folders that are created or modified could be incorrect.
- Computers that belong to a domain might not be able to authenticate themselves.
- Users who try to sign in to the domain from devices with inaccurate time might not be able to authenticate.

Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a device's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets.

The risk from these types of events is mitigated on most domain controllers, member servers, and end-user computers because the Windows Time Service automatically synchronizes time with domain controllers in the following ways:

- All desktop client devices and member servers use the authenticating domain controller as their inbound time partner.
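An added example, not part of the original page: one way to audit which principals hold this user right against the default holders. It assumes the assignment was exported with `secedit /export /cfg rights.inf /areas USER_RIGHTS`, where the right appears as `SeSystemtimePrivilege`; the sample export, the `CONTOSO\helpdesk` account, the role labels and the non-domain-controller default are assumptions of this example.

```python
# Added example: audit the "change the system time" right in a secedit export.
# Export on the host with: secedit /export /cfg rights.inf /areas USER_RIGHTS

# Well-known SIDs of the default holders named on this page.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-19": "Local Service",
}
# "domain_controller" default is the one stated on the page. The "member"
# default (Administrators, Local Service) is not stated on this page and is
# assumed here from Windows defaults. Role keys are this example's own labels.
EXPECTED = {
    "domain_controller": {"S-1-5-32-544", "S-1-5-32-549", "S-1-5-19"},
    "member": {"S-1-5-32-544", "S-1-5-19"},
}
PRIVILEGE = "SeSystemtimePrivilege"

def holders(inf_text, privilege=PRIVILEGE):
    """Return the set of principals assigned `privilege` in [Privilege Rights]."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == privilege.lower():
                # SIDs carry a leading '*'; unresolved account names do not.
                return {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return set()  # a right with no holders is absent from the export

def audit(inf_text, role):
    """Return principals holding the right beyond the default for `role`."""
    extra = holders(inf_text) - EXPECTED[role]
    return sorted(WELL_KNOWN.get(p, p) for p in extra)

# Constructed sample export (not from a real host).
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544,*S-1-5-32-549,CONTOSO\\helpdesk
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    for role in EXPECTED:
        print(role, "->", audit(SAMPLE, role) or "matches default")
```

Real exports are usually written as UTF-16, so open the file with `encoding="utf-16"` before passing its text to `holders`.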