

 Documentation\Configuration\Server\Security Settings
    Domain Time II offers exclusive security features to ensure that your network's time is correct and resistant to both intentional and inadvertent interference from other sources.

    Figure: Domain Time II Server Control Panel - Security Settings Tab

      One of the most common ways that time messages are interfered with on a network is the concurrent operation of other time servers. Domain Time II avoids this kind of problem by implementing a client-request/server-response structure for time updates.

      Unlike many time systems that depend upon a time broadcast from a server to passively listening clients, Domain Time II servers do not broadcast time (unless configured to do so by the administrator - see the When to use Heartbeats and NTP Broadcasts page). Instead, servers wait for requests from clients before providing the time, and clients only accept time from the server that they made the request of. This has several advantages:

      • Clients cannot be confused by broadcasts from an extraneous time server
      • Network traffic is minimized
      • Both servers and clients can keep records of the transaction

      In addition to the protection built into the system's basic design, the following additional protections guard against tampering with or interference with your time system:

    Denial of Service (Flooding) Protection

    Another way that your time service can be affected is by Denial of Service (DoS) attacks. DoS attacks are attempts to disable your system's operation by flooding the system with bogus and/or malformed messages. Domain Time II protects against this kind of attack by not allowing any system to monopolize its resources. Any system that exceeds the DoS traffic thresholds you specify has its access automatically blocked for a period of time. Both Domain Time Clients and Servers have this protection.

      This protection is enabled by default, and configured from the Security Settings tab. Note: The security dialog tab is not available on NT 3.51. For NT 3.51, you must use either the DOMTIME.INI file or the registry to configure security settings. These options can also be specified in the DOMTIME.INI file for automated setup with your desired configuration.

      Note: If you use tools such as the DTTest utility that send repeated requests to the server, keep in mind that a rapid test rate can trigger the DoS protection and cause the server to stop responding to your test. You may wish to disable DoS Protection for the duration of your testing or change the thresholds to accommodate your traffic.

      The DoS Protection Enabled checkbox controls whether or not the Denial of Service feature is enabled.

      If any one machine sends more than ___ requests in a ___-second period
      sets the threshold before the DoS protection kicks in.

      Domain Time should stop responding to that machine for ___ seconds
      sets how long any machine that exceeds the DoS threshold will be blocked.
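      The following is an added illustration of how the two DoS settings above interact; it is a model written for this page, not Domain Time II's own code. It assumes the threshold is checked per source address over a sliding window, with request timestamps supplied by the caller, and includes a constructed burst such as a fast DTTest run would produce.

```python
from collections import defaultdict, deque


class DosGuard:
    """Illustrative model of the page's DoS thresholds (not Domain Time II code):
    more than max_requests from one address inside window_seconds blocks that
    address for block_seconds. Timestamps are plain seconds supplied by the caller."""

    def __init__(self, max_requests, window_seconds, block_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.block_for = block_seconds
        self.history = defaultdict(deque)  # address -> recent request timestamps
        self.blocked_until = {}            # address -> time its block expires

    def allow(self, addr, now):
        """Return True if a request from addr at time now should be answered."""
        expiry = self.blocked_until.get(addr)
        if expiry is not None:
            if now < expiry:
                return False               # still blocked: request is ignored
            del self.blocked_until[addr]   # block has expired, start counting afresh
            self.history[addr].clear()
        recent = self.history[addr]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()               # drop requests older than the window
        if len(recent) > self.max_requests:
            self.blocked_until[addr] = now + self.block_for
            recent.clear()
            return False                   # threshold exceeded: start the block
        return True


def simulate(guard, events):
    """events: (timestamp, address) pairs. Returns (timestamp, address, answered)."""
    return [(t, addr, guard.allow(addr, t)) for t, addr in events]


if __name__ == "__main__":
    # Constructed scenario: 5 requests per 10 s allowed, violators blocked for 60 s.
    guard = DosGuard(max_requests=5, window_seconds=10, block_seconds=60)
    burst = [(t, "10.0.0.5") for t in range(7)]         # a DTTest-style rapid burst
    for t, addr, ok in simulate(guard, burst + [(70, "10.0.0.5")]):
        print(f"t={t:3d} {addr} {'answered' if ok else 'ignored'}")
```

      Spacing the same test at one request every few seconds stays under the threshold, which is why a slower test rate (or a raised threshold) avoids tripping the protection.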

    Access Permissions

    Your time service can potentially be degraded by responding to time requests from clients or servers on other network subnets over which you have little control. For example, this can happen if your Domain Time server is accessible from a public network and many other users discover and start to use your server as a time source.

      To prevent this kind of problem, you may specify whether Domain Time should accept or reject time protocol traffic from certain IP addresses. You can specify whether to Permit or Deny traffic from multiple ranges of addresses. This allows you to easily restrict your time traffic to the intended destinations. This protection is available on both Domain Time II Server and several of the Clients.

      If you wish to permit or deny a single IP address, enter it as both the First and Last IP address in the range.

      The default setting is no restrictions.

      These values can also be preset using the DOMTIME.INI template file.
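      The following is an added model of the Permit/Deny range rules described above, written for this page and not taken from Domain Time II. The page does not state how overlapping rules are resolved, so the evaluation order is an assumption: rules are checked in the order entered, the first match wins, an address matching no rule is rejected only when at least one Permit rule exists, and an empty list means no restrictions.

```python
import ipaddress


class AccessList:
    """Illustrative model of the Access Permissions rules (not Domain Time II code).
    A rule is (action, first_ip, last_ip) with action "permit" or "deny"; a single
    host is written with the same address as first and last, as the page describes.
    Assumed evaluation order: rules are checked in the order added and the first
    match wins; with no rules at all there are no restrictions; an address that
    matches nothing is rejected only when at least one permit rule exists."""

    def __init__(self, rules=()):
        self.rules = []
        for action, first, last in rules:
            self.add(action, first, last)

    def add(self, action, first, last):
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range {first}-{last}")
        self.rules.append((action, lo, hi))

    def allows(self, addr):
        """Return True if time-protocol traffic from addr should be answered."""
        ip = ipaddress.ip_address(addr)
        for action, lo, hi in self.rules:
            if ip.version == lo.version and lo <= ip <= hi:
                return action == "permit"
        return not any(action == "permit" for action, _, _ in self.rules)


def filter_sources(acl, sources):
    """Split constructed request sources into (answered, rejected) lists."""
    answered = [s for s in sources if acl.allows(s)]
    rejected = [s for s in sources if not acl.allows(s)]
    return answered, rejected


if __name__ == "__main__":
    # Constructed rules: block one misbehaving host, otherwise permit the local /24 only.
    acl = AccessList([("deny", "192.168.1.50", "192.168.1.50"),
                      ("permit", "192.168.1.0", "192.168.1.255")])
    sources = ["192.168.1.10", "192.168.1.50", "10.0.0.1", "192.168.1.255"]
    print(filter_sources(acl, sources))
```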

    Advanced - Command Restrictions

    When you click on the Advanced button on the Domain Time II Server Security tab, you'll be presented with the Command Restrictions dialog window. You can use these settings to restrict what kind of Domain Time II control and sync messages your server listens for on the network.

    Figure: Domain Time II Server - Command Restrictions dialog

    The default protocol restriction settings assure both maximum functionality and a high degree of security; in most cases you will have no need to adjust them from the defaults. Domain Time II components communicate with each other primarily through directed communication, and are therefore highly resistant to spoofing and malign interference.

    The Domain Time II protocol command restriction capability is intended for use by system administrators in environments where an extra level of security is required, such as running a Server on the open Internet. Using the restrictions list, you can determine exactly what Domain Time II protocol command messages the service is allowed to listen for. Think of the command restriction list as an application-level "firewall" allowing in only the desired Domain Time II commands and blocking any others. Keep in mind that the restriction list only affects incoming DTII protocol commands - outgoing commands are not affected.

    Disabling protocol commands can have unintended consequences for the operation of your entire time distribution network, including the prevention of cascade triggers and sync notifications, which may result in inaccurate clocks. Problems resulting from disabled protocol messages can be quite hard to troubleshoot later, particularly by the next system administrator after you. Make adjustments only if you understand and require them, and be sure you document the changes so you can maintain the consistency and smooth operation of your time network.



Copyright © 1995-2021 Greyware Automation Products, Inc.  All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.
Greyware Automation Products, Inc.
308 Oriole Ct, Murphy, TX 75094
972-867-2794 (voice) 972-208-1479 (fax)
