Setting Clock Synchronization Tolerance to Prevent Replay Attacks
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the Maximum tolerance for computer clock synchronization Group Policy to protect your organization against replay attacks, in which an attacker captures an authentic network exchange off the wire and replays it to the server to gain access to the system. If your clock synchronization tolerance setting is low, the server rejects replayed messages whose allowable time skew has already passed.
The Maximum tolerance for computer clock synchronization Group Policy is set to 5 minutes by default. In most cases, this provides an acceptable level of security. You can increase protection against replay attacks by shortening the maximum tolerance for clock synchronization. Tighter synchronization requirements, however, might result in increased authentication traffic.
Shortening the maximum tolerance reduces exposure to replay attacks because the Kerberos V5 authentication protocol uses time-based authenticators to establish user identities. A replayed authenticator is rejected once its timestamp falls outside the tolerance, so a shorter tolerance leaves a narrower window and makes a replay attack more difficult.
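The following is an added example, not code from the original article or from Windows itself: a simplified model of the server-side freshness check on a Kerberos authenticator, showing how the tolerance bounds the window in which a captured authenticator can still be accepted, and how a replay cache for the same window complements the time check. The principal name, timestamps and scenario are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows default for "Maximum tolerance for computer clock synchronization"
DEFAULT_MAX_SKEW = timedelta(minutes=5)


class AuthenticatorVerifier:
    """Simplified model (not Windows code) of the server-side checks on a
    Kerberos authenticator.  The authenticator carries the client's timestamp;
    the server accepts it only if that timestamp is within max_skew of its own
    clock.  A replay cache covering the same window catches exact repeats that
    are still "fresh" by timestamp; it is optional here so that the effect of
    the time check alone can be seen."""

    def __init__(self, max_skew=DEFAULT_MAX_SKEW, replay_cache=True):
        self.max_skew = max_skew
        self.replay_cache = replay_cache
        self._seen = {}  # (client principal, authenticator timestamp) -> True

    def verify(self, client, auth_time, now):
        # Forget entries whose timestamp has aged past the tolerance: the time
        # check alone would reject them now, so the cache need not keep them.
        self._seen = {k: v for k, v in self._seen.items()
                      if abs(now - k[1]) <= self.max_skew}
        if abs(now - auth_time) > self.max_skew:
            return "rejected: clock skew exceeds tolerance"
        key = (client, auth_time)
        if self.replay_cache and key in self._seen:
            return "rejected: authenticator already seen"
        self._seen[key] = True
        return "accepted"


def replay_outcomes(max_skew_minutes, replay_cache):
    """Constructed scenario: a client authenticates at T0; an attacker who
    captured that exchange replays the same authenticator 3 minutes and then
    7 minutes later.  Returns the server's verdict for each of the three."""
    t0 = datetime(2003, 3, 28, 12, 0, tzinfo=timezone.utc)
    v = AuthenticatorVerifier(timedelta(minutes=max_skew_minutes), replay_cache)
    return [
        v.verify("alice@EXAMPLE.COM", t0, t0 + timedelta(seconds=10)),
        v.verify("alice@EXAMPLE.COM", t0, t0 + timedelta(minutes=3)),
        v.verify("alice@EXAMPLE.COM", t0, t0 + timedelta(minutes=7)),
    ]


if __name__ == "__main__":
    for minutes, cache in [(5, False), (2, False), (5, True)]:
        print(f"tolerance={minutes}m replay_cache={cache}:",
              replay_outcomes(minutes, cache))
```

With the 5-minute default and no replay cache, the 3-minute replay is still accepted by the time check alone; shortening the tolerance to 2 minutes rejects it, and enabling the replay cache rejects it at any tolerance.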
The Maximum tolerance for computer clock synchronization Group Policy can be found in the Default Domain Policy object under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
In general, these settings should be changed only if there is a strong reason to believe that you might be vulnerable to this type of attack.
For more information about time synchronization in Windows Server 2003, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at http://www.microsoft.com/reskit).