Maximum tolerance for computer clock synchronization (Windows)

Module: Active Directory

Supported Platforms: Windows 2000, Windows 2003, Windows 2008

This check reports a problem if this Kerberos Policy setting is higher than the recommended setting of 5 minutes. This check is intended to run only on domain controllers to produce results for specific domains.

The following table lists the error message for the check.

Table: Error message for Maximum tolerance for computer clock synchronization

Message String ID and Category

  String ID: ESM_CLOCK_SYNCH_TOO_HIGH
  Category: Policy Compliance

Platform and Message Numeric ID

  • Windows 2000 (108143)
  • Windows 2003 (208143)
  • Windows 2008 (251143)

Message Title and Description

  Title: Clock synchronization tolerance too high
  Description: When the value for this Kerberos Policy setting is too high, the possibility that a "replay attack" could occur increases. It is recommended that the value for "Maximum tolerance for computer clock synchronization" be set to 5 minutes.

Additional Information

  Severity: yellow-2
  Correctable: false
  Snapshot Updatable: false
  Template Updatable: false
  Information Field Format: [%s]
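
The same comparison can be run offline against a security template, where this setting is stored as MaxClockSkew (in minutes) under the [Kerberos Policy] section, for example in a GPO's GptTmpl.inf. The following is an added example, not ESM's own code and not part of the original page; the function names and the sample templates are assumptions constructed for illustration.

```python
import re

RECOMMENDED_MAX_MINUTES = 5                 # limit stated by the check
MESSAGE_ID = "ESM_CLOCK_SYNCH_TOO_HIGH"     # String ID from the table above

def decode_inf(raw: bytes) -> str:
    """Security templates are usually UTF-16 with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")

def read_max_clock_skew(inf_text: str):
    """Return MaxClockSkew in minutes, or None if the template does not define it."""
    section = None
    for line in inf_text.splitlines():
        line = line.split(";", 1)[0].strip()       # drop INF comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "kerberos policy" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "maxclockskew":
                return int(value)                  # ValueError on a malformed value
    return None

def evaluate(raw: bytes, limit: int = RECOMMENDED_MAX_MINUTES):
    """Return (status, minutes); status is 'ok', 'not_defined' or MESSAGE_ID."""
    minutes = read_max_clock_skew(decode_inf(raw))
    if minutes is None:
        return ("not_defined", None)
    return (MESSAGE_ID if minutes > limit else "ok", minutes)

# Constructed sample templates (not taken from a real domain).
SAMPLE_OK = ("[Unicode]\r\nUnicode=yes\r\n[Kerberos Policy]\r\n"
             "MaxTicketAge = 10\r\nMaxClockSkew = 5\r\n").encode("utf-16")
SAMPLE_HIGH = b"[Kerberos Policy]\r\nMaxClockSkew = 30 ; relaxed for a lab\r\n"
SAMPLE_NONE = b"[System Access]\r\nMinimumPasswordLength = 14\r\n"

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("high", SAMPLE_HIGH), ("none", SAMPLE_NONE)):
        print(name, evaluate(raw))
```

A result of 'not_defined' means only that this template does not set the value; the effective policy then comes from another GPO or from the default.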