Domain Controller STS time guessing OFF

28th August 2023

Domain Controllers may use the time field in SSL connections to guess at the time when other time sources are unavailable. OpenSSL puts random values in this field.

Steve Gibson from the Security Now podcast talks about this here, at the 2-hour time marker.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"UtilizeSslTimeData"=dword:00000000

I’ll put this here for reference

netdom /query fsmo

w32tm /query /configuration

net stop w32time

w32tm /config /syncfromflags:manual /manualpeerlist:"0.ca.pool.ntp.org 1.ca.pool.ntp.org 2.ca.pool.ntp.org"

w32tm /config /reliable:yes

net start w32time

w32tm /query /status

w32tm /query /configuration

w32tm /resync
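
An added example, not from the original post: a PowerShell check that reports whether UtilizeSslTimeData is explicitly 0 and which time source the service currently uses, with an opt-in function that writes the same value as the .reg file above. The function names Get-StsState and Disable-Sts are made up for this example.

```powershell
# Added example: audit the SSL time-data setting and the current time source.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ValueName = 'UtilizeSslTimeData'

function Get-StsState {
    # Read the value; if it is absent, nothing has explicitly turned the feature off.
    $prop = Get-ItemProperty -Path $ConfigKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $prop) { $prop.$ValueName } else { $null }

    # Current time source as reported by the Windows Time service.
    $source = (& w32tm.exe /query /source 2>&1 | Out-String).Trim()

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RegistryValue  = if ($null -eq $raw) { '(not set)' } else { $raw }
        StsDisabled    = ($raw -eq 0)   # only an explicit 0 counts as off
        TimeSource     = $source
        # No external source: the case where SSL time data could be consulted.
        LocalClockOnly = [bool]($source -match 'Local CMOS Clock|Free-running System Clock')
    }
}

function Disable-Sts {
    # Writes UtilizeSslTimeData = 0; supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($ConfigKey, "Set $ValueName = 0")) {
        New-ItemProperty -Path $ConfigKey -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
        # Ask the running service to re-read its configuration.
        & w32tm.exe /config /update | Out-Null
    }
}

$state = Get-StsState
$state | Format-List
if (-not $state.StsDisabled) {
    Write-Warning "$ValueName is not 0 on $($state.Computer); preview the fix with: Disable-Sts -WhatIf"
}
if ($state.LocalClockOnly) {
    Write-Warning "No external time source in use on $($state.Computer): $($state.TimeSource)"
}
```

Run it from an elevated prompt on each domain controller; the read-only part changes nothing, and Disable-Sts only writes when called explicitly.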