Time Sources Tab Security Settings Tab Log Settings Tab Client Timings Tab Advanced Settings Tab

 Top of Page

 Documentation\Configuration\Clients\Windows\Full Client\Security Settings
    Domain Time II offers exclusive security features to ensure that your network's time is correct and resistant to both intentional and inadvertent interference from other sources.

    Domain Time II Full Client Control Panel - Security Settings Tab
    Full Client Control Panel Applet - Security Settings Tab

    Denial of Service (Flooding) Protection


    Automatic protection against Denial of Service (DoS) attacks.

      DoS attacks are attempts to disable your system's operation by flooding the system with bogus and/or malformed messages. Domain Time II protects against these kind of attacks by not allowing any system to monopolize its resources. When DoS protection is enabled, any system that exceeds the DoS traffic thresholds you specify has its access automatically blocked for a period of time.

      DoS Protection Enabled
      DoS protection is enabled when this box is checked. This is the default.

      If any one machine sends more than requests in a -second period,
      Domain Time should stop responding to that machine for seconds

      These fields allow you to specify what level of traffic the client should consider as a DoS attack, and also how long to suspend communication from the offending machine.

      The default settings should be sufficient for most applications, however, you may wish to adjust them if you have different traffic security requirements.

    Access Permissions


    Control which machines can communicate with your client.

      Your time service can potentially be interfered with if you are automatically discovering and/or receiving time signals from unwanted time servers.

      To prevent this kind of problem, you may specify whether Domain Time should accept or reject time protocol traffic from certain IP addresses. You can specify whether to Permit or Deny traffic from multiple ranges of addresses. This allows you to easily restrict your time traffic to come only from the systems you intend.

      If you wish to permit or deny a single IP address, enter it as both the First and Last IP address in the range.

      No restrictions is the default setting.

      These values can also be preset using the DOMTIME.INI template file.

    Advanced - Command Restrictions


    When you click on the Advanced button on the Security tab, you'll be presented with the Command Restrictions dialog window. You can use these settings to restrict what kind of Domain Time II control and sync messages your client listens for on the network.

    Domain Time II Full Client - Command Restrictions dialog
    The Domain Time II Full Client - Command Restrictions Page

    The default protocol restriction settings assure both maximum functionality and a high degree of security; in most cases you will have no need to adjust them from the defaults. Domain Time II components communicate with each other primarily through directed communication, and are therefore highly resistant to spoofing and malign interference.

    The Domain Time II protocol command restriction capability is intended for use by system administrators in environments where an extra level of security is required, such as running a Client on the open Internet. Using the restrictions list, you can determine exactly what Domain Time II protocol command messages the service is allowed to listen for. Think of the command restriction list as an application-level "firewall" allowing in only the desired Domain Time II commands and blocking any others. Keep in mind that the restriction list only affects incoming DTII protocol commands - outgoing commands are not affected.

    Warning:
    Disabling protocol commands can have unintended consequences on the operation of your entire time distribution network, including the prevention of cascade triggers and sync notifications, which may result in inaccurate clocks. Problems resulting from disabled protocol messages can be quite hard to troubleshoot later, particulary by the next system administrator after you. Make adjustments only if you understand and require them, and be sure you document the changes so you can maintain the consistency and smooth operation of your time network.

     

     

    Next Proceed to the Log Settings page
    Back Back to the Time Sources page

Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2018 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.