
Security
Domain Time II Server
Version 5.2

The settings on this page control Domain Time II security.

 

 Denial of Service (Flooding) Protection 

DoS Protection Enabled
      If any one machine sends more than requests in a -second period, ban for: seconds
      Auto-extend ban if abuse continues while IP is banned

Domain Time II has automatic protection against Denial-of-Service (DoS) disruption caused by intentional or accidental flooding of the network.

    Any system that exceeds the DoS traffic thresholds you specify here has its access automatically blocked for a period of time.

    Use the "Auto-extend ban if abuse continues while IP is banned" option if you have persistent bad actors whose bans expire, only to be re-blocked. You can also block them by IP address (see below).

    Note: Even legitimate traffic can be blocked if it occurs too frequently. Take care that time sync requests from any individual machine or any tools that send repeated inquiries/commands to this machine do not exceed your DoS threshold.
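
The threshold, ban and auto-extend behaviour described above can be tried against a traffic sample before you choose values. This is an added example, not Domain Time II code: the sliding-window and ban-timer semantics, the function names and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

def simulate_dos_policy(requests, max_requests, window_s, ban_s, auto_extend):
    """Replay (timestamp_s, source_ip) pairs against an ASSUMED model of the
    DoS threshold: more than max_requests inside a sliding window_s-second
    window bans the source for ban_s seconds. Returns {ip: [(start, end), ...]}.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    ban_until = {}               # ip -> time at which the current ban ends
    bans = defaultdict(list)
    for ts, ip in sorted(requests):
        if ts < ban_until.get(ip, float("-inf")):
            if auto_extend:
                # Assumption: traffic seen during a ban restarts the ban timer.
                ban_until[ip] = ts + ban_s
                bans[ip][-1] = (bans[ip][-1][0], ban_until[ip])
            continue  # request is ignored while the source is banned
        window = recent[ip]
        window.append(ts)
        while window[0] <= ts - window_s:
            window.popleft()
        if len(window) > max_requests:
            ban_until[ip] = ts + ban_s
            bans[ip].append((ts, ban_until[ip]))
            window.clear()
    return dict(bans)

def sample_traffic():
    """Constructed traffic (integer seconds), not captured from a real server."""
    reqs = [(t, "10.0.0.5") for t in range(0, 600, 60)]  # one sync per minute
    # Monitoring tool: 12 queries over 3 seconds, repeated every 2 minutes.
    reqs += [(t + i // 4, "10.0.0.9") for t in range(0, 600, 120) for i in range(12)]
    # Persistent flooder: 5 requests per second for 200 seconds.
    reqs += [(i // 5, "192.0.2.77") for i in range(1000)]
    return reqs

if __name__ == "__main__":
    for extend in (False, True):
        result = simulate_dos_policy(sample_traffic(), 10, 5, 60, extend)
        print("auto-extend:", extend)
        for ip, spans in sorted(result.items()):
            print(f"  {ip}: {len(spans)} ban(s) {spans}")
```

With a threshold of 10 requests in 5 seconds and a 60-second ban, the monitoring tool is banned on every burst, and the flooder is re-banned four times unless auto-extend keeps a single ban open for as long as it keeps sending.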

 

 Access Permissions 

  No restrictions
  Permit only listed range(s)
  Deny any in listed range(s)
IP ranges

 First IP in range
 Last IP in range
  Allow Domain Time II Manager to change the time zone on this machine
           Auto-Manage Windows Firewall

Your time service can potentially be degraded by responding to audit inquiries, sync triggers, and/or time requests from clients or servers on other network subnets over which you have little control. For example, this can happen if your Domain Time Server is accessible from a public network and many other users discover and start to use your server as a time source.

    To prevent this kind of problem, you may specify whether Domain Time should accept or reject time protocol traffic from certain IP addresses. You can specify whether to Permit or Deny traffic from multiple ranges of addresses. This allows you to easily restrict your incoming traffic to only the intended machines.

    If you wish to permit or deny a single IP address, enter it as both the First and Last IP address in the range.

    Allow Domain Time II Manager to change the time zone on this machine
    When checked, you may change the time zone on this machine remotely from Manager.

    Auto-Manage Windows Firewall
    As of Version 5.2.b.20150821, Domain Time supports automatic management of the Windows Firewall to allow access to the required time protocol and control ports. See Auto-Manage Windows Firewall Settings for detailed information.

     

    Command Restrictions

    When you click on the button you'll be presented with the Command Restrictions dialog window. You can use these settings to restrict what kind of Domain Time II control and sync messages your server listens for on the network.

    Command Restrictions Dialog

    The default protocol restriction settings assure both maximum functionality and a high degree of security; in most cases you will have no need to adjust them from the defaults. Domain Time II components communicate with each other primarily through directed communication, and are therefore highly resistant to spoofing and other malign interference.

    The Domain Time II protocol command restriction capability is intended for use by system administrators in environments where an extra level of security is required, such as running a Server on the open Internet. Using the restrictions list, you can determine exactly what Domain Time II protocol command messages the service is allowed to listen for. Think of the command restriction list as an application-level "firewall" allowing in only the desired Domain Time II commands and blocking any others. Keep in mind that the restriction list only affects incoming DTII protocol commands - outgoing commands are not affected.

    Warning:
    Disabling protocol commands can have unintended consequences on the operation of your entire time distribution network, including the prevention of cascade triggers and sync notifications, which may result in inaccurate clocks. Problems resulting from disabled protocol messages can be quite hard to troubleshoot later, particularly by the next system administrator after you. Make adjustments only if you understand and require them, and be sure you document the changes so you can maintain the consistency and smooth operation of your time network.

 


Domain Time II Software distributed by Microsemi, Inc.
Documentation copyright © 1995-2024 Greyware Automation Products, Inc.
All Rights Reserved
All Trademarks mentioned are the properties of their respective owners.