Settings on this page control the Domain Time Security settings.

Domain Time II has automatic protection against Denial-of-Service (DoS) disruption caused by intentional or accidental flooding of the network.

Any system that exceeds the DoS traffic thresholds you specify here has its access automatically blocked for a period of time.

Use the Auto-extend ban if abuse continues while IP is banned option if you have persistent bad actors whose bans expire, only to be re-blocked. You can also block them by IP address (see below).

Note: Even legitimate traffic can be blocked if it occurs too frequently. Take care that any tools that send repeated inquiries/commands to this machine do not exceed your DoS threshold.

Your Client's performance can potentially be degraded by responding to audit inquiries, sync triggers, or other traffic from machines on other network subnets over which you have little control.

To prevent this kind of problem, you may specify whether Domain Time should accept or reject time protocol traffic from certain IP addresses. You can specify whether to Permit or Deny traffic from multiple ranges of addresses. This allows you to easily restrict your incoming traffic to only the intended machines.

If you wish to permit or deny a single IP address, enter it as both the First and Last IP address in the range.

Allow Domain Time II Manager to change the time zone on this machine
When checked, you may change the timezone on this machine remotely from Manager.

Auto-Manage Windows Firewall
As of Version 5.2.b.20150821, Domain Time supports automatic management of the Windows Firewall to allow access to the required time protocol and control ports. See Auto-Manage Windows Firewall Settings for detailed information.

 

Command Restrictions

When you click on the button you'll be presented with the Command Restrictions dialog window. You can use these settings to restrict what kind of Domain Time II control and sync messages your server listens for on the network.

Command Restrictions Dialog   [Click for larger size]

The default protocol restriction settings assure both maximum functionality and a high degree of security; in most cases you will have no need to adjust them from the defaults. Domain Time II components communicate with each other primarily through directed communication, and are therefore highly resistant to spoofing and other malign interference.

The Domain Time II protocol command restriction capability is intended for use by system administrators in environments where an extra level of security is required, such as running a Server on the open Internet. Using the restrictions list, you can determine exactly what Domain Time II protocol command messages the service is allowed to listen for. Think of the command restriction list as an application-level "firewall" allowing in only the desired Domain Time II commands and blocking any others. Keep in mind that the restriction list only affects incoming DTII protocol commands - outgoing commands are not affected.

Warning:

---

Disabling protocol commands can have unintended consequences on the operation of your entire time distribution network, including the prevention of cascade triggers and sync notifications, which may result in inaccurate clocks. Problems resulting from disabled protocol messages can be quite hard to troubleshoot later, particularly by the next system administrator after you. Make adjustments only if you understand and require them, and be sure you document the changes so you can maintain the consistency and smooth operation of your time network.

---

 Proceed to the Symmetric Keys page

 Back to the Broadcasts and Multicasts page