This page controls the Domain Time security settings.
Domain Time II has automatic protection against Denial-of-Service (DoS) disruption caused by intentional or accidental flooding of the network.
Any system that exceeds the DoS traffic thresholds you specify here has its access automatically blocked for a period of time.
Use the "Auto-extend ban if abuse continues while IP is banned" option if you have persistent bad actors whose bans expire, only to be re-blocked.
You can also block them by IP address (see below).
Note: Even legitimate traffic can be blocked if it occurs too frequently. Take care that time sync requests from any individual machine or
any tools that send repeated inquiries/commands to this machine do not exceed your DoS threshold.
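How the threshold, the ban period and the auto-extend option interact can be checked before deployment with a small model. This is an added example, not Domain Time II code: the sliding-window counting, the field names and the numeric values are assumptions for illustration and are not the product's actual algorithm or defaults.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass
class BanPolicy:                      # all fields are assumed, illustrative knobs
    max_packets: int                  # packets tolerated per window from one IP
    window_s: float                   # length of the counting window, seconds
    ban_s: float                      # how long a ban lasts, seconds
    auto_extend: bool                 # models the auto-extend option

@dataclass
class Outcome:
    answered: int = 0
    dropped: int = 0
    bans: int = 0                     # number of separate ban events
    banned_until: Optional[float] = None

def simulate(policy: BanPolicy, arrivals: Iterable[float]) -> Outcome:
    """Replay sorted packet timestamps (seconds) from a single source IP."""
    window = deque()                  # timestamps still inside the window
    out = Outcome()
    for t in arrivals:
        while window and t - window[0] >= policy.window_s:
            window.popleft()
        window.append(t)              # dropped packets still count as traffic
        over = len(window) > policy.max_packets
        banned = out.banned_until is not None and t < out.banned_until
        if banned:
            out.dropped += 1
            if over and policy.auto_extend:
                out.banned_until = t + policy.ban_s   # ban restarts on abuse
        elif over:
            out.bans += 1
            out.dropped += 1
            out.banned_until = t + policy.ban_s
        else:
            out.answered += 1
    return out

# Constructed schedules: a client syncing every 10 s for 10 minutes, and a
# monitoring tool polling once per second for 5 minutes.
CLIENT = range(0, 600, 10)
POLLER = range(0, 300)

if __name__ == "__main__":
    for extend in (False, True):
        p = BanPolicy(max_packets=30, window_s=60, ban_s=120, auto_extend=extend)
        print(extend, simulate(p, CLIENT), simulate(p, POLLER))
```

In this model the once-per-second poller is answered only 30 times either way; without auto-extend it is banned three separate times, with auto-extend it stays under one continuous ban that ends 120 seconds after its last packet.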
Your time service can potentially be degraded by responding to audit inquiries, sync triggers, and/or time requests from clients or servers on other
network subnets over which you have little control. For example, this can happen if your Domain Time Server is accessible from a public network and
many other users discover and start to use your server as a time source.
To prevent this kind of problem, you may specify whether Domain Time should accept or reject time protocol traffic from certain IP addresses.
You can specify whether to Permit or Deny traffic from multiple ranges of addresses. This allows you to easily restrict your incoming traffic to only the intended machines.
If you wish to permit or deny a single IP address, enter it as both the First and Last IP address in the range.
Allow Domain Time II Manager to change the time zone on this machine
When checked, you may change the time zone on this machine remotely from Manager.
Auto-Manage Windows Firewall
As of Version 5.2.b.20150821, Domain Time supports automatic management of the Windows Firewall to allow access to the required time protocol and control ports.
See Auto-Manage Windows Firewall Settings for detailed information.
When you click on the button you'll be presented with the Command Restrictions dialog window. You can use these settings to restrict what kind of
Domain Time II control and sync messages your server listens for on the network.
The default protocol restriction settings assure both maximum functionality and a high degree of security; in most cases you will have no need to adjust them from the defaults.
Domain Time II components communicate with each other primarily through directed communication, and are therefore highly resistant to spoofing and other malign
The Domain Time II protocol command restriction capability is intended for use by system administrators in environments where an extra level of
security is required, such as running a Server on the open Internet. Using the restrictions list, you can determine exactly what Domain Time II protocol
command messages the service is allowed to listen for. Think of the command restriction list as an application-level "firewall" allowing in only the
desired Domain Time II commands and blocking any others. Keep in mind that the restriction list only affects incoming DTII protocol commands - outgoing
commands are not affected.
Disabling protocol commands can have unintended consequences on the operation of your entire time distribution network, including the prevention
of cascade triggers and sync notifications, which may result in inaccurate clocks. Problems resulting from disabled protocol messages can be quite
hard to troubleshoot later, particularly by the next system administrator after you. Make adjustments only if you understand and require them, and be
sure you document the changes so you can maintain the consistency and smooth operation of your time network.