2.2.9 Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment.

Users who are assigned this user right can affect the appearance of event logs.

When a computer's time setting is changed, logged events reflect the new time, not the actual time that the events occurred.

When configuring a user right in the SCM enter a comma delimited list of accounts.

Accounts can be either local or located in Active Directory, they can be groups, users, or computers.

Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on.

Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers.

The recommended state for this setting is: 'Administrators, LOCAL SERVICE'.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE':

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time

See Also

https://workbench.cisecurity.org/files/1941