Phasers to Full

My friend and former colleague called me again. He was
grateful to have an active and operational NTP architecture,
however he had now encountered a slight issue.
On some of his Windows XP clients, the time was more
skewed more than 15 hours. Perhaps some of his users
had inadvertently changed the date, perhaps there had
been a failure in the provisioning procedure; how the
clocks got that far out of phase does not really matter.
What does matter is two default registry values that
prevent the Windows Time service from synchronization
outside of a 54000 second (15 hour) MaxPosPhaseCorrection and/or MaxNegPhaseCorrection.
So, here’s how I told me friend to deal with it.
In the last NTP article I outlined how to use the command
line w32time utility to configure the NTP architecture. For ease of deployment my
friend put that command syntax into a login script. That works nicely since he can
simply add in the following:
REG ADD HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfig
/v MaxNegPhaseCorrection /t REG_DWORD /d 4294967295 /fREG ADD HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesW32TimeConfig /v MaxPosPhaseCorrection
/t REG_DWORD /d 4294967295 /f
What do these commands do?
First, we’re using the “reg.exe” utility native to the
OS. I love built-ins; saves bandwidth!
Next, we’re giving key path. Both the MaxPos and MaxNeg
values are located under HKLMSYSTEMCurrentControlSetServicesW32TimeConfig.
Then, we’re telling “reg.exe” to target the “MaxPosPhaseCorrection”
and “MaxNegPhaseCorrection” values respectively.
Finally, we’re stating that these values are both indeed
(type)REG_DWORD and then modifying the data field from 54000 to 4294967295.
Note: if my arithmetic is correct, that comes out to around 136 years. Cool.
The “/f” simply allows us to overwrite the existing data
in the PhaseCorrection values without dealing with a “yn” prompt.
So, that appeared to work out well for my friend. However,
we should also consider the fact that “reg.exe” can perform the same operation against
remote computers. Simply preface the HKLMwith
a \
ComputerName> and
there you go.
Could be slick to have a centralized script that pumps
“net view” output into an array, the elements of which become values in our “reg.exe” \ComputerName syntax.
That would be elegant, no?
– Jason Pittman, M.S. Network Security
Posted in PCI