A grossly incorrect system time diminishes network security. This, in turn, makes it difficult to obtain the up-to-date time securely over the network. Most network security protocols depend on security keys that expire after a certain period of time, so timekeeping over long periods is critical for tracking the lifetime and expiry of those keys. However, this problem seems to be resolved with the help of Secure Time Seeding in Windows 11/10.
Secure Time Seeding in Windows 11/10
Scenarios where a computer shows incorrect time and date
Below are the scenarios in which the system date and time on a computer incorrectly revert to a date and time at least one day in the past:
- The computer is originally connected to the Internet.
- The computer is turned off and restarted while it’s connected to a closed private network.
- The private network has no SSL servers (and, consequently, the client has no outbound SSL traffic).
Improving timekeeping in Windows; here are the solutions
1] Hosting a custom “Secure” Time Service
Obtaining the current time from a server over a protocol like SSL, while ignoring the errors in time-related protocol validations on the client, is one solution. It is an unfavourable one: any exception to the security validations requires thorough inspection, since it opens the client to potential threats. Another challenge with this solution is that the client may be unable to reach the server from its current network at any given point in time.
2] Secure Time Seeding – a client-side solution:
The secure answer to this issue is the Windows Secure Time Seeding feature, which is part of the Windows Time Service. Using metadata from outgoing SSL connections, this feature actively sets the date and time for a computer. While hosting a custom “Secure” Time Service requires security exceptions, the Secure Time Seeding feature is much more trusted. It works on the principle of trusting only the data from SSL connections established based on the certificates installed on the client, without treating specific certificates differently.
The Secure Time Seeding feature ships in Windows and is turned “ON” by default. Windows tablets and other Windows devices running this version of the OS already use the feature, and it shows advancements in timekeeping.
Prerequisites for Secure Time Seeding feature
This feature requires the following to function:
- The W32time service to be enabled (“Set Time Automatically” Date-Time UI setting enabled)
- Internet connectivity
- Outgoing SSL traffic from the device
To see this feature in action, reset your system clock forward or backward by a week’s time or longer. You will notice that time gets automatically updated after a short duration.
Enable or disable Secure Time Seeding in Windows
To disable:
To disable the Secure Time Seeding feature, go to the registry key below and set the following registry value to ‘0’:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
- Value Name: UtilizeSslTimeData
- Value Type: REG_DWORD
To enable:
- Simply set the above registry value to 1 and reboot your machine.
- Also, ensure that the W32time service is enabled.
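The registry setting and the W32time prerequisite described above can be checked and changed from an elevated PowerShell prompt. This is an added example, not code from the original article or from Microsoft; the function names `Get-SecureTimeSeedingState` and `Set-SecureTimeSeeding` are hypothetical, and treating a missing value as "on" is an assumption based on the article's statement that the feature is on by default.

```powershell
# Added example: audit and change the Secure Time Seeding setting.
# Key path and value name are the ones given in the article.
$ConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$ValueName = 'UtilizeSslTimeData'

function Get-SecureTimeSeedingState {
    # Read the DWORD; $raw stays $null when the value does not exist.
    $raw = (Get-ItemProperty -Path $ConfigKey -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    $svc = Get-Service -Name W32Time -ErrorAction SilentlyContinue

    # Assumption: an absent value means the default, which the article says is ON.
    $configured = ($null -eq $raw) -or ($raw -ne 0)
    # Seeding is part of the Windows Time service, so a disabled service blocks it.
    $serviceOk  = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')

    [pscustomobject]@{
        RegistryValue    = if ($null -eq $raw) { '<not set>' } else { $raw }
        ConfiguredOn     = $configured
        ServiceStatus    = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        ServiceStartType = if ($svc) { "$($svc.StartType)" } else { 'n/a' }
        EffectivelyOn    = $configured -and $serviceOk
    }
}

function Set-SecureTimeSeeding {
    # Requires an elevated session; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][bool]$Enabled)

    $data = [int]$Enabled   # $true -> 1, $false -> 0
    if ($PSCmdlet.ShouldProcess("$ConfigKey\$ValueName", "Set DWORD to $data")) {
        Set-ItemProperty -Path $ConfigKey -Name $ValueName -Value $data -Type DWord
        Write-Warning 'Reboot the machine for the new setting to take effect.'
    }
}

# Report the current state, then preview (without applying) a disable.
Get-SecureTimeSeedingState | Format-List
Set-SecureTimeSeeding -Enabled $false -WhatIf
```

Running `Get-SecureTimeSeedingState` across a fleet gives a quick inventory of machines where the feature has been turned off or where the W32time service is disabled.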
There was one known issue related to timekeeping in Windows client, where the Windows System time jumped. But this seems to have been fixed by Microsoft now.
To read more about Secure Time Seeding in Windows, visit MSDN Blogs.