I have been asked to look into SIEM products (and specifically ELM) and how they are affected by time drift on computers. By default, domain-joined computers will leverage the built-in domain-based time synchronization that has been used for a long time. Someone came across this TechNet article - http://support.microsoft.com/kb/939322. In the article it says:
We do not guarantee and we do not support the accuracy of the W32Time service between nodes on a network. The W32Time service is not a full-featured NTP solution that meets time-sensitive application needs. The W32Time service is primarily designed to do the following:
- Make the Kerberos version 5 authentication protocol work.
- Provide loose sync time for client computers.
The W32Time service cannot reliably maintain sync time to the range of 1 to 2 seconds. Such tolerances are outside the design specification of the W32Time service.
Based on this, some people in our department want to abandon the domain-based time sync and manually configure hundreds of servers to point to our GPS-based NTP devices.
With ELM, does the software overcome the potential computer time drift, and if so, how?
Cheers
Dave