NTP set to loopback?

ImAMacGuy
Valued Contributor II

I'm going through our PCI audit results and one of the things I need to look into is setting up the NTP being configured to loopback. This strikes me as being bad for AD enabled machines and the time drift, or am I not understanding what setting it to loopback actually is? What are the impacts of doing this?

5 REPLIES 5

davidacland
Honored Contributor II

I haven't heard of that being used. It's technical possible, but wouldn't keep accurate time.

We always set them to use the AD domain.

fgeronimo
New Contributor

To implement this, the code below may help. Kudos to @franton

NTP loopback

I am not sure on impact of doing this.

franton
Valued Contributor III

Hello.

I implemented this as per the CIS guide but frankly I think it's pointless. I always point corporate devices to the internal NTP services, whether they be the stratum 1/2 servers or to the AD domain controller(s) IF they're running NTP services. (learned the hard way that Windows Time Services != NTP ... too bad the people I worked for never did).

ImAMacGuy
Valued Contributor II

we have our internal NTP servers & apple's time servers (for DEP reasons). Not sure if there was anything that may not work because of setting to loopback. I thought it was kind of pointless too.

sdagley
Esteemed Contributor II

It doesn't address the CIS guide, but to appease the firewall admins at a previous org that refused to open an NTP port to time.aople.com I had the DNS folks redirect time.apple.com to an internal NTP server. While it'd have been easy enough to edit the hosts file on a Mac this solution also addressed the needs of iOS devices (which I think still have no method to re-direct NTP queries)