Posted on 06-14-2018 01:25 PM
I'm going through our PCI audit results and one of the things I need to look into is NTP being configured to loopback. This strikes me as being bad for AD enabled machines and the time drift, or am I not understanding what setting it to loopback actually is? What are the impacts of doing this?
Posted on 06-14-2018 03:05 PM
I haven't heard of that being used. It's technically possible, but wouldn't keep accurate time.
We always set them to use the AD domain.
Posted on 06-15-2018 11:13 AM
To implement this, the code below may help. Kudos to @franton.
I am not sure on impact of doing this.
Posted on 06-15-2018 12:47 PM
Hello.
I implemented this as per the CIS guide but frankly I think it's pointless. I always point corporate devices to the internal NTP services, whether they be the stratum 1/2 servers or to the AD domain controller(s) IF they're running NTP services. (learned the hard way that Windows Time Services != NTP ... too bad the people I worked for never did).
Posted on 06-18-2018 05:25 AM
We have our internal NTP servers & Apple's time servers (for DEP reasons). Not sure if there was anything that may not work because of setting to loopback. I thought it was kind of pointless too.
Posted on 06-18-2018 06:12 AM
It doesn't address the CIS guide, but to appease the firewall admins at a previous org that refused to open an NTP port to time.apple.com I had the DNS folks redirect time.apple.com to an internal NTP server. While it'd have been easy enough to edit the hosts file on a Mac, this solution also addressed the needs of iOS devices (which I think still have no method to re-direct NTP queries).
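The thread contrasts the CIS-style "loopback" NTP setting (the host only serves its own local clock) with pointing machines at internal NTP or the AD domain. The script below is an added example written for this page, not code posted by anyone in the thread or by @franton. It classifies a time-source configuration as loopback, network, or none so an auditor can tell which of the two setups a Mac is actually in. It assumes an ntp.conf-style file and the `Network Time Server: <host>` line that `systemsetup -getnetworktimeserver` prints; the sample files and server names (`ntp1.corp.example`) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a Mac's NTP
# configuration is the CIS "loopback" style or a real network source.

classify_ntp_conf() {
  # $1: path to an ntp.conf-style file. Prints one word:
  #   loopback - every server/pool line is the local clock or 127.x
  #   network  - at least one real (non-loopback) server is configured
  #   none     - no server/pool lines at all (time will drift unchecked)
  servers=$(grep -E '^[[:space:]]*(server|pool)[[:space:]]+' "$1" \
            | awk '{print $2}' || true)
  if [ -z "$servers" ]; then
    echo none
    return 0
  fi
  for s in $servers; do
    case "$s" in
      # 127.127.1.0 is ntpd's "local clock" driver; the rest are loopback
      127.127.*|127.0.0.1|localhost|::1) ;;
      *) echo network; return 0 ;;
    esac
  done
  echo loopback
}

classify_time_server() {
  # $1: a "Network Time Server: <host>" line as printed by
  # `systemsetup -getnetworktimeserver` (sample lines are constructed).
  host=${1#*: }
  case "$host" in
    '')                  echo none ;;
    127.*|localhost|::1) echo loopback ;;
    *)                   echo network ;;
  esac
}

# Constructed sample configurations for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/ntp_loopback.conf" <<'EOF'
# constructed: CIS-style configuration that serves only the local clock
server 127.127.1.0
fudge 127.127.1.0 stratum 10
restrict default ignore
EOF

cat > "$SAMPLE_DIR/ntp_internal.conf" <<'EOF'
# constructed: points at internal NTP servers (placeholder hostnames)
server ntp1.corp.example iburst
server ntp2.corp.example iburst
restrict default kod nomodify notrap nopeer noquery
EOF

echo "ntp_loopback.conf -> $(classify_ntp_conf "$SAMPLE_DIR/ntp_loopback.conf")"
echo "ntp_internal.conf -> $(classify_ntp_conf "$SAMPLE_DIR/ntp_internal.conf")"
echo "systemsetup line  -> $(classify_time_server 'Network Time Server: time.apple.com')"
```

A "loopback" result means the machine is not synchronising to anything, which is the drift problem raised in the first post; "network" is what the later replies recommend (internal stratum servers or a domain controller that actually runs NTP). Point the functions at the real `/etc/ntp.conf` and the real `systemsetup` output when running it on a managed Mac.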