Windows-itpro-docs: Time.windows.com

Created on 9 Oct 2019 · 11 Comments · Source: MicrosoftDocs/windows-itpro-docs

The article states "Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)". I believe the only one that requires 123 is time.windows.com, not all hosts.



All 11 comments

The http ports are used to determine if the client is online and able to access the Internet. It does a test to verify that it can access www.msftconnecttest.com. See https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints#network-connection-status-indicator-ncsi

I don't disagree, but it's not true that we need port 123 open for all the listed hosts as the article says. We need 443/80 for everything and port 123 for a single URL.

Thanks
Robert

Sent from Mail for Windows 10


From: Greg Lindsay notifications@github.com
Sent: Wednesday, October 9, 2019 2:43:23 PM
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Rkendall75 robertjkendall@hotmail.com; Author author@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Time.windows.com (#5143)

The http ports are used to determine if the client is online and able to access the Internet. It does a test to verify that it can access www.msftconnecttest.com. See https://docs.microsoft.com/windows/privacy/manage-windows-1809-endpoints


@greg-lindsay Would it be feasible to state in the document to limit allow access to 123 (UDP/NTP) only for a single domain (_time.windows.com_) as suggested? We would like to aid with relevant content updates if necessary. Thanks.

Maybe the proposed change is appropriate for Windows Autopilot and American or western countries with large enterprise deployments. To me, it looks slightly different, because I don't use Windows Autopilot and I also only manage a small-business number of computers. My specific case is that for all the computers I manage, I quickly change time.windows.com to my local national (and trustworthy) NTP servers, like ntp.online.no in Oslo, Norway (and maybe no.pool.ntp.org). That makes it practical for me to allow more than 1 NTP server to pass the firewall (likely something like 5). In my own network, the NTP and SNTP ports are open for traffic in general, so any NTP server will work. On the other hand, allowing all addresses has caused some minor attack attempts to be reported in the firewall, from Chinese or Russian NTP servers.

The article states "Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)". I believe the only one that requires 123 is time.windows.com, not all hosts.

I wonder if this is an indirect suggestion that the document phrasing seems to be too liberal. What @Rkendall75 also said is that in his opinion, only one address is needed for the NTP port (UDP/NTP 123), but that seems to be too strict in my opinion. Since I don't have personal experience with filtering or firewall rules to allow only a small number of addresses, I don't have a useful suggestion for what would be a middle ground between those two opposite points. I also presume it is quite difficult to predict a reduced number of addresses to allow through the firewall, even more so when it comes to determining what is a good solution for Windows Autopilot. Knowing that it is close to unpredictable which addresses (IP or DNS) will be preferred in environments beyond the United States, also taking into account that NTP server names might change over time, I don't know what could be a practical solution to implement for a change in the current document ("Your Mileage May Vary").

Exactly, my comment was that the only host that needs 123 is whatever your time server is; none of the other endpoints need that port opened.

Thanks
Robert

Sent from Mail for Windows 10

From: Trond B. Krokli notifications@github.com
Sent: Tuesday, June 9, 2020 10:14 AM
To: MicrosoftDocs/windows-itpro-docs windows-itpro-docs@noreply.github.com
Cc: Rkendall75 robertjkendall@hotmail.com; Mention mention@noreply.github.com
Subject: Re: [MicrosoftDocs/windows-itpro-docs] Time.windows.com (#5143)

The article states "Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)". I believe the only one that requires 123 is time.windows.com, not all hosts.

I wonder if this is an indirect suggestion that the document phrasing seems to be too liberal. What @Rkendall75 also said is that in his opinion, only one address is needed for the NTP port (UDP/NTP 123), but that seems to be too strict in my opinion. Since I don't have personal experience with filtering or firewall rules to allow only a small number of addresses, I don't have a useful suggestion for what would be a middle ground between those two opposite points. I also presume it is quite difficult to predict a reduced number of addresses to allow through the firewall, even more so when it comes to determining what is a good solution for Windows Autopilot. Knowing that it is close to unpredictable which addresses (IP or DNS) will be preferred in environments beyond the United States, also taking into account that NTP server names might change over time, I don't know what could be a practical solution to implement for a change in the current document ("Your Mileage May Vary").


@e0i : Should we ask the document author for a final comment on this, whether it should be updated or not?

We haven't got feedback from Greg as commented above. The best way to get relevant feedback, in this case, is to come up with a PR with mentioned suggestions so I'm passing this to a contributor for that. Thank you for the discussion.

@Rkendall75 @illfated In my opinion this is addressed a bit further in the article:

In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services.


The sentence you are referring to in the beginning of the article refers to a less restrictive environment (which also exists), and then it goes further to talk about what you need to do for more restrictive environments. If you find that this is not explicit enough, what wording would you see appropriate for the first sentence?

Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).

@VLG17 : Thank you for the practical feedback. Good & fair point.

I think the current phrasing/wording is OK as it is, based on your summary of what is actually already present in the document page: giving access to only 1 NTP host (time.windows.com) on restricted networks, or access to all NTP hosts (UDP/123 completely open) on non-restricted networks. In my opinion, it is very difficult to find a middle ground between those two, because everyone and their mother has an opinion on how many and which NTP servers to allow.
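The two firewall postures compared in this thread, written out as an added example (not from the issue or the docs article) for Windows Defender Firewall: UDP/123 open to any host, versus UDP/123 allowed only to the configured time source. It assumes an elevated session and a profile whose default outbound action is already Block (otherwise outbound traffic is allowed regardless of these rules); the rule names and the `$timeSource` value are placeholders for the administrator's own choice, since Robert's point is that the only host needing 123 is whatever your time server is.

```powershell
# Option A: the "all hosts" reading of the article. Any remote address may be
# reached on UDP/123, which is what lets unrelated NTP servers show up in the
# firewall log, as described earlier in this thread.
# New-NetFirewallRule -DisplayName 'Allow NTP (any host)' `
#     -Direction Outbound -Protocol UDP -RemotePort 123 `
#     -RemoteAddress Any -Action Allow

# Option B: restrict UDP/123 to the time source actually in use.
# Substitute the server you configured with w32tm (e.g. a national NTP pool).
$timeSource = 'time.windows.com'   # placeholder: use your own time source
$ruleName   = 'Allow NTP (time source only)'

# Windows Defender Firewall matches IP addresses, not DNS names, so the FQDN
# has to be resolved first. The resolved set can change over time (the thread
# notes that server names and addresses are not stable), so re-run this step
# periodically, for example from a scheduled task, to keep the rule current.
$ips = Resolve-DnsName -Name $timeSource -Type A -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'A' } |
       Select-Object -ExpandProperty IPAddress

if (-not $ips) { throw "No A records resolved for $timeSource" }

# Replace any previous copy of the rule so stale addresses do not linger.
Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

# Scope the allow rule to the W32Time service and the resolved addresses only;
# every other endpoint keeps using 80/443 and gets no UDP/123 exception.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Protocol UDP -RemotePort 123 `
    -RemoteAddress $ips -Service 'W32Time' -Action Allow

# Check that time sync still works through the narrowed rule.
w32tm /resync
w32tm /query /source
w32tm /query /status
```

If `w32tm /resync` reports that the computer did not resync because no time data was available, compare the current resolution of `$timeSource` with the rule's `RemoteAddress` list before loosening anything else.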

@VLG17 Right to the point! Thank you for providing this detail that is too easy to overlook.
