
Does anyone have recommendations for time settings on a Veeam hardened repo?  After researching, I’m seeing conflicting recommendations from use the internal CMOS clock, use an internal NTP server, or use an external NTP server.  Just wanted to see what some of the Veeam experts recommend.

That’s an interesting question ​@stryker54141 . In several sessions I’ve been on the Hardened Repo, I’ve not heard this discussed; at least...I don’t remember it being discussed 😉

Let me see if I can find something in some of my notes or otherwise...


As mentioned in this article, “it’s okay to use the local clock of a server as time source for Veeam Hardened Repository.”

The minimum immutability setting is 7 days, and your internal clock on a modern server should never be out by that much.

 

If you must use NTP though, follow the recommendations in that article to secure it.


I believe when setting this up via the ISO file it has you use an external NTP server.  I am testing the Beta v13 and the JEOS ISO which allows you to deploy a VHR and it asks for external NTP for that so I would assume that is the preference.


Ok ​@stryker54141 -

Have you seen this blog article by one of Veeam’s PMs who has spear-headed the Hardened Repo, and more specifically, the ISO installer? I think this should provide you with some details on how to get NTP set up:

https://www.veeam.com/blog/securing-hardened-repository-against-remote-time-attacks.html


@Chris.Childerhose - Yes, it defaults to an external NTP server, but doesn’t that go against the whole principle of this server being completely segmented from the internet?

 



It would yes.  I am just stating what is being used during initial setup and with the new v13 stuff since Veeam manages updates it would require external access.

If you set up an internal NTP server then that would work too but it would need to get the time externally so maybe segregated networks?


@coolsport00  - Thanks, that’s the same article that ​@Tommy O'Shea posted.  I read it last night, but noticed that it was written in 2023.  A lot can change in two years and I wanted to see if the opinions had changed.  I’m leaning toward just using the internal CMOS clock of the server.


@stryker54141 -

Glad you initially found the article before posting. Understood….and true, things can change in such a time. Again, I haven’t heard Hannes have a change in stance on that article, and have been in at least a few sessions where he’s talked about the Hardened Repo. I would agree with you in choosing the internal CMOS for NTP….to keep all unneeded external avenues closed on it.

Best.


Hi @stryker54141, here is another contribution regarding NTP. NTP is a critical component for many, many applications, so if you want to get deeper into how NTP works, here is RFC 5905.

 

https://www.rfc-editor.org/rfc/rfc5905.html 

 

some clock sources and implementation model.

 


 

 

