V-256409

CAT II (Medium)

The ESXi host must configure NTP time synchronization.

Rule ID

SV-256409r1038976_rule

STIG

VMware vSphere 7.0 ESXi Security Technical Implementation Guide

Version

V1R4

CCIs

CCI-001891, CCI-002046

Discussion

To ensure the accuracy of the system clock, it must be synchronized with an authoritative time source within DOD. Many system functions, including time-based logon and activity restrictions, automated reports, system logs, and audit records, depend on an accurate system clock. If there is no confidence in the correctness of the system clock, time-based functions may not operate as intended and records may be of diminished value.

Satisfies: SRG-OS-000355-VMM-001330, SRG-OS-000356-VMM-001340

Check Content

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Time Configuration.

Under "Current Time Configuration", verify "Time Synchronization" is set to "Network Time Protocol". 

Under "Network Time Protocol", verify the "NTP Servers" are authorized DOD time sources.

If the ESXi host is not configured to pull time from authoritative DOD time sources, this is a finding.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-VMHostNTPServer
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"}

If the NTP service is not configured with authoritative DOD time sources or the service does not have a "Policy" of "on" or is stopped, this is a finding.
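
The PowerCLI check above, turned into a per-host pass/fail evaluation; this is an added example, not part of the STIG text. The function names, the $ApprovedNtpServers list (placeholder server names) and the sample hosts are assumptions, and the sample data is constructed so the logic runs without a connection.

```powershell
# Added example (not STIG text): evaluates the V-256409 check conditions per host.
# $ApprovedNtpServers is an assumption; substitute the authorized DOD time sources.
$ApprovedNtpServers = @('ntpserver1', 'ntpserver2')   # placeholder names

function Test-EsxiNtpCompliance {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [string[]] $NtpServers = @(),
        [string]   $Policy,
        [bool]     $Running,
        [Parameter(Mandatory)] [string[]] $Approved
    )
    $reasons = @()
    if ($NtpServers.Count -eq 0) { $reasons += 'no NTP servers configured' }
    # Any server outside the approved list is a finding, even if approved ones are also set.
    $unapproved = @($NtpServers | Where-Object { $_ -notin $Approved })
    if ($unapproved.Count -gt 0) { $reasons += "unapproved servers: $($unapproved -join ', ')" }
    if ($Policy -ne 'on') { $reasons += "service policy is '$Policy', expected 'on'" }
    if (-not $Running)    { $reasons += 'NTP service is stopped' }
    [pscustomobject]@{
        VMHost  = $HostName
        Finding = ($reasons.Count -gt 0)
        Reasons = $reasons -join '; '
    }
}

function Get-EsxiNtpState {
    # Collects live state with the same cmdlets the check uses; needs a PowerCLI session.
    foreach ($h in Get-VMHost) {
        $svc = $h | Get-VMHostService | Where-Object { $_.Label -eq 'NTP Daemon' }
        [pscustomobject]@{
            HostName   = $h.Name
            NtpServers = @($h | Get-VMHostNtpServer)
            Policy     = [string]$svc.Policy
            Running    = [bool]$svc.Running
        }
    }
}

# Constructed sample state, used only when no vCenter/ESXi connection exists.
$sample = @(
    [pscustomobject]@{ HostName='esx01.example'; NtpServers=@('ntpserver1','ntpserver2'); Policy='on';  Running=$true  }
    [pscustomobject]@{ HostName='esx02.example'; NtpServers=@('pool.example.org');        Policy='off'; Running=$false }
)
$state = if ($global:DefaultVIServer) { Get-EsxiNtpState } else { $sample }
$state | ForEach-Object {
    Test-EsxiNtpCompliance -HostName $_.HostName -NtpServers $_.NtpServers -Policy $_.Policy -Running $_.Running -Approved $ApprovedNtpServers
} | Format-Table -AutoSize
```

With the constructed sample, esx01.example passes and esx02.example is reported as a finding for an unapproved server, a policy other than "on", and a stopped service.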

Fix Text

From the vSphere Client, go to Hosts and Clusters.

Select the ESXi Host >> Configure >> System >> Time Configuration.

Under "Network Time Protocol", click "Edit...". Ensure the "NTP Servers" are authorized DOD time sources. 

Ensure the "NTP Service Startup Policy" is set to "Start and stop with host". 

Ensure the "Enable" checkbox, in the upper left, is checked. Click "OK".

Click "Edit" to configure the NTP service to start and stop with the host and with authoritative DOD time sources.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

$NTPServers = "ntpserver1","ntpserver2"
Get-VMHost | Add-VMHostNTPServer $NTPServers
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Set-VMHostService -Policy On
Get-VMHost | Get-VMHostService | Where {$_.Label -eq "NTP Daemon"} | Start-VMHostService