Preventions

No Ready System-Level Mitigation

Restrict Access to Administrative Privileges

Enforce an Acceptable Use Policy

Enforce a Social Media Policy

Install an Anti-Virus Solution

Install a Web Proxy Solution

Restrict Access to Registry Editor

Enforce File Permissions

Prohibition of Devices On-site

Physical Access Controls

End-User Security Awareness Training

Pre-Employment Background Checks

Disable Printing, Windows

Application Whitelisting

Enforce a Data Classification Policy

Prohibit Email Auto-Forwarding to External Domains, Exchange

Network Intrusion Prevention Systems

Data Loss Prevention Solution

DNS Filtering

Access Reviews

Employee Off-boarding Process

Full Disk Encryption

Restrict Mobile Clipboard via Intune App Protection Policies

Financial Approval Process

Corporate Card Spending Limits

Enterprise-Managed Web Browsers

Bootloader Password

Next-Generation Firewalls

Native Anti-Tampering Protections

Protocol Allow Listing

Restrict Disc Media Mounting, Group Policy

Restrict Floppy Drive Mounting, Group Policy

Restrict Removable Disk Mounting, Group Policy

Insider Threat Awareness Training

Employee Mental Health & Support Program

Network Access Control (NAC)

Mobile Device Management (MDM)

Employee Vulnerability Support Program

Restrict Windows System Time Modification

Windows Time Service Synchronization

Exchange Restrict Outbound Emails via Recipient Domain

Regulation Awareness Training

Implement MIP Sensitivity Labels

Privileged Access Management (PAM)

Managerial Approval

Social Media Screening

Employment Reference Checks

Criminal Background Checks

Government-Issued ID Verification

Human Resources Collaboration for Early Threat Detection

Enforce Multi-Factor Authentication (MFA)

Azure Conditional Access Policies

Structured Request Channels for Operational Needs

Consistent Enforcement of Minor Violations

Insider-Focused Threat Intelligence

Disable Proxy Configuration on Windows Systems

Disable Snipping Tool, Group Policy

Static Code Analysis via CI/CD Pipelines

Local DNS Sinkhole, Windows

Local DNS Sinkhole, Linux

Non-Disclosure Agreement

Security Vetting and Clearance

Psychological Risk Assessment Program

Microsoft Litigation Hold

Identity Credential Challenge and Verification

Service Desk Caller Verification Process

Conditional Contact During Leave

Endpoint Network Access Agent Enforcement

Merchant Category Code (MCC) Blocking

Network Segmentation

Centralized Asset Inventory Control

Account Inventory and Ownership Validation

Controlled Software Inventory Management

Service Account Classification and Scope Limitation

Data Inventory

Change Management

AI Usage Policy

Intellectual Property Agreement

USB Peripheral Allow-Listing

Physical Port Security for Workstations

Multi-Party Approval Enforcement

System-Enforced Reviewer Assignment and Rotation

Attribution-Enabled Display Controls

Geographic Conditional Access Enforcement

High-Risk Jurisdiction Classification Framework

ID: PV043
Created: 07th April 2025
Updated: 07th April 2025
Platform: Windows
Contributor: The ITM Team

Restrict Windows System Time Modification

Using Group Policy on Windows it is possible to block the ability for users to modify the system date/time.

In the Group Policy Editor, navigate to:
Computer Configuration -> Windows Settings -> Security Settings → Local Policies → User Rights Assignment → Change the system time

Remove any users or groups that do not need this permission.

Sections

ID	Name	Description
AF032	System Time Modification	A subject modifies the system date, time, time zone, hardware clock, or time synchronization configuration of a device to obscure the chronology of activity relevant to an insider threat investigation. This behavior may affect timestamps associated with file creation, file modification, authentication events, process execution, log generation, scheduled activity, or other forensic artifacts used to reconstruct subject activity. System time modification may be performed before, during, or after an infringement to create ambiguity in the investigative timeline, frustrate correlation between endpoint, identity, network, and application telemetry, or cause investigators to misinterpret the sequence of events. The behavior should be assessed in context with administrative privilege use, time synchronization changes, endpoint telemetry gaps, and inconsistencies between local artifacts and centralized logging sources.
AF032.001	Windows System Time Modification	A subject modifies the Windows system time, time zone, or time synchronization behavior to obscure timestamps associated with local artifacts, event logs, file activity, process execution, or other evidence relevant to an insider threat investigation. On Windows systems, this behavior may involve manual date and time changes, abuse of the “Change the system time” user right, modification of Windows Time service behavior, or use of administrative tooling to alter clock settings.