diff --git a/ntpd/templates/ntp.conf.erb b/ntpd/templates/ntp.conf.erb
index 51b2a9f..5ebd9e5 100644
--- a/ntpd/templates/ntp.conf.erb
+++ b/ntpd/templates/ntp.conf.erb
@@ -3,9 +3,9 @@
 tinker panic 0
 
 <% end -%>
-# By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+# By default deny everything
+restrict default ignore
+restrict -6 default ignore
 
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
@@ -16,6 +16,7 @@ driftfile /var/lib/ntp/ntp.drift
 
 # Remote servers.
 <% ntp_server.each do |server| -%>
+restrict <%= server %> mask 255.255.255.255 nomodify notrap noquery
 server <%= server %>
 <% end -%>
 <% if is_virtual == "false" -%>