Security Watch
The Importance of Keeping Time
Unreliable and inaccurate time sources can lead to security vulnerabilities.
- By Roberta Bragg
- 08/30/2004
I've been taking it a bit easy this week — visiting with friends, stopping
to look at the flowers at a rest stop, saying more than two words to the hotel
clerk, and enjoying meals without having to talk to a client or read a technical
article. I don't think I've checked my watch once.
But my computer is keeping great track of time. I've got three virtual computers
in a Windows Server 2003 domain chugging along in Microsoft Virtual PC on my
laptop. They're keeping perfect time, since the Microsoft Time Service automatically
keeps them in synch. Knowledge Base article 884476, "Configuring
the Windows Time Service Against a Large Offset," provides a brief
description of how the PDC emulator of the forest root domain becomes the authoritative
time server for the forest, and how each desktop and server uses its authenticating
DC in order to keep the time synchronized throughout the forest. The article
documents several Registry settings and has a very interesting piece of advice
that can impact the security of your Windows systems. The article's at http://snipurl.com/8r5f.
But here's the skinny: You shouldn't synch the authoritative time server over
the Internet. Instead, provide an accurate hardware clock. When you use a time
server on the Internet as the basis for time in your forest, you may be accepting
too large a risk. It might be possible for someone to spoof one of the known
time servers on the Internet and provide your authoritative server with the
incorrect time. This means that your whole infrastructure will soon be ticking
along perfectly in synch with itself — but will be out of synch with the
rest of the world.
This would be bad, since correct time is important to many systems. Kerberos,
of course, relies on time synchronization as part of its authentication process.
Event logs need to log the correct time or much of the information may be useless.
It certainly will cause problems if presented as evidence in court. Applications
that rely on time will also be disturbed — transactions may not be available,
and mistakes can be made. Even the offline folders function requires accurate
time. When files are synched, the latest date wins. Want to guess what happens
when the latest file has a time stamp that is earlier than the oldest file?
So, could this happen? Would an attacker do this for fun? Might someone target
your organization, spoof the time server and tweak your clock settings, mount
an attack in which events record things happening at the wrong time, then remove
the fake time server and allow the real one to eventually set things back to
normal? I don't know. But I do know that providing a hardware clock on the LAN
is one more thing you can do to mitigate potential risk. You'll have to evaluate
the risk to your organization yourself.
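A tampered clock of the kind described above leaves a trace a defender can check for. The following Python is an added example, not part of the original column: it assumes each log record carries a sequence number that only increases (as Windows event log record numbers do) and flags places where the recorded time moves backward in record order. The sample records, function names and five-second tolerance are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (record_number, timestamp written by the local clock).
# Record numbers only increase, so they give an ordering the clock cannot alter.
SAMPLE_RECORDS = [
    (1001, "2004-08-30 09:14:02"),
    (1002, "2004-08-30 09:14:40"),
    (1003, "2004-08-30 09:15:39"),
    (1004, "2004-08-30 03:15:41"),  # clock pushed back about six hours
    (1005, "2004-08-30 03:22:10"),
    (1006, "2004-08-30 03:22:09"),  # one-second step, an ordinary sync correction
    (1007, "2004-08-30 09:31:05"),  # clock restored; looks like any idle gap
    (1008, "2004-08-30 09:31:50"),
]

def parse(records):
    """Sort by record number and convert timestamp strings to datetimes."""
    return sorted((num, datetime.strptime(ts, FMT)) for num, ts in records)

def backward_steps(records, tolerance=timedelta(seconds=5)):
    """Return (prev_record, record, seconds_back) where time stepped back."""
    rows = parse(records)
    steps = []
    for (prev_num, prev_ts), (num, ts) in zip(rows, rows[1:]):
        if prev_ts - ts > tolerance:
            steps.append((prev_num, num, int((prev_ts - ts).total_seconds())))
    return steps

def out_of_order_window(records):
    """Record numbers stamped earlier than a time already present in the log."""
    high_water, suspect = None, []
    for num, ts in parse(records):
        if high_water is not None and ts < high_water:
            suspect.append(num)   # timestamp disagrees with record order
        else:
            high_water = ts
    return suspect

if __name__ == "__main__":
    for prev_num, num, secs in backward_steps(SAMPLE_RECORDS):
        print(f"clock stepped back {secs}s between records {prev_num} and {num}")
    print("records out of order with the log:", out_of_order_window(SAMPLE_RECORDS))
```

A forward jump alone is indistinguishable from an idle period, but setting the clock wrong and later restoring it always produces at least one backward step in record order, whichever direction the clock was moved.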
Now, where can I find an accurate, mobile hardware clock that plugs into the
USB port on my laptop?
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP, is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.