Security Watch

The Importance of Keeping Time

Unreliable and inaccurate time sources can lead to security vulnearabilities.

I've been taking it a bit easy this week — visiting with friends, stopping to look at the flowers at a rest stop, saying more than two words to the hotel clerk, and enjoying meals without having to talk to a client or read a technical article. I don't think I've checked my watch once.

But my computer is keeping great track of time. I've got three virtual computers in a Windows Server 2003 domain chugging along in Microsoft Virtual PC on my laptop. They're keeping perfect time, since the Microsoft Time Service automatically keeps them in synch. Knowledge Base article 884476, "Configuring the Windows Time Service Against a Large Offset," provides a brief description of how the PDC emulator of the forest root domain becomes the authoritative time server for the forest, and how each desktop and server uses its authenticating DC in order to keep the time synchronized throughout the forest. The article documents several Registry settings and has a very interesting piece of advice that can impact the security of your Windows systems. The article's at But here's the skinny: You shouldn't synch the authoritative time server over the Internet. Instead, provide an accurate hardware clock. When you use a time server on the Internet as the basis for time in your forest, you may be accepting too large a risk. It might be possible for someone to spoof one of the known time servers on the Internet and provide your authoritative server with the incorrect time. This means that your whole infrastructure will soon be ticking along perfectly in synch with itself — but will be out of synch with the rest of the world.

This would be bad, since correct time is important to many systems. Kerberos, of course, relies on time synchronization as part of its authentication process. Event logs need to log the correct time or much of the information may be useless. It certainly will cause problems if presented as evidence in court. Applications that rely on time will also be disturbed — transactions may not be available, and mistakes can be made. Even the offline folders function requires accurate time. When files are synched the latest date wins. Want to guess what happens when the latest file has a time stamp that is earlier than the oldest file?

So, could this happen? Would an attacker do this for fun? Might someone target your organization, spoof the time server and tweak your clock settings, mount an attack in which events record things happening at the wrong time, then remove the fake time server and allow the real one to eventually set things back to normal? I don't know. But I do know that providing a hardware clock on the LAN is one more thing you can do to mitigate potential risk. You'll have to evaluate the risk to your organization yourself.

Now, where can I find an accurate, mobile hardware clock that plugs into the USB port on my laptop?

About the Author

Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.

comments powered by Disqus
Most   Popular