RE: [Full-Disclosure] Security aspects of time synchronization infrastructure

From: joe (mvp_at_joeware.net)
Date: 08/20/04

    To: "'3APA3A'" <3APA3A@security.nnov.ru>, <bugtraq@securityfocus.com>
    Date: Thu, 19 Aug 2004 18:59:06 -0400
    
    

    Interesting paper. I am curious about this statement though as you seemingly
    don't give supporting information.

    "If network is configured in accordance to these recommendations it's
    possible to bring whole Windows 2003 forest down
    with a single UDP packet."

    What is your line of reasoning here? In a properly configured forest, all
    machines will take their time from their default time source and not from a
    preconfigured machine as you outlined. If the time on the PDC emulator of
    the forest is spanked into a new value, either the other machines will be
    unable to sync with it due to not being able to authenticate with it or the
    forest time will change and authentication will continue on. It could impact
    Kerberos certs in that they may need to be reissued sooner, but I fail to
    see an issue where the entire forest could be brought down. I could see this
    having adverse effects on MIT trusts and non-MS Kerberos clients unless they
    have the Vintela or Centrify *nix/Win integration software (or other
    software configured to do the same) that forces a timesync with the Forest.

    If you would prefer to discuss offline, that is fine as well.

      Thanks, joe

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of 3APA3A
    Sent: Thursday, August 19, 2004 5:26 PM
    To: bugtraq@securityfocus.com
    Cc: full-disclosure@lists.netsys.com
    Subject: [Full-Disclosure] Security aspects of time synchronization
    infrastructure

    Hello bugtraq,

      I published a whitepaper called "Security aspects of time
      synchronization infrastructure". It describes some observations on
      very common security flaws in time synchronization infrastructure
      design, including (but not limited to) MS Windows Active Directory.

      http://www.security.nnov.ru/advisories/timesync.asp

      Any comments are much appreciated.

    --
    /3APA3A
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
