Re[2]: [Full-Disclosure] Security aspects of time synchronization infrastructure

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 08/20/04

  • Next message: Joshua J. Berry: "[ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability"
    Date: Fri, 20 Aug 2004 10:21:51 +0400
    To: "joe" <mvp@joeware.net>
    
    

    Dear joe,

    --Friday, August 20, 2004, 2:59:06 AM, you wrote to 3APA3A@security.nnov.ru:

    j> "If network is configured in accordance to these recommendations it's
    j> possible to bring whole Windows 2003 forest down with a single UDP
    j> packet."

    j> What is your line of reasoning here? In a properly configured forest, all
    j> machines will take their time from their default time source and not from a
    j> preconfigured machine as you outlined. If the time on the PDC emulator of
    j> the forest is spanked into a new value, either the other machines will be
    j> unable to sync with it due to not being able to authenticate with it or the

    Time synchronisation doesn't require authentication; at least it looks
    like packets are only signed with the computer key. That's why it's still
    possible to change the time across the whole forest with a single packet, if one
    of the forest's reliable time sources or the PDC emulator in the root domain uses
    an external SNTP server.

    Before Windows 2000 SP4 it was possible to set the date far in the future (for
    example to 2038). Locked accounts, expired certificates in addition to
    "problem 2038" (Jan 19, 2038 is the maximum date value for the 32-bit time_t
    timestamp used in many C compilers). But setting the date 12 hours in the future
    or 12 hours in the past can still produce a lot of harm.

    -- 
    ~/ZARAZA
    And so, I will be brief. (Twain)
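
An added example, not part of the original message: a client-side sanity check that decodes an SNTP server reply and lists the reasons not to step the clock to it, covering the two conditions the thread turns on (no authenticator on the packet, and a jump of hours). The function names, the one-hour limit and the sample packets are assumptions made for illustration.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_STEP_SECONDS = 3600          # assumed local policy, not a value from the post

def parse_sntp_reply(pkt: bytes) -> dict:
    """Decode the fields of an (S)NTP packet that matter for a sanity check."""
    if len(pkt) < 48:
        raise ValueError("SNTP packet shorter than the 48-byte header")
    secs, frac = struct.unpack("!II", pkt[40:48])   # transmit timestamp
    return {
        "mode": pkt[0] & 0x07,            # 4 = server reply
        "stratum": pkt[1],                # 0 = unsynchronized / kiss-of-death
        "unix_time": secs - NTP_UNIX_DELTA + frac / 2**32,
        # Key id + digest follow the header when present. Presence only:
        # verifying the digest needs the shared key, which this sketch lacks.
        "has_mac": len(pkt) > 48,
    }

def check_reply(pkt: bytes, local_unix: float,
                max_step: int = MAX_STEP_SECONDS) -> list:
    """Return the reasons a client should refuse to step its clock to this reply."""
    r = parse_sntp_reply(pkt)
    findings = []
    if r["mode"] != 4:
        findings.append("not-a-server-reply")
    if r["stratum"] == 0:
        findings.append("unsynchronized-source")
    if not r["has_mac"]:
        findings.append("unauthenticated")
    if abs(r["unix_time"] - local_unix) > max_step:
        findings.append("step-exceeds-policy")
    return findings

def build_reply(unix_time: int, stratum: int = 2) -> bytes:
    """Constructed sample: a bare 48-byte server reply (version 3, mode 4)."""
    header = bytes([(3 << 3) | 4, stratum, 6, 0xEC]) + bytes(36)
    return header + struct.pack("!II", unix_time + NTP_UNIX_DELTA, 0)

LOCAL = 1_092_982_911  # constructed local clock: 2004-08-20 06:21:51 UTC

if __name__ == "__main__":
    # A reply 12 hours ahead of the local clock, with no authenticator.
    print(check_reply(build_reply(LOCAL + 12 * 3600), LOCAL))
```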
    
