Securing Windows Time service

[kuki9591]

Any windows folk out there that can assist.

We had some penertration tests performed on some servers, one of the few things picked up was the Windows Time Service


Observation: The NTP service running on the server disclosed technical information that would be of use to an attacker in fingerprinting the Operating System on the server.

Recommendation: The configuration of the NTP service should be amended to prevent this type of disclosure

Would anybody have a clue as to how the time service can be secured from this type of scan?

Windows Server 2003 Enterprise SP2
Patched to Jan 2008

Thanks in advance.

Mike

[MattS]

Quote:

Originally Posted by kuki9591

Any windows folk out there that can assist.

We had some penertration tests performed on some servers, one of the few things picked up was the Windows Time Service


Observation: The NTP service running on the server disclosed technical information that would be of use to an attacker in fingerprinting the Operating System on the server.

Recommendation: The configuration of the NTP service should be amended to prevent this type of disclosure

Would anybody have a clue as to how the time service can be secured from this type of scan?

Windows Server 2003 Enterprise SP2
Patched to Jan 2008

There are going to be several ways it could be done and the correct method will depend on your risk assessment. Are you worried about systems inside the local network knowing what OS the server is running?

The way I normally go about things is to restrict access at the LAN borders. Only allow NTP between the server/s and the trusted time providers. If you are a bit paranoid, fit an atomic or radio clock to a Domain Controller or two, use those as the source for all other time requests, and completely shut the door to NTP through the perimeter on the firewall.

If that still isn't good enough, happy trawling

[kuki9591]

Thanks for the response, NTP is already closed on the firewalls, the pentesters ran the scan on the same subnets as the servers.

Google used to be my friend until this little gem came along.

thanks again.

Mike

[MattS]

Quote:

Originally Posted by kuki9591

Thanks for the response, NTP is already closed on the firewalls, the pentesters ran the scan on the same subnets as the servers.

You mean they came in, ran a standard automated test suite, handed over the output and charged a fortune

You have to question the validity of the test to your own circumstances. There is usually a lot of other traffic floating around a typical subnet announcing the Windows servers to anyone able to drive Ethereal.

Quote:

Google used to be my friend until this little gem came along.

As far as I know there is no way to change the reply from the time service on Windows servers. Which is what the security experts mean when they say

Quote:

technical information that would be of use to an attacker in fingerprinting the Operating System on the server.

The choice seems to be;
1. Accept that any host able to query the time service can discover it is a Windows server.

2. Completely replace the time syncronisation infrastructure across the Active Directory domain.

[thehappychappy]

If your not allowing NTP traffic outside of your "trusted perimeter" then its not really an issue.

your risk assessment will most likely mitigate the attack chances via internal security mechanisms.

i.e. only authorised personal on-site, only approved equipment allowed to connect to lan.


Time is critical in the AD domain and its just not worth the risk trying to be too paranoid about it.

Time needs to get to all servers and within the AD structure the client machines.

It's the clients that can be the tricky bit.

I'm assuming your clients and some servers in a distributed environment are all over the place.

Davie



P.S there is a decent article on Windows Time Service at technet http://technet2.microsoft.com/Window...0c0181033.mspx

[kuki9591]

Quote:

Originally Posted by MattS

You mean they came in, ran a standard automated test suite, handed over the output and charged a fortune

Well, our customer paid for the test, it's a 6 monthly thing they do.

Quote:

Originally Posted by MattS

You have to question the validity of the test to your own circumstances.

yes, raised the integrity of their testing with the SDM, I have other issues with it.

Thanks again

[kuki9591]

Quote:

Originally Posted by thehappychappy

I'm assuming your clients and some servers in a distributed environment are all over the place.

Not quite, it's a webhosting environment, no client machines, 100% server environment.

Thanks for the technet link.

Mike