Everhart, Glenn From: greg croasdill [gregc@frymulti.com] Sent: Friday, June 12, 1998 12:11 PM To: ntsecurity@iss.net Subject: [NTSEC] RE: ntsecurity-digest V3 #236 TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net Contact ntsecurity-owner@iss.net for help with any problems! --------------------------------------------------------------------------- We've just experienced an accidental "attack" on one of our NT 4.0 (sp3) servers. I believe that all of the folks on the list would benefit by knowing about this. ------ If you allow access to your NT consoles beware of the "clock watcher" attack. If someone brings up the date/time properties control panel (either through double clicking on the clock in the menu bar or control panel) and changes the time or date in any way. Even if the now high-lighted "Apply" button is not pressed, then the time on the server is modified. This will screw up any of the server's time based scripts and activities. In addition, the attacker does not even have to change the time. Just walk away, leaving the window up and the system date will not advance. All of this happens without pressing the "APPLY" or "OK" buttons on the control panel. You can replicate this on your own machine by double clicking the time in the menu bar, then changing the date to yesterday. Bring up a command window and type date. You will see that the system date has changed. Please make sure that access to the server console is controlled and that only the minimum required activity is done there. Also, make sure that the consoles have locking screen savers or that they are logged off. ------ What happened was that one of the operators just wanted to see a calendar for the month, double clicked on the clock and then left the console without dismissing the window. This was on a Friday night, the date did not advance on the system all weekend. All of our automated SQL Server scripts failed to run popery, and no backups occurred. We ended up loosing some very critical data. I have not seen any information on the behavior before and in our opinion, this is a VERY BIG and DANGEROUS BUG in NT 4.0 as it adversely effects the reliability of the system. I am sending this information into Microsoft in hope that they will fix this soon. ------------------------------------------------------------------ Greg Croasdill gregc@frymulti.com Chief of Electronic Commerce, Fry Multimedia, Ann Arbor, MI "I have seen the future, it is like the present, only much longer" -The Profit-