COMMAND

    clock

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Darren J.  Kress posted  following.   It's not  a buf...  but it's
    possible and with  security implications.   A user changing  their
    local systems time will affect password age and therefore  whether
    their  password  should  be  expired.   This  is  also true for an
    administrator viewing  a users  account information.   Here's  the
    scenario:

        1.      The true time is 3 PM on October 21st, 1999.
        2.      User-A changed their password 20 days ago on October 1st, 1999.
        3.      The Maximum Password Age is set to 25 days on the domain.
        4.      Administrator-1, who has the correct time specified on
                their  local  workstation,   views  User-A's   account
                through User Manager for  Domains.  The account  looks
                fine.  Administrator-A then retrieves the password age
                via a third party tool which states the password is 20
                days old.  This is good.
        5.       Administrator-2, who has their local system  time set
                as October 31st, 1999, views User-A's account  through
                User Manager for Domains.   The account now has  "User
                must  change  password  at  next  logon"  checked.  If
                Administrator-2  presses  OK  to  the  User Properties
                dialog box  in this  state it  will modify  the SAM so
                that  all  administrators  see  User-A as having "User
                must change  password at  next logon"  checked.   When
                Administrator-2 retrieves the password age via a third
                party  tool  it  states  the  account's password is 30
                days old.  This is not good.

    The user can  also affect the  dates by either  moving their local
    clock  forward  or  backward.   If  a  user doesn't want to change
    their password all they have to do is move their clock  backwards.
    The  Last  Logon/Logoff  and  account  expiration  dates  are  not
    affected in this manner.  They  seem to use the PDCs clock  rather
    than the local PC.

SOLUTION

    Well,  it's  all  human  factor  after  all...  It's  really not a
    security  problem.   Workarounf/fix?    Get  your  clock   working
    properly.

    If a time synchronization method is employed, the effects of  what
    Darren saw will  be mitigated.   Time Synchronization has  lots of
    useful purposes, and can help prevent misrepresentations in things
    like  last  login  time,  but  when  it comes to password age, the
    information is entirely dependent on the PDC. As such, the  answer
    to  a  query  about  the  password  age  should  also  be entirely
    dependent on  information from  the PDC.  Introducing a  variable,
    the  clock  on  the  querying  machine,  is unnecessary and *does*
    introduce the opportunity for exploit.