[ntp:security] Security enhancements for NTPD on MS Windows and minor bug fixes for version 4.28

Danny Mayer mayer at ntp.org
Thu Jun 8 03:06:45 UTC 2017
Mario,

I don't have time to respond to all of your points right now and most of
your points are not security issues in any case.

You didn't specify which version of NTP you used in your analysis so it
will take time to look at each of these items. I do want to comment on a
few of your items.

Item 3) makes an assumption that ntpd is installed with all privileges.
The general recommendation that I have made after deep analysis a number
of years ago is that only two privileges are needed: Logon as service
and Change System time. Anything else is too much including the
privileges associated with the User group. I create an account with just
these two privileges and just use the None Group. Anything else is
unnecessary. The Network Service has too many privileges but NOT Change
System time:


    SE_ASSIGNPRIMARYTOKEN_NAME (disabled)
    SE_AUDIT_NAME (disabled)
    SE_CHANGE_NOTIFY_NAME (enabled)
    SE_CREATE_GLOBAL_NAME (enabled)
    SE_IMPERSONATE_NAME (enabled)
    SE_INCREASE_QUOTA_NAME (disabled)
    SE_SHUTDOWN_NAME (disabled)
    SE_UNDOCK_NAME (disabled)
    Any privileges assigned to users and authenticated users

I also strongly recommend against adding an installer (item 3.1) into
the ntpd image. It should always be separate. I have an installer that
does the above but I haven't had time to complete everything and release it.

Item 5 (and item 3.2): the single thread is a deliberate design decision
because with multiple cpu cores each with its own clock you are going to
get a lot of jitter with the local timestamp being added to each
incoming packet. In fact we lock the thread to a specific processor (see
iocompletionthread() in nt_iocompletionport.c). See also the beginning of
the file for specifics of some of the reasons for all this.

Item 6 is really about OpenSSL. While HOMEPATH and HOMEDRIVE that you
mention are possibilities they both require that those exist for the
user account being used. Since it is not necessary to create directories
for the account it needs to be accounted for in a different way. Either
way the ntpd server needs read and write access to the directory in
order to write the rand file.

I'll have more to comment on when I have a chance to look at your other
items though I do need to know which version you are looking at.

Danny
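An added example, not code from this thread or from the ntp project, for checking the privilege recommendation above: this PowerShell script (assumed local account name `ntpd`, run from an elevated shell) exports the local User Rights Assignment with `secedit` and reports whether the service account holds exactly Log on as a service and Change the system time, which local groups it belongs to, and which rights reach it through group membership.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or the ntp project). Audits the user rights
# held by a dedicated ntpd service account against the two Danny recommends.
param([string]$Account = 'ntpd')   # assumed local service account name

$Required = @('SeServiceLogonRight', 'SeSystemtimePrivilege')   # Logon as service, Change system time

# Resolve the account to its SID; secedit writes principals as *SID.
$nt  = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Rights granted to groups the account belongs to apply to it as well, which is
# the "privileges assigned to users and authenticated users" concern above.
$implicit  = @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users
$groups    = Get-LocalGroup | Where-Object {
    (Get-LocalGroupMember $_ -ErrorAction SilentlyContinue).SID.Value -contains $sid }
$groupSids = @($groups | ForEach-Object { $_.SID.Value }) + $implicit

# Export the local User Rights Assignment and parse its [Privilege Rights] lines.
$inf = Join-Path $env:TEMP 'ntpd-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$direct = @(); $viaGroup = @()
foreach ($line in Get-Content $inf) {
    if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
    $right      = $Matches[1]
    $principals = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    if ($principals -contains $sid -or $principals -contains "$env:COMPUTERNAME\$Account") {
        $direct += $right
    } elseif ($principals | Where-Object { $groupSids -contains $_ }) {
        $viaGroup += $right
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$missing = $Required | Where-Object { $direct -notcontains $_ }
$extra   = $direct   | Where-Object { $Required -notcontains $_ }
"Account: $env:COMPUTERNAME\$Account ($sid)"
"Local groups: " + $(if ($groups) { $groups.Name -join ', ' } else { '<none>' })
if ($missing)  { "MISSING required rights: $($missing -join ', ')" }
if ($extra)    { "EXTRA rights granted directly: $($extra -join ', ')" }
if ($viaGroup) { "Rights inherited via group membership: $($viaGroup -join ', ')" }
if (-not $missing -and -not $extra -and -not $viaGroup) { "OK: exactly the two required rights" }
```

Rights that show up under "inherited via group membership" come from the account's groups (or from Everyone / Authenticated Users), so trimming them means removing the group membership or the grant to that group, not editing the account itself.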

On 6/6/2017 8:44 AM, Mario at TYTEC wrote:
> Dear all,
>
> 1st of all, thank you for the superb software you provided as an open
> source project.
>
> During the work on a project providing the NTPD service on MS Windows,
> I found some minor bugs and space for security enhancements.
>
> The BUG - list is attached as a plain text file.
>
> Mit freundlichen Grüßen / Best regards / Meilleures salutations
>
> Dipl.-Ing. M. Türschmann
>
> Ingenieurbüro Türschmann - TYTEC GmbH
> >> sponsored by Microsoft's BizSpark initiative <<
>
> Von-Hase-Weg 8
> D-07743 Jena
>
> Tel.: +49 (0)3641 227 0 970
> Fax: +49 (0)3641 227 0 972
> E-Mail: mario.tuerschmann at tytec.de
> Web: www.tytec.de
>
> Register court: Amtsgericht Jena, HRB 504653
> Managing director: Dipl.-Ing. Mario Türschmann
> VAT ID no.: DE269078982