changing server date

[Sherry]

We are using Windows 2000 Server, and I have a question,
grateful for your expert help!

Is there a way one(system admin with all the right access
right) can change the server clock without a trace? i.e.
we suspect an ex-admin had changed the server clock in
order to revise some file without changing the file
properties(e.g. date of last modified, etc.) Can you help
to direct us how to start checking on a potential lead?
thanks very much.

 

[serverguy]

It depends entirely on whether or not you have a domain. If yes, and your
root DC is correctly set to be the authoritative time source, then the 2000
server in question would automatically sych it's time with the DC on a
regular basis. So, any change made directly to the server would only be
temporary - until it synchs back up again at which time an event should be
logged. You could check the event logs - especially if you have security
auditing enabled (a best practice) to see who logged into the server and
when. The time synch events may tell you a very wide timeframe in which the
server's time may have changed. So, the answer is yes the server's time can
be changed even if only for a few hours. Proving if or who may have done it
is another story.

As for the file modified date change, the only thing I can say is that if
you had proper security controls in place, you would know who has access to
the file. If a large number of people can access it, there may be no way of
proving who changed it.

You may want to ask the folks on the security NG since the crux of your
question is how to spy on someone. There are many applications and loggers
(ie: Tripwire) which can do more advanced spying on servers if you are
interested.

 

[sherry]

thanks for the help! if the clock is "temporary" changed,
will the file modified then bear the right clock
or "wrong/tempered" clock? i.e. will we be able to tell
if it was altered?

thanks so much in advance!