Security

Get ready for 2007 Daylight Saving Time changes

If you operate a network in the United States, impending changes to Daylight Saving Time (DST), courtesy of the Energy Policy Act of 2005, is going to affect your operations. Mike Mullins details the effects and tells you how to prepare for them.

Time is critical when it comes to security. Logs, access time, and authentication all need to exhibit the precise time if they're going to work correctly. And synchronization of that time across your enterprise is vital.

If you operate a network in the United States, impending changes to Daylight Saving Time (DST), courtesy of the Energy Policy Act of 2005, is going to affect your operations. Let's look at what these changes entail.

What's the problem?

Most of us are familiar with the DST rule of thumb: Spring forward, Fall back. While the concept will remain the same, the details are changing this year.

Previously, DST began on the first Sunday of April and ended on the last Sunday of October. This year, thanks to an energy bill President Bush signed in August 2005, DST begins three weeks earlier on March 11. (DST also ends one week later; this year, it ends November 4.)

Besides having to manually change some clocks, how does this affect your organization? It depends on what type of hardware and software you have in your enterprise.

For example, if you run Microsoft systems on your network, Windows Vista and Windows Server 2003 are good to go. Both OS versions either have the changes built-in or the changes were part of a previous service pack—one more reason to make sure you're up to date on the latest service pack. But you'll need to update other Windows systems. Don't wait until March 9 to make sure—do your homework now.

However, regardless of what software you're running on your network, the possible effects of an unevenly applied time change can have a variety of effects on your security operations.

  • Authentication systems: Systems that rely on accurate local system time (e.g., Kerberos) to grant system access will typically fail, denying authentication credentials to valid users.
  • Time-based access control systems: Erroneously granted access could result in a violation of security policy. Systems could grant access during a time it should be denied, or they could deny valid users access.
  • Logging systems: Incorrect timestamps result in an inaccurate audit trail.

What's the solution?

Whenever feasible, configure systems to record time in Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT)—not local time. Time zones are subject to changes in local laws and regulations, but UTC and GMT time are consistent across the globe. Two synchronized clocks reading UTC or GMT will be identical regardless of their physical locations. If you're not already using GMT on your security devices and logging mechanism, now would be a good time to start.

For systems that need to run on local time, visit your various vendors' Web sites to determine which solutions they suggest. Here's some links from major vendors to get you started:

  • Apple: Mac OS X has an update that will fix this problem.
  • Cisco: Cisco has patches and workaround solutions available for all supported systems.
  • Juniper: Most current JUNOS versions support the changes. However, it also recommends changing devices to use UTC.
  • Microsoft: Redmond has a wide variety of patches and workarounds for systems beyond its support cycle.
  • Sun: Patches are available; Sun recommends applying patches regardless of current time zone setting.

Final thoughts

This change hasn't received nearly as much hype as the millennium bug, but that turned out to be a huge non-event. However, this isn't a problem you can ignore either. Get your systems patched, updated, or mitigated, and move on to the next problem. Remember: Time stands still for no one.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

45 comments
LincDK
LincDK

Australia changed the dates of Daylight savings last year and I have to say, the general consensus was that the work experience kid wrote the patch for it. For most of us, we just grinned and bore it for extra few weeks. staff learn't not to rely on their outlook calendar if dealing with companies outside of their office. Nightmare.... I hope things go better for you folk in the US.

computerd}}
computerd}}

For those that don't know about the patch and aren't updating your computers, get ready for a hack attack. Haven't found a windows 2000 patch yet.

paul.gormley
paul.gormley

How are UK based networks effected by this, if it all ?

Ian Gregory
Ian Gregory

I live in the UK, notwithstanding, I was advised to download the "critical" update for Dalight Saving Time, as I am not affected by this, I deleted the download. Now I just get a large sign saying I deleted a critical download - it doesn't matter that it doesn't affect me! MS should get their act together, and it may be a good idea to try putting such downloads as optional downloads in future.

GonePhishing
GonePhishing

Its hard to find applications that won't continue to work just fine. UTC is the standard applications count on, and UTC doesn't change. A problem will arise if people see local time and see that its an hour off. As a rule, clocks don't say "9:00 AM Standard Time" or "9:00 AM Daylight Time". Its truncated to the ambiguous "9:00 AM". If someone sees the time, sees that its an hour off, the temptation is to change it. That's what will cause a problem; that's what would cause people to diverge from UTC. The appropriate fix is to switch from Standard time to Daylight time. That's not something people are used to doing. Head off the temptation to change the time. Get the new start and end dates in place.

Jaqui
Jaqui

DST is a device designed for the sole purpose of screwing you over for sleep two weekends of the year. it doesn't reduce energy consumption. it doesn't change the number of hours he sun is in the sky. all is does is rob your staff of effectiveness for a week after the clocks are changed. so, it actually costs your business MORE to switch the clocks than to tell everyone that you stick to standard time.

/dev/null
/dev/null

Not local time. Kerberos uses UTC, not the local representation. Therefore even if the patch isn't applied authentication will still work, lots of applications will be affected but not auth. So apply the patch regardless. This is even more painful in the *nix environment, especially when dealing with old legacy versions. See: http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1241193,00.html google search: MS document that states it: site:microsoft.com kerberos DST utc

computerd}}
computerd}}

Make sure you manually update your mobile phones also. We are already seeing a conflict with our Outlook schedules being off an hour. Cingular and Nextel have patches.

hsorensen
hsorensen

Go to http://www.intelliadmin.com/Downloads.htm. You'll find a little utility that makes patching W2k boxes about as easy as it gets. It's called "Windows NT/2000/XP/2003 Daylight Saving Time Fix". They've even got one for Win98 boxes. Point-n-Click, a whole lot easieer than manually going through all the steps.

rkuhn040172
rkuhn040172

You probably aren't affected at all. But, as the world shrinks smaller and smaller every year and we all interact in more and more ways, if you do any business at all with the US, have meetings scheduled with US counterparts, networked globally with the US, have staff who travel here with laptops, handhelds, etc there could be complications.

DownRightTired
DownRightTired

These two cause more drama than Bobby and Whitney

MTCMPTRGUY
MTCMPTRGUY

I really don't understand why all of the sudden this is Microsofts problem... they didn't make the change to DST. How are they supposed to know if the changes will affect you? The person in the next office may need the changes.

JamesOD
JamesOD

Perhaps this will finally force Microsoft and others to make changing the DST rules easy. While this is the first (I think) change of DST to affect the USA, other parts of the world have had to deal with numerous changes in DST rules. Microsoft, all PDAs and many network device do not have a simple and reliable way of changing the rules. Calendaring Outlook and synchronising with a PDA does not handle the change well!

rkuhn040172
rkuhn040172

Study after study after study shows DST does save energy, period. The only real question is how much and is it worth the problems that it creates.

bill.herde
bill.herde

The issue is not if you like it or agree with it. It is. And as IT profesionals you need to know how to deal with it.

DownRightTired
DownRightTired

have had kerberos errors logged on my server. Yeh it uses an offset but that offset is based on time zones right? so if you have 2 machines set in the same time zone but with 2 different times authentication will fail. (got the logs to prove it ;-)

mjfera
mjfera

True, Kerberos uses offsets from UTC. However, an un-updated client in the Eastern Time Zone will be using GMT-5 on March 12th, while the updated server will be using an adjusted version of GMT-5, which is only 4 hours behind GMT. This will yield a 60 minute difference between client and server, and kerberos will fail. The link below is from a Cisco Field Notice. Note the sentence "If you are using Kerberos in your network, it will fail." http://www.cisco.com/en/US/products/sw/conntsw/ps1869/products_field_notice09186a00807e0301.shtml IMHO, if I have to choose a reliable source of technical information regarding Kerberos, I'm going to choose Cisco over a post on a message board. Just my two cents.

mmorrison
mmorrison

Which is why a user from any particular timezone can authenticate to a network in a seprate TZ. The only thing is the skew (delta) from the value for UTC the auth-server is running has to be within the default defined value. On MS it's 5 minutes. Btw: Time Machine for UNIX, Linux or Windows can help check for issues. http://www.solution-soft.com/pr/PR_TimeMachine-DST_02-22-07.shtml

SO.CAL Guy
SO.CAL Guy

Microsoft has made patch's for there products so i really can't understand why some of the blogers are blaming them for this they did there job and i think the reason they put the patch in high-priority updates is because a lot of ppl would bypass the patch if it was in optional updates

NoStaff
NoStaff

It is true that Microsoft has released a number of patches to address the DST issue, but these solutions are a crapshoot. In an all MS environment (OS+ Exchange 2k3 + Windows Mobile 5) testing is proving that there is no way to fix it all. The patches seem to have no way of knowing what's already been done on a mailbox. Broken events get fixed, but fixed events get broken. Correct them only to have them broken again by the PDA fix!! This definely could have been done better by MS. The Exchange tool has a horrible fix rate and pushing the Outlook update out and then training 100s of users to correctly apply is a nightmare.

MumpsGuy
MumpsGuy

I lived in Arizona for over 30 years, never jumped forward or fell back. Never missed it, and the world didn't end because it didn't happen there. Now I live in Virginia, and find it's a worthless event. Why bother?

medullaoblongata
medullaoblongata

http://www.berkeley.edu/news/media/releases/2007/03/08_dst.shtml http://www.ucei.berkeley.edu/PDF/csemwp163.pdf. The study was conducted in Victoria, Australia but the location and climate is equivalent to southern California in the Northern Hemisphere. The researchers found that energy consumption [b]increased[/b] by .34 % when DST was extended. Furthermore, this study wasn't just predicting based on trends, the extension actually occurred due to the Olympics. The decision to extend DST in the US was based off of 25 year old studies that concluded there would be a 1% decrease in consumption. According to this article, http://news.nationalgeographic.com/news/2005/07/0728_050728_daylight.html there really isn't "study after study after study" that "shows DST does save energy". I'd like to see links to those numerous studies that prove DST saves energy because I wasn't able to find much support for it. Seems pretty silly to cause all of this upheaval and problems that we have been experiencing due to DST based on information that is 25 years old. A lot of things have changed since the '70s and I tend to doubt that conclusions found about energy consumption still hold true now.

apotheon
apotheon

The Mondays immediately following the changeovers not only result in decreased worker productivity, but also contribute to increased incidence of fatal traffic accidents. The autumn switch is statistically worse than the spring incidence of changing the clocks for the death toll, but it's a measurable increase in both cases. As far as I'm concerned, we can afford to spend a little more energy to save lives. Also . . . if they're really that worried about saving energy, they should just stick to DST year 'round.

scotts
scotts

We have no choice but to deal with it and the issues that it causes... good, bad or indifferent.

mmorrison
mmorrison

It is a little complicated. But's here's a decent converstation from MIT about this issue. http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/27540 If you're asking will an application fail? It breaks down to, it depends.

jtew
jtew

Microsoft did a crack job of testing the patches before releasing them, and then revamped them and did a rerelease, they also have made a patch for updating the outlook calandars from the server which will only work in certain environments, and not all. They also failed to properly document the calander tool.

toxic psychotic avenger
toxic psychotic avenger

Microsft did not create the DST bill nor did they sign it into law. it is not their "responsibility" to fix what is essentially your issue. if you do not like their fixes, write your own.

TonytheTiger
TonytheTiger

They have the 5 o'clock news coming on at 4. Of course, 3's already past, so I can't scroll back to see what's on now.

Tig2
Tig2

And good luck with all that. There are opinions that energy savings result. There are not facts. With this change, it was emplaced in a manner that allows it to be rolled back to the original logic if there is no provable reason to do it early again. Why would that be? I am interested in seeing what productivity losses occur this week with missed appointments and meetings. And if the value of that lost productivity is equal to, greater than, or lesser than the value of the energy savings that we will supposedly realise.

rkuhn040172
rkuhn040172

End of story. I live in Indiana, one of those States that used to not change. I couldn't care either way but if it saves energy, why not do it?

apotheon
apotheon

I was eating cereal when I read that. I almost choked on it. You need "Warning: May Cause Laughter" disclaimers on these things.

DownRightTired
DownRightTired

"I propose that since these natural circadian rhythms you speak of are so dangerous, that we pass a law requiring all businesses to close after 9pm" Im assuming you were being sarcastic here, yet your poking fun at the very thing your supporting. Congress telling me I have to go to bed an hour earlier is the same as telling me i have to close my business an hour earlier. "but in the interest of safety, I'll cooperate." so you wouldnt cooperate in the interest of safety but are all for cooperating in the interest of.... of what? Maybe next congress could enact a bill requiring that one hour of your daily pay would go to an energy conservation fund. That fund could build pretty windmills with flowers on them. I believe that would meet your requirements for acceptability as it would save energy and just make it nice to be outside (all the time not just the summer!):-)

DownRightTired
DownRightTired

I havnt seen the report but the I can definitely see where that extra hour of drinking at the bar in the fall would cause more accidents. I know its my favorite night to go out! Would be interested to see the report to see if it notes a timetable.

DownRightTired
DownRightTired

thats why i love this country, all the options for conserving energy and we decide to control the sun.

apotheon
apotheon

"[i]The effort put forth for DST is two fold. One, try to save some energy. Two, it's just nice being light outside later in the summer[/i]" 1. As long as you're trying, it doesn't matter how effective you are or whether there are side-effects much worse than the positive effects toward which you're aiming, I guess. That's fairly typical for the justifications offered for governmental programs. 2. If you want to stay out later, stay out later. You don't have to cause people to die just to have the ability to stay out later.

rkuhn040172
rkuhn040172

Well then, while we're throwing out DST because it is causing more accidents (tenths or even hundredths of a percent more), perhaps we shouldn't stop there. I propose that since these natural circadian rhythms you speak of are so dangerous, that we pass a law requiring all businesses to close after 9pm. Kinda puts a crimp in my late night runs to Taco Bell, but in the interest of safety, I'll cooperate. Now really, sarcasm aside, get a grip on the cranial-anal inverse and think about what you and Apotheon are saying. Sure, I'm pretty sure we can find a study to support just about anything nowadays. I sort of remember someone proving that eating too much broccoli actually causes cancer. The effort put forth for DST is two fold. One, try to save some energy. Two, it's just nice being light outside later in the summer :)

TonytheTiger
TonytheTiger

making that extra pot of coffee to stay awake!

Tig2
Tig2

That people trying to work graveyard shifts tend to cause more accidents. Your body has a natural circadian rhythm. Efforts to circumvent it tend to cause problems- like a lack of alertness. You really need to try a quick search of an issue before you post knee jerk responses. And your attitude will tend to invite flames. We really don't need that. Edited to add an "r" in an appropriate place.

apotheon
apotheon

Good of you to offer an opinion. Now offer some logical support for your statements, rather than just stating them and figuring that covers it. "[i]DST is still worth it and the driving consequences just need to be addressed. Can't throw the baby out with the bath water.[/i]" Unsupported statements. Thanks for your time. Please move along. "[i]One of the reasons quoted in the story in the fall case of DST could be related to alcohol consumption (extra hour to drink). Hardly a reason to not embrace DST.[/i]" Yeah . . . 'cause I always get drunk to celebrate the end of DST. Don't you? (that was sarcasm) "[i]But because DST temporarily inconviences some people is beside the point. You don't like DST...I don't like energy saving light bulbs.[/i]" There's a distinct difference between disliking energy saving lightbulbs and disliking the possibility of someone half-asleep flying through a Stop sign to t-bone my car, potentially killing or maiming me. Thanks for playing. Please move along.

rkuhn040172
rkuhn040172

1) DST is still worth it and the driving consequences just need to be addressed. Can't throw the baby out with the bath water. 2) One of the reasons quoted in the story in the fall case of DST could be related to alcohol consumption (extra hour to drink). Hardly a reason to not embrace DST. Bottom line, the world has energy issues. DST helps temporarily address this. Much more needs to be done. But because DST temporarily inconviences some people is beside the point. You don't like DST...I don't like energy saving light bulbs. Who cares?

rkuhn040172
rkuhn040172

Instead of spewing crap like that. Tell me, oh enlightened one, just how exactly does DST cause more traffic accidents? And even if it does, that doesn't mean that DST isn't a good idea. The next logical step would be to do DST and decrease the traffic accidents at the same time. Your logic is so flawed at times I just have laugh.