Windows – Prevent users from changing the system time on Windows

Tags: operating system, time, windows

I don't want users to be able to change the system time. For this, I have set the Group Policy "Change the system time" to include only my Administrator account. I want to know the validity of this measure. Is there any way that despite this check, users will be able to change the system time by using some workaround technique that I am unaware of?

Best Answer

The Group Policy setting works, in that it does what it says it does. However, you asked if there are any workarounds.

First of all, in changing the "Change the system time" policy, you may have inadvertently prevented Windows Time from doing its job, so you might want to check if you're getting any w32tm errors in your event logs now that the "Administrators" group or "LOCAL SERVICE" account no longer has the ability to change the time. Windows Time (the NTP client) does want to periodically change the system time.

Any attempt to change the system time from within Windows is checked against the SeSystemtimePrivilege user right. It doesn't matter whether you use w32tm.exe, date.exe, time.exe, etc.; the process will inherit the security token of the user who called the program, and Windows will deny the time change request if the process doesn't have SeSystemtimePrivilege.

Secondly, you cannot prevent an administrator from being an administrator. So as long as I have an administrative session on the machine, I will be able to work around and/or modify the security policy on that machine however necessary so that I can change the clock again.

If I have physical access to the machine at all, then I will boot it from a USB stick and make myself an administrator (or make a new local account and add it to the administrators group), then I will boot back up normally and log in with the new admin account, at which point I will be able to disable Group Policy, modify the local security policy however I wish, and then I will be able to change the system time (among quite a lot else).

Further measures that the IT department would take to prevent people like me from such tampering include BIOS password, Bitlocker, Sophos Safeguard, etc. Those things would prevent me (but maybe not someone smarter/more determined than me) from tampering with the system, even if I had physical access to it.

But even things like Bitlocker have limits. I could boot the system, freeze the RAM with compressed air/nitrogen, transplant it to another system for dumping, and find the key so that I could decrypt the drive. Then start back at step 1.

Moral of the story is that if someone else has physical access to your computer, it isn't your computer anymore.

Now if you're talking about a system that's only logged on to remotely, the story changes a bit. I'd essentially need to fall back to exploits or 0-days that affect one or more of the interfaces into the system left available to me... the RDP protocol, WinRM protocol, etc. That's a much more difficult task.
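As an added example that is not part of the answer above: a PowerShell audit script (assumed to run from an elevated prompt on the machine whose policy was changed) that reads who actually holds SeSystemtimePrivilege in the effective local policy, warns if LOCAL SERVICE has been dropped, and lists recent Windows Time errors and warnings from the System log, which is the check the answer recommends.

```powershell
# Added audit script, not from the original answer. Assumes an elevated
# session; secedit needs administrator rights to export the policy.

# 1. Export the effective local security policy and find the line for
#    SeSystemtimePrivilege (the user right behind "Change the system time").
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Output 'SeSystemtimePrivilege is not explicitly assigned in the exported policy.'
    $holders = @()
} else {
    # The line looks like "SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544".
    # Entries are SIDs prefixed with "*" or plain account names; resolve SIDs.
    $holders = ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else { $entry }
    }
}
Write-Output "Accounts holding SeSystemtimePrivilege: $($holders -join ', ')"

# 2. The answer warns that removing LOCAL SERVICE (S-1-5-19) stops the
#    Windows Time service from correcting the clock.
if ($line -and ($line.Line -notmatch 'S-1-5-19')) {
    Write-Warning 'LOCAL SERVICE is missing; W32Time will be unable to adjust the clock.'
}

# 3. Recent Windows Time errors (level 2) and warnings (level 3) in the System log.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Time-Service'
    Level        = 2, 3
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No Windows Time errors or warnings in the last 7 days.'
}

# 4. Whether the current session's token carries the right at all.
whoami /priv | Select-String 'SeSystemtimePrivilege'
```

Run it once after applying the policy and again after a Group Policy refresh (gpupdate /force) to confirm the assignment you intended is the one in effect.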