Americas

  • United States

Asia

Oceania

sbradley
Contributing Writer

How and when to set Windows logging to UTC time

How-To
Apr 10, 20195 mins
Network SecuritySecuritySmall and Medium Business

As networks become more distributed and cloud-based, you should consider changing servers to UTC time to ensure proper syncing. This will help with forensics investigations.

The concept of time zones is a relatively one. In England, to organize trains and schedules, the concept of railway time was introduced to overcome the confusion caused by having non-uniform local times in each town and station stop. It was also used to reduce accidents and issues in scheduling trains entering and leaving stations. As travel increased in scope and type, the need for standardization demanded that we had time zones. As we added technology, we just built on the concept of the need for local time.

Once upon a time we set the logging for servers in the local time of wherever they were located. This made correlation of events, especially to local computers, consistent and relatively easy. Then the internet was born, and we moved our servers to the cloud and data centers. Suddenly, setting logging to local time made no sense at all. Add to that having help desks and distributed organizations and making the correlation across organizations means that moving logging to Coordinated Universal Time (UTC) may be wise.

What is UTC and why is it important to security?

UTC is a 24-hour time standard that helps the world’s timing centers keep their time scales synchronized. It is based on Universal Time (UT1), which uses the speed of the Earth’s rotation to measure time.

As I explained earlier, if you cannot properly sync time across your network, it can have negative effect on security updates, authentication and forensics investigations. Moving logging to UTC helps keep your entire network in sync.

As with any decision, you need to evaluate what makes sense for your organization. If you are a small firm and all your administrators and users are in one time zone, logging into that time zone might be more appropriate. If all of the logs are pulled into a central location from various time zones for analysis, you might choose UTC to do a cross analysis. You should also check with your logging and firewall vendors to see what they recommend for selection of time.

Often applications choose a time zone for you. Thus, it’s wise to investigate ahead of time what time zone is chosen. For example, for many years Microsoft’s web server, Internet Information Services (IIS) would by default choose UTC time based on a specification.  As noted in KB271196, the extended log file format used by IIS was defined in the W3C Working Draft WD- logfile-960323 specification by Phillip M. Hallam-Baker and Brian Behlendorf. This document defined the date and time files to always be in Greenwich Mean Time (GMT), which shares the same current time as UTC. You had to make an adjustment if you wanted a local time zone.

Microsoft’s cloud platform Azure bases its system on UTC now, but that wasn’t always the case. In 2009, the decision was made to move Azure off of Pacific time zone logging time and onto UTC. Azure and the Windows Defender Advanced Threat Protection (ATP) portal uses UTC for their logging and tracking information. While the local computer is in its local time zone, the logging in the ATP portal is always UTC. However, it’s easy to click on the global icon on the menu to flip between the local time zone of the computer and UTC.

bradley timezone 1 Susan Bradley

Time zone setting for Windows Defender ATP 

Often in forensics, you use the registry to determine what time zone a computer is located in. As noted, you can look at HKEY_LOCAL_MACHINEControlSet001ControlTimeZoneInformation (in a mounted image) or on a live computer look at HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTimeZoneInformation to determine what time zone a computer is set for.

bradley timezone 2 Susan Bradley

Windows registry key showing time zone

As you can see, the registry key identifies what time zone the computer is in.

As noted in a recent article, when dealing with time and Azure and especially SQL, consider GETUTCDATE and SYSUTCDATETIME instead of using functions like GETDATE and SYSDATETIME. Older SQL applications often were written without cloud platforms in mind and using local time. Before migrating applications to the cloud, evaluate if they can handle a transition to UTC time.

Finally, you can use PowerShell to determine the exact time zone of the computer and use it to determine the time zone from a series of remote computers. The command Get-TimeZone will respond with the time zone of the computer. It can be combined with a list of servers to determine the time zone of numerous systems.

bradley timezone 3 Susan Bradley

Determine the time zone with PowerShell

Bottom line: Evaluate applications, logging and anything else that might be time sensitive and determine if they can be moved to UTC time or have an easy conversion from the local time to UTC time.  Determine what makes sense for you and what provides you with the best information. You might find as you add more cloud services that moving logging across your network to UTC makes the most sense to allow you to best correlate events.

sbradley
Contributing Writer

Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.

More from this author