Security Account Manager
The SAM (Security Account Manager) is the database of local accounts on Windows Server 2003, Windows XP and Windows 2000. It is one of the components of the registry. It holds the password hashes of the local accounts (not the passwords themselves).
Microsoft's syskey utility is needed to protect against a local attacker (someone with physical access to the room where the PC is); it strengthens the protection of the key used to encrypt the password hashes. (Syskey was later removed from Windows, starting with Windows 10 version 1709 and the corresponding Windows Server release.)
The "Security Accounts Manager" service
Access to the SAM goes through the Security Accounts Manager service (Gestionnaire de comptes de sécurité in French Windows), one of the services Windows needs in order to run. Its exact English name is Security Accounts Manager (with an S on Accounts); its short service name is SamSs. It is one of the components hosted by the executable Lsass.exe.
For this service to work, the Remote Procedure Call (RPC) service must be running.
If the Security Accounts Manager service stops, the computer reboots.
The Distributed Transaction Coordinator service depends on the Security Accounts Manager service.
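The statements above can be verified on a live machine. The following PowerShell is an added example, not part of the original article: it shows the service's short name SamSs, the services it depends on, the services that depend on it, and the process that hosts it. Run it from an elevated prompt; the variable names are this example's own.

```powershell
# Added example: inspect the Security Accounts Manager service (short name SamSs).
$sam = Get-Service -Name SamSs
$sam | Select-Object Name, DisplayName, Status, StartType

# Services SamSs requires: the Remote Procedure Call service (RpcSs) is among them
$sam.ServicesDependedOn | Select-Object Name, DisplayName, Status

# Services that require SamSs: the Distributed Transaction Coordinator (MSDTC) is among them
$sam.DependentServices | Select-Object Name, DisplayName, Status

# Hosting process: the service runs inside lsass.exe rather than in its own executable
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SamSs'"
$svc | Select-Object Name, ProcessId, PathName
Get-Process -Id $svc.ProcessId | Select-Object Name, Id, Path

# Whether the service control manager accepts a stop request for it at all;
# do not stop it on purpose, since the machine reboots when it goes down
$sam.CanStop
```

The dependency lists come straight from the service control manager, so they are the authoritative answer when a change to RPC or SamSs is being planned.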
Password hashing
The hash function used for the passwords is MD4 (Message Digest 4): the NT hash is MD4 over the UTF-16LE encoding of the password, without any salt (this is still the case on the most recent versions of Windows as of 2005). The older LAN Manager (LM) hash, which these versions still store alongside it by default, is DES-based and far weaker.
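As an added example, not part of the original article, the following PowerShell computes the NT hash that the SAM stores for a local account: MD4 (RFC 1320) over the UTF-16LE encoding of the password. .NET ships no MD4 implementation, so the function implements the algorithm directly and checks itself against the RFC 1320 test vectors before producing any output. The function and variable names are this example's own.

```powershell
# Added example: compute the NT hash that the SAM stores for a local account.
# NT hash = MD4(UTF-16LE(password)), unsalted. .NET has no MD4 provider, so RFC 1320
# MD4 is implemented here in plain PowerShell. All 32-bit words are kept in [int64] and
# masked, because PowerShell widens Int32/UInt32 silently on overflow instead of wrapping.

$Mask32 = [int64]4294967295   # 0xFFFFFFFF

function RotL32([int64]$x, [int]$n) {
    (($x -shl $n) -bor ($x -shr (32 - $n))) -band $Mask32
}

function Get-MD4Hex([byte[]]$Message) {
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian
    $blocks = (($Message.Length + 8) -shr 6) + 1
    $buf = New-Object byte[] ($blocks * 64)
    [Array]::Copy($Message, $buf, $Message.Length)
    $buf[$Message.Length] = 0x80
    $bitLen = [BitConverter]::GetBytes([int64]$Message.Length * 8)
    [Array]::Copy($bitLen, 0, $buf, $buf.Length - 8, 8)

    # Initial state from RFC 1320, written in decimal: a hex literal with the top bit
    # set, such as 0xefcdab89, is parsed by PowerShell as a negative Int32
    [int64]$hA = 1732584193   # 0x67452301
    [int64]$hB = 4023233417   # 0xefcdab89
    [int64]$hC = 2562383102   # 0x98badcfe
    [int64]$hD = 271733878    # 0x10325476

    $shift  = @(@(3, 7, 11, 19), @(3, 5, 9, 13), @(3, 9, 11, 15))    # per round, per step mod 4
    $order3 = @(0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15) # round 3 word order

    for ($off = 0; $off -lt $buf.Length; $off += 64) {
        $words = New-Object int64[] 16
        for ($j = 0; $j -lt 16; $j++) {
            $words[$j] = [int64][BitConverter]::ToUInt32($buf, $off + 4 * $j)
        }
        $a = $hA; $b = $hB; $c = $hC; $d = $hD
        for ($i = 0; $i -lt 48; $i++) {
            $round = $i -shr 4
            switch ($round) {
                0 { $f = ($b -band $c) -bor ((-bnot $b) -band $d)             # F, round 1
                    $k = $i; $add = 0 }
                1 { $f = ($b -band $c) -bor ($b -band $d) -bor ($c -band $d)  # G, round 2
                    $k = ($i % 4) * 4 + (($i - 16) -shr 2); $add = 1518500249 }  # 0x5a827999
                2 { $f = $b -bxor $c -bxor $d                                  # H, round 3
                    $k = $order3[$i - 32]; $add = 1859775393 }                   # 0x6ed9eba1
            }
            $s = $shift[$round][$i % 4]
            $t = RotL32 (($a + $f + $words[$k] + $add) -band $Mask32) $s
            $a, $b, $c, $d = $d, $t, $b, $c     # rotate the working registers
        }
        $hA = ($hA + $a) -band $Mask32; $hB = ($hB + $b) -band $Mask32
        $hC = ($hC + $c) -band $Mask32; $hD = ($hD + $d) -band $Mask32
    }
    # Digest is the four state words in little-endian byte order
    $digest = foreach ($w in $hA, $hB, $hC, $hD) { [BitConverter]::GetBytes([uint32]$w) }
    ($digest | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-NTHash([string]$Password) {
    # UTF-16LE input, no salt: two accounts with the same password share the same hash
    Get-MD4Hex ([System.Text.Encoding]::Unicode.GetBytes($Password))
}

# Self-check against the RFC 1320 test vectors before trusting any output
$ascii = [System.Text.Encoding]::ASCII
if ((Get-MD4Hex ($ascii.GetBytes(''))) -ne '31d6cfe0d16ae931b73c59d7e0c089c0' -or
    (Get-MD4Hex ($ascii.GetBytes('abc'))) -ne 'a448017aaf21d8525fc10ae87aa6729d') {
    throw 'MD4 self-check failed'
}

Get-NTHash ''           # a blank password hashes to MD4 of the empty message
Get-NTHash 'password'
```

Because the hash is unsalted and fast, equal passwords always give equal hashes and precomputed tables apply directly; that, rather than any weakness specific to MD4, is why the confidentiality of the SAM file matters so much and why syskey exists.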
Location on disk
The SAM is stored on disk in the file %SystemRoot%\system32\config\SAM. It is a hive file loaded under HKEY_LOCAL_MACHINE (as HKLM\SAM), itself part of the registry. The location of the SAM file used at the last boot is one of the entries kept under the hivelist key in the registry:
- hivelist is under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
- the value name is \REGISTRY\MACHINE\SAM
- the value data is \Device\HarddiskVolume1\WINDOWS\system32\config\SAM (an NT device path; the volume number and the WINDOWS directory depend on the installation)
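The following PowerShell is an added example, not part of the original article. It reads the hivelist key to show which file backs the SAM hive, lists every loaded hive, shows that even an administrator cannot read the loaded hive's contents, and prints the ACL of the on-disk file. Run it from an elevated prompt; the variable names are this example's own.

```powershell
# Added example: which file backed the SAM hive at the last boot, and who may read it.
$hivelist = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'

# Value name is the hive's registry path; value data is its backing file as an NT device path
$hivelist.'\REGISTRY\MACHINE\SAM'

# All loaded hives and their files (PSPath and the other provider properties are skipped)
$hivelist.PSObject.Properties |
    Where-Object { $_.Name -like '\REGISTRY\*' } |
    ForEach-Object { '{0,-40} {1}' -f $_.Name, $_.Value }

# The loaded hive is visible as HKLM\SAM, but its contents under SAM\SAM are readable
# only by SYSTEM; an administrator gets access denied here
Get-Item -Path 'HKLM:\SAM'
try { Get-ChildItem -Path 'HKLM:\SAM\SAM' -ErrorAction Stop }
catch { "HKLM\SAM\SAM: $($_.Exception.Message)" }

# The file is held open by the kernel while Windows runs and carries a restrictive ACL
# (SYSTEM and Administrators by default), so a copy has to come from an offline disk or
# a shadow copy. That is the local-attacker scenario the article refers to.
$samFile = Join-Path $env:SystemRoot 'System32\config\SAM'
Get-Item -Path $samFile | Select-Object FullName, Length, LastWriteTime
(Get-Acl -Path $samFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If the ACL output shows any principal other than SYSTEM and Administrators with read access, the file's contents are exposed to that principal regardless of the registry ACL on HKLM\SAM.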
DLLs
The DLLs used for the SAM are:
- samlib.dll (SAM client library)
- samsrv.dll (SAM server)
Passwords and System Restore
The System Restore tool rstrui.exe leaves the local passwords untouched (the SAM hive is not rolled back to the restore point), so that users are not confused after a restore.
Three types of accounts
There are three types of accounts: user, computer and group.
Enumeration of SAM accounts by anonymous users
For security reasons it is advisable to forbid anonymous users from enumerating SAM accounts and shares under Windows 2003 and XP. The drawback is compatibility problems with Windows NT 4. This behaviour is controlled in the registry by the two values RestrictAnonymous and RestrictAnonymousSAM under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (LSA here stands for Local Security Authority; see Lsass.exe).
In Windows 2003 and XP these two registry values are set through the Secpol.msc management console. On a French version of Windows this tool appears in Outils d'administration as Stratégie de sécurité locale, and the window it opens is titled Paramètres de sécurité locaux. The two options governing anonymous enumeration are under Stratégies locales / Options de sécurité; in English they are Network access: Do not allow anonymous enumeration of SAM accounts (RestrictAnonymousSAM, enabled by default) and Network access: Do not allow anonymous enumeration of SAM accounts and shares (RestrictAnonymous, disabled by default).
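The following PowerShell function is an added example, not part of the original article. It audits the two registry values behind those policy options and, with a switch, sets both to the restrictive value. The registry path and value names are Microsoft's; the function name and its -Harden switch are this example's own. Run it from an elevated prompt.

```powershell
# Added example: audit, and optionally enforce, the anonymous-enumeration settings.
function Test-SamAnonymousEnumeration {
    param([switch]$Harden)

    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Registry value -> the Security Options policy it backs in secpol.msc
    $settings = @(
        [pscustomobject]@{
            Name   = 'RestrictAnonymousSAM'
            Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
        }
        [pscustomobject]@{
            Name   = 'RestrictAnonymous'
            Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
        }
    )

    $key = Get-Item -Path $lsaKey
    foreach ($s in $settings) {
        $before = $key.GetValue($s.Name)          # $null if the value has never been set
        if ($Harden -and $before -ne 1) {
            Set-ItemProperty -Path $lsaKey -Name $s.Name -Value 1 -Type DWord
        }
        $after = (Get-Item -Path $lsaKey).GetValue($s.Name)
        [pscustomobject]@{
            Value      = $s.Name
            Policy     = $s.Policy
            Data       = $after
            Restricted = ($after -ge 1)           # 0 or absent: anonymous enumeration allowed
        }
    }
}

Test-SamAnonymousEnumeration | Format-Table -AutoSize
# Test-SamAnonymousEnumeration -Harden   # sets both values to 1; NT 4 clients may break
```

The Restricted column is derived from the registry data rather than from the policy snap-in, so it also reflects values set by Group Policy or by a direct registry edit.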
History
In the first version of Windows NT, SAM security was minimal by default. Over successive versions it improved, for instance by allowing storage of the weak, DES-based LAN Manager (LM) hash to be disabled in favour of the MD4-based NT hash alone. In parallel, from Windows NT Service Pack 3 onwards, the syskey utility strengthens the encryption of the password hashes, which gives better protection against a local attacker.
Under Windows NT the SAM managed both local accounts and domain accounts. From Windows 2000 onwards domain accounts are managed by Active Directory. If the administrator needs to restart a domain controller in Directory Services Restore Mode, they must log on with an account that belongs to the SAM and not with an Active Directory account.
Under Windows NT the theoretical limit on the size of the SAM is 40,000 accounts; in practice, in some cases, 60,000 accounts have been reached. Under Windows 2000 Server or Windows Server 2003 this limit is of no practical interest, since domain accounts live in Active Directory.
See also
External links
- Syskey, Microsoft article
- Security of the SAM database on Windows 2000 servers that are NOT domain controllers, by Michel Pruche
- Password pitfalls and System Restore via rstrui.exe
- Understanding Active Directory