What is security accounts manager?
The Security Accounts Manager (SAM), located in the windows system32 config directory, is a database file in the Windows operating system that stores user accounts, comprising usernames and passwords. The main aim behind SAM is to make our system more secure and reliable by protecting credentials in case of a data breach.
Configuring Security Account Manager facilitates user logons, giving users the ability to authenticate themselves to the local machine if an account has been created for them in SAM. SAM holds the user and account information in its database and when a user enters credentials, they are authenticated against the SAM database. If the credentials are correct the user logs on and if they are incorrect an error message will be generated and user will be asked to re-enter the credentials.
What is SAM in Active Directory?
Active Directory Security Accounts Manager (AD SAM) has various naming conventions employed for individual objects. Regarding a User, two specific fields hold significance: sAMAccountName (SAM-Account) and userPrincipalName (UPN).
sAMAccountNames are login identifiers preserved for backward compatibility with pre-NT4 clients. They follow the format domainname\username and samaccountname max length is limited to 20 characters. On the other hand, UPNs serve as login names structured like email addresses. It’s important to note that the domain of the UPN may not necessarily correspond with the user’s location domain. Their format is username@domainname.com, and there’s no character limit.
Evolution of SAM
SAM stores passwords in its database using LAN Manager (LN) hash or New Technology LAN Manager (NTLM) hash format which is determined by the set of policies being implemented.
Offline attacks on the SAM database are possible because SAM database is stored in the memory. So, Microsoft introduced the SYSKEY (System Key) function in Windows NT 4.0 to provide SAM database security against offline software cracking. Enabling the SYSKEY allows you to encrypt the password hash values with a key.
NTLM hash is considered to be more secure than the conventional LM hash because it uses MD4 algorithm to convert plaintext into hashed format. NTLM hash also supports both uppercase and lowercase letters. Similar to the LM hash format NTLM hash also does not perform a salt routine.
How Security Accounts Manager works on local computers
On a local computer, which is used only by a single user and is not connected to a local area network, SAM only stores the password for that particular user and will only ask for that password. SAM file continues to run in the background when a system has been accessed.
The Security Account Manager database (SAM DB) is occasionally found in a backup for subsequent recovery, and it can be accessed without the use of any specialized software.
How SAM works in LAN?
In LAN settings, particularly when managing active directory users and computers, every user account is assigned a local area network password and a Windows operating system password in SAM. When a user attempts to login, Windows asks for the username and the password and authenticates these passwords against the ones in the SAM database. If they are a match the user will be granted access to the system.
Importance of SAM
A serious vulnerability can have a significant negative effect on a system if the SAM policies are not configured.
SAM DB can prove to be beneficial in case a system has been stolen, accessing the data will not be possible if SAM is configured on the system. SAM is also viable in protecting to an extent against online attacks.
SAM vulnerabilities
Since SAM is a database file that stores users' passwords it makes it a highly targeted object by attackers. We are seeing an increased number of attack campaigns in the past few years against known or new vulnerabilities found in the SAM database. Here is an overview of some of the major ones.
SeriousSam vulnerability aka Hive Nightmare is a default configuration set by Microsoft in Windows 10 and 11 that allows attackers with user account access to perform a Pass-the-Hash (and potentially Silver Ticket) attack. By leveraging this vulnerability, attackers can access hashed passwords that are stored in the SAM and the Registry.
sAMAccountName spoofing vulnerability tracked as CVE-2021-42278 sAM. This vulnerability features a severity rating of 7.5 out of 10. It is concerned with a privilege flaw that tends to affect the AD DS or Active Directory Domain Services component.
SAMR (Security Account Manager Remote) vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username.
SAM and LSAD protocols vulnerability provides the attacker with an elevation of privilege and access to the SAM database.The vulnerability is caused by the way the SAM and Local Security Authority (Domain Policy) (LSAD remote protocols establish the Remote Procedure Call (RPC) channel.
Window SAMs Hardening is Essential
Implementing a comprehensive server security policy, especially for domain controllers, is an essential step in the process of securing both Windows and Linux servers. Compliance must be attained and maintained through a set of evolving, continuously implemented, and easily-audited controls. By not hardening your assets the SAM vulnerabilities can provide an attacker with an elevation of privileges, access to passwords and affect the Active Directory with disruptions in service. Reducing the attack surface by eliminating potential attack vectors is done through hardening automation.
Baseline Configuration for Security Account Manager
A security baseline is a best practice recommended configuration setting by most commonly the Center for Internet Security (CIS) or by the National Institute of Standards and Technology (NIST) that explains a security implication.
Here are several of the SAM CIS benchmark protocols advised to harden:
Network access: Restrict clients allowed to make remote calls to SAM
This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used.
If not hardened: A malicious agent could remotely access the SAM and discover confidential information.
Network access: Do not allow anonymous enumeration of SAM accounts
This policy setting controls the ability of anonymous users to enumerate the accounts in the SAM.
If not hardened: An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information). READ MORE– link to policy expert with all the information
Network access: Restrict clients allowed to make remote calls to SAM
This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used.
If not hardened: A malicious agent could remotely access the SAM and discover confidential information.
Network access: Do not allow anonymous enumeration of SAM accounts and shares
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares.
If not hardened: An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks.
For organizations that do not want to perform hardening manually due to time and resources, CalCom offers them a solution. Hardening Automation Suite by CalCom provides solutions for many system components and is able to fully automate the hardening process.
