No Menu

IT Support Forum

A community of IT professionals

No Menu

Security Account Manager (SAM)

Posted on by Webmaster

IT Support Forum › Forums › Windows › Windows Server 2003 R2 › General Discussion › Security Account Manager (SAM)

Tagged: SAM, Security Account Manager

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 1 year, 9 months ago.

  • Author
    Posts
  • September 8, 2017 at 3:19 pm #2188

    Webmaster
    Keymaster

    Applies To:Windows Server 2003 with SP1
    What does the Security Account Manager (SAM) do?
    TheSecurity Account Manager (SAM) is a database present on servers running Windows Server 2003 that stores user accounts
    and security descriptors for users on thelocal computer.
    Who does this feature apply to?
    This featureapplies to IT professionals who want to troubleshoot or understand theSAM component’s behavior in
    deployment.Troubleshooting may requirethatadditional tools be downloaded.This topicalso applies to developers that have
    licensed theSAMR and LSAR protocols and developers that usetheLSA trustapplication programming interfaces (APIs) from
    MSDN.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    SAM WPP Logging
    Detailed description
    Security Accounts Manager (SAM) debug logs can becollected by Windows softwaretrace preprocessor (WPP) during
    deployment.WPP can be used to gather information about what theSAM component is doing during a period of time when
    the Windows system is not behaving as expected.This information can be used by Microsoft ProductSupportServices to help
    you troubleshoot issues in your deployment.
    Why is this change important? What threats does it mitigate?
    This may reducethe number of live debug sessions if thelog information is sufficient to determine what is occurring.
    What works differently?
    Nothing works differently. A new featureis enabled to generatelogging.Following arethelogman commands that can be
    used to enablelogging:
    logman create trace samlog -p “{f2969c49-b484-4485-b3b0-b908da73cebb}” 3
    logman start samlog
    rem repeat action that is interesting and that should be captured in log
    logman stop samlog
    This will generatean extended transaction log (ETL), which your ProductSupportEngineer will beableto parse using the
    debug symbol set.
    What settings are added or changed in Windows Server 2003 Service Pack 1?
    A new EventTracing for Windows (ETW) entry exists, f2969c49-b484-4485-b3b0-b908da73cebb.This entry reflects whether
    or not logging has been enabled for theSAM component.Thefollowing sample output from tracelog –enumguid includes the
    new entry.
    Guid Enabled LoggerId Level Flags
    ———————————————————–
    1046d4b1-fce5-48bc-8def-fd33196af19a FALSE 0 0 0
    5007c7b1-1444-4303-bdbe-359c79fc032a FALSE 0 0 0
    7e4b70ee-8296-4f0f-a3ba-f58ef7bb4e96 FALSE 0 0 0
    77db410c-561e-4358-8b0e-af866e91bb89 FALSE 0 0 0
    dd5ef90a-6398-47a4-ad34-4dcecdef795f FALSE 0 0 0
    196e57d9-49c0-4b3b-ac3a-a8a93ada1938 FALSE 0 0 0
    1540ff4c-3fd7-4bba-9938-1d1bf31573a7 FALSE 0 0 0
    94a984ef-f525-4bf1-be3c-ef374056a592 FALSE 0 0 0
    3121cf5d-c5e6-4f37-be86-57083590c333 FALSE 0 0 0
    94335eb3-79ea-44d5-8ea9-306f49b3a04e FALSE 0 0 0
    4a8aaa94-cfc4-46a7-8e4e-17bc45608f0a FALSE 0 0 0
    f33959b4-dbec-11d2-895b-00c04f79ab69 FALSE 0 0 0
    8e598056-8993-11d2-819e-0000f875a064 FALSE 0 0 0
    f2969c49-b484-4485-b3b0-b908da73cebb FALSE 0 0 0
    cc85922f-db41-11d2-9244-006008269001 FALSE 0 0 0
    c92cf544-91b3-4dc0-8e11-c580339a0bf8 FALSE 0 0 0
    bba3add2-c229-4cdb-ae2b-57eb6966b0c4 FALSE 0 0 0
    8fc7e81a-f733-42e0-9708-cfdae07ed969 FALSE 0 0 0
    cddc01e2-fdce-479a-b8ee-3c87053fb55e FALSE 0 0 0
    6acd39eb-4cb0-486b-83fa-307aa23767b1 FALSE 0 0 0
    65f67abd-ecd2-4501-9b10-d48db2300e6c FALSE 0 0 0
    28cf047a-2437-4b24-b653-b9446a419a69 FALSE 0 0 0
    fc4b0d39-e8be-4a83-a32f-c0c7c4f61ee4 FALSE 0 0 0
    fc570986-5967-4641-a6f9-05291bce66c5 FALSE 0 0 0
    39a7b5e0-be85-47fc-b9f5-593a659abac1 FALSE 0 0 0
    dab01d4d-2d48-477d-b1c3-daad0ce6f06b FALSE 0 0 0
    58db8e03-0537-45cb-b29b-597f6cbebbfe FALSE 0 0 0
    58db8e03-0537-45cb-b29b-597f6cbebbfd FALSE 0 0 0
    Preventing SAM and LSA handles from hijacking
    Detailed description
    Theserver sideimplementation of theSAMR and LSAR protocols now implements security checks to ensurethat thecurrent
    caller is thesamecaller that opened thefirst handlereturned from SamConnect and LsaOpenPolicy respectively.
    TheSecurity Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform
    remoteService Account Manager operations, such as user account managementand manipulation.TheSAMR interface
    defines theremoteSecurity Account Manager (SAM) methods thatarecalled by theclient. SamConnect is thefunction that is
    used to connect to theSAM database.
    Why is this change important?
    This changeis related to the RPC changes that help preventelevation of privilegeattacks on your system. Implementing this
    changein the Active Directory interfaces helps makeyour system moresecure by default.
    What works differently?
    If your application uses theSAMR or LSAR protocols,access checks are performed on each call received and verify that the
    client identity that opens thecontext handleis thesameas theclient identity that is making thecall. If your application does not
    usethat convention, it will no longer function after installation of Windows Server 2003 Service Pack 1 (SP1).
    How do I fix these issues?
    All calls to theSAMR and LSAR methods must bein thesamesecurity contextas thecall that generated thecontext handle
    being used in thecall. If they are notyou must modify your application to comply with this requirement.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Mostapplications will not need to bechanged. However, if theapplication’s codeswitches security contexts while using context
    handles obtained from theSAMR and LSAR interfaceit will need to be modified. If theapplication is using any of thefollowing
    APIs,verify with theapplication developer that thecalling security context doesn’t change between thecall LsaOpenPolicy and
    any subsequent Lsa API call that uses the handlereturned from LsaOpenPolicy.
    LsaOpenPolicy
    LsaQueryInformationPolicy
    LsaSetInformationPolicy
    LsaQueryDomainInformationPolicy
    LsaSetDomainInformationPolicy
    LsaEnumerateTrustedDomains
    LsaLookupNames
    LsaLookupNames2
    LsaLookupSids
    LsaEnumerateAccountsWithUserRight
    LsaEnumerateAccountRights
    LsaAddAccountRights
    LsaRemoveAccountRights
    LsaOpenTrustedDomainByName
    LsaQueryTrustedDomainInfo
    LsaSetTrustedDomainInformation
    LsaDeleteTrustedDomain
    LsaQueryTrustedDomainInfoByName
    LsaSetTrustedDomainInfoByName
    LsaEnumerateTrustedDomainsEx
    LsaCreateTrustedDomainEx
    LsaQueryForestTrustInformation
    LsaSetForestTrustInformation
    LsaForestTrustFindMatch
    LsaStorePrivateData
    LsaRetrievePrivateData

  • Author
    Posts

You must be logged in to reply to this topic.

Hard Drive Or Flash Drive? »
  • Share via Facebook 
  • Share via Google 
  • Share via Twitter 
  • Share via Reddit 
  • Share via StumbleUpon 

Search Forums

Log In
Register Lost Password

Powered by WordPress and HeatMap AdAptive Theme