No Menu

IT Support Forum

A community of IT professionals

No Menu

Security Account Manager (SAM)

Posted on by Webmaster

IT Support Forum › Forums › Windows › Windows Server 2003 R2 › General Discussion › Security Account Manager (SAM)

Tagged: SAM, Security Account Manager

  • This topic has 0 replies, 1 voice, and was last updated 5 years, 5 months ago by Webmaster.
Viewing 0 reply threads
  • Author
    Posts
    • September 8, 2017 at 3:19 pm #2188
      Webmaster
      Keymaster

      Applies To:Windows Server 2003 with SP1
      What does the Security Account Manager (SAM) do?
      TheSecurity Account Manager (SAM) is a database present on servers running Windows Server 2003 that stores user accounts
      and security descriptors for users on thelocal computer.
      Who does this feature apply to?
      This featureapplies to IT professionals who want to troubleshoot or understand theSAM component’s behavior in
      deployment.Troubleshooting may requirethatadditional tools be downloaded.This topicalso applies to developers that have
      licensed theSAMR and LSAR protocols and developers that usetheLSA trustapplication programming interfaces (APIs) from
      MSDN.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      SAM WPP Logging
      Detailed description
      Security Accounts Manager (SAM) debug logs can becollected by Windows softwaretrace preprocessor (WPP) during
      deployment.WPP can be used to gather information about what theSAM component is doing during a period of time when
      the Windows system is not behaving as expected.This information can be used by Microsoft ProductSupportServices to help
      you troubleshoot issues in your deployment.
      Why is this change important? What threats does it mitigate?
      This may reducethe number of live debug sessions if thelog information is sufficient to determine what is occurring.
      What works differently?
      Nothing works differently. A new featureis enabled to generatelogging.Following arethelogman commands that can be
      used to enablelogging:
      logman create trace samlog -p “{f2969c49-b484-4485-b3b0-b908da73cebb}” 3
      logman start samlog
      rem repeat action that is interesting and that should be captured in log
      logman stop samlog
      This will generatean extended transaction log (ETL), which your ProductSupportEngineer will beableto parse using the
      debug symbol set.
      What settings are added or changed in Windows Server 2003 Service Pack 1?
      A new EventTracing for Windows (ETW) entry exists, f2969c49-b484-4485-b3b0-b908da73cebb.This entry reflects whether
      or not logging has been enabled for theSAM component.Thefollowing sample output from tracelog –enumguid includes the
      new entry.
      Guid Enabled LoggerId Level Flags
      ———————————————————–
      1046d4b1-fce5-48bc-8def-fd33196af19a FALSE 0 0 0
      5007c7b1-1444-4303-bdbe-359c79fc032a FALSE 0 0 0
      7e4b70ee-8296-4f0f-a3ba-f58ef7bb4e96 FALSE 0 0 0
      77db410c-561e-4358-8b0e-af866e91bb89 FALSE 0 0 0
      dd5ef90a-6398-47a4-ad34-4dcecdef795f FALSE 0 0 0
      196e57d9-49c0-4b3b-ac3a-a8a93ada1938 FALSE 0 0 0
      1540ff4c-3fd7-4bba-9938-1d1bf31573a7 FALSE 0 0 0
      94a984ef-f525-4bf1-be3c-ef374056a592 FALSE 0 0 0
      3121cf5d-c5e6-4f37-be86-57083590c333 FALSE 0 0 0
      94335eb3-79ea-44d5-8ea9-306f49b3a04e FALSE 0 0 0
      4a8aaa94-cfc4-46a7-8e4e-17bc45608f0a FALSE 0 0 0
      f33959b4-dbec-11d2-895b-00c04f79ab69 FALSE 0 0 0
      8e598056-8993-11d2-819e-0000f875a064 FALSE 0 0 0
      f2969c49-b484-4485-b3b0-b908da73cebb FALSE 0 0 0
      cc85922f-db41-11d2-9244-006008269001 FALSE 0 0 0
      c92cf544-91b3-4dc0-8e11-c580339a0bf8 FALSE 0 0 0
      bba3add2-c229-4cdb-ae2b-57eb6966b0c4 FALSE 0 0 0
      8fc7e81a-f733-42e0-9708-cfdae07ed969 FALSE 0 0 0
      cddc01e2-fdce-479a-b8ee-3c87053fb55e FALSE 0 0 0
      6acd39eb-4cb0-486b-83fa-307aa23767b1 FALSE 0 0 0
      65f67abd-ecd2-4501-9b10-d48db2300e6c FALSE 0 0 0
      28cf047a-2437-4b24-b653-b9446a419a69 FALSE 0 0 0
      fc4b0d39-e8be-4a83-a32f-c0c7c4f61ee4 FALSE 0 0 0
      fc570986-5967-4641-a6f9-05291bce66c5 FALSE 0 0 0
      39a7b5e0-be85-47fc-b9f5-593a659abac1 FALSE 0 0 0
      dab01d4d-2d48-477d-b1c3-daad0ce6f06b FALSE 0 0 0
      58db8e03-0537-45cb-b29b-597f6cbebbfe FALSE 0 0 0
      58db8e03-0537-45cb-b29b-597f6cbebbfd FALSE 0 0 0
      Preventing SAM and LSA handles from hijacking
      Detailed description
      Theserver sideimplementation of theSAMR and LSAR protocols now implements security checks to ensurethat thecurrent
      caller is thesamecaller that opened thefirst handlereturned from SamConnect and LsaOpenPolicy respectively.
      TheSecurity Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform
      remoteService Account Manager operations, such as user account managementand manipulation.TheSAMR interface
      defines theremoteSecurity Account Manager (SAM) methods thatarecalled by theclient. SamConnect is thefunction that is
      used to connect to theSAM database.
      Why is this change important?
      This changeis related to the RPC changes that help preventelevation of privilegeattacks on your system. Implementing this
      changein the Active Directory interfaces helps makeyour system moresecure by default.
      What works differently?
      If your application uses theSAMR or LSAR protocols,access checks are performed on each call received and verify that the
      client identity that opens thecontext handleis thesameas theclient identity that is making thecall. If your application does not
      usethat convention, it will no longer function after installation of Windows Server 2003 Service Pack 1 (SP1).
      How do I fix these issues?
      All calls to theSAMR and LSAR methods must bein thesamesecurity contextas thecall that generated thecontext handle
      being used in thecall. If they are notyou must modify your application to comply with this requirement.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Mostapplications will not need to bechanged. However, if theapplication’s codeswitches security contexts while using context
      handles obtained from theSAMR and LSAR interfaceit will need to be modified. If theapplication is using any of thefollowing
      APIs,verify with theapplication developer that thecalling security context doesn’t change between thecall LsaOpenPolicy and
      any subsequent Lsa API call that uses the handlereturned from LsaOpenPolicy.
      LsaOpenPolicy
      LsaQueryInformationPolicy
      LsaSetInformationPolicy
      LsaQueryDomainInformationPolicy
      LsaSetDomainInformationPolicy
      LsaEnumerateTrustedDomains
      LsaLookupNames
      LsaLookupNames2
      LsaLookupSids
      LsaEnumerateAccountsWithUserRight
      LsaEnumerateAccountRights
      LsaAddAccountRights
      LsaRemoveAccountRights
      LsaOpenTrustedDomainByName
      LsaQueryTrustedDomainInfo
      LsaSetTrustedDomainInformation
      LsaDeleteTrustedDomain
      LsaQueryTrustedDomainInfoByName
      LsaSetTrustedDomainInfoByName
      LsaEnumerateTrustedDomainsEx
      LsaCreateTrustedDomainEx
      LsaQueryForestTrustInformation
      LsaSetForestTrustInformation
      LsaForestTrustFindMatch
      LsaStorePrivateData
      LsaRetrievePrivateData

  • Author
    Posts
Viewing 0 reply threads
  • You must be logged in to reply to this topic.
Log In
Hard Drive Or Flash Drive? »
  • Share via Facebook 
  • Share via Google 
  • Share via Twitter 
  • Share via Reddit 
  • Share via StumbleUpon 

Search Forums

Log In
Register Lost Password

Powered by WordPress and HeatMap AdAptive Theme