Security Account Manager (SAM)
Tagged: SAM, Security Account Manager
This topic has 0 replies, 1 voice, and was last updated 5 years, 9 months ago by Webmaster.
September 8, 2017 at 3:19 pm #2188
Webmaster (Keymaster)
Applies To: Windows Server 2003 with SP1
What does the Security Account Manager (SAM) do?
The Security Account Manager (SAM) is a database present on servers running Windows Server 2003 that stores user accounts and security descriptors for users on the local computer.
Who does this feature apply to?
This feature applies to IT professionals who want to troubleshoot or understand the SAM component's behavior in deployment. Troubleshooting may require that additional tools be downloaded. This topic also applies to developers that have licensed the SAMR and LSAR protocols and developers that use the LSA trust application programming interfaces (APIs) from MSDN.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
SAM WPP Logging
Detailed description
Security Account Manager (SAM) debug logs can be collected by the Windows software trace preprocessor (WPP) during deployment. WPP can be used to gather information about what the SAM component is doing during a period of time when the Windows system is not behaving as expected. This information can be used by Microsoft Product Support Services to help you troubleshoot issues in your deployment.
Why is this change important? What threats does it mitigate?
This may reduce the number of live debug sessions if the log information is sufficient to determine what is occurring.
What works differently?
Nothing works differently. A new feature is enabled to generate logging. Following are the logman commands that can be used to enable logging:
logman create trace samlog -p "{f2969c49-b484-4485-b3b0-b908da73cebb}" 3
logman start samlog
rem repeat action that is interesting and that should be captured in log
logman stop samlog
This will generate an event trace log (ETL) file, which your Product Support Engineer will be able to parse using the debug symbol set.
What settings are added or changed in Windows Server 2003 Service Pack 1?
A new Event Tracing for Windows (ETW) entry exists, f2969c49-b484-4485-b3b0-b908da73cebb. This entry reflects whether or not logging has been enabled for the SAM component. The following sample output from tracelog -enumguid includes the new entry.
Guid Enabled LoggerId Level Flags
———————————————————–
1046d4b1-fce5-48bc-8def-fd33196af19a FALSE 0 0 0
5007c7b1-1444-4303-bdbe-359c79fc032a FALSE 0 0 0
7e4b70ee-8296-4f0f-a3ba-f58ef7bb4e96 FALSE 0 0 0
77db410c-561e-4358-8b0e-af866e91bb89 FALSE 0 0 0
dd5ef90a-6398-47a4-ad34-4dcecdef795f FALSE 0 0 0
196e57d9-49c0-4b3b-ac3a-a8a93ada1938 FALSE 0 0 0
1540ff4c-3fd7-4bba-9938-1d1bf31573a7 FALSE 0 0 0
94a984ef-f525-4bf1-be3c-ef374056a592 FALSE 0 0 0
3121cf5d-c5e6-4f37-be86-57083590c333 FALSE 0 0 0
94335eb3-79ea-44d5-8ea9-306f49b3a04e FALSE 0 0 0
4a8aaa94-cfc4-46a7-8e4e-17bc45608f0a FALSE 0 0 0
f33959b4-dbec-11d2-895b-00c04f79ab69 FALSE 0 0 0
8e598056-8993-11d2-819e-0000f875a064 FALSE 0 0 0
f2969c49-b484-4485-b3b0-b908da73cebb FALSE 0 0 0
cc85922f-db41-11d2-9244-006008269001 FALSE 0 0 0
c92cf544-91b3-4dc0-8e11-c580339a0bf8 FALSE 0 0 0
bba3add2-c229-4cdb-ae2b-57eb6966b0c4 FALSE 0 0 0
8fc7e81a-f733-42e0-9708-cfdae07ed969 FALSE 0 0 0
cddc01e2-fdce-479a-b8ee-3c87053fb55e FALSE 0 0 0
6acd39eb-4cb0-486b-83fa-307aa23767b1 FALSE 0 0 0
65f67abd-ecd2-4501-9b10-d48db2300e6c FALSE 0 0 0
28cf047a-2437-4b24-b653-b9446a419a69 FALSE 0 0 0
fc4b0d39-e8be-4a83-a32f-c0c7c4f61ee4 FALSE 0 0 0
fc570986-5967-4641-a6f9-05291bce66c5 FALSE 0 0 0
39a7b5e0-be85-47fc-b9f5-593a659abac1 FALSE 0 0 0
dab01d4d-2d48-477d-b1c3-daad0ce6f06b FALSE 0 0 0
58db8e03-0537-45cb-b29b-597f6cbebbfe FALSE 0 0 0
58db8e03-0537-45cb-b29b-597f6cbebbfd FALSE 0 0 0
Preventing SAM and LSA handle hijacking
Detailed description
The server-side implementation of the SAMR and LSAR protocols now implements security checks to ensure that the current caller is the same caller that opened the first handle returned from SamConnect and LsaOpenPolicy respectively.
The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform remote Security Account Manager operations, such as user account management and manipulation. The SAMR interface defines the remote Security Account Manager (SAM) methods that are called by the client. SamConnect is the function that is used to connect to the SAM database.
Why is this change important?
This change is related to the RPC changes that help prevent elevation of privilege attacks on your system. Implementing this change in the Active Directory interfaces helps make your system more secure by default.
What works differently?
If your application uses the SAMR or LSAR protocols, access checks are performed on each call received and verify that the client identity that opens the context handle is the same as the client identity that is making the call. If your application does not use that convention, it will no longer function after installation of Windows Server 2003 Service Pack 1 (SP1).
How do I fix these issues?
All calls to the SAMR and LSAR methods must be in the same security context as the call that generated the context handle being used in the call. If they are not, you must modify your application to comply with this requirement.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Most applications will not need to be changed. However, if the application's code switches security contexts while using context handles obtained from the SAMR and LSAR interface, it will need to be modified. If the application is using any of the following APIs, verify with the application developer that the calling security context doesn't change between the call to LsaOpenPolicy and any subsequent Lsa API call that uses the handle returned from LsaOpenPolicy.
LsaOpenPolicy
LsaQueryInformationPolicy
LsaSetInformationPolicy
LsaQueryDomainInformationPolicy
LsaSetDomainInformationPolicy
LsaEnumerateTrustedDomains
LsaLookupNames
LsaLookupNames2
LsaLookupSids
LsaEnumerateAccountsWithUserRight
LsaEnumerateAccountRights
LsaAddAccountRights
LsaRemoveAccountRights
LsaOpenTrustedDomainByName
LsaQueryTrustedDomainInfo
LsaSetTrustedDomainInformation
LsaDeleteTrustedDomain
LsaQueryTrustedDomainInfoByName
LsaSetTrustedDomainInfoByName
LsaEnumerateTrustedDomainsEx
LsaCreateTrustedDomainEx
LsaQueryForestTrustInformation
LsaSetForestTrustInformation
LsaForestTrustFindMatch
LsaStorePrivateData
LsaRetrievePrivateData
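The following PowerShell is an added example for the "SAM WPP Logging" section of the post above; it is not part of the original post or of Microsoft's documentation. It wraps the logman sequence from that section in a function that always stops and deletes the trace session, and parses output in the layout of the tracelog -enumguid table to report whether the SAM provider (f2969c49-b484-4485-b3b0-b908da73cebb) is enabled. Assumptions: logman.exe is on the PATH and the script runs as a local administrator; the session name, the -o output path, the function names and the sample rows are this script's own. tracelog.exe is assumed to come from the platform SDK/WDK rather than to be present by default.

```powershell
# Added example (not part of the original post): wraps the post's logman sequence in a
# function that always stops and deletes the session, and parses "tracelog -enumguid"
# style output to report the SAM provider's state.
# Assumptions: logman.exe on the PATH, running as a local administrator; the session
# name, -o output path and sample rows below are this script's own choices.
$SamProviderGuid = '{f2969c49-b484-4485-b3b0-b908da73cebb}'   # GUID from the post

function Invoke-SamTrace {
    param(
        [Parameter(Mandatory = $true)] [scriptblock] $Action,   # the behaviour to capture
        [string] $SessionName = 'samlog',
        [string] $OutputFile = (Join-Path $env:TEMP 'samlog.etl')
    )
    # Same provider and trailing value as the post's "logman create trace" command.
    & logman.exe create trace $SessionName -p $SamProviderGuid 3 -o $OutputFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman create failed (exit code $LASTEXITCODE)" }
    try {
        & logman.exe start $SessionName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit code $LASTEXITCODE)" }
        try {
            & $Action                       # reproduce the problem while tracing is on
        } finally {
            & logman.exe stop $SessionName | Out-Null
        }
    } finally {
        # Remove the collector definition so a stale session never keeps tracing SAM.
        & logman.exe delete $SessionName | Out-Null
    }
    Get-Item $OutputFile        # the .etl to hand to support together with the symbols
}

function Get-SamTraceState {
    # Parses lines shaped like the "tracelog -enumguid" table in the post and returns
    # the row for the SAM provider (nothing is returned if the GUID is absent).
    param([Parameter(ValueFromPipeline = $true)] [string[]] $Line)
    begin   { $target = $SamProviderGuid.Trim('{', '}').ToLower() }
    process {
        foreach ($l in $Line) {
            if ($l -match '^\s*([0-9a-fA-F-]{36})\s+(TRUE|FALSE)\s+(\d+)\s+(\d+)\s+(\d+)\s*$') {
                if ($Matches[1].ToLower() -eq $target) {
                    New-Object PSObject -Property @{
                        Guid     = $Matches[1]
                        Enabled  = ($Matches[2] -eq 'TRUE')
                        LoggerId = [int]$Matches[3]
                        Level    = [int]$Matches[4]
                        Flags    = [int]$Matches[5]
                    }
                }
            }
        }
    }
}

# Constructed sample in the same layout as the post's table (two rows, SAM disabled).
$sampleEnumGuid = @(
    'Guid                                 Enabled  LoggerId Level Flags',
    '-------------------------------------------------------------------',
    '1046d4b1-fce5-48bc-8def-fd33196af19a FALSE    0        0     0',
    'f2969c49-b484-4485-b3b0-b908da73cebb FALSE    0        0     0'
)
$sampleEnumGuid | Get-SamTraceState      # Enabled = False for the SAM provider

# Live use on the server (tracelog.exe comes from the SDK/WDK, not inbox):
#   $etl = Invoke-SamTrace -Action { net user tracetest /add; net user tracetest /delete }
#   tracelog -enumguid | Get-SamTraceState
```

The try/finally nesting matters operationally: a SAM trace left running after a support session keeps writing account-management activity to disk, so the session is stopped and its definition deleted even when the reproduced action throws.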
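The following PowerShell is an added example for the "Preventing SAM and LSA handle hijacking" section of the post above; it is not part of the original post or of Microsoft's documentation. It shows the rule that section states, that every call using an LSA policy handle must come from the security context that called LsaOpenPolicy, as a client-side guard: the handle is wrapped with the SID of the caller that opened it, and each later call is refused if the current caller differs, which is the check SP1 now performs on the server. The P/Invoke declarations, the Demo.Lsa class, the functions Open-LsaPolicy, Get-LsaAccountDomain, Assert-SameContext and Close-LsaPolicy, and the demo at the end are this script's own; the constants POLICY_VIEW_LOCAL_INFORMATION (0x1) and PolicyAccountDomainInformation (5) are the documented Win32 values.

```powershell
# Added example (not part of the original post): client-side guard for the SP1 rule
# that an LSA policy handle may only be used from the context that opened it.
# The P/Invoke shim, function names and demo below are this script's own.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace Demo {
  public static class Lsa {
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_UNICODE_STRING { public ushort Length; public ushort MaximumLength; public IntPtr Buffer; }
    [StructLayout(LayoutKind.Sequential)]
    public struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory; public IntPtr ObjectName;
      public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; }
    [StructLayout(LayoutKind.Sequential)]
    public struct POLICY_ACCOUNT_DOMAIN_INFO { public LSA_UNICODE_STRING DomainName; public IntPtr DomainSid; }
    public const uint POLICY_VIEW_LOCAL_INFORMATION = 0x1;   // documented Win32 value
    public const int PolicyAccountDomainInformation = 5;     // POLICY_INFORMATION_CLASS
    [DllImport("advapi32.dll")] public static extern uint LsaOpenPolicy(IntPtr SystemName,
      ref LSA_OBJECT_ATTRIBUTES ObjectAttributes, uint DesiredAccess, out IntPtr PolicyHandle);
    [DllImport("advapi32.dll")] public static extern uint LsaQueryInformationPolicy(IntPtr PolicyHandle,
      int InformationClass, out IntPtr Buffer);
    [DllImport("advapi32.dll")] public static extern uint LsaFreeMemory(IntPtr Buffer);
    [DllImport("advapi32.dll")] public static extern uint LsaClose(IntPtr ObjectHandle);
    [DllImport("advapi32.dll")] public static extern int LsaNtStatusToWinError(uint Status);
  }
}
'@

# GetCurrent() returns the impersonation identity when the thread is impersonating,
# so this is the identity the LSA server sees as the caller.
function Get-CallerSid { [Security.Principal.WindowsIdentity]::GetCurrent().User.Value }

function Assert-LsaStatus([uint32] $Status, [string] $Call) {
    if ($Status -ne 0) {
        $win32 = [Demo.Lsa]::LsaNtStatusToWinError($Status)
        throw (New-Object ComponentModel.Win32Exception($win32, "$Call failed (NTSTATUS 0x$('{0:X8}' -f $Status))"))
    }
}

function Open-LsaPolicy {
    $attrs = New-Object 'Demo.Lsa+LSA_OBJECT_ATTRIBUTES'
    $attrs.Length = [Runtime.InteropServices.Marshal]::SizeOf($attrs)
    $handle = [IntPtr]::Zero
    # SystemName = NULL opens the local LSA policy object.
    $status = [Demo.Lsa]::LsaOpenPolicy([IntPtr]::Zero, [ref] $attrs,
                  [Demo.Lsa]::POLICY_VIEW_LOCAL_INFORMATION, [ref] $handle)
    Assert-LsaStatus $status 'LsaOpenPolicy'
    # Remember who opened the handle; every later call must come from the same caller.
    New-Object PSObject -Property @{ Handle = $handle; OpenedBy = (Get-CallerSid) }
}

function Assert-SameContext($Policy, [string] $Call) {
    $now = Get-CallerSid
    if ($now -ne $Policy.OpenedBy) {
        throw ("$Call refused: handle opened as $($Policy.OpenedBy) but caller is now $now. " +
               "Post-SP1 the server rejects this; revert impersonation or reopen the policy.")
    }
}

function Get-LsaAccountDomain($Policy) {
    Assert-SameContext $Policy 'LsaQueryInformationPolicy'
    $buf = [IntPtr]::Zero
    $status = [Demo.Lsa]::LsaQueryInformationPolicy($Policy.Handle,
                  [Demo.Lsa]::PolicyAccountDomainInformation, [ref] $buf)
    Assert-LsaStatus $status 'LsaQueryInformationPolicy'
    try {
        $info = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [Type] [Demo.Lsa+POLICY_ACCOUNT_DOMAIN_INFO])
        New-Object PSObject -Property @{
            Name = [Runtime.InteropServices.Marshal]::PtrToStringUni($info.DomainName.Buffer, [int]($info.DomainName.Length / 2))
            Sid  = (New-Object Security.Principal.SecurityIdentifier($info.DomainSid)).Value
        }
    } finally {
        [void] [Demo.Lsa]::LsaFreeMemory($buf)   # LSA-allocated buffer, freed with LsaFreeMemory
    }
}

function Close-LsaPolicy($Policy) {
    Assert-SameContext $Policy 'LsaClose'
    Assert-LsaStatus ([Demo.Lsa]::LsaClose($Policy.Handle)) 'LsaClose'
}

# Correct pattern: open, use and close the handle in one security context.
$policy = Open-LsaPolicy
Get-LsaAccountDomain $policy       # local account domain name and SID
Close-LsaPolicy $policy

# Broken pattern (what SP1 now rejects): open the handle, then impersonate another token
# with [Security.Principal.WindowsIdentity]::Impersonate($otherToken) and reuse $policy
# before calling Undo(). With the guard above that reuse throws before the RPC is sent.
```

The guard only reproduces the rule on the client; it is a development-time aid for auditing the APIs listed above, not a substitute for the server-side check. An application that impersonates per request should open its own policy handle inside the impersonation scope and close it before reverting.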