Security Accounts Manager

Security Accounts Manager

The Security Accounts Manager (SAM) is a database stored as a registry file in Windows NT, Windows 2000, and later versions of Windows. It stores users' passwords in a hashed format (in an LM hash and an NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY").

In the case of online attacks, it is not possible to simply copy the SAM file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a blue screen exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques, making the password hashes available for offline brute-force attack.

Removing LM Hash

Most versions of Windows can be configured to disable the creation and storage of valid LM hashes when the user changes their password. This is the default setting in Windows Vista, but was disabled by default in previous versions of Windows. Note: enabling this setting does not immediately clear the LM hash values from the SAM, but rather enables an additional check during password change operations that will instead store a "dummy" value in the location in the SAM database where the LM hash is otherwise stored. (This dummy value has no relationship to the user's password - it is the same value used for all user accounts.]

As well, LM hashes cannot be calculated when the user chooses a password of over 14 characters in length. Thus, when a user (or administrator) sets a password of 15 characters or longer, the LM hash value is set to a "dummy" value, which is not valid for authentication purposes.

Related Attacks

In Windows NT 3.51, NT 4.0 and 2000, an attack was devised to bypass the local authentication system. If the SAM file is deleted from the hard drive (e.g. mounting the Windows OS volume into an alternative operating system), the attacker could log in as any account with no password. This flaw was corrected with Windows XP.

External links

* [ Description of binary structures stored in SAM registry hive.]
* [ Offline NT Password & Registry Editor] - open-source program and boot disk to reset (change) passwords in SAM (without cracking them)
*Ophcrack [] - open-source password cracker for LM & NTLM hashes using rainbow tables, Live CD will extract hashes from SAM

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Security Accounts Manager — (SAM) bzw. Sicherheitskontenverwaltung ist ein Dienst von Microsoft Windows, mit dem Benutzerinformationen wie Anmeldename und Kennwort als Hashwerte in einer Datenbank gespeichert werden. Diese Datenbank ist verschlüsselt und kann unter Windows… …   Deutsch Wikipedia

  • Security Accounts Manager —    Abbreviated SAM. In Microsoft Windows NT, the security system that manages and provides access to the account or SAM database. SAM authenticates a user name and password against information contained in the database and creates an access token …   Dictionary of networking

  • Security Account Manager — Security Accounts Manager (SAM) ist ein Dienst von Microsoft Windows, mit dem Benutzerinformationen wie Anmeldename und Kennwort als Hashwerte in einer Datenbank gespeichert werden. Diese Datenbank ist verschlüsselt und kann unter Windows nicht… …   Deutsch Wikipedia

  • Security Account Manager — La SAM (Security Account Manager ou gestionnaire des comptes de sécurité) est la base de données des comptes locaux sur Windows Server 2003, Windows XP, Windows 2000. C est l un des composants de la base de registre. Elle contient les mots de… …   Wikipédia en Français

  • security identifier —    Abbreviated security ID or SID. In Microsoft Windows NT, a unique name that identifies a logged on user to the internal security system.    A SID contains a complete set of permissions and can apply to a single user or to a group.    See also… …   Dictionary of networking

  • Security and safety features new to Windows Vista — There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.Beginning in early 2002 with Microsoft s announcement of their Trustworthy Computing… …   Wikipedia

  • security — /si kyoor i tee/, n., pl. securities, adj. n. 1. freedom from danger, risk, etc.; safety. 2. freedom from care, anxiety, or doubt; well founded confidence. 3. something that secures or makes safe; protection; defense. 4. freedom from financial… …   Universalium

  • Security Support Provider Interface — SSPI is an API used by Microsoft Windows systems to perform a variety of security related operations such as authentication.SSPI functions as a common interface to several Security Support Providers (SSP) such as: * NTLM * Kerberos * Secure… …   Wikipedia

  • Object Manager (Windows) — Object Manager in Windows, categorized hierarchically using namespaces Object Manager (internally called Ob) is a subsystem implemented as part of the Windows Executive which manages Windows resources. Each resource, which are surfaced as logical …   Wikipedia

  • Desktop Window Manager — For the X Window System window manager, see dwm. Desktop Window Manager A component of Microsoft Windows Details Included with Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 …   Wikipedia

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.