Jump to content

Security Account Manager

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Zobh (talk | contribs) at 04:06, 29 April 2009. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

The Security Accounts Manager (SAM) is a database stored as a registry file in Windows NT, Windows 2000, and later versions of Windows. It stores users' passwords in a hashed format (in LM hash and NTLM hash). Since a hash function is one-way, this provides some measure of security for the storage of the passwords.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY").

In the case of online attacks, it is not possible to simply copy the SAM file to another location. The SAM file cannot be moved or copied while Windows is running, since the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file, and will not release that lock until the operating system has shut down or a blue screen exception has been thrown. However, the in-memory copy of the contents of the SAM can be dumped using various techniques, making the password hashes available for offline brute-force attack.

Removing LM Hash

Most versions of Windows can be configured to disable the creation and storage of valid LM hashes when the user changes their password. This is the default setting in Windows Vista, but was disabled by default in previous versions of Windows. Note: enabling this setting does not immediately clear the LM hash values from the SAM, but rather enables an additional check during password change operations that will instead store a "dummy" value in the location in the SAM database where the LM hash is otherwise stored. (This dummy value has no relationship to the user's password - it is the same value used for all user accounts.)

As well, LM hashes cannot be calculated when the user chooses a password of over 14 characters in length. Thus, when a user (or administrator) sets a password of 15 characters or longer, the LM hash value is set to a "dummy" value, which is not valid for authentication purposes.

In Windows NT 3.51, NT 4.0 and 2000, an attack was devised to bypass the local authentication system. If the SAM file is deleted from the hard drive (e.g. mounting the Windows OS volume into an alternative operating system), the attacker could log in as any account with no password. This flaw was corrected with Windows XP.

This article is based on material taken from the Free On-line Dictionary of Computing prior to 1 November 2008 and incorporated under the "relicensing" terms of the GFDL, version 1.3 or later.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Security_Account_Manager&oldid=286788974"