Security Accounts Manager is present in

Windows 7's Security Account Manager, also known as SAM, is a database that stores user-account and security information for the users of your office computer. It runs automatically as a process when you start the computer. SAM lives in the System32 folder inside the Windows folder and works hand in hand with other processes on your computer.

Complete Path

  1. To open the folder containing SAM, click "Start | Computer | C:\ | Windows | System32." Scroll down to "lsass.exe" to view the file's size. Because SAM is always running on your computer, double-clicking the file produces an error stating that the process is already running. Do not delete SAM either: removing it corrupts your user-account and security information, so Windows can no longer boot or load your user-account profiles.

Disabling

  1. Do not disable SAM; killing it prevents other services and processes on your computer from functioning properly. SAM also gives clearance to services including the Internet and email functions as well as other processes and services that require administrator-level user accounts. Disabling SAM also causes other services and processes to fail to start or to not be notified when SAM is ready to provide security information to running services and processes.

Windows Versions

  1. SAM is present in all versions of the Windows 7 operating system as well as Windows 8, Vista and XP. The database is also present in Windows Server versions. The database runs as a background process and doesn't require any user interaction.

Restoring SAM

  1. If SAM is missing from your office computer or you receive a message stating SAM is corrupt, you can restore the database file from your Windows 7 installation directory or CD-ROM. Open the directory “i386” on your “C:\” drive, or insert the Windows 7 CD-ROM, and search for “lsass.exe.” Right-click the file's name and click “Copy.” Open the System32 directory within your computer's Windows folder. Right-click in any blank area within the directory's pane and click “Paste.” Restart your computer to complete the database installation.

By John Gates, on July 28th, 2022

The Security Accounts Manager (SAM) is a database file in the Windows operating system that holds usernames and passwords. The main aim of SAM is to make the system more secure and reliable by protecting credentials in the event of a data breach.

Configuring SAM gives users the ability to authenticate themselves to the local machine if an account has been created for them in SAM. SAM holds the user and account information in its database, and when a user enters credentials they are authenticated against that database. If the credentials are correct the user is logged on; if they are incorrect an error message is generated and the user is asked to re-enter them.

Evolution of SAM

SAM stores passwords in its database in either the LAN Manager (LM) hash or the New Technology LAN Manager (NTLM) hash format; which one is used is determined by the set of policies in effect.

Offline attacks on the SAM database are possible because the SAM database is stored in memory. Microsoft therefore introduced the SYSKEY (System Key) function in Windows NT 4.0 to protect the SAM database against offline software cracking. Enabling SYSKEY encrypts the password hash values with a key.

The NTLM hash is considered more secure than the conventional LM hash because it uses the MD4 algorithm to convert the plaintext into hashed form, and it preserves both uppercase and lowercase letters. Like the LM hash format, however, the NTLM hash is not salted.
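To make the two properties above concrete (MD4 over the password, no salt), here is an added example that is not part of the original article: a pure-Python MD4 (hashlib's legacy `md4` is unavailable on many current OpenSSL builds), the NT hash derived from it, and a small grouping routine showing why an unsalted hash lets an auditor spot accounts that share a password without knowing the password itself. The account names are constructed.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Used instead of hashlib because recent
    OpenSSL builds no longer expose the legacy 'md4' algorithm by default."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"                 # padding: 0x80, zeros, 64-bit bit length
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        for i in range(48):
            if i < 16:      # round 1: F(x,y,z) = (x AND y) OR (NOT x AND z)
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:    # round 2: G = majority function, constant sqrt(2)
                f, k, s, add = (b & c) | (b & d) | (c & d), order2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:           # round 3: H = parity, constant sqrt(3)
                f, k, s, add = b ^ c ^ d, order3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + X[k] + add) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM: MD4 over the UTF-16LE password, no salt.
    Case is preserved, unlike the LM hash, which upper-cases the password."""
    return md4(password.encode("utf-16le")).hex()

def shared_password_groups(account_hashes):
    """Because the hash is unsalted, equal hashes mean equal passwords.
    Given {account: nt_hash}, return the groups of accounts sharing one."""
    by_hash = {}
    for account, digest in account_hashes.items():
        by_hash.setdefault(digest, []).append(account)
    return [sorted(accts) for accts in by_hash.values() if len(accts) > 1]

if __name__ == "__main__":
    # Constructed sample accounts (not from any real system).
    sample = {"alice": nt_hash("Winter2022"), "bob": nt_hash("Winter2022"),
              "carol": nt_hash("a different one")}
    print(nt_hash("password"), shared_password_groups(sample))
```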

How does SAM work on a local computer?

On a local computer that is used by a single user and is not connected to a local area network, SAM stores only the password for that user and asks only for that password. The SAM file continues to run in the background once the system has been accessed.

The Security Account Manager database (SAM DB) is occasionally found in a backup for subsequent recovery, and it can be accessed without the use of any specialized software.

How does SAM work on a LAN?

On a LAN, every user account is assigned a local area network password and a Windows operating system password in SAM. When a user attempts to log in, Windows asks for the username and password and authenticates them against the entries in the SAM database. If they match, the user is granted access to the system.

Importance of SAM

A serious vulnerability can have a significant negative effect on a system if the SAM policies are not configured.

The SAM DB can prove beneficial if a system is stolen: accessing the data will not be possible if SAM is configured on the system. SAM also offers a degree of protection against online attacks.

SAM vulnerabilities

Since SAM is a database file that stores users' passwords, it is a highly targeted object for attackers. We have seen an increasing number of attack campaigns in the past few years against known or new vulnerabilities found in the SAM database. Here is an overview of some of the major ones.

The SeriousSam vulnerability, also known as HiveNightmare, is a default configuration set by Microsoft in Windows 10 and 11 that allows attackers with user-account access to perform a Pass-the-Hash (and potentially Silver Ticket) attack. By leveraging this vulnerability, attackers can access hashed passwords stored in the SAM and the Registry.

The sAMAccountName spoofing vulnerability is tracked as CVE-2021-42278. It has a severity rating of 7.5 out of 10 and is a privilege-related flaw affecting the Active Directory Domain Services (AD DS) component.

A SAMR (Security Account Manager Remote) vulnerability could allow a security feature bypass if an attacker makes multiple attempts to match passwords to a username.

A vulnerability in the SAM and LSAD protocols provides the attacker with an elevation of privilege and access to the SAM database. The vulnerability is caused by the way the SAM and Local Security Authority (Domain Policy) (LSAD) remote protocols establish the Remote Procedure Call (RPC) channel.

Hardening is essential

Implementing a comprehensive server security policy is an essential step in securing both Windows and Linux servers. Compliance must be attained and maintained through a set of evolving, continuously implemented, and easily audited controls. If your assets are not hardened, the SAM vulnerabilities can give an attacker an elevation of privilege and access to passwords, and can disrupt Active Directory services. Reducing the attack surface by eliminating potential attack vectors is done through hardening automation.

Baseline Configuration for SAM

A security baseline is a set of best-practice configuration settings, most commonly published by the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST), each accompanied by an explanation of its security implication.

Here are several of the CIS benchmark settings for SAM that are advised for hardening:

Network access: Restrict clients allowed to make remote calls to SAM

This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used.

If not hardened: A malicious agent could remotely access the SAM and discover confidential information.

Network access: Do not allow anonymous enumeration of SAM accounts

This policy setting controls the ability of anonymous users to enumerate the accounts in the SAM.

If not hardened: An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. (Social engineering attacks try to deceive users in some way into revealing passwords or other security information.)

Network access: Do not allow anonymous enumeration of SAM accounts and shares

This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares.

If not hardened: An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks.
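The three settings above are stored under the Lsa registry key, and `secedit /export /cfg <file>` writes them into the [Registry Values] section of a security template as `path=type,value` (type 4 is REG_DWORD, type 1 is REG_SZ). The following audit script is an added example, not CalCom's or CIS's own tooling; it assumes the registry value names RestrictRemoteSAM, RestrictAnonymousSAM and RestrictAnonymous and the CIS-recommended values, and the sample template it parses is constructed rather than taken from a real host.

```python
# CIS benchmark values for the three SAM "Network access" settings, keyed by the
# registry value name secedit writes under MACHINE\System\...\Control\Lsa.
EXPECTED = {
    "RestrictRemoteSAM": ("1", "O:BAG:BAD:(A;;RC;;;BA)"),  # Administrators: Remote Access: Allow
    "RestrictAnonymousSAM": ("4", "1"),  # Do not allow anonymous enumeration of SAM accounts
    "RestrictAnonymous": ("4", "1"),     # ... of SAM accounts and shares
}
LSA_PATH = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

def parse_registry_values(template_text):
    """Return {value_name: (type_code, value)} for Lsa entries in the
    [Registry Values] section. secedit writes the file as UTF-16LE, so read
    it with open(path, encoding="utf-16") before calling this."""
    values, in_section = {}, False
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # new INF section header
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, rest = line.partition("=")
        if key.lower().startswith(LSA_PATH.lower()):
            type_code, _, raw = rest.partition(",")
            values[key[len(LSA_PATH):]] = (type_code, raw.strip('"'))
    return values

def audit_sam_settings(template_text):
    """Compare each SAM setting with its CIS value. Returns
    {name: (status, found)} with status 'ok', 'weak' or 'missing'
    ('missing' means the policy is not defined, so the OS default applies)."""
    found = parse_registry_values(template_text)
    report = {}
    for name, expected in EXPECTED.items():
        if name not in found:
            report[name] = ("missing", None)
        else:
            report[name] = ("ok" if found[name] == expected else "weak", found[name])
    return report

# Constructed sample of a secedit export (not output from any real system).
SAMPLE = """[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,0
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymousSAM=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for name, (status, value) in audit_sam_settings(SAMPLE).items():
        print(f"{name:22s} {status:8s} {value}")
```

On a real host, export the template with `secedit /export /cfg sam-audit.inf` and pass the decoded file contents to `audit_sam_settings`.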

For organizations that do not want to perform hardening manually because of time and resource constraints, CalCom offers a solution. CalCom's Hardening Automation Suite provides solutions for many system components and is able to fully automate the hardening process.

Where is security account manager present?

The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.

Where is SAM database located?

The SAM database is stored in two places within Windows: %systemroot%\system32\config\sam, the main storage location for passwords, and %systemroot%\repair\sam.

What is SAM in Active Directory?

The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users.

What is Security Account Manager Remote protocol?

The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups.