Windows SAM (Security Accounts Manager)
- Snippet from Wikipedia: Security Account Manager
The Security Account Manager (SAM) is a database file in Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory authenticates remote users. SAM uses cryptographic measures to prevent unauthenticated users accessing the system.
The user passwords are stored in a hashed format in a registry hive either as an LM hash or as an NTLM hash. This file can be found in `%SystemRoot%/system32/config/SAM` and is mounted on `HKLM/SAM` and `SYSTEM` privileges are required to view it.

In an attempt to improve the security of the SAM database against offline software cracking, Microsoft introduced the SYSKEY function in Windows NT 4.0. When SYSKEY is enabled, the on-disk copy of the SAM file is partially encrypted, so that the password hash values for all local accounts stored in the SAM are encrypted with a key (usually also referred to as the "SYSKEY"). It can be enabled by running the `syskey` program. As of Windows 10 version 1709, `syskey` was removed due to a combination of insecure security and misuse by bad actors to lock users out of systems.
- Definition: The Security Accounts Manager (SAM) is a database in Microsoft Windows that stores user account information, including passwords.
- Function: Provides authentication and authorization services for user accounts on Windows systems.
- Components:
  - SAM Database: A registry hive file that stores user credentials and account information.
  - SAM Service: A Windows service responsible for managing and accessing the SAM database.
- Features:
  - Password Storage: Stores hashed versions of user passwords.
  - User Account Management: Maintains information about user accounts, groups, and associated security identifiers (SIDs).
  - Authentication: Works with the Local Security Authority (LSA) to authenticate users during login.
  - Access Control: Implements policies for password complexity, expiration, and lockout.
- Usage: Critical for the authentication and management of local user accounts on Windows systems.
Examples
- Viewing user accounts stored in the SAM database:
  * Use the `net user` command to list user accounts:
```cmd
net user
```
- Resetting a user password using the SAM service:
  * Open a command prompt with administrative privileges.
  * Use the `net user` command to reset the password:
```cmd
net user username newpassword
```
- Configuring password policies through the SAM database:
  * Open the [[Local Security Policy editor]] (`[[secpol.msc]]`).
  * Navigate to `Account Policies` > `Password Policy` to set policies such as minimum password length, complexity requirements, and expiration.
- SAM Database file location:
  * The SAM database file is typically located in `C:\Windows\System32\config\SAM`.
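To check the password-policy settings described above across hosts, the following added example (not part of the original page) parses `net accounts` output and flags values that miss a baseline. The baseline thresholds, the sample output and the function names are assumptions constructed for illustration, and English-locale labels are assumed.

```python
import re

# Constructed sample of English-locale `net accounts` output (not from a real host).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed baseline for illustration only; substitute your organisation's policy.
# Password complexity is not reported by `net accounts`, so it is not checked here.
BASELINE = {
    "Minimum password length": (lambda v: v is not None and v >= 14, ">= 14"),
    "Maximum password age (days)": (lambda v: v is not None and v <= 365, "<= 365"),
    "Length of password history maintained": (lambda v: v is not None and v >= 24, ">= 24"),
    "Lockout threshold": (lambda v: v is not None and 1 <= v <= 10, "1 to 10"),
}
OFF = {"Never", "None", "Unlimited"}  # values meaning the control is disabled

def parse_net_accounts(text):
    """Return {label: int, or None when the control is disabled}."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(\S.*)$", line)
        if not m:
            continue  # status lines such as "The command completed successfully."
        label, value = m.group(1).strip(), m.group(2).strip()
        if value.isdigit():
            policy[label] = int(value)
        elif value in OFF:
            policy[label] = None
    return policy

def audit(text):
    """Return (label, observed, required) for each setting that misses BASELINE."""
    policy = parse_net_accounts(text)
    return [(label, policy.get(label, "missing"), required)
            for label, (ok, required) in BASELINE.items()
            if label not in policy or not ok(policy[label])]

if __name__ == "__main__":
    for label, observed, required in audit(SAMPLE):
        print(f"FAIL {label}: observed {observed}, required {required}")
```

A setting that does not appear in the input is reported as `missing` rather than silently passed, which matters when the output comes from a non-English locale.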
Summary
- SAM (Security Accounts Manager): A critical component of Windows operating systems that stores user account information and passwords, providing authentication and authorization services, and implementing access control policies.