Security Account Manager (SAM)

Applies To: Windows Server 2003 with SP1

What does the Security Account Manager (SAM) do?

The Security Account Manager (SAM) is a database present on servers running Windows Server 2003 that stores user accounts and security descriptors for users on the local computer.

Who does this feature apply to?

This feature applies to IT professionals who want to troubleshoot or understand the SAM component’s behavior in deployment. Troubleshooting may require that additional tools be downloaded. This topic also applies to developers that have licensed the SAMR and LSAR protocols and developers that use the LSA trust application programming interfaces (APIs) from MSDN.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

SAM WPP Logging

Detailed description

Security Accounts Manager (SAM) debug logs can be collected by Windows software trace preprocessor (WPP) during deployment. WPP can be used to gather information about what the SAM component is doing during a period of time when the Windows system is not behaving as expected. This information can be used by Microsoft Product Support Services to help you troubleshoot issues in your deployment.

Why is this change important? What threats does it mitigate?

This may reduce the number of live debug sessions if the log information is sufficient to determine what is occurring.

What works differently?

Nothing works differently. A new feature is enabled to generate logging. Following are the logman commands that can be used to enable logging:

logman create trace samlog -p "{f2969c49-b484-4485-b3b0-b908da73cebb}" 3
logman start samlog
rem repeat action that is interesting and that should be captured in log
logman stop samlog

This will generate an extended transaction log (ETL), which your Product Support Engineer will be able to parse using the debug symbol set.

What settings are added or changed in Windows Server 2003 Service Pack 1?

A new Event Tracing for Windows (ETW) entry exists, f2969c49-b484-4485-b3b0-b908da73cebb. This entry reflects whether or not logging has been enabled for the SAM component. The following sample output from tracelog –enumguid includes the new entry.

    Guid                     Enabled  LoggerId Level Flags
-----------------------------------------------------------
1046d4b1-fce5-48bc-8def-fd33196af19a     FALSE  0    0    0
5007c7b1-1444-4303-bdbe-359c79fc032a     FALSE  0    0    0
7e4b70ee-8296-4f0f-a3ba-f58ef7bb4e96     FALSE  0    0    0
77db410c-561e-4358-8b0e-af866e91bb89     FALSE  0    0    0
dd5ef90a-6398-47a4-ad34-4dcecdef795f     FALSE  0    0    0
196e57d9-49c0-4b3b-ac3a-a8a93ada1938     FALSE  0    0    0
1540ff4c-3fd7-4bba-9938-1d1bf31573a7     FALSE  0    0    0
94a984ef-f525-4bf1-be3c-ef374056a592     FALSE  0    0    0
3121cf5d-c5e6-4f37-be86-57083590c333     FALSE  0    0    0
94335eb3-79ea-44d5-8ea9-306f49b3a04e     FALSE  0    0    0
4a8aaa94-cfc4-46a7-8e4e-17bc45608f0a     FALSE  0    0    0
f33959b4-dbec-11d2-895b-00c04f79ab69     FALSE  0    0    0
8e598056-8993-11d2-819e-0000f875a064     FALSE  0    0    0
f2969c49-b484-4485-b3b0-b908da73cebb     FALSE  0    0    0
cc85922f-db41-11d2-9244-006008269001     FALSE  0    0    0
c92cf544-91b3-4dc0-8e11-c580339a0bf8     FALSE  0    0    0
bba3add2-c229-4cdb-ae2b-57eb6966b0c4     FALSE  0    0    0
8fc7e81a-f733-42e0-9708-cfdae07ed969     FALSE  0    0    0
cddc01e2-fdce-479a-b8ee-3c87053fb55e     FALSE  0    0    0
6acd39eb-4cb0-486b-83fa-307aa23767b1     FALSE  0    0    0
65f67abd-ecd2-4501-9b10-d48db2300e6c     FALSE  0    0    0
28cf047a-2437-4b24-b653-b9446a419a69     FALSE  0    0    0
fc4b0d39-e8be-4a83-a32f-c0c7c4f61ee4     FALSE  0    0    0
fc570986-5967-4641-a6f9-05291bce66c5     FALSE  0    0    0
39a7b5e0-be85-47fc-b9f5-593a659abac1     FALSE  0    0    0
dab01d4d-2d48-477d-b1c3-daad0ce6f06b     FALSE  0    0    0
58db8e03-0537-45cb-b29b-597f6cbebbfe     FALSE  0    0    0
58db8e03-0537-45cb-b29b-597f6cbebbfd     FALSE  0    0    0

Preventing SAM and LSA handles from hijacking

Detailed description

The server side implementation of the SAMR and LSAR protocols now implements security checks to ensure that the current caller is the same caller that opened the first handle returned from SamConnect and LsaOpenPolicy respectively.

The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform remote Service Account Manager operations, such as user account management and manipulation. The SAMR interface defines the remote Security Account Manager (SAM) methods that are called by the client. SamConnect is the function that is used to connect to the SAM database.

Why is this change important?

This change is related to the RPC changes that help prevent elevation of privilege attacks on your system. Implementing this change in the Active Directory interfaces helps make your system more secure by default.

What works differently?

If your application uses the SAMR or LSAR protocols, access checks are performed on each call received and verify that the client identity that opens the context handle is the same as the client identity that is making the call. If your application does not use that convention, it will no longer function after installation of Windows Server 2003 Service Pack 1 (SP1).

How do I fix these issues?

All calls to the SAMR and LSAR methods must be in the same security context as the call that generated the context handle being used in the call. If they are not you must modify your application to comply with this requirement.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Most applications will not need to be changed. However, if the application's code switches security contexts while using context handles obtained from the SAMR and LSAR interface it will need to be modified. If the application is using any of the following APIs, verify with the application developer that the calling security context doesn’t change between the call LsaOpenPolicy and any subsequent Lsa API call that uses the handle returned from LsaOpenPolicy.

  • LsaOpenPolicy

  • LsaQueryInformationPolicy

  • LsaSetInformationPolicy

  • LsaQueryDomainInformationPolicy

  • LsaSetDomainInformationPolicy

  • LsaEnumerateTrustedDomains

  • LsaLookupNames

  • LsaLookupNames2

  • LsaLookupSids

  • LsaEnumerateAccountsWithUserRight

  • LsaEnumerateAccountRights

  • LsaAddAccountRights

  • LsaRemoveAccountRights

  • LsaOpenTrustedDomainByName

  • LsaQueryTrustedDomainInfo

  • LsaSetTrustedDomainInformation

  • LsaDeleteTrustedDomain

  • LsaQueryTrustedDomainInfoByName

  • LsaSetTrustedDomainInfoByName

  • LsaEnumerateTrustedDomainsEx

  • LsaCreateTrustedDomainEx

  • LsaQueryForestTrustInformation

  • LsaSetForestTrustInformation

  • LsaForestTrustFindMatch

  • LsaStorePrivateData

  • LsaRetrievePrivateData