Security Account Manager (SAM)
Applies To: Windows Server 2003 with SP1
What does the Security Account Manager (SAM) do?
The Security Account Manager (SAM) is a database present on servers running Windows Server 2003 that stores user accounts and security descriptors for users on the local computer.
Who does this feature apply to?
This feature applies to IT professionals who want to troubleshoot or understand the SAM component's behavior in a deployment. Troubleshooting may require that additional tools be downloaded. This topic also applies to developers who have licensed the SAMR and LSAR protocols and developers who use the LSA trust application programming interfaces (APIs) documented on MSDN.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
SAM WPP Logging
Detailed description
Security Account Manager (SAM) debug logs can be collected by the Windows software trace preprocessor (WPP) during deployment. WPP can be used to gather information about what the SAM component is doing during a period when the Windows system is not behaving as expected. Microsoft Product Support Services can use this information to help you troubleshoot issues in your deployment.
Why is this change important? What threats does it mitigate?
This may reduce the number of live debug sessions if the log information is sufficient to determine what is occurring.
What works differently?
Nothing works differently; a new feature that generates logging has been added. The following logman commands enable logging:
logman create trace samlog -p "{f2969c49-b484-4485-b3b0-b908da73cebb}" 3
logman start samlog
rem repeat action that is interesting and that should be captured in log
logman stop samlog
This generates an extended transaction log (ETL) file, which your Product Support Engineer can parse using the debug symbol set.
What settings are added or changed in Windows Server 2003 Service Pack 1?
A new Event Tracing for Windows (ETW) entry exists, f2969c49-b484-4485-b3b0-b908da73cebb. This entry reflects whether or not logging has been enabled for the SAM component. The following sample output from tracelog -enumguid includes the new entry.
Guid Enabled LoggerId Level Flags
-----------------------------------------------------------
1046d4b1-fce5-48bc-8def-fd33196af19a FALSE 0 0 0
5007c7b1-1444-4303-bdbe-359c79fc032a FALSE 0 0 0
7e4b70ee-8296-4f0f-a3ba-f58ef7bb4e96 FALSE 0 0 0
77db410c-561e-4358-8b0e-af866e91bb89 FALSE 0 0 0
dd5ef90a-6398-47a4-ad34-4dcecdef795f FALSE 0 0 0
196e57d9-49c0-4b3b-ac3a-a8a93ada1938 FALSE 0 0 0
1540ff4c-3fd7-4bba-9938-1d1bf31573a7 FALSE 0 0 0
94a984ef-f525-4bf1-be3c-ef374056a592 FALSE 0 0 0
3121cf5d-c5e6-4f37-be86-57083590c333 FALSE 0 0 0
94335eb3-79ea-44d5-8ea9-306f49b3a04e FALSE 0 0 0
4a8aaa94-cfc4-46a7-8e4e-17bc45608f0a FALSE 0 0 0
f33959b4-dbec-11d2-895b-00c04f79ab69 FALSE 0 0 0
8e598056-8993-11d2-819e-0000f875a064 FALSE 0 0 0
f2969c49-b484-4485-b3b0-b908da73cebb FALSE 0 0 0
cc85922f-db41-11d2-9244-006008269001 FALSE 0 0 0
c92cf544-91b3-4dc0-8e11-c580339a0bf8 FALSE 0 0 0
bba3add2-c229-4cdb-ae2b-57eb6966b0c4 FALSE 0 0 0
8fc7e81a-f733-42e0-9708-cfdae07ed969 FALSE 0 0 0
cddc01e2-fdce-479a-b8ee-3c87053fb55e FALSE 0 0 0
6acd39eb-4cb0-486b-83fa-307aa23767b1 FALSE 0 0 0
65f67abd-ecd2-4501-9b10-d48db2300e6c FALSE 0 0 0
28cf047a-2437-4b24-b653-b9446a419a69 FALSE 0 0 0
fc4b0d39-e8be-4a83-a32f-c0c7c4f61ee4 FALSE 0 0 0
fc570986-5967-4641-a6f9-05291bce66c5 FALSE 0 0 0
39a7b5e0-be85-47fc-b9f5-593a659abac1 FALSE 0 0 0
dab01d4d-2d48-477d-b1c3-daad0ce6f06b FALSE 0 0 0
58db8e03-0537-45cb-b29b-597f6cbebbfe FALSE 0 0 0
58db8e03-0537-45cb-b29b-597f6cbebbfd FALSE 0 0 0
Preventing SAM and LSA handle hijacking
Detailed description
The server-side implementation of the SAMR and LSAR protocols now performs security checks to ensure that the current caller is the same caller that opened the first handle returned from SamConnect and LsaOpenPolicy, respectively.
The Security Account Manager Remote Procedure Call (RPC) protocol (SAMR) is an integral subsystem that is used to perform remote Security Account Manager operations, such as user account management and manipulation. The SAMR interface defines the remote Security Account Manager (SAM) methods that are called by the client. SamConnect is the function that is used to connect to the SAM database.
Why is this change important?
This change is related to the RPC changes that help prevent elevation of privilege attacks on your system. Implementing this change in the Active Directory interfaces helps make your system more secure by default.
What works differently?
If your application uses the SAMR or LSAR protocols, an access check is performed on each call received to verify that the client identity that opened the context handle is the same as the client identity making the call. If your application does not follow that convention, it will no longer function after installation of Windows Server 2003 Service Pack 1 (SP1).
How do I fix these issues?
All calls to the SAMR and LSAR methods must be made in the same security context as the call that generated the context handle used in the call. If they are not, you must modify your application to comply with this requirement.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Most applications will not need to be changed. However, if the application's code switches security contexts while using context handles obtained from the SAMR and LSAR interfaces, it will need to be modified. If the application uses any of the following APIs, verify with the application developer that the calling security context does not change between the call to LsaOpenPolicy and any subsequent Lsa API call that uses the handle LsaOpenPolicy returned:
LsaOpenPolicy
LsaQueryInformationPolicy
LsaSetInformationPolicy
LsaQueryDomainInformationPolicy
LsaSetDomainInformationPolicy
LsaEnumerateTrustedDomains
LsaLookupNames
LsaLookupNames2
LsaLookupSids
LsaEnumerateAccountsWithUserRight
LsaEnumerateAccountRights
LsaAddAccountRights
LsaRemoveAccountRights
LsaOpenTrustedDomainByName
LsaQueryTrustedDomainInfo
LsaSetTrustedDomainInformation
LsaDeleteTrustedDomain
LsaQueryTrustedDomainInfoByName
LsaSetTrustedDomainInfoByName
LsaEnumerateTrustedDomainsEx
LsaCreateTrustedDomainEx
LsaQueryForestTrustInformation
LsaSetForestTrustInformation
LsaForestTrustFindMatch
LsaStorePrivateData
LsaRetrievePrivateData
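The following Python model, added here as an illustration and not code from Microsoft or from this topic, shows the SP1 behavior described above: the server binds each policy handle to the identity that opened it and rejects later calls made under a different identity, and the two client functions contrast the context-switching pattern that breaks with one that keeps the handle in a single security context. The server class, client class, handle values and user SID are constructed stand-ins; only the NTSTATUS values, the access-mask bit and the LocalSystem SID are real Windows values.

```python
# Constructed model of the SP1 SAMR/LSAR handle-ownership check. The server, client
# and SIDs are stand-ins, not Microsoft's code; NTSTATUS and access-mask values are real.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
POLICY_VIEW_LOCAL_INFORMATION = 0x00000001
class LsaPolicyServer:
    """Server side: every context handle remembers the identity that opened it."""
    def __init__(self):
        self._handles = {}  # handle -> (owner_sid, granted_access)
        self._next = 1
    def open_policy(self, caller_sid, desired_access):
        # Models LsaOpenPolicy: the caller's identity is bound to the new handle.
        h, self._next = self._next, self._next + 1
        self._handles[h] = (caller_sid, desired_access)
        return STATUS_SUCCESS, h
    def query_information_policy(self, caller_sid, handle):
        # Models LsaQueryInformationPolicy with the SP1 check: caller must equal the opener.
        owner_sid, access = self._handles[handle]
        if caller_sid != owner_sid or not access & POLICY_VIEW_LOCAL_INFORMATION:
            return STATUS_ACCESS_DENIED
        return STATUS_SUCCESS

class Client:
    """Client side: current_sid is the security context RPC presents on each call."""
    def __init__(self, server, process_sid):
        self.server, self.process_sid, self.current_sid = server, process_sid, process_sid
    def impersonate(self, sid): self.current_sid = sid              # ImpersonateLoggedOnUser
    def revert_to_self(self): self.current_sid = self.process_sid  # RevertToSelf
    def open_policy(self):
        return self.server.open_policy(self.current_sid, POLICY_VIEW_LOCAL_INFORMATION)[1]
    def query(self, handle):
        return self.server.query_information_policy(self.current_sid, handle)

SERVICE_SID = "S-1-5-18"                   # LocalSystem, a real well-known SID
USER_SID = "S-1-5-21-1000-2000-3000-1105"  # constructed user SID
def broken_pattern():
    # Opens the handle as the service, then switches context before using it.
    c = Client(LsaPolicyServer(), SERVICE_SID)
    h = c.open_policy()
    c.impersonate(USER_SID)
    return c.query(h)          # STATUS_ACCESS_DENIED after SP1

def fixed_pattern():
    # Same work, but the handle is opened and used in one security context.
    c = Client(LsaPolicyServer(), SERVICE_SID)
    c.impersonate(USER_SID)
    h = c.open_policy()        # opened as the impersonated user
    status = c.query(h)
    c.revert_to_self()
    return status              # STATUS_SUCCESS
```

Reverting to the process identity before each Lsa call, instead of opening the handle while impersonating, satisfies the same rule: the identity presented on every call matches the one recorded at LsaOpenPolicy.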