Security Account Manager (SAM) Database

Every computer that runs Windows has its own local domain; that is, it has an account database for accounts that are specific to that computer. Conceptually, this is an account database like any other with accounts, groups, SIDs, and so on. These are referred to as local accounts, local groups, and so on. Because computers typically do not trust each other for account information, these identities stay local to the computer on which they were created.

The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.

Accounts are always created relative to an issuing authority. In Windows, the issuing authority is referred to as a domain. A domain can be either a local domain or extend across a network. Domains store information about their accounts in an account database. Windows uses Active Directory as the account database in domain-based environments, whereas in environments that are not domain-based, it uses the built-in Security Account Manager (SAM) database as the account database. The SAM manages accounts for two domains on every computer: the built-in domain and the account domain.

Domain: Built-in domain
Description: This domain contains default local groups, such as the Administrators and Users groups, that are established when the operating system is installed. The name of this domain is a localized version of BUILTIN.

Domain: Account domain
Description: The account domain can contain user, group, and local group accounts. The Administrator account is in this domain. The accounts defined in the account domain of a workstation or member server are limited to accessing resources located on the physical computer where the account resides. On a system that is not part of a network and therefore has no primary domain, the account domain is used to house all accounts that provide access to the computer. On a system that is part of a network, the computer’s account domain is used to house accounts that do not access network resources. Accounts that require access to the network must be defined in the account domain of a domain controller. The name of this domain is assigned at system installation time and is determined by the computer name. If the computer name is changed, the account domain name will not be updated until the computer is restarted.

SAM objects include the following:

  • SAM_ALIAS: A local group

  • SAM_GROUP: A group that is not a local group

  • SAM_USER: A user account

  • SAM_DOMAIN: A domain

  • SAM_SERVER: A computer account

Audit SAM Policy

This policy setting enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.

Event 4661 (A handle to an object was requested) indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object, so a consumer of this event has to look at the object server and object type fields to tell SAM access apart from directory access.
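As an added example (not part of the original page or of any Microsoft tooling), the script below parses constructed 4661 events in the Windows event XML layout, keeps only those raised for SAM objects, and counts which SAM object types each subject requested handles to. It assumes the EventData field names SubjectUserName, ObjectServer, ObjectType, ObjectName, AccessMask and ProcessName as they appear in 4661 events, and that ObjectServer reads "Security Account Manager" for SAM objects; the sample events, user names and SIDs are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}


def make_event(event_id=4661, **fields):
    """Build a constructed event in the Windows event XML layout (sample data, not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: two SAM handle requests and one Active Directory handle
# request. Event 4661 covers both, so the filter below must tell them apart.
SAMPLE_EVENTS = [
    make_event(SubjectUserName="jdoe", ObjectServer="Security Account Manager",
               ObjectType="SAM_USER", ObjectName="S-1-5-21-1111-2222-3333-500",
               AccessMask="0x2d", ProcessName="C:\\Windows\\System32\\lsass.exe"),
    make_event(SubjectUserName="jdoe", ObjectServer="Security Account Manager",
               ObjectType="SAM_DOMAIN", ObjectName="WS01",
               AccessMask="0x2d", ProcessName="C:\\Windows\\System32\\lsass.exe"),
    make_event(SubjectUserName="svc-ldap", ObjectServer="DS", ObjectType="user",
               ObjectName="CN=jdoe,CN=Users,DC=example,DC=test",
               AccessMask="0x100", ProcessName="C:\\Windows\\System32\\lsass.exe"),
]


def parse_4661(xml_text):
    """Return the EventData fields of a 4661 event as a dict, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4661":
        return None
    return {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}


def sam_handle_requests(events):
    """Keep only 4661 events raised by the Security Account Manager (SAM_* object types)."""
    out = []
    for e in events:
        f = parse_4661(e)
        if f and f.get("ObjectServer") == "Security Account Manager" \
                and str(f.get("ObjectType") or "").startswith("SAM_"):
            out.append(f)
    return out


def summarize(events):
    """Count SAM object types touched per subject, e.g. {('jdoe', 'SAM_USER'): 1}."""
    return Counter((f["SubjectUserName"], f["ObjectType"]) for f in sam_handle_requests(events))
```

Running `summarize(SAMPLE_EVENTS)` on the constructed input yields one SAM_USER and one SAM_DOMAIN handle request for jdoe and drops the directory-service event entirely.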
