Passwords are fundamental to computer security, yet researchers keep finding them at the root of a large share of breaches. Many IT professionals have given up the battle to enforce strong passwords on users; that is a political issue that ultimately rests with management. Either way, it pays to understand how Windows stores and enforces passwords through the Security Accounts Manager, or SAM.
Here are five things you may not know about the Windows Security Accounts Manager and passwords that can be beneficial for anyone managing enterprise desktops:
1. The Security Accounts Manager has been a core part of Windows since the NT days and is still present in Windows 8.1. The SAM server itself (samsrv.dll) runs inside lsass.exe, the Local Security Authority Subsystem process found in c:\windows\system32.
The SAM stores hashed versions of local Windows account passwords, never the plaintext, and supplies those hashes to the LSA when a local logon is validated.
2. The local SAM database is a registry hive (mounted at HKEY_LOCAL_MACHINE\SAM while Windows runs) stored in the file c:\windows\system32\config\SAM. On domain controllers, domain accounts live not in the SAM but in the Active Directory database, ntds.dit, which sits under c:\windows\NTDS\ by default.
3. While Windows is running, the SAM hive is held open exclusively by the System process, so it cannot be copied or read through the file system, as shown in Figure 1. The lock is not a security boundary, though: an administrator can still export the hive with reg save HKLM\SAM or read it from a Volume Shadow Copy.
It is also fully accessible when the computer is booted from a live recovery disk such as the ophcrack LiveCD (more details below). This is one of the main reasons to encrypt the hard drives of enterprise laptops and desktops that are not physically well secured. Even then, Windows passwords can be exposed if other weaknesses are present (a stale, unlocked copy of the hive, for instance), so you cannot rely on encryption alone.
4. A backup copy of the SAM hive may exist under c:\windows\system32\repair\, and Windows Vista and later also keep periodic copies in c:\windows\system32\config\RegBack\. These copies are not locked, so their file ACLs are all that stands between the hashes and anyone logged into the computer. If passwords are changed periodically, a copy will mostly contain stale hashes, but all it takes is one orphaned account whose password never changed to give someone with ill intent unauthorized (and unaccountable) access. Check both the permissions and the age of these files.
5. Passwords can be stored in the SAM using the older LAN Manager (LM) hash, the newer and stronger NT hash (commonly called the NTLM hash), or both. Windows Vista and later, and so Windows 7, 8 and 8.1, store only the NT hash by default (the NoLMHash policy). Neither hash is salted, which is exactly what makes precalculated tables effective: LM uppercases the password and splits it into two 7-character halves, so it is trivially cracked, and the NT hash is a plain MD4 of the UTF-16LE password, so a table built once works against every SAM. Rainbow tables, which trade table size for a little extra computation at lookup time, were introduced over 10 years ago (2003) by Philippe Oechslin of the Swiss Federal Institute of Technology. Oechslin's ophcrack tool and Elcomsoft System Recovery are two well-known tools for cracking Windows passwords using precalculated hashes. The options available in Elcomsoft System Recovery are shown in Figure 2.
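The locations and lock behaviour described in items 2 through 4 can be checked with a short audit script. The following is an added example written for this page, not code from the original article or from any of the tools it names. It assumes the default Windows directory layout (the repair\ and RegBack\ paths above), relies on the fact that every registry hive file begins with the four-byte signature "regf", and builds a constructed directory tree so it can be exercised offline on any platform.

```python
"""Audit a Windows system root for copies of the SAM hive (added example)."""
import os
import tempfile
from pathlib import Path

# Candidate locations, relative to %SystemRoot% (assumed default layout).
# The live hive comes first; the rest are the unlocked copies an attacker
# would look for.
SAM_RELATIVE_PATHS = [
    Path("System32") / "config" / "SAM",              # live hive, locked while Windows runs
    Path("System32") / "config" / "RegBack" / "SAM",  # periodic copy on Vista and later
    Path("System32") / "repair" / "SAM",              # path given in the article
    Path("repair") / "SAM",                           # older Windows layout
]

HIVE_MAGIC = b"regf"  # signature at offset 0 of every registry hive file


def hive_state(path: Path) -> str:
    """Classify one candidate: absent, locked/denied, a genuine hive, or not a hive."""
    if not path.exists():
        return "absent"
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except PermissionError:
        # On Windows the kernel holds the live SAM open exclusively, so the
        # sharing violation surfaces as PermissionError; a strict ACL does too.
        return "locked-or-denied"
    return "readable-hive" if head == HIVE_MAGIC else "readable-not-a-hive"


def audit_sam_copies(system_root) -> dict:
    """Map each candidate path (as a string relative to system_root) to its state."""
    root = Path(system_root)
    return {str(rel): hive_state(root / rel) for rel in SAM_RELATIVE_PATHS}


def exposed_copies(report: dict) -> list:
    """Candidate paths that are unlocked, genuine hives: these need ACL and age review."""
    return [p for p, state in report.items() if state == "readable-hive"]


def make_demo_tree() -> str:
    """Constructed offline tree (not a real system): one stale RegBack hive and
    one junk file under repair\\, so the audit has something to find."""
    root = Path(tempfile.mkdtemp(prefix="sam-audit-"))
    regback = root / "System32" / "config" / "RegBack"
    regback.mkdir(parents=True)
    (regback / "SAM").write_bytes(HIVE_MAGIC + b"\x00" * 60)  # fake hive header only
    (root / "repair").mkdir()
    (root / "repair" / "SAM").write_bytes(b"not a hive")
    return str(root)


if __name__ == "__main__":
    # Audit the real system root on Windows, or the constructed tree elsewhere.
    root = os.environ.get("SystemRoot") or make_demo_tree()
    report = audit_sam_copies(root)
    for rel, state in report.items():
        print(f"{rel:45s} {state}")
    for p in exposed_copies(report):
        print(f"WARNING: unlocked SAM copy at {Path(root) / p}: check its ACL and age")
```

Run it as an administrator on a real host and expect the live hive to report locked-or-denied; anything reported as readable-hive is a copy that should be removed or locked down, remembering that an attacker who obtains it also needs the matching SYSTEM hive (see the syskey note below) to decrypt the hashes.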
Another good tool for extracting Windows password hashes from the SAM is pwdump. More information on rainbow tables and Windows password cracking is available in this Hacking For Dummies sample chapter. Note that the hashes in the SAM are encrypted with the system key (syskey), which is derived from values in the SYSTEM hive, so an offline attacker needs both the SAM and SYSTEM files from c:\windows\system32\config\. Because Windows stores that key in the registry by default, this adds little protection, and although the syskey program can be used to move the key to a boot password or a floppy, those controls can be broken as well using a tool such as Elcomsoft's Proactive System Password Recovery.
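To make concrete why the precalculated tables of item 5 work, and what a pwdump-style extraction actually yields, here is an added example that is not part of the original article and is not code from ophcrack, pwdump or Elcomsoft. It computes the NT hash exactly as Windows does (MD4 over the UTF-16LE password, no salt), using a pure-Python MD4 so it runs without OpenSSL's legacy provider, then cracks a constructed dump by table lookup. The account names, RIDs and passwords are made up for the demonstration; the dump format (user:RID:LM:NT:::) is the one pwdump prints, and the LM field holds the hash of the empty password, which is what you see when LM storage is disabled.

```python
"""NT hash, pwdump-style dump and precomputed-table lookup (added example)."""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", shown when LM storage is off


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: 3 rounds of 16 steps over 64-byte blocks."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: words in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT ("NTLM") hash as stored in the SAM: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def build_table(wordlist):
    """Precompute hash -> password once. A rainbow table stores chains instead of
    every pair to save space, but it relies on the same property: no salt, so one
    table serves every target machine forever."""
    return {nt_hash(w): w for w in wordlist}


def pwdump_line(user: str, rid: int, password: str) -> str:
    """Constructed dump line in pwdump format: user:RID:LM:NT:::"""
    return f"{user}:{rid}:{EMPTY_LM}:{nt_hash(password)}:::"


def crack_dump(lines, table):
    """{user: password or None} by pure lookup; no hashing happens at crack time."""
    found = {}
    for line in lines:
        user, _rid, _lm, nt, *_ = line.split(":")
        found[user] = table.get(nt.lower())
    return found


# Constructed sample data, not taken from any real system.
WORDLIST = ["password", "Password1", "letmein", "summer2013", "Welcome1"]
SAMPLE_DUMP = [
    pwdump_line("Administrator", 500, "Welcome1"),
    pwdump_line("alice", 1001, "password"),
    pwdump_line("bob", 1002, "password"),  # identical NT field to alice: no salt
    pwdump_line("svc_backup", 1003, "Correct-Horse-Battery-Staple-42"),
]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    for line in SAMPLE_DUMP:
        print(line)
    print(crack_dump(SAMPLE_DUMP, table))
```

Two things to notice in the output: alice and bob have byte-identical NT fields, so one table hit cracks every account sharing that password, and svc_backup stays uncracked only because its password is outside the precomputed space, which is why length and unpredictability, not complexity rules, are what buy resistance against this attack.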
Problems with the Windows Security Accounts Manager itself are rare, and local accounts may not even be on your admin radar. Still, it pays to know what the SAM is, where it lives, when it is exposed and how it works. That knowledge also provides a good rationale for keeping enterprise desktops locked down.
Given all of this, I think it's safe to say that nothing is truly secure when it comes to Windows passwords. Few assets are as precious as user passwords, and few are exposed in as many ways. Do what you can to minimize the risk: encrypt the disks, keep LM hashes disabled, remove stale copies of the SAM, and retire orphaned local accounts.
This was first published in December 2013