Top 10 Control Points For Your Local SAM
Forgetting to audit your local SAMs can prove disastrous
- By Derek Melber
Every Windows computer running on your network contains a local security accounts manager (SAM) -- outside of those old Windows 9x clients. Servers and clients retain their local SAM even after they join a domain. The big questions are what does the local SAM do and what are the key control points to circumvent security vulnerabilities?
The local SAM’s primary responsibility is to store the local user and group accounts for the computer. The local SAM includes a built-in Administrator user account, which is master and commander of that computer. There are other user and group accounts created by default, which we discuss below. The SAM’s other responsibility is to authenticate local user logons. If a user attempts to logon to the local computer, the local SAM is responsible for authenticating the request.
There are 10 primary control points that need to be checked with regard to the local SAM. There are more than 10 control points on the local SAM, but I've selected the control points that should always be included in your audit.
Control Point #1: Administrator User Account
The Administrator account has the scope of the computer only. This account should not be confused with the Administrator user account at the domain, which has control over all user and computer accounts in the domain. The local Administrator account should be examined for the following control points:
- The account should be renamed
- The password should be unique and complex
- The account should not be used, except to recover from a computer failure
- The account should not be used by a service
Control Point #2: Guest User Account
The Guest user account is a default user account that exists in every local SAM. This account is disabled by default and should remain configured that way. This is a quick and easy check as you audit other user accounts in the local SAM. If the Guest account is enabled, a user could log on with this user account and could possibly enumerate shares and other user accounts.
Control Point #3: New User Accounts
There should be few, if any, additional user accounts in the local SAM. There should not be any user account for the user of the computer, whether a typical employee or a member of the IT staff, because such accounts can circumvent security. If there are any user accounts in the local SAM, they should be enabled only for dedicated services such as SMS and other remote management services.
Control Point #4: Administrators Group
This is a default group that contains only the local Administrator group on a freshly installed computer. As soon as the computer joins the domain, the Domain Admins group is also placed in this group, to provide remote administration capabilities.
The members of this group can control the local computer identically to the Administrator user account, so the membership should be limited. It is common to have the domain user account for IT staff members placed in the local Administrators group on their client computer. However, for typical employees, this can be a poor decision, since they would then be able to install applications and configure other key computer settings with this privilege.
Control Point #5: Account Policies
The account policies control the password length and how the user account is controlled if the password is forgotten. It is best to have the local SAM account policy meet or exceed the company security policy setting for the domain account policy. If the account policy is less strict than the domain account policy, it provides an easy way for someone to break into the local computer to then gain access to domain resources.
Control Point #6: User Rights
User rights control what a user or group of users can do on the local computer. These user rights provide additional privileges to the operating system and resources located on the computer. The user rights for servers are extremely important compared to those configured on clients. The user rights on every server should be audited to ensure that they are configured properly and no additional users have privileged access to the server.
Control Point #7: Audit Policy
The audit policy controls what will be tracked in the security log in the Event Viewer. Things that can be tracked include access to files/folders, account management, system events, and logons. An important setting for both servers and clients to keep track of when users logon and what resources are accessed and when.
Control Point #8: Services
Although not directly tied to the local SAM, services can be dependent on the user and group accounts configured in the local SAM. The services should all be audited on servers and clients alike. Services that are not being used on a computer should be disabled or removed. Service accounts should point to domain user accounts and should adhere to the password change policy like any other user account in the domain.
Control Point #9: Patch and Service Pack Level
Not directly associated with the SAM, patch and service pack levels can certainly affect the vulnerabilities of the local SAM. Ideally, the latest and greatest security patch and service pack should be installed on every client and server. The company security policy should indicate what that level is for computers in your company's environment. There should also be a process for automatically deploying patches and service packs. Services such as Software Update Services (SUS) and System Management Services (SMS) provide excellent methods for ensuring that all computers are patched correctly.
Control Point #10: Backup Procedures
In order to protect the user and group accounts listed in the local SAM, routine backups of the local SAM should be performed. This will ensure that servers and clients running key applications and storing services can be recovered in case of a disaster. The backup procedure should be automatic, with a detailed and documented procedure for cycling and storing the backup media.
The local SAM is full of key control points that need to be configured properly to protect the domain and local computer assets. The audit should sample as many servers and clients as possible. Each computer sampled should be audited to check the control points listed in this article to ensure it meets the minimum security requirements for your company.
Additional articles by Derek Melber
Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., as well as an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of the The Group Policy Resource Kit by MSPress, which is the defacto book on the subject.