Audit Policy: Object Access: SAM is a setting in the Windows operating system that controls the auditing of security events related to access to the Security Accounts Manager (SAM) database. The SAM database is used to store user account information, including login credentials, on a Windows system.
When the setting is enabled, the system will generate an audit event in the security log of the event viewer every time an attempt is made to access the SAM database. This can include events such as a user logging in with a valid account, or an unauthorized user attempting to access the database.
Auditing object access can be useful for security purposes, as it allows you to track who is accessing sensitive information and when. You can configure the Audit Policy: Object Access: SAM setting in the Local Security Policy editor on your Windows system. You can either turn on or off the event generation and configure other related setting according to your requirement
What type of attacks happened on Audit Policy: Object Access: SAM?
The Security Accounts Manager (SAM) database is an important component of the Windows operating system that stores information about user accounts, including login credentials. As such, it can be a target for attackers who are looking to gain unauthorized access to a system.
One type of attack that can target the SAM database is called a “pass the hash” attack. In this type of attack, an attacker who has obtained the hashed password for an account is able to use that hash to authenticate to a system as that user without needing to know the clear-text password. This can be accomplished by injecting the hash into a protocol that uses the NTLM or LanMan hash for authentication, such as Remote Desktop Protocol (RDP) or Server Message Block (SMB). This can be done by exploiting a vulnerability on the target machine or by phishing a user to gain access to their login credentials.
Another type of attack that can target the SAM database is known as a “SAM database attack“. This is where an attacker who has gained administrative access to a system attempts to modify or corrupt the SAM database in order to create new user accounts, change passwords, or disable existing accounts.
These types of attacks can be mitigated by having a good security practice, such as using strong and unique passwords, regularly updating system, and having a multi-factor authentication. Auditing the object access events that are generated when the Audit Policy: Object Access: SAM setting is enabled can also help to detect and respond to these types of attacks.
What is the potential impact on Audit Policy: Object Access: SAM?
The potential impact of not properly configuring the Audit Policy: Object Access: SAM can be significant for an organization’s security posture. Some possible impacts include:
- Lack of visibility: Without auditing enabled, it may be difficult to detect unauthorized access or changes to the SAM, which could lead to security breaches or data loss.
- Compliance issues: Many regulatory compliance standards require organizations to implement proper auditing and logging. Failing to do so could result in non-compliance and potential fines.
- Difficulty in incident response: In the event of a security incident, the lack of auditing data could make it difficult to determine the scope and cause of the incident, making it harder to respond effectively.
- Unintended impact: Auditing configuration that is not properly set up could lead to high volume of unnecessary logs, which could lead to system and performance degradation and also to security alerts being ignored
What are the major vulnerabilities of Audit Policy: Object Access: SAM?
Audit Policy: Object Access: SAM is not directly vulnerable to any attack but it can be used as a way of tracking any suspicious activity on the SAM database, that may lead to an attack and it also gives an indication if the system is compromised.
There are a few vulnerabilities and attacks that can target the SAM database, including:
- Pass-the-hash attacks: In a pass-the-hash attack, an attacker who has obtained the hashed password for an account is able to use that hash to authenticate to a system as that user without needing to know the clear-text password. This can be done by injecting the hash into a protocol that uses the NTLM or LanMan hash for authentication, such as Remote Desktop Protocol (RDP) or Server Message Block (SMB).
- Password spraying: It’s a method of guessing a user’s password using a list of commonly used or weak passwords. This can be done by using a tool or script to try multiple passwords against a large number of accounts in order to identify valid login credentials.
- SAM database attacks: This is where an attacker who has gained administrative access to a system attempts to modify or corrupt the SAM database in order to create new user accounts, change passwords, or disable existing accounts.
- It’s possible to have multiple or stale accounts that are no longer needed or are associated with employees that have left the organization by having inefficient user account management. This can increase the attack surface and make it easier for an attacker to find a way in.
Why is it important to harden Audit Policy: Object Access: SAM?
Hardening the Audit Policy: Object Access: SAM is important because it helps to secure the Security Accounts Manager (SAM) and the data it stores. Here are a few hardening recommendations for the Audit Policy: Object Access: SAM setting:
- Enable auditing for the SAM database: By enabling the Audit Policy: Object Access: SAM setting, you can track access to the SAM database and detect any unauthorized access attempts.
- Limit administrative access: Limit the number of users who have administrative access to the system. This can help to prevent privilege escalation attacks and reduce the risk of unauthorized access to the SAM database.
- Use strong and unique passwords: Using strong and unique passwords for all user accounts can help to prevent pass-the-hash attacks and other types of attacks that rely on stealing login credentials.
- Use Multi-Factor Authentication: Using multi-factor authentication (MFA) can add an extra layer of security to user accounts, making it more difficult for an attacker to gain unauthorized access to the SAM database.
- Keep the system updated: Keep your system updated with the latest security patches and updates. This can help to protect against known vulnerabilities that can be exploited to gain unauthorized access to the SAM database.
- Monitor the Security Log: The security log can be used to track access to the SAM database, as well as other security-related events. It’s important to regularly review the security log for suspicious activity and to have a plan in place for responding to any security incidents that are detected.
- Regularly review the user accounts: Regularly review and validate all the user accounts that exist on the system and remove the accounts that are no longer needed or are associated with employees that have left the organization. This can help to minimize the attack surface and prevent the reuse of old or stale accounts.
- Implement Access control: Implement access control on all your sensitive files and folders. This can help to prevent unauthorized access and protect against privilege escalation attacks.
If you haven't yet established an organizational system hardening routine, now is a good time to start a hardening project. A good place to start is building your policy, usually according to best practices such as the CIS Benchmarks. Your next step will be implementing your policy in your network, and finally, maintaining your infrastructure to be hardened at all times.
What are the best practices for Audit Policy: Object Access: SAM?
Recommended best practices for the Audit Policy: Object Access: SAM (Security Accounts Manager) include the following:
- Enable auditing for object access on the SAM hive of the registry
- Audit successful and failed attempts to access the SAM
- Monitor for unexpected changes to the SAM, such as the creation or deletion of user accounts
- Review the security log regularly to identify any suspicious activity related to the SAM
It is also recommended to review these events with other system events, such as those from security software and network devices, to get a comprehensive view of the security posture of the system.