The user account database
One of the basic components of the Windows NT security system is the Security Account Manager. It mediates between the other security-system components, applications and Windows NT services on one side and the user account database (Security Account Management Database, SAM for short) on the other. This database must be present on every Windows NT computer. It holds all the information used to authenticate Windows NT users, both at interactive logon and for remote access over the network.
The SAM database is one of the hives of the Windows NT registry. The hive belongs to the HKEY_LOCAL_MACHINE subtree and is called SAM. It lives in the directory \winnt_root\System32\Config (winnt_root stands for the directory that holds the Windows NT system files) as a separate file, also called SAM. Most of the information in the SAM database is stored in binary form and is normally reachable only through the Security Account Manager. Editing the records of the SAM database with the registry editors (REGEDIT or REGEDT32) is not recommended, and in fact it cannot be done at all, because by default access to the SAM hive is denied to every category of Windows NT user.
Storage of user passwords
The account records in the SAM database hold the user names and the password information needed to identify and authenticate users at interactive logon. As in any other modern multi-user OS, this information is not kept in clear text: in the SAM database each password is normally represented by two 16-byte values, obtained by two different methods.
In the Windows NT method, the password string (in its Unicode form) is hashed with MD4, which yields a 16-byte value, the Windows NT hashed password. This hash is then encrypted with the DES algorithm and the result is what the SAM database stores. The DES key is derived from the user's relative identifier (RID), the automatically incremented ordinal number of that user's account in the SAM database. Because the RID is not secret, this DES layer obscures the hash rather than protects it: whoever can read an account record also has the key to undo it.
For compatibility with other Microsoft software (Windows for Workgroups, Windows 95/98 and LAN Manager), the SAM database also stores the user's password in LAN Manager form. To produce it, every letter of the password is converted to upper case and, if the password is shorter than 14 characters, it is padded with zero bytes to 14. Each 7-byte half of the padded password is then used on its own as a DES key to encrypt a fixed 8-byte constant. The two resulting 8-byte halves form the LAN Manager hashed password; they are DES-encrypted once more (again under keys derived from the user's RID) and placed in the SAM database. Because the halves are computed independently and upper-casing shrinks the character set, each half can be attacked separately as a password of at most seven characters, which is what makes the LAN Manager hash so much weaker than the Windows NT hash.
Use of the password
The password information entered in the SAM database is what Windows NT authenticates users against. At an interactive logon the password typed in is first hashed and encrypted in the same way and the result is compared with the 16-byte value recorded in the SAM database; for a network logon the hash is not sent but serves as the key in the challenge-response exchange. If the values agree, the user is allowed to log on.
Normally both hashed passwords are stored in encrypted form in the SAM database. In certain cases, however, the OS computes only one of them. For example, if a Windows NT domain user changes the password while working on a computer running Windows for Workgroups, only the LAN Manager password remains in the account record. Conversely, if the password contains more than 14 characters, or characters outside the so-called original equipment manufacturer (OEM) character set, only the Windows NT password is entered in the SAM database.
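The LAN Manager scheme from the storage section, the RID-keyed DES layer applied before a hash is written to the SAM database, the logon comparison just described and the rule for when no LAN Manager hash is stored at all, worked through as one added example in Go. This is not code from the article, from Microsoft or from any named tool; strToKey, lmHash, ridKeys, samEncrypt and lmVerify are this example's own names. The 7-to-8-byte key expansion and the RID byte permutations are those used by the public SAM dump tools, and the OEM character set is approximated as ASCII, which is an assumption.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

var lmMagic = []byte("KGS!@#$%") // the fixed 8-byte block LAN Manager encrypts

// strToKey spreads the 56 bits of a 7-byte string over 8 bytes, one low bit each for odd parity.
func strToKey(s [7]byte) []byte {
	k := []byte{
		s[0] >> 1,
		(s[0]&0x01)<<6 | s[1]>>2,
		(s[1]&0x03)<<5 | s[2]>>3,
		(s[2]&0x07)<<4 | s[3]>>4,
		(s[3]&0x0f)<<3 | s[4]>>5,
		(s[4]&0x1f)<<2 | s[5]>>6,
		(s[5]&0x3f)<<1 | s[6]>>7,
		s[6] & 0x7f,
	}
	for i := range k {
		k[i] <<= 1
		if bits.OnesCount8(k[i])%2 == 0 {
			k[i] |= 1
		}
	}
	return k
}

// desBlock encrypts (or decrypts) one 8-byte block under a 7-byte key string.
func desBlock(key7 [7]byte, block []byte, decrypt bool) []byte {
	c, err := des.NewCipher(strToKey(key7))
	if err != nil {
		panic(err) // cannot happen: strToKey always returns 8 bytes
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, block)
	} else {
		c.Encrypt(out, block)
	}
	return out
}

// lmHash returns the 16-byte LAN Manager hash, or nil when Windows NT stores none:
// more than 14 characters, or characters outside the OEM set (assumed here to be non-ASCII).
func lmHash(password string) []byte {
	if len(password) > 14 || strings.IndexFunc(password, func(r rune) bool { return r >= 0x80 }) >= 0 {
		return nil
	}
	var padded [14]byte // upper-cased, zero-padded to 14 bytes
	copy(padded[:], strings.ToUpper(password))
	var h1, h2 [7]byte
	copy(h1[:], padded[:7])
	copy(h2[:], padded[7:])
	return append(desBlock(h1, lmMagic, false), desBlock(h2, lmMagic, false)...)
}

func lmHashHex(password string) string { return hex.EncodeToString(lmHash(password)) }

// ridKeys derives the two 7-byte key strings from the account RID, with the byte
// permutations the public SAM dump tools apply to undo this layer.
func ridKeys(rid uint32) (k1, k2 [7]byte) {
	var r [4]byte
	binary.LittleEndian.PutUint32(r[:], rid)
	k1 = [7]byte{r[0], r[1], r[2], r[3], r[0], r[1], r[2]}
	k2 = [7]byte{r[3], r[0], r[1], r[2], r[3], r[0], r[1]}
	return
}

// samEncrypt is the per-account layer: each half of the hash under one RID-derived key.
func samEncrypt(hash []byte, rid uint32) []byte {
	k1, k2 := ridKeys(rid)
	return append(desBlock(k1, hash[:8], false), desBlock(k2, hash[8:], false)...)
}

// samDecrypt undoes samEncrypt; the RID is public, so this layer only obscures the hash.
func samDecrypt(enc []byte, rid uint32) []byte {
	k1, k2 := ridKeys(rid)
	return append(desBlock(k1, enc[:8], true), desBlock(k2, enc[8:], true)...)
}

// lmVerify mirrors the logon check: transform the candidate the same way and compare.
func lmVerify(candidate string, stored []byte, rid uint32) bool {
	h := lmHash(candidate)
	return h != nil && bytes.Equal(samEncrypt(h, rid), stored)
}

func main() {
	const rid = 500 // RID of the built-in Administrator account
	stored := samEncrypt(lmHash("password"), rid)
	fmt.Printf("LM hash: %x\nstored:  %x\nundone:  %x\n", lmHash("password"), stored, samDecrypt(stored, rid))
	fmt.Println("\"PASSWORD\" verifies:", lmVerify("PASSWORD", stored, rid)) // true: case was lost
	fmt.Println("LM hash kept for 15 chars:", lmHash("fifteen-chars!!") != nil)
}
```

The empty password gives the familiar aad3b435b51404ee in both halves, and "PASSWORD" verifies against a record created with "password": the scheme throws case away before hashing.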
Possible attacks on the SAM database
What interests a password cracker most is usually administrative privilege. It can be obtained by learning, in hashed or plaintext form, the password of the system administrator, which is stored in the SAM database. This is why the main attack on Windows NT password protection is aimed precisely at the SAM database.
By default, Windows NT blocks access to the file \winnt_root\System32\Config\SAM for all of its users without exception. Nevertheless, anyone who holds the right to back up Windows NT files and directories can copy this file from the hard disk to magnetic tape with the NTBACKUP program. A backup copy of the registry can also be created with the REGBAK utility from the Windows NT Resource Kit. Furthermore, the backup copy of the SAM file (SAM.SAV) in \winnt_root\System32\Config and the compressed archive copy of SAM (the file SAM._) in \winnt_root\Repair are of obvious interest to any attacker.
Once a physical copy of the SAM file is in hand, extracting the information protected in it takes little effort. After loading the SAM file into the registry of any other Windows NT computer (for example with the Load Hive command of REGEDT32), the user account records can be examined in detail to determine the users' RIDs and the encrypted versions of their hashed passwords. Knowing the RID and holding the encrypted hash, the attacker can decrypt the hash in order to use it, for example, to gain network access to another computer. For an interactive logon, however, knowing the hash alone is not enough: its plaintext form has to be recovered.
Recovering Windows NT user passwords in plaintext is the job of dedicated password crackers, which perform both brute-force enumeration and dictionary search. Sometimes a combined method is used: the "dictionary" is a file of precomputed hashes of the character strings that are most often chosen as passwords. Precomputation pays off because neither hash is salted, so the same password yields the same hash on every account and every machine. One of the best-known Windows NT password crackers is L0phtCrack.
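The Windows NT hash from the password storage section and the dictionary and precomputed-hash attack described here, as an added example in Go. This is not code from the article or from L0phtCrack. Go's standard library has no MD4, so RFC 1320 is implemented inline; md4, ntHash and crackNT are this example's own names, and the wordlist is constructed for the example.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
	"unicode/utf16"
)

// md4 implements RFC 1320. Go's standard library has no MD4 and many OpenSSL
// builds disable it as "legacy", so it is written out in full here.
func md4(msg []byte) [16]byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	m := append([]byte{}, msg...) // pad: 0x80, zeros to 56 mod 64, 64-bit LE bit length
	m = append(m, 0x80)
	for len(m)%64 != 56 {
		m = append(m, 0)
	}
	var lenBuf [8]byte
	binary.LittleEndian.PutUint64(lenBuf[:], uint64(len(msg))*8)
	m = append(m, lenBuf[:]...)
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s1, s2, s3 := [4]int{3, 7, 11, 19}, [4]int{3, 5, 9, 13}, [4]int{3, 9, 11, 15}
	for off := 0; off < len(m); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(m[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 16; i++ { // round 1: F(b,c,d) = (b AND c) OR (NOT b AND d)
			a = bits.RotateLeft32(a+((b&c)|(^b&d))+x[i], s1[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 2: G = majority(b,c,d), constant 5A827999
			a = bits.RotateLeft32(a+((b&c)|(b&d)|(c&d))+x[r2[i]]+0x5a827999, s2[i%4])
			a, b, c, d = d, a, b, c
		}
		for i := 0; i < 16; i++ { // round 3: H = b XOR c XOR d, constant 6ED9EBA1
			a = bits.RotateLeft32(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, s3[i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range [4]uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

func md4Hex(msg string) string {
	h := md4([]byte(msg))
	return hex.EncodeToString(h[:])
}

// ntHash is MD4 over the password's UTF-16LE encoding; there is no salt.
func ntHash(password string) [16]byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, w := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], w)
	}
	return md4(buf)
}

func ntHashHex(password string) string {
	h := ntHash(password)
	return hex.EncodeToString(h[:])
}

// crackNT is a dictionary attack with simple case variants (the NT hash is
// case-sensitive). Since nothing is salted, the table can be computed once
// and reused against every account: the "precomputed hashes" file of the text.
func crackNT(targetHex string, wordlist []string) (string, bool) {
	table := make(map[string]string, 3*len(wordlist))
	for _, w := range wordlist {
		if w == "" {
			continue
		}
		for _, v := range []string{w, strings.ToUpper(w), strings.ToUpper(w[:1]) + w[1:]} {
			table[ntHashHex(v)] = v
		}
	}
	p, ok := table[strings.ToLower(targetHex)]
	return p, ok
}

func main() {
	words := []string{"letmein", "summer", "password", "secret", "admin"} // constructed wordlist
	target := "8846f7eaee8fb117ad06bdd830b7586c"                         // NT hash of "password"
	fmt.Println("NT hash of \"password\":", ntHashHex("password"))
	if p, ok := crackNT(target, words); ok {
		fmt.Println("cracked:", p)
	}
}
```

The table is keyed by hash, so once built it answers a lookup in constant time for any number of dumped accounts; a real precomputed file is the same idea at scale.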
Protecting Windows NT from password crackers
The conclusion, then, is unambiguous: the most important task of the Windows NT system administrator is to protect the information stored in the SAM database from unauthorized access. To this end physical access to the computers on the network, and above all to the domain controllers, must be restricted. In addition, where the firmware supports it, BIOS passwords should be set both for starting the computer and for changing its BIOS settings, and booting from floppy disk and CD-ROM should then be disabled in the BIOS. And for Windows NT's access control on files and folders to take effect at all, the system partition of the hard disk must be formatted as NTFS.
The directory \winnt_root\Repair must be closed, by means of the operating system, to all users including administrators, and opened only while the RDISK utility is running, since that utility creates the archive copies of the Windows NT registry in this directory. System administrators must also keep careful track of where and how the Emergency Repair Disks are kept, and likewise the tape backups, if these contain a copy of the Windows NT registry.
When a computer running Windows NT is a member of a domain, by default the names and hashed passwords of the last ten users who logged on at that computer are retained (cached) in its local registry (under SECURITY\Policy\Secrets in the HKEY_LOCAL_MACHINE hive). To turn off password caching on the domain's computers, use REGEDT32 to add to the key Software\Microsoft\Windows NT\CurrentVersion\Winlogon of HKEY_LOCAL_MACHINE a value named CachedLogonsCount of type REG_SZ, set to zero. To protect the SAM database itself one can use the SYSKEY utility, which is part of Windows NT Service Pack 3. It enables an additional layer of encryption for the password information stored in the SAM database. A unique 128-bit key for this additional encryption of the passwords (the so-called Password Encryption Key, PEK) is stored automatically in the registry for later use. Note that in SYSKEY's default mode the system key that protects the PEK is itself kept in the registry, so an attacker who obtains the SYSTEM hive together with the SAM file can still recover the hashes; SYSKEY's options of keeping the key on a floppy disk or deriving it from a startup password avoid this.