Securing access to SAM database


The SAM database is located in the repair directory under the Windows folder. It contains password information and is quite secure, but for a higher level of security, change the permissions on the repair directory.

1) Right click on the repair directory located under C:\Windows
2) Click properties
3) Click the security tab
4) Ensure that only Administrators and System have Full Control permissions. Remove any other users.

Secure Remote Desktop on a Windows 2003 Terminal Server


1) Open Administrative Tools and then Terminal Services Configuration
2) Select connections from the left pane and then RDP-TCP
3) Click the action menu and properties
4) Select the permissions tab
5) Ensure that only admins (Full Control) and System are listed. Remove any other users. If you have an admin group that you use for RDP access, add it and allow Full Control.
If you wish, you can also disable other features such as drive mapping and Windows printer mapping. These can be found by clicking the Client Settings tab.

Clear Down the Default User Profile on a terminal server


To help speed up the creation of profiles for new users logging on to a terminal server, and to enhance security, remove the following items from C:\Documents and Settings\Default User:

1) Remove Mail Recipient from SendTo
2) Remove Desktop (create shortcut) from SendTo
3) Remove Compressed (Zipped) Folder from SendTo
4) Remove Accessories from Start Menu\Programs
5) Remove Remote Assistance from Programs
6) Hide Start Menu\Programs\Startup

To modify the default user registry, it must first be loaded into Registry Editor. To do this, follow the instructions below. Please take a backup of your registry and system before making any changes.

1) Launch registry editor
2) Select HKEY_LOCAL_MACHINE
3) Open the Load Hive window by clicking File and then selecting Load Hive
4) Locate and select the default user's Ntuser.DAT file, which should be located in C:\Documents and Settings\Default User\Ntuser.DAT
5) Click the Open button and when prompted type DefUsr for the key name
6) Click OK

After modifying the default user profile, it is important to unload the hive. If this is not done, a new user will not be able to read the Ntuser.dat file within Default User because the system will have it locked.

1) Select the root of the DefUsr key
2) Click file and click Unload Hive
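
The same load, modify, unload sequence can be scripted with reg.exe so that the hive is always unloaded, even when a change fails. This is an added example, not part of the original post; the optional .reg file argument and the backup location are assumptions, and the .reg file is expected to write under HKEY_LOCAL_MACHINE\DefUsr.

```bat
@echo off
rem Added example: load the Default User hive, apply changes, always unload.
rem Usage (hypothetical script name): defusr.cmd [changes.reg]
setlocal
set "HIVE=C:\Documents and Settings\Default User\Ntuser.DAT"
set "KEY=HKLM\DefUsr"
rem Assumed backup location; change to suit your environment.
set "BACKUP=%TEMP%\DefUsr-backup.reg"
set "RC=0"

rem Load the hive under the same key name used in the manual steps.
reg load "%KEY%" "%HIVE%"
if errorlevel 1 (
    echo Could not load "%HIVE%". Is it already loaded or in use?
    exit /b 1
)

rem Export the loaded hive first so the changes can be rolled back.
if exist "%BACKUP%" del "%BACKUP%"
reg export "%KEY%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, no changes will be applied.
    set "RC=1"
    goto unload
)

rem Apply the changes only if a .reg file was supplied.
if not "%~1"=="" (
    reg import "%~1"
    if errorlevel 1 (
        echo Import of "%~1" failed.
        set "RC=1"
    )
)

:unload
rem Always unload, otherwise Ntuser.DAT stays locked and new users
rem cannot read it when their profile is created.
reg unload "%KEY%"
if errorlevel 1 (
    echo Unload failed. Close Registry Editor if it has DefUsr open,
    echo then run: reg unload %KEY%
    exit /b 2
)
exit /b %RC%
```

An exit code of 2 means the hive is still loaded and must be unloaded by hand before any new user logs on.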