Block Windows Remote Shutdown on a Domain

ctav01

I work for a high school as the tech guy and the little darlings have
just discovered the joys of Remote Shutdown. I was researching a way
to block them and found a previous post about going to Group Policies,
Computer Configuration, Windows Settings, Security Settings, Local
Policies, User Rights Assignments and changing the Force Shutdown
groups. I checked the Group Policies for our domain and none of the
User Rights Assignments were set so I enabled the Force Shutdown
policy and set it to "nobody" (or blank). My questions are whether or
not setting it at the domain level is the best way to go and if
anything needs to be done to "push" the setting out (like a reboot).
Thanks in advance.
 
Harry Johnston

ctav01 said:
I work for a high school as the tech guy and the little darlings have
just discovered the joys of Remote Shutdown.

Something is wrong with your security settings. By default, only administrators
have the right to remotely shut down the system.

Harry.
 
ctav01

Harry Johnston said:
Something is wrong with your security settings. By default, only administrators
have the right to remotely shut down the system.

Harry.

Yeah, I wondered about that too. From what I've read, the user needs
admin access on the local computer AS WELL AS admin on the remote
computer to do a Remote Shutdown. Unfortunately, the lab they're
doing the shutting down in and from was badly set up (before my time)
and the local student accounts have local admin access but not domain
admin access. The other labs, which are getting some of their
computers shut down, are better set up and these kids shouldn't have
any admin access so I'm not sure how they're still able to shut them
down.

Regardless, changing the Group Policy for the domain seems to have
fixed it. I wasn't able to shut down anything (with my domain admin
rights) but I'll have to wait to see if it's still a problem in the
"bad" lab. Thanks for the reply Harry.
 
Guest

While you're at it, check to see if administrative shares are accessible
remotely. For example:

net use x: \\computername\c$

If this is possible it's a much more serious security hole than shutdown.
They could in principle trash all the data on the computer this way.
 
Guest

I have a question. You have a domain and the computers are joined to the
domain and the students can shut down the domain controller and the
workstations of other users as well? Is this correct?
 
Guest

You have a domain controller with workstations joined to the domain and the
students can reboot workstations. Is that correct? Can they reboot the
domain controller too?
 
ctav01

Guest said:
You have a domain controller with workstations joined to the domain and the
students can reboot workstations. Is that correct? Can they reboot the
domain controller too?

No, they can only reboot/shutdown other workstations.

Most of the school's computers are attached to the domain and use a
generic student domain login but some computers aren't joined to the
domain and have a local generic student login. Unfortunately, both
generic student logins usually have local admin access (the "good"
labs have DeepFreeze installed and, until now, had no issues with the
students logging in with admin privileges) which gave them the ability
to use Remote Shutdown across campus (but not at the domain
controller). I think changing the Group Policies at the domain fixed
things for now but I need to test it further.
 
Harry Johnston

ctav01 said:
Most of the school's computers are attached to the domain and use a
generic student domain login but some computers aren't joined to the
domain and have a local generic student login. Unfortunately, both
generic student logins usually have local admin access (the "good"
labs have DeepFreeze installed and, until now, had no issues with the
students logging in with admin privileges) which gave them the ability
to use Remote Shutdown across campus (but not at the domain
controller). I think changing the Group Policies at the domain fixed
things for now but I need to test it further.

I don't know much about DeepFreeze. I'm doubtful that there is any way to
prevent an admin user from playing nasty tricks with the system.

In any case, I recommend that you use the "Deny logon from the network"
privilege on the student machines to prevent students from connecting to other
machines over the network. This should not only stop them performing remote
shutdowns but also block an entire category of related attacks - remotely
killing other students' applications, launching applications remotely, and so on.

Harry.
 
ctav01

Harry Johnston said:
In any case, I recommend that you use the "Deny logon from the network"
privilege on the student machines to prevent students from connecting to other
machines over the network. This should not only stop them performing remote
shutdowns but also block an entire category of related attacks - remotely
killing other students' applications, launching applications remotely, and so on.

So that wouldn't stop a student computer from doing some sort of
network mischief but it would stop someone from doing network mischief
on that particular student computer? Ug, sounds like I would have to
touch every student computer to make this work. :(

Btw, would that privilege also block things like VNC and Remote
Desktop?

Thanks.
 
Harry Johnston

ctav01 said:
So that wouldn't stop a student computer from doing some sort of
network mischief but it would stop someone from doing network mischief
on that particular student computer? Ug, sounds like I would have to
touch every student computer to make this work. :(

Yes, but you can do it with group policy - if I remember correctly you said you
had a domain with existing group policy? Look in Computer Settings, Windows
Settings, Security Settings, Local Policies, User Rights Assignments, Deny
access to this computer from the network.

If you don't have a domain you could do it remotely using ntrights.exe which is
part of the Windows Server 2003 Resource Kit Tools:

<http://www.microsoft.com/downloads/...69-57ff-4ae7-96ee-b18c4790cffd&DisplayLang=en>

You'd still need to touch each computer but only over the network.

ctav01 said:
Btw, would that privilege also block things like VNC and Remote
Desktop?

I don't know about VNC. I don't believe it would affect Remote Desktop because
that has its own privilege (Allow/Deny Logon through Terminal Services).

Harry.
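
One way to check, per machine, that the two User Rights Assignments discussed in this thread actually landed after the policy change. This is an added example, not code posted by anyone in the thread; the function names and the LAB\Students group are hypothetical, and -StudentGroup must be written the way the account appears in the export (name or *SID).

```powershell
# Added example, not from the thread. Constructed sample of the file written by
# "secedit /export /areas USER_RIGHTS"; LAB\Students is a placeholder group.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,LAB\Students
SeDenyNetworkLogonRight =
[Version]
signature="$CHICAGO$"
'@

# Return the accounts listed for one right in the [Privilege Rights] section.
function Get-UserRight {
    param([string[]]$Lines, [string]$Right)
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    return @()   # right not defined: no account holds it
}

# Summarise the two rights from the thread for one machine's export.
function Test-LabRights {
    param([string[]]$Lines, [string]$StudentGroup)
    $admins   = '*S-1-5-32-544'   # BUILTIN\Administrators, default holder on workstations
    $shutdown = @(Get-UserRight $Lines 'SeRemoteShutdownPrivilege')
    $denyNet  = @(Get-UserRight $Lines 'SeDenyNetworkLogonRight')
    [pscustomobject]@{
        RemoteShutdownHolders = $shutdown -join ', '
        BeyondAdministrators  = @($shutdown | Where-Object { $_ -ne $admins }) -join ', '
        StudentsDeniedNetwork = $denyNet -contains $StudentGroup
    }
}

# On a real machine, from an elevated prompt, use a live export instead:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS | Out-Null
#   $lines = Get-Content "$env:TEMP\rights.inf"
$lines = $sample -split "\r?\n"
Test-LabRights -Lines $lines -StudentGroup 'LAB\Students'
```

The export lists groups, not effective members: where the student login is a local administrator it still holds any right granted to Administrators, so an empty BeyondAdministrators column does not by itself mean students are locked out.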
 
