"Force shutdown from a remote system"
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
"Force shutdown from a remote system" <-> 10-13-2006
Posted by Jimmy Brush on October 18, 2006, 8:02 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
This policy sets which user accounts can gain the "shutdown computer"
privilege, which is required to shutdown the computer. This is handled at
the authentication level.

Whenever a user logs into the system, whether from over the network or
locally at the computer, the system assigns that user login with a set of
privileges. Any program that user runs can only do what those privileges
allow for that user.

It should be impossible to shutdown the system unless you have this shutdown
privilege, regardless of which API or command is used.

When a user logs in from a network location, as is the case with say typing
\computername into an explorer window, using the computer administrator or
other mmc console to remotely administrate another computer, using one of
the many command-line tools available to remotely administrate a remote
computer such as the NET and SHUTDOWN command, etc, the system that you are
connecting to realizes that this is a network login and either assigns or
unassigns the shutdown privilege based on that policy setting.

In short:

"Force shutdown from a remote system" controls who gets the system shutdown
privilege when logged in via networking services.

"Shut down the system" controls who gets the system shutdown privilege when
logged in interactively.

This last statement is the kicker - When you connect to a computer using
Remote Desktop, as was mentioned in another reply, you are given a desktop
as if you were physically at the computer; this is considered an
"interactive" login, and NOT a network login, so the second policy setting
is used in this case to determine whether to assign the shutdown privilege.


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/


Posted by on October 19, 2006, 5:39 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Thanks Jimmy,

That really does clarify it. Fortunately for us, the only way we shut down
or reboot DC's is from Remote Desktop, or that rare instance in which we are
physically at the box. It also illuminates why it was recommended to us to
have the DC policy not have anyone have this right.


> This policy sets which user accounts can gain the "shutdown computer"
> privilege, which is required to shutdown the computer. This is handled at
> the authentication level.
>
> Whenever a user logs into the system, whether from over the network or
> locally at the computer, the system assigns that user login with a set of
> privileges. Any program that user runs can only do what those privileges
> allow for that user.
>
> It should be impossible to shutdown the system unless you have this
> shutdown privilege, regardless of which API or command is used.
>
> When a user logs in from a network location, as is the case with say
> typing \computername into an explorer window, using the computer
> administrator or other mmc console to remotely administrate another
> computer, using one of the many command-line tools available to remotely
> administrate a remote computer such as the NET and SHUTDOWN command, etc,
> the system that you are connecting to realizes that this is a network
> login and either assigns or unassigns the shutdown privilege based on that
> policy setting.
>
> In short:
>
> "Force shutdown from a remote system" controls who gets the system
> shutdown privilege when logged in via networking services.
>
> "Shut down the system" controls who gets the system shutdown privilege
> when logged in interactively.
>
> This last statement is the kicker - When you connect to a computer using
> Remote Desktop, as was mentioned in another reply, you are given a desktop
> as if you were physically at the computer; this is considered an
> "interactive" login, and NOT a network login, so the second policy setting
> is used in this case to determine whether to assign the shutdown
> privilege.
>
>
> --
> - JB
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/



Similar ThreadsPosted
Component Services Remote Shutdown Permissions November 9, 2005, 4:09 am
Hide system processes monitoring to remote computers under XP November 7, 2007, 6:19 am
Force reboot in WSUS September 22, 2005, 3:55 pm
Use of Kerberos unreliable, can I force it? July 17, 2008, 5:03 am
Force password change at next logon. October 14, 2008, 6:49 am
Virtual Task Force Nabs 565 Cyber Criminals May 23, 2006, 7:18 pm
How to force a (the same !) user to logon when connecting to a network shared folder ? March 4, 2007, 8:19 am
Is it possible to use "Run As" in a shutdown script? January 7, 2006, 11:01 am
shutdown logfile January 21, 2006, 6:29 am
Strange Message on Shutdown...! July 13, 2005, 7:22 pm

The site map in XML format XML site map

Contact Us | Privacy Policy