Domain member is shutting down computers and servers

Posted on 2015-01-07
Last Modified: 2015-01-08
Below is an attachment of the event viewer of one of our servers. This user doesn't have admin privileges (shouldn't, anyway). He is using the wininit.exe process to remotely shut down computers, and yesterday he hit a server, so he's got my full attention now.

Please advise,
Question by: PapaSmurff
LVL 28

Accepted Solution

Dan McFadden earned 1700 total points
ID: 40535389
Is this server available on the Internet or is it only visible on your internal network?

I would try to ID where the user account hcrhs\ckeener is logged in.  I would also verify the user account domain group membership(s) to see if anything is out of the ordinary.  I would also audit the servers that have been shutdown by this user.  Look to see if the local admin group(s) have been modified.  I would also look in the Local Security Policies on each server to see if any of the User Rights Assignment policies have been modified to include this user or a group this user may be in.

I would immediately reset the account's password and disable the account.  If the account is assigned to an actual authorized person, I would go speak with that person, especially if you can tie a server reboot event to this account, coming from the authorized person's computer.  I would then do the following:

1. Inform the necessary management people of a potential security issue.
2. Audit the account's settings and group membership
3. Audit all Enterprise and Domain level, core administrative groups (Administrators, Exchange Admins, Database Admins, SCOM, SCCM, etc. groups)
4. Reset the password of the Administrator account in all domains.
5. Search through the affected servers for activity (logon/logoff events) for the above user account

It might sound a bit extreme, but you may have a situation where you have a rogue internal person/process that is shutting down servers or you have an account that has been compromised and is actively disrupting operations.


Author Comment

ID: 40535405
Thanks Dan. We have malicious students doing this. They have been targeting computers and yesterday they hit a server. It is hard to prove if the student remained in his seat the whole time. I'm looking for two things really:

1) How/why are they able to shutdown a server?

2) How can we block this from happening campus-wide?

LVL 28

Expert Comment

by: Dan McFadden
ID: 40535468
So, I would still audit membership in some domain groups and the server local policies.

If you were to look (on a server) at the policy called "Shut down the system", you would see that by default there are only 2 groups allowed to execute the function:

1. Administrators
2. Backup Operators

I would audit both of these groups for unusual membership. I would also audit the following policy for modifications.

- Force shutdown from a remote system (default = Administrators)

You may also want to audit your domain policies for the above items.

You will probably want to use GPOs to block client functionality (workstation lockdown, if these are school assets). Do you use GPO to:

1. block "Run" from being displayed?
2. block the installation or use of certain ".exe"
--- shutdown.exe is built into the OS
--- Sysinternals' PsTools can cause havoc
3. shutdown the service "Remote Registry"
4. limit the visible icons/apps available to general user accounts

As for how to block functionality like this on a large scale, first you have to determine and understand the process being used before being able to block it.  There is no magic solution.

Probably the best tactic to use is to block everything, then open up only what is truly necessary.

The best method (IMO) for securing your servers from this type of intrusion, would be to build a dedicated server only network and protect it with a firewall then open only the necessary ports to grant the needed services.  Don't put workstations and servers on the same subnet.  Treat the entire campus network as if it is the Internet and create protected subnets for core infrastructure services.
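The audit Dan describes in his two posts above (the "Shut down the system" and "Force shutdown from a remote system" rights, the two default groups, and the logon/shutdown trail on the affected servers), as an added PowerShell script that is not part of the thread. It assumes an elevated session on the server being audited and uses secedit, net.exe and the System log's User32 event 1074, which records the initiating process (wininit.exe in the original question) and account.

```powershell
# Added audit script (not from the thread). Run in an elevated PowerShell on
# each server that was shut down. It reports the two User Rights Assignment
# policies named above, the two groups that hold "Shut down the system" by
# default, and the User32 1074 events that record who initiated a shutdown.

# 1. Export the effective local policy for the user-rights area only.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sidToName = {
    param($sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }   # an unresolvable SID (deleted account) is itself worth noticing
}
Get-Content $inf |
    Where-Object { $_ -match '^(SeShutdownPrivilege|SeRemoteShutdownPrivilege)\s*=' } |
    ForEach-Object {
        $name, $value = $_ -split '=', 2
        # secedit writes SIDs prefixed with '*', e.g. *S-1-5-32-544 (Administrators)
        $holders = $value -split ',' | ForEach-Object { & $sidToName $_.Trim().TrimStart('*') }
        '{0,-26} {1}' -f $name.Trim(), ($holders -join ', ')
    }
Remove-Item $inf -ErrorAction SilentlyContinue

# 2. Members of the two groups that hold the right by default (net.exe works
#    on every Windows version; Get-LocalGroupMember needs Windows 10 / 2016+).
foreach ($group in 'Administrators', 'Backup Operators') {
    "`n--- $group ---"
    net.exe localgroup $group
}

# 3. Shutdown history. User32 event 1074 carries the initiating process
#    (wininit.exe in the original question), the target computer, the
#    shutdown type and the account, in that order of the event's properties.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Process';  e = { $_.Properties[0].Value } },
        @{ n = 'Computer'; e = { $_.Properties[1].Value } },
        @{ n = 'Type';     e = { $_.Properties[4].Value } },
        @{ n = 'User';     e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

Anything other than Administrators (and Backup Operators for the local right) in the first section, or a non-admin account in the User column of the third, is the finding Dan's post tells you to chase.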


Author Comment

ID: 40535739
Thanks Dan. Student was suspended for 2 days and he showed us how it was done. Command prompt / shutdown -i

1) We run a batch file startup script and they just click on that before it ends and get access to the command prompt.
2) Windows 7, start orb, search "command"
3) Create a batch file on the desktop and run

He used the shutdown -i command. We are currently using this to resolve the issues for the servers: http://masud-ahmed-windows7-server-2008.blogspot.com/2013/07/windows-7-disable-remote-shutdown.html  Think that's what you mentioned above. All computers will be secured with image updates.

We have about 12 different VLANs (servers on one, projectors on another, etc.).

Yes, we block the run command and control panel/command prompt is hidden but apparently not blocked.

Is there a sure fire way to prohibit access to the command prompt?
Thanks again!
LVL 28

Assisted Solution

by: Dan McFadden
Dan McFadden earned 1700 total points
ID: 40535790
To disable the command prompt:


You may also want to play with the settings under:

User Configuration - Administrative Templates - Start Menu and Taskbar -

1. Do not search for files
2. Do not search Internet
3. Do not search programs and Control Panel items

Blocking it does prevent one from searching for it.  So you may want to block some searching.

These are User based GPOs, so you would have to apply them to an OU where the user accounts reside.
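A way to verify, from a restricted user's session, that the user-side lockdown settings discussed in this thread actually landed (command prompt, Run, the three Start Menu search settings, and the Remote Registry service from Dan's earlier list). This is an added example, not from the thread; the registry paths are the standard Explorer and System policy keys these GPO settings write to, and it assumes you run it logged on as a student account so HKCU reflects the policy applied to that OU.

```powershell
# Added example (not from the thread): for the logged-on user, report whether
# the user-side lockdown settings discussed above are in effect by reading the
# registry values the corresponding GPO settings write, then check the
# Remote Registry service. Run it in a restricted (student) account's session.
function Get-PolicyState {
    param([string]$Path, [string]$Name, [int[]]$Expected)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NOT SET' }
    $actual = $item.$Name
    if ($Expected -contains $actual) { return "OK ($actual)" }
    return "WEAK ($actual)"
}

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    # DisableCMD = 2 hides cmd.exe but still lets batch files run, which is
    # exactly the desktop .bat route described in this thread, so require 1.
    # Caveat: 1 also blocks batch logon scripts, such as the startup script
    # mentioned above, so convert that script before enforcing it.
    @{ Label = 'Prevent access to the command prompt (incl. .bat)'
       Path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name  = 'DisableCMD'; Expected = 1 },
    @{ Label = 'Remove Run menu from Start Menu'
       Path  = $explorer; Name = 'NoRun'; Expected = 1 },
    @{ Label = 'Do not search for files'
       Path  = $explorer; Name = 'NoSearchFilesInStartMenu'; Expected = 1 },
    @{ Label = 'Do not search Internet'
       Path  = $explorer; Name = 'NoSearchInternetInStartMenu'; Expected = 1 },
    @{ Label = 'Do not search programs and Control Panel items'
       Path  = $explorer; Name = 'NoSearchProgramsInStartMenu'; Expected = 1 }
)
foreach ($c in $checks) {
    '{0,-50} {1}' -f $c.Label, (Get-PolicyState -Path $c.Path -Name $c.Name -Expected $c.Expected)
}

# Remote Registry (item 3 in the lockdown list): expect Stopped / Disabled.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'"
if ($svc) { '{0,-50} {1} / {2}' -f 'Remote Registry service', $svc.State, $svc.StartMode }
```

A "NOT SET" row means the GPO never reached this user's OU, which is the usual reason a setting that looks enabled in the console still leaves the prompt reachable.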


Assisted Solution

Bahloul earned 300 total points
ID: 40537438
You may check this article to provide you more information about this event, which occurs normally in Microsoft Windows and which is in general abnormal. I faced this case 3 times in 3 years, counting in also the unexpected shutdown:


Here are also all the reasons that could shut down the OS without warning, and some notes that may help to prevent this:


LVL 22

Expert Comment

by: Adam Leinss
ID: 40537879
So basically he had administrator rights...so why do the students have admin rights again?

Author Comment

ID: 40538244
Thank you Dan and Bahloul!
