
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 250
  • Last Modified:

Domain member is shutting down computers and servers

Below is an attachment of the Event Viewer of one of our servers. This user doesn't have admin privileges (shouldn't, anyway). He is using the wininit.exe process to remotely shut down computers, and yesterday he hit a server, so he's got my full attention now.

Please advise,
3 Solutions
Dan McFadden, Systems Engineer, commented:
Is this server available on the Internet or is it only visible on your internal network?

I would try to ID where the user account hcrhs\ckeener is logged in.  I would also verify the user account domain group membership(s) to see if anything is out of the ordinary.  I would also audit the servers that have been shutdown by this user.  Look to see if the local admin group(s) have been modified.  I would also look in the Local Security Policies on each server to see if any of the User Rights Assignment policies have been modified to include this user or a group this user may be in.

I would immediately reset the account's password and disable the account.  If the account is assigned to an actual authorized person, I would go speak with that person, especially if you can tie a server reboot event to this account, coming from the authorized person's computer.  I would then do the following:

1. Inform the necessary management people of a potential security issue.
2. Audit the account's settings and group membership
3. Audit all Enterprise and Domain level, core administrative groups (Administrators, Exchange Admins, Database Admins, SCOM, SCCM, etc. groups)
4. Reset the password of the Administrator account in all domains.
5. Search through the affected servers for activity (logon/logoff events) for the above user account

It might sound a bit extreme, but you may have a situation where you have a rogue internal person/process that is shutting down servers or you have an account that has been compromised and is actively disrupting operations.
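The audit Dan describes (group membership, local admin groups on the affected servers, and the logon/shutdown activity tied to the account) can be scripted. The following is an added example and not code from the thread; it assumes the RSAT ActiveDirectory module on the machine it runs from and WinRM on the servers, and the server names are constructed placeholders. It looks for System log Event ID 1074, which is the event that records who initiated a shutdown and through which process (the wininit.exe entries the question mentions).

```powershell
# Added example, not part of the thread. Assumes the RSAT ActiveDirectory module
# on the machine you run it from and WinRM on the servers. The server names are
# constructed placeholders; the account is the one named in the question.
param(
    [string]$Account = 'hcrhs\ckeener',
    [string[]]$Servers = @('SERVER01', 'SERVER02'),
    [int]$Days = 14
)
Import-Module ActiveDirectory
$sam = ($Account -split '\\')[-1]

# 1. Every group the account belongs to (direct membership)
Write-Host "== Group membership for $sam =="
Get-ADPrincipalGroupMembership -Identity $sam |
    Sort-Object Name | Format-Table Name, GroupCategory, GroupScope -AutoSize

# 2. Privileged domain groups: flag any that contain the account, nested or not
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Backup Operators', 'Server Operators', 'Account Operators'
foreach ($g in $privileged) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    if ($members | Where-Object { $_.SamAccountName -eq $sam }) {
        Write-Warning "$sam is a member of $g (possibly through nesting)"
    }
}

# 3. On each server: local Administrators / Backup Operators membership, and
#    System log Event ID 1074 (shutdown initiated) entries naming the account.
$since = (Get-Date).AddDays(-$Days)
$results = Invoke-Command -ComputerName $Servers -ArgumentList $Account, $since -ScriptBlock {
    param($Account, $Since)
    $localGroups = foreach ($grp in 'Administrators', 'Backup Operators') {
        # net localgroup exists on every Windows version; Get-LocalGroupMember needs 2016 / Win10
        net localgroup $grp |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+$|The command)' } |
            ForEach-Object { [pscustomobject]@{ Group = $grp; Member = $_.Trim() } }
    }
    $shutdowns = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Account) } |
        ForEach-Object {
            # 1074 text: "The process <exe> (<source>) has initiated the <action> of computer <name> on behalf of user <user> ..."
            $proc = if ($_.Message -match 'process (\S+)') { $Matches[1] } else { '?' }
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $proc; Text = ($_.Message -split "`r?`n")[0] }
        }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; LocalGroups = @($localGroups); Shutdowns = @($shutdowns) }
}

foreach ($r in $results) {
    Write-Host "== $($r.Server) =="
    $r.LocalGroups | Format-Table Group, Member -AutoSize
    if ($r.Shutdowns.Count -eq 0) { Write-Host "No shutdown events naming $Account in the last $Days days" }
    else { $r.Shutdowns | Format-Table Time, Process, Text -AutoSize -Wrap }
}
```

The 1074 event is the one to correlate with the 4624 logon events on the same server: the source host shown in the 1074 message and the workstation name in the matching logon tell you which seat the command came from, which is the question raised later in the thread.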

PapaSmurff (Author) commented:
Thanks Dan. We have malicious students doing this. They have been targeting computers, and yesterday they hit a server. It is hard to prove if the student remained in his seat the whole time. I'm looking for two things, really:

1) How/why are they able to shutdown a server?

2) How can we block this from happening campus wide.

Dan McFadden, Systems Engineer, commented:
So, I would still audit membership in some domain groups and the server local policies.

If you were to look (on a server) at the policy called "Shut down the system" you would see that by default there are only 2 groups allowed to execute the function:

1. Administrators
2. Backup Operators

I would audit both of these groups for unusual membership.  I would also audit the following policy for modifications.

- Force shutdown from a remote system (default = Administrators)

You may also want to audit your domain policies for the above items.

You will probably want to use GPOs to block client functionality (workstation lock down, if these are school assets).  Do you use GPO to:

1. block "Run" from being displayed?
2. block the installation or use of certain ".exe"
--- shutdown.exe is built into the OS
--- Sysinternals' PsTools can cause havoc
3. shutdown the service "Remote Registry"
4. limit the visible icons/apps available to general user accounts

As for how to block functionality like this on a large scale, first you have to determine and understand the process being used before being able to block it.  There is no magic solution.

Probably the best tactic is to block everything, then open up only what is truly necessary.

The best method (IMO) for securing your servers from this type of intrusion, would be to build a dedicated server only network and protect it with a firewall then open only the necessary ports to grant the needed services.  Don't put workstations and servers on the same subnet.  Treat the entire campus network as if it is the Internet and create protected subnets for core infrastructure services.
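The two User Rights Assignment policies Dan names are the server-side control that actually decides whether a remote shutdown request is honoured, so they are worth checking on every server rather than eyeballing one. The following is an added example, not code from the thread: it exports the local security policy with secedit on each server, parses the [Privilege Rights] section, resolves the SIDs, and warns when anyone beyond the defaults stated above holds either right. The server names are constructed placeholders and WinRM is assumed.

```powershell
# Added example, not part of the thread. Exports the local security policy with
# secedit on each server and reports the holders of the two user rights Dan names:
#   SeShutdownPrivilege       = "Shut down the system"
#   SeRemoteShutdownPrivilege = "Force shutdown from a remote system"
# Server names are constructed placeholders; WinRM is assumed.
param([string[]]$Servers = @('SERVER01', 'SERVER02'))

# Defaults on a member server, as stated in the thread
$expected = @{
    SeShutdownPrivilege       = @('BUILTIN\Administrators', 'BUILTIN\Backup Operators')
    SeRemoteShutdownPrivilege = @('BUILTIN\Administrators')
}

$report = Invoke-Command -ComputerName $Servers -ScriptBlock {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    Remove-Item $cfg -Force

    # [Privilege Rights] lines look like:  SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $rights = @{}
    foreach ($line in $lines) {
        if ($line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $holders = foreach ($raw in ($Matches[2] -split ',')) {
            $v = $raw.Trim()
            if ($v -like '*S-1-*') {
                # Resolve the SID to an account name; keep the raw SID if it no longer resolves
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($v.TrimStart('*'))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $v }
            } else { $v }
        }
        $rights[$name] = @($holders)
    }
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Rights = $rights }
}

foreach ($r in $report) {
    foreach ($name in $expected.Keys) {
        $holders = @($r.Rights[$name])
        $extra   = @($holders | Where-Object { $_ -notin $expected[$name] })
        if ($extra.Count -gt 0) {
            Write-Warning "$($r.Server): $name also granted to: $($extra -join ', ')"
        } else {
            Write-Host "$($r.Server): $name = $($holders -join ', ') (default)"
        }
    }
}
```

A SID that stays unresolved in the output is itself a finding: it usually means a right was granted to an account or group that has since been deleted, which is the kind of leftover Dan's audit is meant to surface. If the domain GPO overrides these rights, the exported template shows the effective result, so a mismatch points you at the policy to fix, not only the server.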


PapaSmurff (Author) commented:
Thanks Dan. Student was suspended for 2 days and he showed us how it was done. Command prompt / shutdown -i

1) We run a batch file startup script and they just click on that before it ends and get access to the command prompt.
2) Windows 7, start orb, search "command"
3) Create a batch file on the desktop and run

He used the shutdown -i command. We are currently using this to resolve the issues for the servers:  Think that's what you mentioned above. All computers will be secured with image updates.

We have about 12 different VLANs (servers on one, projectors on another, etc.).

Yes, we block the run command and control panel/command prompt is hidden but apparently not blocked.

Is there a sure fire way to prohibit access to the command prompt?
Thanks again!
Dan McFadden, Systems Engineer, commented:
To disable the command prompt:

You may want to also play with the settings under:  

User Configuration - Administrative Templates - Start Menu and Taskbar -

1. Do not search for files
2. Do not search Internet
3. Do not search programs and Control Panel items

Blocking it does prevent one from searching for it.  So you may want to block some searching.

These are User based GPOs, so you would have to apply them to an OU where the user accounts reside.
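Because these are user-side policies, the quickest way to see whether they actually reached a student session is to read the registry values they write while logged on as such a user. The following is an added example, not from the thread. The registry value names are the ones I know from the Windows policy templates for these settings; treat them as an assumption and confirm against your own ADMX files before relying on the output.

```powershell
# Added example, not part of the thread. Reads, for the logged-on user, the registry
# values that the GPO settings Dan lists write, plus the "Prevent access to the
# command prompt" setting. Value names are what I know from the Windows policy
# templates (assumption: confirm against your own ADMX files before relying on them).
$hkcuExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$checks = @(
    @{ Policy = 'Prevent access to the command prompt'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Ok = @(1, 2) }
    @{ Policy = 'Do not search for files';                        Path = $hkcuExplorer; Name = 'NoSearchFilesInStartMenu';    Ok = @(1) }
    @{ Policy = 'Do not search Internet';                         Path = $hkcuExplorer; Name = 'NoSearchInternetInStartMenu'; Ok = @(1) }
    @{ Policy = 'Do not search programs and Control Panel items'; Path = $hkcuExplorer; Name = 'NoSearchProgramsInStartMenu'; Ok = @(1) }
    @{ Policy = 'Remove Run menu from Start Menu';                Path = $hkcuExplorer; Name = 'NoRun';                       Ok = @(1) }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (policy not applied)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$rows = foreach ($c in $checks) {
    $value = Get-PolicyValue $c.Path $c.Name
    $state = if ($null -eq $value) { 'NOT APPLIED' }
             elseif ($value -in $c.Ok) { 'applied' }
             else { "unexpected ($value)" }
    if ($c.Name -eq 'DisableCMD' -and $value -eq 2) {
        # 2 blocks interactive cmd.exe but still runs .bat/.cmd files; 1 blocks both,
        # which also stops logon scripts written as batch files.
        $state += ' (batch files still run)'
    }
    [pscustomobject]@{ Policy = $c.Policy; Value = $value; State = $state }
}
$rows | Format-Table -AutoSize
```

The DisableCMD distinction matters here: the thread says the students got a prompt by interrupting a batch logon script and by running a batch file from the desktop, and value 2 leaves batch files runnable. Value 1 closes that path but also breaks batch logon scripts, so the script would need to move to another mechanism first. If a row reads NOT APPLIED, run gpresult /r in that session to confirm the GPO is linked to the OU holding the student accounts, as Dan notes. Either way, the user rights on the servers remain the control that refuses the shutdown itself; hiding cmd.exe only removes one launcher.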

You may check this article for more information about this event, which occurs normally in Microsoft Windows but is in general abnormal; I faced this case 3 times in 3 years, counting also the unexpected shutdowns:

Here are also all the reasons that could shut down the OS without warning, and some notes that may help to prevent this:

Adam Leinss, Senior Desktop Engineer, commented:
So basically he had administrator. Why do the students have admin rights again?
PapaSmurff (Author) commented:
Thank you Dan and Bahloul!