PapaSmurff
asked on
Domain member is shutting down computers and servers
Below is an attachment of the event viewer of one of our servers. This user doesn't have admin privileges (shouldn't, anyway). He is using the wininit.exe process to remotely shut down computers, and yesterday he hit a server, so he's got my full attention now.
Please advise,
Thanks!
capture1.JPG
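The event the asker attached is the one a defender should be mining on every server: Event ID 1074 in the System log, which User32 records each time a process initiates a shutdown or restart and names the process, the originating computer and the account. The script below is an added example, not code from the original post or from Experts Exchange. It pulls those events from a server, splits each one into who/where/which process, and flags the ones that were requested from a different host than the one they hit (the case in this thread, where the initiating process shows as wininit.exe). The regex assumes the English message template as it appears on Windows 7 / Server 2008 R2; `SERVER01` in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Reads Event ID 1074 ("process has
# initiated the shutdown of computer ...") from a server's System log and
# breaks each entry into account, origin host and initiating process.
# The message template in the regex is assumed to match the English text on
# Windows 7 / Server 2008 R2; requires Windows PowerShell 3.0 or later.
function Get-ShutdownInitiators {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # server to inspect
        [int]$Days = 7                                # look-back window
    )
    $filter = @{ LogName = 'System'; Id = 1074; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Assumed template: "The process <path> (<origin>) has initiated the <type> of
    # computer <target> on behalf of user <user> for the following reason: ..."
    $pattern = 'The process (?<proc>\S+)(?: \((?<origin>[^)]+)\))? has initiated the (?<type>\w+) ' +
               'of computer (?<target>\S+) on behalf of user (?<user>.+?) for the following reason'

    foreach ($e in $events) {
        $text = $e.Message -replace '\s+', ' '
        if ($text -notmatch $pattern) { continue }
        $origin = if ($Matches['origin']) { $Matches['origin'] } else { $Matches['target'] }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Target  = $Matches['target']
            Origin  = $origin
            User    = $Matches['user']
            Process = Split-Path -Leaf $Matches['proc']
            Type    = $Matches['type']
            # True when the request came from a host other than the one it shut down
            # (host names compared without domain suffix; -ne is case-insensitive)
            Remote  = ($origin.Split('.')[0] -ne $Matches['target'].Split('.')[0])
        }
    }
}

# Usage: list remote shutdowns of a server over the last 30 days, then count
# them per account to see which user keeps doing it.
$hits = Get-ShutdownInitiators -ComputerName 'SERVER01' -Days 30 | Where-Object Remote
$hits | Sort-Object Time | Format-Table Time, User, Origin, Process, Type -AutoSize
$hits | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it against each server (or loop over a list of server names) and keep the per-user counts; a non-admin account appearing in the Origin/User columns of a server's 1074 events is exactly the signal this thread started from, and it tells you which workstation to look at next.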
So, I would still audit membership in some domain groups and the server local policies.
If you were to look (on a server) at the policy called "Shut down the system", you would see that by default there are only 2 groups allowed to execute the function:
1. Administrators
2. Backup Operators
I would audit both of these groups for unusual membership. I would also audit the following policy for modifications:
- Force shutdown from a remote system (default = Administrators)
You may also want to audit your domain policies for the above items.
You will probably want to use GPOs to block client functionality (workstation lockdown, if these are school assets). Do you use GPO to:
1. block "Run" from being displayed?
2. block the installation or use of certain ".exe"
--- shutdown.exe is built into the OS
--- Sysinternal's PsTools can cause havoc
3. shutdown the service "Remote Registry"
4. limit the visible icons/apps available to general user accounts
As for how to block functionality like this on a large scale, first you have to determine and understand the process being used before being able to block it. There is no magic solution.
Probably the best tactic to use is to block everything, then open up only what is truly necessary.
The best method (IMO) for securing your servers from this type of intrusion would be to build a dedicated server-only network and protect it with a firewall, then open only the necessary ports to grant the needed services. Don't put workstations and servers on the same subnet. Treat the entire campus network as if it is the Internet and create protected subnets for core infrastructure services.
Dan
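The audit Dan describes (who holds "Shut down the system" and "Force shutdown from a remote system", and who is in Administrators and Backup Operators) can be scripted so it is repeatable across servers. The script below is an added example, not Dan's code or anything from the thread. It exports the local User Rights Assignment with `secedit`, resolves the SIDs it lists, flags holders beyond the defaults named above, and then enumerates the two group memberships through ADSI so it works on Server 2008 R2 as well as newer releases. It assumes an elevated session on the server being audited and Windows PowerShell 3.0 or later; the default-holder lists are taken from Dan's answer, not from a policy lookup.

```powershell
# Added example, not Dan's code. Exports the local User Rights Assignment with
# secedit and reports who holds the two shutdown rights named in the answer,
# flagging anything beyond the defaults listed there; then lists the members
# of the two groups that hold "Shut down the system" by default.
# Assumes an elevated session on the server and Windows PowerShell 3.0+.
function Get-ShutdownRightHolders {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

    # Rights under review and their default holders (well-known SIDs):
    # Administrators = S-1-5-32-544, Backup Operators = S-1-5-32-551
    $rights = @{
        SeShutdownPrivilege       = @{ Name = 'Shut down the system';                Default = @('S-1-5-32-544', 'S-1-5-32-551') }
        SeRemoteShutdownPrivilege = @{ Name = 'Force shutdown from a remote system'; Default = @('S-1-5-32-544') }
    }
    foreach ($line in Get-Content $inf) {
        if ($line -notmatch '^(Se\w+Privilege)\s*=\s*(.*)$') { continue }
        $priv = $Matches[1]; $raw = $Matches[2]
        if (-not $rights.ContainsKey($priv)) { continue }
        # secedit writes SIDs prefixed with '*'; translate each to an account name when possible
        $holders = foreach ($entry in ($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            $sid  = $entry.TrimStart('*')
            $name = $sid
            try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{ Sid = $sid; Name = $name; IsDefault = ($rights[$priv].Default -contains $sid) }
        }
        [pscustomobject]@{
            Right   = $rights[$priv].Name
            Holders = @($holders)
            Extra   = @($holders | Where-Object { -not $_.IsDefault })   # non-default holders
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

function Get-ShutdownGroupMembers {
    # ADSI WinNT provider: works on Server 2008 R2 / Windows 7, no extra modules needed
    foreach ($groupName in 'Administrators', 'Backup Operators') {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        foreach ($m in $group.Invoke('Members')) {
            [pscustomobject]@{
                Group  = $groupName
                Member = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
                Class  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
                Path   = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)  # shows local vs domain principal
            }
        }
    }
}

# Usage: print each right with its holders, call out non-default ones, then dump group membership
Get-ShutdownRightHolders | ForEach-Object {
    '{0}: {1}' -f $_.Right, ($_.Holders.Name -join ', ')
    if ($_.Extra.Count) { '  ** non-default holders: ' + ($_.Extra.Name -join ', ') }
}
Get-ShutdownGroupMembers | Format-Table -AutoSize
```

A domain group nested into a server's local Administrators shows up here with a domain ADsPath, which is the case to chase: membership of that domain group (for example via `Get-ADGroupMember`) is what actually decides who can shut the server down, so audit it as Dan suggests, not only the local groups.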
ASKER
Thanks Dan. Student was suspended for 2 days and he showed us how it was done. Command prompt / shutdown -i
1) We run a batch file startup script and they just click on that before it ends and get access to the command prompt.
2) Windows 7, start orb, search "command"
3) Create a batch file on the desktop and run
He used the shutdown -i command. We are currently using this to resolve the issues for the servers: http://masud-ahmed-windows7-server-2008.blogspot.com/2013/07/windows-7-disable-remote-shutdown.html Think that's what you mentioned above. All computers will be secured with image updates.
We have about 12 different VLANs (servers on one, projectors on another, etc.).
Yes, we block the run command, and control panel/command prompt is hidden but apparently not blocked.
Is there a surefire way to prohibit access to the command prompt?
Thanks again!
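The asker's point that the command prompt is "hidden but apparently not blocked" is the distinction to verify on an imaged workstation: a Start-menu shortcut can be removed without the "Prevent access to the command prompt" policy ever being applied. The script below is an added example, not from the thread or the linked blog post. It reads the registry values that back the standard Explorer/System policies discussed above (command prompt, Run, Control Panel, the "Don't run specified Windows applications" list) for the machine and the logged-on user and reports each as blocked, allowed or not configured. It assumes Windows PowerShell 3.0 or later and is run as the restricted user whose lockdown you want to check.

```powershell
# Added example, not from the thread. Reads the effective policy values behind
# the GPO settings discussed above, for the machine and the current user, so
# "hidden" can be told apart from "actually blocked". Registry paths are the
# standard policy locations; assumes Windows PowerShell 3.0 or later and should
# be run in the session of the restricted user being checked.
function Get-ClientLockdownState {
    $explorerKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $checks = @(
        @{ Setting = 'Prevent access to the command prompt (DisableCMD)'
           Keys    = @('HKCU:\Software\Policies\Microsoft\Windows\System')
           Value   = 'DisableCMD'; Blocked = { param($v) $v -in 1, 2 } }   # 1 = cmd + batch files, 2 = cmd only
        @{ Setting = 'Remove Run menu from Start Menu (NoRun)'
           Keys    = $explorerKeys; Value = 'NoRun'; Blocked = { param($v) $v -eq 1 } }
        @{ Setting = 'Prohibit access to Control Panel (NoControlPanel)'
           Keys    = $explorerKeys; Value = 'NoControlPanel'; Blocked = { param($v) $v -eq 1 } }
        @{ Setting = "Don't run specified Windows applications (DisallowRun)"
           Keys    = $explorerKeys; Value = 'DisallowRun'; Blocked = { param($v) $v -eq 1 } }
    )
    foreach ($c in $checks) {
        $found = $null; $where = $null
        foreach ($k in $c.Keys) {
            $v = (Get-ItemProperty -Path $k -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
            if ($null -ne $v) { $found = $v; $where = $k.Split(':')[0]; break }   # user policy wins if both exist
        }
        [pscustomobject]@{
            Setting = $c.Setting
            Hive    = $where
            Value   = $found
            State   = if ($null -eq $found) { 'not configured' } elseif (& $c.Blocked $found) { 'blocked' } else { 'allowed' }
        }
    }
}

function Get-DisallowRunList {
    # Executable names Explorer refuses to launch under "Don't run specified Windows applications"
    foreach ($base in 'HKCU:', 'HKLM:') {
        $path = "$base\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
        $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($n in $key.GetValueNames()) {
            [pscustomobject]@{ Hive = $base.TrimEnd(':'); Entry = $n; Executable = $key.GetValue($n) }
        }
    }
}

# Usage
Get-ClientLockdownState | Format-Table Setting, Hive, Value, State -AutoSize
Get-DisallowRunList     | Format-Table -AutoSize
```

Two caveats for this particular setup: `DisableCMD = 1` also stops batch files from running, which would break the startup script the asker mentions, so `2` is the value to test first if that script must stay; and NoRun/DisallowRun are enforced by Explorer only, so for a control that applies however a program is started, Software Restriction Policies or AppLocker rules on `cmd.exe` and `shutdown.exe` are the stronger complement to the user-rights change in the linked article.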
So basically he had administrator rights...so why do the students have admin rights again?
ASKER
Thank you Dan and Bahloul!
ASKER
1) How/why are they able to shut down a server?
2) How can we block this from happening campus wide.
Thanks!