Domain member is shutting down computers and servers

Below is an attachment of the event viewer of one of our servers. This user doesn't have admin privileges (shouldn't anyway). He is using the wininit.exe process to remotely shut down computers and yesterday he hit a server, so he's got my full attention now.

Please advise,

Dan McFadden (Systems Engineer) Commented:
Is this server available on the Internet or is it only visible on your internal network?

I would try to ID where the user account hcrhs\ckeener is logged in. I would also verify the user account domain group membership(s) to see if anything is out of the ordinary. I would also audit the servers that have been shut down by this user. Look to see if the local admin group(s) have been modified. I would also look in the Local Security Policies on each server to see if any of the User Rights Assignment policies have been modified to include this user or a group this user may be in.

I would immediately reset the account's password and disable the account.  If the account is assigned to an actual authorized person, I would go speak with that person, especially if you can tie a server reboot event to this account, coming from the authorized person's computer.  I would then do the following:

1. Inform the necessary management people of a potential security issue.
2. Audit the account's settings and group membership.
3. Audit all Enterprise and Domain level, core administrative groups (Administrators, Exchange Admins, Database Admins, SCOM, SCCM, etc. groups).
4. Reset the password of the Administrator account in all domains.
5. Search through the affected servers for activity (logon/logoff events) for the above user account.

It might sound a bit extreme, but you may have a situation where you have a rogue internal person/process that is shutting down servers or you have an account that has been compromised and is actively disrupting operations.

PapaSmurff (Author) Commented:
Thanks Dan. We have malicious students doing this. They have been targeting computers and yesterday they hit a server. It is hard to prove if the student remained in his seat the whole time. I'm looking for two things really:

1) How/why are they able to shut down a server?

2) How can we block this from happening campus-wide?

Dan McFadden (Systems Engineer) Commented:
So, I would still audit membership in some domain groups and the server local policies.

If you were to look (on a server) at the policy called "Shut down the system" you would see that by default there are only 2 groups allowed to execute the function:

1. Administrators
2. Backup Operators

I would audit both of these groups for unusual membership. I would also audit the following policy for modifications.

- Force shutdown from a remote system (default = Administrators)

You may also want to audit your domain policies for the above items.

You will probably want to use GPOs to block client functionality (workstation lock down, if these are school assets). Do you use GPO to:

1. block "Run" from being displayed?
2. block the installation or use of certain ".exe"
   - shutdown.exe is built into the OS
   - Sysinternals' PsTools can cause havoc
3. shut down the service "Remote Registry"
4. limit the visible icons/apps available to general user accounts

As for how to block functionality like this on a large scale, first you have to determine and understand the process being used before being able to block it.  There is no magic solution.

Probably the best tactic to use is to block everything, then open up only what is truly necessary.

The best method (IMO) for securing your servers from this type of intrusion, would be to build a dedicated server only network and protect it with a firewall then open only the necessary ports to grant the needed services.  Don't put workstations and servers on the same subnet.  Treat the entire campus network as if it is the Internet and create protected subnets for core infrastructure services.
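
An added example, not part of the original answer: PowerShell that checks the two user rights named above ("Shut down the system" = `SeShutdownPrivilege`, "Force shutdown from a remote system" = `SeRemoteShutdownPrivilege`) against the defaults the answer lists, reading a `secedit` user-rights export. The function name, the sample export and the domain SID in it are constructed for illustration.

```powershell
# Baseline = the member-server defaults stated in the answer above.
$Baseline = @{
    SeShutdownPrivilege       = @('S-1-5-32-544', 'S-1-5-32-551') # Administrators, Backup Operators
    SeRemoteShutdownPrivilege = @('S-1-5-32-544')                 # Administrators
}

# Hypothetical helper: returns every principal that holds one of the two
# rights but is not in the baseline. Input is the text of a secedit export.
function Get-ShutdownRightDrift {
    param([Parameter(Mandatory = $true)][string[]]$InfLines)
    foreach ($line in $InfLines) {
        # secedit writes one right per line: Name = *SID,*SID,AccountName
        if ($line -match '^\s*(Se\w+Privilege)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $holders = $Matches[2] -split ','
            if (-not $Baseline.ContainsKey($right)) { continue }
            foreach ($entry in $holders) {
                $principal = $entry.Trim().TrimStart('*')
                if (-not $principal -or $Baseline[$right] -contains $principal) { continue }
                $name = $principal   # secedit may also list an account by name
                if ($principal -like 'S-1-*') {
                    try {
                        $sid  = New-Object System.Security.Principal.SecurityIdentifier($principal)
                        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = '(unresolved SID)' }
                }
                [pscustomobject]@{ Right = $right; Principal = $principal; Name = $name }
            }
        }
    }
}

# Constructed sample of an export. On a real server, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $sample = Get-Content "$env:TEMP\rights.inf"
$sample = @(
    '[Privilege Rights]'
    'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545'
    'SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Get-ShutdownRightDrift -InfLines $sample | Format-Table -AutoSize
```

Any row returned is a principal beyond the stated defaults; workstations and domain controllers ship with different defaults, so adjust `$Baseline` before running it against them.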

PapaSmurff (Author) Commented:
Thanks Dan. Student was suspended for 2 days and he showed us how it was done. Command prompt / shutdown -i

1) We run a batch file startup script and they just click on that before it ends and get access to the command prompt.
2) Windows 7, start orb, search "command"
3) Create a batch file on the desktop and run

He used the shutdown -i  command. We are currently using this to resolve the issues for the servers:  Think that's what you mentioned above. All computers will be secured with image updates.

We have about 12 different VLANs (servers on one, projectors on another, etc.).

Yes, we block the run command and control panel/command prompt is hidden but apparently not blocked.

Is there a surefire way to prohibit access to the command prompt?
Thanks again!

Dan McFadden (Systems Engineer) Commented:
To disable the command prompt:

You may want to also play with the settings under:  

User Configuration - Administrative Templates - Start Menu and Taskbar -

1. Do not search for files
2. Do not search Internet
3. Do not search programs and Control Panel items

Blocking it does prevent one from searching for it.  So you may want to block some searching.

These are user-based GPOs, so you would have to apply them to an OU where the user accounts reside.

Bahloul Commented:
You may check this article to provide you more information about this event, which occurs normally in Microsoft Windows, which is in general abnormal. I faced this case 3 times for 3 years, counting also the unexpected shutdown:

Here are also all the reasons that could shut down the OS without warning, and some notes that may help to prevent this:

Adam Leinss Commented:
So basically he had administrator. Why do the students have admin rights again?

PapaSmurff (Author) Commented:
Thank you Dan and Bahloul!