Domain member is shutting down computers and servers

Posted on 2015-01-07
Last Modified: 2015-01-08
Below is an attachment of the event viewer of one of our servers. This user doesn't have admin privileges (shouldn't, anyway). He is using the wininit.exe process to remotely shut down computers, and yesterday he hit a server, so he's got my full attention now.

Please advise,
Question by:PapaSmurff

Accepted Solution

Dan McFadden earned 425 total points
ID: 40535389
Is this server available on the Internet or is it only visible on your internal network?

I would try to ID where the user account hcrhs\ckeener is logged in.  I would also verify the user account domain group membership(s) to see if anything is out of the ordinary.  I would also audit the servers that have been shutdown by this user.  Look to see if the local admin group(s) have been modified.  I would also look in the Local Security Policies on each server to see if any of the User Rights Assignment policies have been modified to include this user or a group this user may be in.

I would immediately reset the account's password and disable the account.  If the account is assigned to an actual authorized person, I would go speak with that person, especially if you can tie a server reboot event to this account, coming from the authorized person's computer.  I would then do the following:

1. Inform the necessary management people of a potential security issue.
2. Audit the account's settings and group membership
3. Audit all Enterprise and Domain level, core administrative groups (Administrators, Exchange Admins, Database Admins, SCOM, SCCM, etc groups)
4. Reset the password of the Administrator account in all domains.
5. Search through the affected servers for activity (logon/logoff events) for the above user account

It might sound a bit extreme, but you may have a situation where you have a rogue internal person/process that is shutting down servers or you have an account that has been compromised and is actively disrupting operations.
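The audit steps above (effective group membership of the account, and which servers it shut down from where) can be scripted. The following PowerShell is an added example, not code from the thread or its participants; it assumes the RSAT ActiveDirectory module on the admin workstation, remote event-log access to the servers, an English-locale event message, and placeholder account and server names.

```powershell
# Added example, not from the original thread. Account, server names and the
# privileged-group list are placeholders; adjust for your domain.
param(
    [string]$Account  = 'hcrhs\ckeener',
    [string[]]$Servers = @('SRV01', 'SRV02'),
    [int]$Days = 7
)

Import-Module ActiveDirectory

# Groups whose membership would explain a shutdown right on member servers.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Backup Operators', 'Server Operators', 'Account Operators'

function Get-EffectiveGroups {
    param([string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN makes the DC walk nested membership, so a
    # right inherited through a nested group is not missed.
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty Name
}

function Get-RemoteShutdownEvents {
    param([string]$Computer, [string]$User, [datetime]$Since)
    # User32 event 1074 records the initiating process, the originating
    # machine and the account; a remote "shutdown -i" shows wininit.exe.
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'System'; ProviderName = 'User32'; Id = 1074; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed English message text: "The process X (FROM) has initiated the
        # shutdown of computer Z on behalf of user DOMAIN\name for ..."
        if ($_.Message -match 'process (?<proc>\S+)(?: \((?<from>[^)]+)\))?.*? on behalf of user (?<user>\S+)' -and
            $matches.user -ieq $User) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Server  = $Computer
                Process = $matches.proc
                From    = $matches.from      # the workstation to start looking at
                User    = $matches.user
            }
        }
    }
}

$sam    = $Account.Split('\')[-1]
$groups = Get-EffectiveGroups -SamAccountName $sam
Write-Host "Effective groups for ${Account}: $($groups -join ', ')"
$groups | Where-Object { $PrivilegedGroups -contains $_ } |
    ForEach-Object { Write-Warning "$Account holds privileged group: $_" }

$since = (Get-Date).AddDays(-$Days)
foreach ($s in $Servers) {
    Get-RemoteShutdownEvents -Computer $s -User $Account -Since $since
}
```

The `From` field is the useful one for the "was he in his seat" question: it names the machine the shutdown was issued from, which can then be matched against the lab's seating and the 4624 logon events on that workstation.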


Author Comment

ID: 40535405
Thanks Dan. We have malicious students doing this. They have been targeting computers, and yesterday they hit a server. It is hard to prove whether the student remained in his seat the whole time. I'm looking for two things really:

1) How/why are they able to shutdown a server?

2) How can we block this from happening campus wide.


Expert Comment

by:Dan McFadden
ID: 40535468
So, I would still audit membership in some domain groups and the server local policies.

If you were to look (on a server) at the policy called "Shut down the system" you would see that by default there are only 2 groups allowed to execute the function:

1. Administrators
2. Backup Operators

I would audit both of these groups for unusual membership.  I would also audit the following policy for modifications.

- Force shutdown from a remote system (default = Administrators)

You may also want to audit your domain policies for the above items.

You will probably want to use GPOs to block client functionality (workstation lockdown, if these are school assets).  Do you use GPO to:

1. block "Run" from being displayed?
2. block the installation or use of certain ".exe"
--- shutdown.exe is built into the OS
--- Sysinternals' PsTools can cause havoc
3. shutdown the service "Remote Registry"
4. limit the visible icons/apps available to general user accounts

As for how to block functionality like this on a large scale, first you have to determine and understand the process being used before being able to block it.  There is no magic solution.

Probably the best tactic is to block everything, then open up only what is truly necessary.

The best method (IMO) for securing your servers from this type of intrusion, would be to build a dedicated server only network and protect it with a firewall then open only the necessary ports to grant the needed services.  Don't put workstations and servers on the same subnet.  Treat the entire campus network as if it is the Internet and create protected subnets for core infrastructure services.
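The two User Rights Assignment policies named above map to the privileges SeShutdownPrivilege ("Shut down the system") and SeRemoteShutdownPrivilege ("Force shutdown from a remote system"). The following PowerShell is an added example, not code from the thread; it exports the effective local security policy of the server it runs on with secedit.exe and flags any holder of either right that is not in the default set Dan lists (Administrators S-1-5-32-544 and Backup Operators S-1-5-32-551). Run it on each server, or wrap it in Invoke-Command.

```powershell
# Added example, not from the original thread. Expected holders are the
# server defaults described above; adjust if your baseline deliberately differs.
$Expected = @{
    'SeShutdownPrivilege'       = @('S-1-5-32-544', 'S-1-5-32-551')  # Administrators, Backup Operators
    'SeRemoteShutdownPrivilege' = @('S-1-5-32-544')                  # Administrators
}

function Get-UserRightsAssignment {
    # secedit exports the effective policy (local settings plus applied GPOs)
    # as an INF; the [Privilege Rights] section lists privilege = *SID,*SID,...
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-Sid {
    param([string]$Sid)
    # Translate SID to DOMAIN\Name for the report; non-SID entries pass through.
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).
            Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Test-ShutdownRights {
    $actual = Get-UserRightsAssignment
    foreach ($priv in $Expected.Keys) {
        $holders = @($actual[$priv])
        if (-not $holders) {
            Write-Host "${env:COMPUTERNAME}: $priv is not assigned to anyone"
            continue
        }
        foreach ($h in $holders) {
            if ($Expected[$priv] -notcontains $h) {
                Write-Warning "${env:COMPUTERNAME}: $priv granted to unexpected principal $(Resolve-Sid $h)"
            } else {
                Write-Host "${env:COMPUTERNAME}: $priv -> $(Resolve-Sid $h) (expected)"
            }
        }
    }
}

Test-ShutdownRights
```

Any principal the script flags is either a local policy edit or a domain GPO granting the right; combine the result with the group audit so that a student ending up in a flagged group is caught too.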



Author Comment

ID: 40535739
Thanks Dan. Student was suspended for 2 days and he showed us how it was done. Command prompt / shutdown -i

1) We run a batch file startup script and they just click on that before it ends and get access to the command prompt.
2) Windows 7, start orb, search "command"
3) Create a batch file on the desktop and run

He used the shutdown -i command. We are currently using this to resolve the issues for the servers:  I think that's what you mentioned above. All computers will be secured with image updates.

We have about 12 different VLANs (servers on one, projectors on another, etc.).

Yes, we block the run command and control panel/command prompt is hidden but apparently not blocked.

Is there a sure fire way to prohibit access to the command prompt?
Thanks again!

Assisted Solution

by:Dan McFadden
Dan McFadden earned 425 total points
ID: 40535790
To disable the command prompt:

You may want to also play with the settings under:  

User Configuration - Administrative Templates - Start Menu and Taskbar -

1. Do not search for files
2. Do not search Internet
3. Do not search programs and Control Panel items

Blocking it does prevent one from searching for it.  So you may want to block some searching.

These are User based GPOs, so you would have to apply them to an OU where the user accounts reside.
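The "Prevent access to the command prompt" policy and the three Start Menu search policies named above are user-configuration settings that land in the user's registry hive. The following PowerShell is an added example, not code from the thread; it reports what is in effect for the logged-on user (useful when testing with a student account) and sets the same values in a GPO through the GroupPolicy RSAT module. The GPO name is a placeholder.

```powershell
# Added example, not from the original thread. GPO name is a placeholder;
# registry paths are the ones the listed policies write to.
$SystemPolicy   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$ExplorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SearchValues   = 'NoSearchFilesInStartMenu',      # Do not search for files
                  'NoSearchInternetInStartMenu',   # Do not search Internet
                  'NoSearchProgramsInStartMenu'    # Do not search programs and Control Panel items

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means "Not configured" (key or value absent).
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

function Get-CmdLockdownState {
    $disableCmd = Get-PolicyValue $SystemPolicy 'DisableCMD'
    # DisableCMD = 1 also blocks .bat/.cmd scripts; 2 blocks the interactive
    # prompt only, so logon batch scripts keep running.
    $meaning = if ($disableCmd -eq 1) { 'cmd.exe blocked, batch files blocked too' }
               elseif ($disableCmd -eq 2) { 'cmd.exe blocked, batch files still run' }
               else { 'Not configured: command prompt available' }
    [pscustomobject]@{
        DisableCMD    = $disableCmd
        Meaning       = $meaning
        SearchBlocked = @($SearchValues | Where-Object { (Get-PolicyValue $ExplorerPolicy $_) -eq 1 })
    }
}

function Set-CmdLockdownGpo {
    param([string]$GpoName = 'Student Lockdown', [int]$DisableCmd = 2)
    Import-Module GroupPolicy
    Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'DisableCMD' -Type DWord -Value $DisableCmd | Out-Null
    foreach ($v in $SearchValues) {
        Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
            -ValueName $v -Type DWord -Value 1 | Out-Null
    }
}

Get-CmdLockdownState
```

The choice of 1 versus 2 for DisableCMD is the trade-off the asker runs into: value 2 leaves the batch startup script working but a batch file on the desktop still runs, value 1 stops both. Note also that this policy governs cmd.exe only; it does not restrict PowerShell, so a lockdown that relies on it should be paired with application control or removal of the other shells from the student image.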


Assisted Solution

Bahloul earned 75 total points
ID: 40537438
You may check this article, which provides more information about this event. It occurs normally in Microsoft Windows, though it is in general abnormal; I have faced this case 3 times in 3 years, counting also the unexpected shutdowns:

Here are also all the reasons that could shut down the OS without warning, and some notes that may help to prevent this:


Expert Comment

by:Adam Leinss
ID: 40537879
So basically he had administrator. Why do the students have admin rights again?

Author Comment

ID: 40538244
Thank you Dan and Bahloul!
