Solved

Domain member is shutting down computers and servers

Posted on 2015-01-07
8
212 Views
Last Modified: 2015-01-08
Below is an attachment of the event viewer of one of our servers. This user doesn't have admin privileges (shouldn't anyway). He is using the wininit.exe process to remotely shut down computers, and yesterday he hit a server... so he's got my full attention now.

Please advise,
Thanks!
capture1.JPG
Question by:PapaSmurff
8 Comments
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 425 total points
ID: 40535389
Is this server available on the Internet or is it only visible on your internal network?

I would try to ID where the user account hcrhs\ckeener is logged in.  I would also verify the user account domain group membership(s) to see if anything is out of the ordinary.  I would also audit the servers that have been shutdown by this user.  Look to see if the local admin group(s) have been modified.  I would also look in the Local Security Policies on each server to see if any of the User Rights Assignment policies have been modified to include this user or a group this user may be in.

I would immediately reset the account's password and disable the account.  If the account is assigned to an actual authorized person, I would go speak with that person, especially if you can tie a server reboot event to this account, coming from the authorized person's computer.  I would then do the following:

1. Inform the necessary management people of a potential security issue.
2. Audit the account's settings and group membership
3. Audit all Enterprise and Domain level, core administrative groups (Administrators, Exchange Admins, Database Admins, SCOM, SCCM, etc groups)
4. Reset the password of the Administrator account in all domains.
5. Search thru the affected servers for activity (logon/logoff events) for the above user account

It might sound a bit extreme, but you may have a situation where you have a rogue internal person/process that is shutting down servers or you have an account that has been compromised and is actively disrupting operations.

Dan
0
 

Author Comment

by:PapaSmurff
ID: 40535405
Thanks Dan. We have malicious students doing this. They have been targeting computers and yesterday they hit a server. It is hard to prove if the student remained in his seat the whole time. I'm looking for two things really:

1) How/why are they able to shutdown a server?

2) How can we block this from happening campus wide.

Thanks!
0
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40535468
So, I would still audit membership in some domain groups and the server local policies.

If you were to look (on a server) at the policy called "Shut down the system" you would see that by default there are only 2 groups allowed to execute the function:

1. Administrators
2. Backup Operators

I would audit both of these groups for unusual membership.  I would also audit the following policy for modifications.

- Force shutdown from a remote system (default = Administrators)

You may also want to audit your domain policies for the above items.

You will probably want to use GPOs to block client functionality (workstation lock down, if these are school assets).  Do you use GPO to:

1. block "Run" from being displayed?
2. block the installation or use of certain ".exe"
--- shutdown.exe is built into the OS
--- Sysinternal's PsTools can cause havoc
3. shutdown the service "Remote Registry"
4. limit the visible icons/apps available to general user accounts

As for how to block functionality like this on a large scale, first you have to determine and understand the process being used before being able to block it.  There is no magic solution.

Probably the best tactic to use is to block everything, then open up only what is truly necessary.

The best method (IMO) for securing your servers from this type of intrusion, would be to build a dedicated server only network and protect it with a firewall then open only the necessary ports to grant the needed services.  Don't put workstations and servers on the same subnet.  Treat the entire campus network as if it is the Internet and create protected subnets for core infrastructure services.

Dan
0
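The two checks Dan recommends above (audit who has been shutting servers down, and audit the "Shut down the system" / "Force shutdown from a remote system" user rights for non-default members) can be scripted. The PowerShell below is an added example written for this thread, not code posted by Dan or by Microsoft. It assumes the servers accept remote event-log and WinRM (Invoke-Command) connections from an account with local admin rights, that the servers write the English Event ID 1074 message text (the regex is an assumption against that layout; verify it against one of your own events first), and a member-server baseline of Administrators and Backup Operators for SeShutdownPrivilege and Administrators only for SeRemoteShutdownPrivilege (the well-known SIDs S-1-5-32-544 and S-1-5-32-551 as secedit exports them).

```powershell
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7
)

# Default holders of the two rights discussed (well-known SIDs as secedit exports them):
#   SeShutdownPrivilege       -> Administrators (*S-1-5-32-544), Backup Operators (*S-1-5-32-551)
#   SeRemoteShutdownPrivilege -> Administrators (*S-1-5-32-544)
# Member-server defaults; adjust the baseline if a role legitimately adds a group.
$Baseline = @{
    'SeShutdownPrivilege'       = @('*S-1-5-32-544', '*S-1-5-32-551')
    'SeRemoteShutdownPrivilege' = @('*S-1-5-32-544')
}

function Get-ShutdownInitiators {
    # Event 1074 (source User32) records the process, the target and the account the shutdown ran on behalf of
    param([string]$Computer, [int]$Days)
    $filter = @{ LogName = 'System'; Id = 1074; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed English message layout: "The process <proc> has initiated the <type> of
            # computer <target> on behalf of user <user> for the following reason: ..."
            $m = [regex]::Match($_.Message,
                'The process (?<proc>.+?) has initiated the (?<type>\w+) of computer (?<target>\S+) on behalf of user (?<user>\S+)')
            [pscustomobject]@{
                Server  = $Computer
                Time    = $_.TimeCreated
                Process = if ($m.Success) { $m.Groups['proc'].Value } else { '(unparsed)' }
                Type    = if ($m.Success) { $m.Groups['type'].Value } else { '' }
                User    = if ($m.Success) { $m.Groups['user'].Value } else { $_.Message }
            }
        }
}

function Get-ShutdownRights {
    # Export the local User Rights Assignment with secedit and keep only the two shutdown rights
    param([string]$Computer)
    $lines = Invoke-Command -ComputerName $Computer -ScriptBlock {
        $cfg = Join-Path $env:TEMP 'ura-audit.inf'
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $out = Get-Content $cfg | Where-Object { $_ -match '^Se(Remote)?ShutdownPrivilege\s*=' }
        Remove-Item $cfg -Force
        $out
    }
    foreach ($line in $lines) {
        # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
        $name, $value = $line -split '\s*=\s*', 2
        [pscustomobject]@{
            Server  = $Computer
            Right   = $name.Trim()
            Holders = @($value -split ',' | ForEach-Object { $_.Trim() })
        }
    }
}

foreach ($c in $ComputerName) {
    # 1. Who shut this server down, and via which process (wininit.exe shows up for a remote shutdown)
    Get-ShutdownInitiators -Computer $c -Days $Days | Format-Table -AutoSize

    # 2. Does anyone beyond the default groups hold a shutdown right on this server?
    foreach ($r in Get-ShutdownRights -Computer $c) {
        $extra = $r.Holders | Where-Object { $Baseline[$r.Right] -notcontains $_ }
        if ($extra) {
            Write-Warning "$c : $($r.Right) has non-default holders: $($extra -join ', ')"
        } else {
            Write-Output "$c : $($r.Right) matches the default ($($r.Holders -join ', '))"
        }
    }
}
```

Run it as `.\Audit-Shutdowns.ps1 -ComputerName srv1,srv2 -Days 30` from a management workstation. The user column answers "who", the process column answers "how" (wininit.exe is what a remote `shutdown /i` target shows), and any warning from the second check points at the right-assignment change that let a non-admin account succeed. Since the local policy can be overridden by a domain GPO, run it after a `gpupdate` so you are auditing the effective setting.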
 

Author Comment

by:PapaSmurff
ID: 40535739
Thanks Dan. Student was suspended for 2 days and he showed us how it was done. Command prompt / shutdown -i

1) We run a batch file startup script and they just click on that before it ends and get access to the command prompt.
2) Windows 7, start orb, search "command"
3) Create a batch file on the desktop and run

He used the shutdown -i command. We are currently using this to resolve the issues for the servers: http://masud-ahmed-windows7-server-2008.blogspot.com/2013/07/windows-7-disable-remote-shutdown.html  I think that's what you mentioned above. All computers will be secured with image updates.

We have about 12 different VLANs (servers on one, projectors on another, etc.).

Yes, we block the run command and control panel/command prompt is hidden but apparently not blocked.

Is there a sure fire way to prohibit access to the command prompt?
Thanks again!
0
 
LVL 26

Assisted Solution

by:Dan McFadden
Dan McFadden earned 425 total points
ID: 40535790
To disable the command prompt:

http://technet.microsoft.com/en-us/library/cc975912.aspx

You may want to also play with the settings under:  

User Configuration - Administrative Templates - Start Menu and Taskbar -

1. Do not search for files
2. Do not search Internet
3. Do not search programs and Control Panel items

Blocking it does not prevent one from searching for it.  So you may want to block some searching.

These are User based GPOs, so you would have to apply them to an OU where the user accounts reside.

Dan
0
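Before rolling the "Prevent access to the command prompt" and Start Menu search lock-downs out campus wide, it is worth confirming on a test workstation that they actually applied to a student account, and which mode was chosen: the policy's "Disable the command prompt script processing also?" option set to Yes also blocks .bat/.cmd files, which would break the startup batch script mentioned earlier in the thread. The PowerShell below is an added example for this thread, not code from Dan or from Microsoft. It assumes the registry values these settings write (`DisableCMD` under HKCU\Software\Policies\Microsoft\Windows\System, value 1 = prompt and scripts blocked, 2 = interactive prompt only; the `NoSearch*InStartMenu` values under HKCU\...\Policies\Explorer); confirm the mapping with `gpresult /h report.html` on the test machine.

```powershell
# Run while logged on as the locked-down (student) account on a test workstation
$CmdPolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$ExplorerPolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Assumed value names for the three Start Menu and Taskbar settings listed above
$SearchPolicies = @{
    'NoSearchFilesInStartMenu'    = 'Do not search for files'
    'NoSearchInternetInStartMenu' = 'Do not search Internet'
    'NoSearchProgramsInStartMenu' = 'Do not search programs and Control Panel items'
}

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means "policy not configured", not an error
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CmdLockdown {
    param([switch]$NeedsBatchScripts)   # set when a logon/startup .bat must keep working
    $disableCmd = Get-PolicyValue -Key $CmdPolicyKey -Name 'DisableCMD'

    # DisableCMD: 1 = cmd.exe and script processing blocked, 2 = interactive cmd.exe blocked only
    if ($disableCmd -eq 1) {
        $status = 'prompt and batch scripts blocked'
    } elseif ($disableCmd -eq 2) {
        $status = 'interactive prompt blocked, scripts allowed'
    } else {
        $status = 'NOT configured: command prompt still available'
    }

    $result = [ordered]@{ 'Prevent access to the command prompt' = $status }
    if ($NeedsBatchScripts -and $disableCmd -eq 1) {
        $result['Warning'] = 'DisableCMD=1 will also stop the startup batch script; set "script processing also" to No (value 2)'
    }

    foreach ($valueName in $SearchPolicies.Keys) {
        $enforced = (Get-PolicyValue -Key $ExplorerPolicyKey -Name $valueName) -eq 1
        $result[$SearchPolicies[$valueName]] = if ($enforced) { 'enforced' } else { 'not configured' }
    }
    [pscustomobject]$result
}

Test-CmdLockdown -NeedsBatchScripts | Format-List
```

Any line reporting "not configured" means the GPO did not reach this user, which is the usual symptom when the policy is linked to a computer OU instead of the OU holding the student accounts, exactly the point Dan makes about these being user-based settings.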
 
LVL 3

Assisted Solution

by:Bahloul
Bahloul earned 75 total points
ID: 40537438
You may check this article; it provides more information about this event, which occurs normally in Microsoft Windows but is in general abnormal. I faced this case 3 times in 3 years, counting in also the unexpected shutdown:

https://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=1074&EvtSrc=User32&LCID=1033

Here are also all the reasons that could shut down the OS without warning, and some notes that may help to prevent this:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa376885(v=vs.85).aspx


Bahloul.
0
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 40537879
So basically he had administrator rights...so why do the students have admin rights again?
0
 

Author Comment

by:PapaSmurff
ID: 40538244
Thank you Dan and Bahloul!
0