Security and Windows Vista: A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)
"Force shutdown from a remote system"
This policy sets which user accounts can gain the "shutdown computer" privilege, which is required to shut down the computer.

This is handled at the authentication level. Whenever a user logs into the system, whether from over the network or locally at the computer, the system assigns that user login with a set of privileges. Any program that user runs can only do what those privileges allow for that user.

It should be impossible to shut down the system unless you have this shutdown privilege, regardless of which API or command is used.

When a user logs in from a network location, as is the case with say typing \\computername into an explorer window, using the computer administrator or other mmc console to remotely administrate another computer, using one of the many command-line tools available to remotely administrate a remote computer such as the NET and SHUTDOWN command, etc., the system that you are connecting to realizes that this is a network login and either assigns or unassigns the shutdown privilege based on that policy setting.

In short:

"Force shutdown from a remote system" controls who gets the system shutdown privilege when logged in via networking services.

"Shut down the system" controls who gets the system shutdown privilege when logged in interactively.

This last statement is the kicker - When you connect to a computer using Remote Desktop, as was mentioned in another reply, you are given a desktop as if you were physically at the computer; this is considered an "interactive" login, and NOT a network login, so the second policy setting is used in this case to determine whether to assign the shutdown privilege.

--
- JB
Windows Vista Support Faq
http://www.jimmah.com/vista/
"Force shutdown from a remote system"
Thanks Jimmy,

That really does clarify it. Fortunately for us, the only way we shut down or reboot DCs is from Remote Desktop, or that rare instance in which we are physically at the box. It also illuminates why it was recommended to us to have the DC policy not have anyone have this right.

"Jimmy Brush" wrote in message ...

This policy sets which user accounts can gain the "shutdown computer" privilege, which is required to shut down the computer.

This is handled at the authentication level. Whenever a user logs into the system, whether from over the network or locally at the computer, the system assigns that user login with a set of privileges. Any program that user runs can only do what those privileges allow for that user.

It should be impossible to shut down the system unless you have this shutdown privilege, regardless of which API or command is used.

When a user logs in from a network location, as is the case with say typing \\computername into an explorer window, using the computer administrator or other mmc console to remotely administrate another computer, using one of the many command-line tools available to remotely administrate a remote computer such as the NET and SHUTDOWN command, etc., the system that you are connecting to realizes that this is a network login and either assigns or unassigns the shutdown privilege based on that policy setting.

In short:

"Force shutdown from a remote system" controls who gets the system shutdown privilege when logged in via networking services.

"Shut down the system" controls who gets the system shutdown privilege when logged in interactively.

This last statement is the kicker - When you connect to a computer using Remote Desktop, as was mentioned in another reply, you are given a desktop as if you were physically at the computer; this is considered an "interactive" login, and NOT a network login, so the second policy setting is used in this case to determine whether to assign the shutdown privilege.

--
- JB
Windows Vista Support Faq
http://www.jimmah.com/vista/
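One way to check who holds each of the two rights discussed in the posts above (an added example, not written by either poster). It assumes an elevated PowerShell session on the machine being audited; the function names and the temp file name are illustrative, and SeRemoteShutdownPrivilege / SeShutdownPrivilege are the Windows user-right constants behind the two policy names.

```powershell
# Added example: list the holders of the two shutdown-related user rights.
$rights = [ordered]@{
    SeRemoteShutdownPrivilege = 'Force shutdown from a remote system'  # applies to network logons
    SeShutdownPrivilege       = 'Shut down the system'                 # interactive logons, incl. Remote Desktop
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs as *S-1-...; account names appear bare.
    if ($entry -match '^\*(S-1-[\d-]+)$') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }   # unresolvable (e.g. deleted account): keep the raw SID
    }
    return $entry
}

function Get-ShutdownRightHolders([string[]]$InfLines) {
    foreach ($const in $rights.Keys) {
        # A right that nobody holds has no line at all in the export.
        $line = $InfLines | Where-Object { $_ -match "^\s*$const\s*=" } | Select-Object -First 1
        $holders = @()
        if ($line) {
            $holders = @(($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim() } | Where-Object { $_ } |
                ForEach-Object { Resolve-Principal $_ })
        }
        [pscustomobject]@{
            Policy   = $rights[$const]
            Constant = $const
            Holders  = $holders -join '; '   # empty string: no account is granted the right
        }
    }
}

# Export only the user-rights area of the local security database.
# secedit also accepts /mergedpolicy to merge domain and local policy settings.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try     { Get-ShutdownRightHolders (Get-Content $cfg) | Format-Table -AutoSize -Wrap }
finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
```

On a DC configured as described in the reply above, the Holders column for "Force shutdown from a remote system" would be empty.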
"Force shutdown from a remote system"
I can do a remote shutdown on any device with a MAC address as long as you are on the local network (even via RDP), using LAN cables, not wireless, and the PC will shut off, but across the net I don't know how even to detect this, and both would be good to learn. Any ideas?

--
jamieduk