VID 28043
Severity 20
Port 139,445
Protocol TCP
Class SMB
Detailed Description The Windows system is configured to allow a shutdown without the user logging in. This feature determines whether the Shutdown button in the Log On to Windows dialog box is enabled. The Log On to Windows dialog box is displayed when you are logging on to Windows NT4/2000/2003/XP.
Setting the value of this feature to 0 forces a user to log on before being able to shut down the system. However, with physical access to a system, a user can always shut it down by turning the power switch off. If a high level of security is desired, this feature should be disabled, and physical access to the power cord and switch should be restricted.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, which results in a False Negative for all vulnerable hosts.

* Platforms Affected:
Windows NT Any version
Windows 2000 Any version
Windows XP, 2003, VISTA, 7, 2008, 8, 2012
Recommendation Disable the Shutdown button to require users to log in before shutting down. In Windows NT, this requires an edit to the registry. In Windows 2000, change the "Allow system to be shut down without having to log on" option. Follow the steps below that are appropriate for your system.

For Windows NT:
1. Open Registry Editor. (From the Windows NT Start menu, select Run, type regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
3. Change the value of the ShutdownWithoutLogon entry to 0.
4. Restart your system for this change to take effect.

For a Windows 2000 domain:
1. Start Microsoft Management Console (From the DOS prompt, type "mmc").
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
6. Set the "Allow system to be shut down without having to log on" option to the desired setting.

For a stand-alone Windows 2000 computer:
1. From the DOS prompt on the affected computer, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Allow system to be shut down without having to log on" option to the desired setting.

For Windows XP, 2003, VISTA, 7, 2008, 8, 2012, 10, 2016, 2019:
1. Go to Start menu -> Run and type 'gpedit.msc'.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Allow system to be shut down without having to log on" option to the desired setting.
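
The same check and fix can be scripted. The following PowerShell is an added example, not part of the original advisory: it reads ShutdownWithoutLogon from the Winlogon key named above and, as an assumption not stated on this page, from the Policies\System key that backs the Security Options setting on later Windows versions. The function names are hypothetical.

```powershell
# Added example, not from the original advisory. Run locally in an elevated session.
$Name  = 'ShutdownWithoutLogon'
$Paths = @(
    # Key named in the Windows NT steps on this page (value is usually REG_SZ)
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    # Assumption: key behind the Security Options policy on later versions (REG_DWORD)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-ShutdownWithoutLogon {
    foreach ($path in $Paths) {
        $prop = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $value = $null; $state = 'NotSet'      # value absent: OS default applies
        } else {
            $value = $prop.$Name
            # Compare as text so REG_SZ "0" and REG_DWORD 0 are treated alike
            $state = if ("$value" -eq '0') { 'Compliant' } else { 'Finding' }
        }
        [pscustomobject]@{ Path = $path; Value = $value; State = $state }
    }
}

function Set-ShutdownRequiresLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($row in Get-ShutdownWithoutLogon | Where-Object State -eq 'Finding') {
        # Keep the existing value type so a REG_SZ value stays REG_SZ
        $kind = (Get-Item -Path $row.Path).GetValueKind($Name)
        if ($PSCmdlet.ShouldProcess($row.Path, "Set $Name to 0")) {
            Set-ItemProperty -Path $row.Path -Name $Name -Value 0 -Type $kind
        }
    }
}

# Report the current state of both locations
Get-ShutdownWithoutLogon | Format-Table -AutoSize
# Preview the change first, then rerun without -WhatIf to apply it
Set-ShutdownRequiresLogon -WhatIf
```

On domain-joined hosts a Group Policy Object that defines this option reapplies its own value at the next policy refresh, so the lasting fix there is the domain policy described above.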
Related URL CVE-1999-0593 (CVE)
Related URL (SecurityFocus)
Related URL 1291 (ISS)