This is both a question and a warning. I've recently downloaded a utility called "tweakIP" which will allow you to connect to any NT machine, connect to its registry, and set tcp/ip, netbios, etc. options. It also has a "reboot" option. I was able to run the utility on my NT Workstation and not only reboot my PDC, BDC, and other NT machines within my domain, but was able to connect to OTHER NT machines in FOREIGN DOMAINS in which I am NOT a user/member and reboot / change their settings as well!!! Beware!
I also checked the NT event/security log and it did not note anything unusual other than the machine was restarted. [but not who/why]
If anyone has a "lock-out" for this I would be interested to find out.
Regards,
J.R.
I did some testing with TweakIP, which I found at Winfiles.com. It appears to work just like the RK "shutdown.exe" program - which is dependent on user rights. There are three things you can do to limit who can remotely reboot your server:
First, open User Manager and focus it on the machine you need to protect against reboots. From the "Policies" menu, select "User Rights". Now edit the groups listed under the following rights:
1: "Force shutdown from a remote system" (I suggest editing this down to Admins only).
2: "Shut down the system" (again, admins only would be smart).
One last method of buttoning up your server: set the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon = 1
Also remove the DefaultPassword key from the same tree location in your registry.
Now you can verify by logging on as any non-admin user and running TweakIP. It will fail to restart the system.
To protect against others changing your registry settings, use REGEDT32 to set permissions on your registry keys. I think you'll find a couple of security whitepapers at MS's site if you look around.
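Added example, not part of the original thread: a Python check that reads a user-rights export and lists every holder other than Administrators of the two rights named in the reply above. It assumes the rights were exported with `secedit /export /areas USER_RIGHTS` (a later tool than the User Manager steps in the reply); the sample template and the `EXAMPLE\operator` account are constructed.

```python
# Added example: audit the two shutdown rights in a secedit-style template.
import configparser

# Privilege constants for the rights as labelled in User Manager.
RIGHTS = {
    "SeRemoteShutdownPrivilege": "Force shutdown from a remote system",
    "SeShutdownPrivilege": "Shut down the system",
}
ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample in the [Privilege Rights] format secedit writes.
# (A real export is usually UTF-16; open it with encoding="utf-16".)
SAMPLE = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,EXAMPLE\\operator
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

def audit_shutdown_rights(template_text, allowed=(ADMINS,)):
    """Return {right: [holders not in allowed]} for the two shutdown rights."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep privilege names exactly as written
    cp.read_string(template_text)
    findings = {}
    for right in RIGHTS:
        if not cp.has_option("Privilege Rights", right):
            findings[right] = []  # no line for the right: nobody holds it
            continue
        raw = cp.get("Privilege Rights", right)
        # SIDs are prefixed with '*'; account names appear without it.
        holders = [h.strip().lstrip("*") for h in raw.split(",") if h.strip()]
        findings[right] = [h for h in holders if h not in allowed]
    return findings

if __name__ == "__main__":
    for right, extra in audit_shutdown_rights(SAMPLE).items():
        status = "OK (admins only)" if not extra else "REVIEW: " + ", ".join(extra)
        print(f"{RIGHTS[right]}: {status}")
```

In the sample, S-1-5-32-549 is Server Operators and S-1-5-32-545 is Users; both are flagged because the reply recommends admins only.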