Not to sound critical, but it seems rather pointless. If the user wants
to shut down the computer, they can hit the button or pull the plug.
Picture this scenario:
You've done your research, you've implemented the workaround. Now
you're ready to deploy the latest and greatest patch/.dat
file/what-have-you. You expect everyone to leave their PCs on so you
can do your work after hours.
What you don't know is that "Joe" user had a problem with OUTLOOK
crashing and decided that he would deal with it the next day. But he
figures he'll reboot before he leaves. He hits the Reboot button,
flicks off his monitor and is out the door, EXPECTING his PC to restart
and be operational for tomorrow's work day. But it doesn't. His OUTLOOK
crashing is the result of some virus which has now infected the OS
beyond repair, and the PC won't boot, rendering your WORKAROUND and
deployment useless for that particular unit.
While this is made up, it can easily be imagined. Also, if this one PC
was infected and on a LAN, who's to say that the others are not
infected? If they are, those users may follow in "JOE"'s footsteps,
reboot and leave. And those PCs may not restart.
I am trying to demonstrate the flaw in the reasoning here.
Rather than spending time with GPOs, it might prove more beneficial to
EDUCATE your end users. Explain to them exactly what you are trying to
do and the proper procedures they must follow. Explain that their
cooperation is vital to the security and integrity of the network. If
you make the end users feel that what they are doing is important, then
they feel important, and that makes them feel good. That tends to lead
to the desired behavior.
Also, with regard to rebooting to resolve issues: on a WIN95/WIN98
network, sure, I can see this as a good solution, but on Win2000/WinXP
(it's been MY experience that) it should SPARSELY be the case that the
user needs to reboot to resolve the issue. Most issues with these OSes
can be resolved while the PC is on and operational.
If they REBOOT the PC to resolve some issue, who's to say that it will
ACTUALLY start back up again? Maybe the HD is going, or the OS is
corrupt/infected/whatever. If they are rebooting, then there is a
problem. The problem should be addressed by methods other than
rebooting. So after all of your research, even if you do find a GPO or
some REG tweak to disable SHUTDOWN and enable RESTART, you CANNOT
guarantee that the PC will actually come up.
My $.02
- JMB
-----Original Message-----
From: Nathaniel Hall [mailto:halln (at) otc (dot) edu [email concealed]]
Sent: Thursday, October 28, 2004 8:03 PM
To: Houpt, Dani; focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Re: Remove "Shutdown" command from w2k PCs but enable restart
You could have the systems wake up using Wake On LAN; this is built into
most new systems (except laptops). There are many batch files that can
do this with a program called wol.exe.
Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln (at) otc (dot) edu [email concealed]
417-799-0552
Houpt, Dani wrote:
>We have a Windows 2000 AD environment and want to restrict our PC users
>from shutting off their PCs so we can send out OS/AV patches at night.
>We created a GPO to do this but it also blocks them from restarting.
>
>Many times, issues on PCs are resolved even before the users call the
>helpdesk by rebooting, so we don't want to remove that ability from
>them.
>
>Does anyone know a way that we can remove "Shutdown" while still allowing
>"Restart"?
>
>I opened a case with MS about this and the rep said that he didn't
>think that it could be done.
>
>Thanks,
>-Dani
>INDEPENDENCE COMMUNITY BANK CONFIDENTIALITY NOTICE: This message
>(and any attachment) is confidential and intended for the sole use of
>the individual or entity to which it is addressed. If you are not the
>intended recipient, you must not review, retransmit, convert to
>hard-copy, copy, use or disseminate this email or any of its
>attachments. If you received this email in error, please notify the
>sender immediately and delete it. This notice is automatically
>appended to all Internet email.
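Nathaniel's Wake On LAN suggestion above, shown as an added example that is not part of the original thread and is not the wol.exe tool he mentions: it builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated 16 times) and broadcasts it over UDP. The MAC address and broadcast address in the usage line are constructed placeholders, and it assumes the target NIC has WOL enabled in BIOS/driver settings and that the sender is on the same broadcast domain.

```python
import re
import socket

# A WOL magic packet is 102 bytes: 6 x 0xFF, then the 48-bit MAC 16 times.
# It is normally sent as a UDP broadcast to port 9 (sometimes 7); routers
# usually drop directed broadcasts, so send it from inside the target subnet.
MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})([-:]?)([0-9A-Fa-f]{2})(\2[0-9A-Fa-f]{2}){4}$"
)


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF; return 6 raw bytes."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", mac))


def magic_packet(mac: str) -> bytes:
    """Build the 102-byte magic packet for one MAC address."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet(data: bytes) -> bool:
    """Validate packet layout (useful when sniffing to confirm the packet went out)."""
    if len(data) != 102 or data[:6] != b"\xff" * 6:
        return False
    return data[6:] == data[6:12] * 16


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet for `mac`; returns the number of bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(pkt, (broadcast, port))


def wake_all(macs, broadcast="255.255.255.255"):
    """Wake a list of machines before an after-hours patch run; returns MACs that failed."""
    failed = []
    for mac in macs:
        try:
            send_wol(mac, broadcast)
        except (ValueError, OSError):
            failed.append(mac)
    return failed


if __name__ == "__main__":
    # Constructed placeholder values, not real hosts.
    print(wake_all(["00-11-22-33-44-55", "00:11:22:33:44:66"], "192.168.1.255"))
```

Pair this with an inventory of MACs gathered from your asset records; a machine that does not answer after the wake attempt is exactly the case JMB describes and belongs on the next morning's helpdesk list.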