Abe Getchell wrote:
When the security option "Shutdown: Allow system to be shut down without having to log on" (in the local security policy) is set to "Disable", and the power management setting "When I press the power button" is set to "Shut Down", it is possible for an unauthenticated user to press the power button at the Windows logon screen and gracefully shut down the system.
It is also possible for the unauthenticated user to unplug the power cord. What would you like them to do about that?
I reported this to the MSRC on 6/25/2008 and their stance was that this wasn't a security vulnerability.
Good call. Now, if for some reason a remote user was able to obtain a 'local user' login screen, that would be a serious issue. Physical access to the box trumps most security measures we are able to apply.