
Re: Windows Vista Power Management & Local Security Policy



Abe Getchell wrote:
When the security option "Shutdown: Allow system to be shutdown without
having to log on" (in the local security policy) is set to "Disable", and
the power management setting "When I press the power button" is set to "Shut
Down", it is possible for an unauthenticated user to press the power button
at the Windows logon screen and gracefully shut down the system.

It is also possible for the unauthenticated user to unplug the power cord.
What would you like them to do about that?

I reported this to the MSRC on 6/25/2008 and their stance was that this
wasn't a security vulnerability

Good call.

Now, if for some reason a remote user was able to obtain a 'local user'
login screen, that would be a serious issue.  Physical access to the box
trumps most security measures we are able to apply.