-----Original Message-----
From: Abe Getchell [mailto:me@xxxxxxxxxxxxxxx]
Sent: Friday, 18 July 2008 12:39 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Windows Vista Power Management & Local Security Policy

> When the security option "Shutdown: Allow system to be shutdown without having to log on" (in the local security policy) is set to "Disable", and
> the power management setting "When I press the power button" is set to "Shut Down", it is possible for an unauthenticated user to press the power
> button at the Windows logon screen and gracefully shutdown the system. The explanation of this security option, taken from the local security policy,
> is as follows:

I came into this late but I just had to comment on the above - apologies if it already happened.

Since Win ME, you have been able to push the power button to gracefully shut down the computer (note I am not talking about servers that may have been altered by people with a clue but just home computers, terminals in an office that don't have someone looking after them who knows what they are doing etc).

In some cases where, for whatever reason, the computer goes crappy and loses contact with the keyboard and mouse, this has been the way to shut it down without risking data by turning the power off or hitting the reset button.

Personally, I don't feel that scenario is a risk because the person is there to begin with to press the button. There comes a point where the person to blame for a security issue must be the person who hired the one pushing the button to shut the machine down. Not everyone is honest but if you hire staff you have to assume they are going to do something stupid, even if accidentally, from time to time.

I would prefer someone able to shut the machine down by pushing the button. I can't see why I would have to get up and drive 90 minutes to do that to a machine that is playing up when the person reporting that problem to me is presumably standing in front of it.