CCE-47601-0Platform: cpe:/o:microsoft:windows_server_2016 | Date: (C)2022-09-02 (M)2023-07-04 |
This security setting determines whether a computer can be shut down without having to log on to Windows.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.
Default on workstations: Enabled.
Default on servers: Disabled.
Countermeasure:
Disable the Allow system to be shut down without having to log on setting.
Potential Impact:
Operators will have to log on to servers to shut them down or restart them.
Fix:
(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsShutdown: Allow system to be shut down without having to log on
(2) REG: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesSystem!ShutdownWithoutLogon
Parameter:
[enabled/disabled]
Technical Mechanism:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
(2) REG: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System!ShutdownWithoutLogon
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.5 | Attack Vector: NETWORK |
Exploit Score: 3.9 | Attack Complexity: LOW |
Impact Score: 3.6 | Privileges Required: NONE |
Severity: HIGH | User Interaction: NONE |
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Scope: UNCHANGED |
| Confidentiality: NONE |
| Integrity: NONE |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:83562 |