Bugtraq mailing list archives

Re: Windows Vista Power Management & Local Security Policy


From: "William A. Rowe, Jr." <wrowe () rowe-clan net>
Date: Fri, 01 Aug 2008 15:43:56 -0500

Abe Getchell wrote:
> When the security option "Shutdown: Allow system to be shutdown without
> having to log on" (in the local security policy) is set to "Disable", and
> the power management setting "When I press the power button" is set to "Shut
> Down", it is possible for an unauthenticated user to press the power button
> at the Windows logon screen and gracefully shutdown the system.

It is also possible for the unauthenticated user to unplug the power cord.
What would you like them to do about that?

> I reported this to the MSRC on 6/25/2008 and their stance was that this
> wasn't a security vulnerability

Good call.

Now, if for some reason a remote user was able to obtain a 'local user'
login screen, that would be a serious issue.  Physical access to the box
trumps most security measures we are able to apply.


