Check or Attack Name: Remote Shutdown Privilege

A user has been detected with Force Shutdown from a Remote System privileges. This right is normally granted to only Administrators and Server Operators.

Verify user rights in User Manager.

To audit and revoke this privilege, follow these steps:

1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
2. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
3. From the Right list, select Force shutdown from a remote system.
4. Verify this right is set in accordance with your security policy.
5. To remove a user, select the user and click Remove.

Microsoft Knowledge-Pak Network Suite 10142417, Built-in Group Rights, http://support.microsoft.com/support/ntserver/serviceware/10142417.asp