Remote Shutdown Bypass Firewall Protection
I can remotely shut down the PC with Bitdefender installed in an easy way. And Bitdefender neither detects that intrusion/attack nor displays a pop-up about it.
Target PC Settings
Firewall: ON
IDS: ON
Block Port Scan: ON
Stealth Mode: ON or Remote
Network Profile: Home/office
Paranoid Mode: ON
Steps to reproduce
On Target PC
1) Click on Start -> Settings -> Control Panel
2) Double Click Administrative Tools
3) Double Click Local Security Policies -> Local Policies -> Click User Right Assignments
4) Locate the option 'Force Shutdown From a Remote System' on the right side. Go to its properties.
5) Go to Add User or Group and either write the user name of your (source PC) like Your Computer Name\User Name in the text box that appears or click on Advanced -> Find Now -> and select Everyone from Name (RDN) and press OK.
On Source PC
Now go to the Command Prompt of the Source PC and type the command "shutdown -i -s -m \\IP Address or Host Name of the Target PC" without quotes and press Enter. You will see the message appear on the Target PC. Kindly see the attachment. And after some time (maybe 20 secs by default), the Target PC will be shut down even if Bitdefender is installed with the above-mentioned Firewall settings.
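The user right changed in steps 3 to 5 is what permits the remote command, so it is the setting to audit. The PowerShell below is an added example, not part of the original post: it parses a secedit user-rights export and flags broad groups that hold SeRemoteShutdownPrivilege ("Force shutdown from a remote system"). The function names and the list of SIDs treated as too broad are assumptions of this example.

```powershell
# Added example: list who holds "Force shutdown from a remote system"
# (SeRemoteShutdownPrivilege) and flag broad groups such as Everyone.

# Well-known SIDs treated as too broad for this right (policy assumed for this example).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'Anonymous Logon'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
}

function Get-RemoteShutdownHolder {
    # Parses the [Privilege Rights] lines of a secedit export.
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeRemoteShutdownPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }               # right is assigned to nobody
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $id = $entry.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
        if (-not $id) { continue }
        # Match either the SID or, if the export holds a name, the group name.
        $broad = $BroadSids.ContainsKey($id) -or ($BroadSids.Values -contains $id)
        [pscustomobject]@{ Holder = $id; TooBroad = $broad }
    }
}

function Export-UserRight {
    # Live export; needs an elevated prompt on the machine being audited.
    $tmp = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $tmp
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    $lines
}

# Constructed sample export: Administrators plus Everyone, as in step 5 of the post.
$sample = @(
    '[Privilege Rights]'
    'SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545'
    'SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-1-0'
)

Get-RemoteShutdownHolder -InfLines $sample | Format-Table -AutoSize
# To audit the local machine instead:
# Get-RemoteShutdownHolder -InfLines (Export-UserRight) | Format-Table -AutoSize
```

Windows itself records a shutdown started this way in the System event log as event ID 1074 (source User32), which names the initiating user.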
Comments
-
Fascinating ONT, yet could you help this average user understand what this means? This was done on a Home Network, between your 2 PCs, both with Bitdefender on them, correct, or doesn't that matter?
Would someone in my neighborhood be able to do that on my PCs, or at a coffee shop with my laptop? If you were not to have made those settings on the Target PC, would that have worked, and is Windows set up that way by default, that we all need to make changes to the Target PC (Windows settings) for this not to happen?
Thanks for helping me understand
-
Hi
When I was writing this post, I was also thinking at the same time of the same point, that many users may ask who will bother to change the settings (on the Target PC), but only a few will have deep insight into what I want to say. By the way, arguing like this is not a solution to that finding. I have a scenario: in your office, someone can set these settings in your absence if he gets access to your system, and can irritate you by remotely shutting down your PC frequently, and this may become a headache for you, wondering what is going on with your system. There ****** can be written for doing the same settings automatically and sent to anyone to irritate him. (That's my thinking only.)
However, by doing the above-mentioned steps on the Target PC with Bitdefender installed and the above-said Firewall settings, the following points can be concluded, maybe more:
1) Stealth Mode is not effective either set to ON or Remote.
2) Low or No Network Attack/Intrusion Blocking from outside.
3) No Notification or Pop-up about that Intrusion/Attack even when the Paranoid Mode and User Mode are set to ON.
4) No logging of that Intrusion/Attack.
I consider this a kind of attack on the system and a security breach.
Kindly rectify me, if someone finds my findings technically wrong.
-
Hello
Since this operation is made via Windows Remote software and on that PC the user is added manually in the list, it can't be considered an attack and the remote command is permitted.
The software is functioning as designed.
Take care.
-
Would you like to explain in terms of Network Layers so that I can understand better?
And by the way, what is the purpose of Stealth Mode here, because it means that the system is pinged and accessed from the network even if the Stealth Mode is ON?
-
Thank you Christian, for that peace of mind
-
It would be great learning for me if someone explains the above in terms of Network Layers?
-
For me too.
-
Hello
Please check on Wikipedia the article about Application layer.
http://en.wikipedia.org/wiki/Application_layer
As I mentioned earlier, since the user was added manually and the remote application is the one embedded in the operating system, the action is legit.
Take care.
-
The firewall is filtering/scanning/analyzing all the incoming and outgoing packets. And from the packet analysis, why can't Bitdefender judge that the shutdown command is initiated remotely from another system, which can terminate the Windows Services on the local PC in an unusual way that may be suspicious, and this termination can't be detected by Bitdefender. Why?
Can HIPS detect such unusual termination of Windows Services, whether initiated locally or remotely?
Kindly rectify if I am wrong. I'll appreciate it.
-
Any comments..... Kindly rectify if I am wrong. I'll appreciate it.