-
July 17th, 2004, 01:48 AM
#11
Yeah, if this is a school box, run a port scan on the machine from home or from outside the school network (or that machine, whichever you'd get a valid response from) and see if you have port 139 open. See what ports are open in the first place on the machine and then post back your findings.
-
July 17th, 2004, 05:39 AM
#12
Member
The remote shutdown through that method you mentioned, Ronin, was the first method he used, as I first mentioned in my very first post; I had disabled that with the server service and advanced power management already. That method won't give users a shutdown prompt. Ran netstat and port 139 is not open, but I already disabled admin shares, ran net config, gpedit, restricted a 1 user session on the box, and put LanMan Parameters as hidden in the registry. Is that enough? Apparently not, since he can still shut me down, argggh. Still can't find anything on AltaVista either.
-
July 17th, 2004, 06:23 AM
#13
OK, sorry, my bad. There is also shutdown.exe in the resource kit that does the same thing, so have a look for that.
Get hold of the NSA hardening guidelines and apply them; that should lock the box down even further. You'll need to adjust the local security policy and the user permissions.
However, given that he has Admin rights to the box already, it's going to be tricky to lock him out completely.
Do you see anything else in your netstat?
Also, any chance you can run a traffic sniff and see what he is sending?
Quis custodiet ipsos custodes
-
July 17th, 2004, 06:45 AM
#14
Junior Member
Have you tried disabling DCOM on your computer? I believe RemoteExec (Google) and other tools of the sort take advantage of DCOM. Start > Run > dcomcnfg
I might be mixing something up here though.
Let us know if that solves the problem.