First, if you really are who you claim you are, is it wise for you to post
your location and ship name in a public / internationally visible forum like
this? Would you not contact someone else within your organization for
assistance? Do you not already have both Microsoft tech support people and
security incident response people waiting to help within your organization,
and would they not be happy to swoop in and assist if your machines were
under attack?

Here's how to enable auditing:
http://securityadmin.info/faq.asp#auditing

However, to get the IP address that would help identify what computer is
doing this, you need a log from a third party firewall, router, IDS or
sniffer. Windows 2000 and older do not include this functionality without
third party tools. This is OK because I would think you would want to have
someone looking at network traffic anyway to figure out how this is
happening and from where.

Are you sure this is the remote shutdown feature? Could there be some
buffer overflow going on that, say, stops a service like RPC and the service
is configured to restart the computer when the service fails? Or, could it
be some kind of non-malicious system failure? Or a virus? What do you see
in the Windows event logs? What clues are pointing you to this conclusion?
Exact word for word error messages are always

If things are as you say they are, I would be pretty frightened. If
machines are really being shut down through the shut down feature, then that
person has administrative privileges and the game is already over. AND the
firewall may be letting in some kind of remote administration traffic
[NetBIOS, Telnet, etc.] that it probably shouldn't be doing. If this is
happening from the Internet, then the firewall is not protecting you as
well.
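The reply above asks the poster to separate three explanations for the reboots (a shutdown initiated with administrative credentials, a crashed service whose recovery action restarts the machine, and an unexpected power loss or crash) by looking at the Windows event logs. The script below is an added example of that triage, not code from the original post or its author: it parses an Event Viewer style CSV export and classifies each record using the event IDs that USER32 (1074, shutdown initiated by a user or process), the Service Control Manager (7031/7034, service terminated unexpectedly, with the configured corrective action in the message text) and the EventLog service (6008, previous shutdown was unexpected) write. The sample export, host names, user name and timestamps are constructed; whether every one of these IDs is logged on a given Windows 2000 host is an assumption.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the shape of an Event Viewer CSV export
# (Time, Source, EventID, Message). Hosts, users and times are made up.
SAMPLE_EXPORT = """Time,Source,EventID,Message
2003-05-01 02:11:04,Service Control Manager,7031,"The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the computer."
2003-05-01 02:12:05,EventLog,6006,The Event log service was stopped.
2003-05-01 02:14:30,EventLog,6005,The Event log service was started.
2003-05-01 23:40:12,USER32,1074,The process winlogon.exe has initiated the power off of computer WS-07 on behalf of user SHIPDOM\\jdoe for the following reason: No title for this reason could be found
2003-05-02 03:02:00,EventLog,6008,The previous system shutdown at 2:58:10 AM on 5/2/2003 was unexpected.
"""

# Pull the account out of a 1074 message and the service name out of a 7031/7034 message.
SHUTDOWN_USER_RE = re.compile(r"on behalf of user (\S+)")
SERVICE_RE = re.compile(r"^The (.+?) service terminated unexpectedly")


def classify(record):
    """Map one event record to (kind, detail), or None if it is not a shutdown indicator."""
    event_id = int(record["EventID"])
    message = record["Message"]
    if event_id == 1074:
        # Someone (or some process) with the right to shut the machine down did so:
        # this is the "remote shutdown with admin privileges" hypothesis.
        match = SHUTDOWN_USER_RE.search(message)
        return ("initiated_shutdown", match.group(1) if match else "unknown")
    if event_id == 6008:
        # The machine went down without a clean shutdown: crash, power loss, hard reset.
        return ("unexpected_shutdown", None)
    if event_id in (7031, 7034):
        # A service died; 7031 also states the recovery action that was configured.
        match = SERVICE_RE.match(message)
        service = match.group(1) if match else "unknown service"
        if "Restart the computer" in message:
            # Matches the "service failure configured to reboot the box" hypothesis.
            return ("service_crash_restart", service)
        return ("service_crash", service)
    return None


def triage(export_text):
    """Return [(time, kind, detail)] for every shutdown-related record in the export."""
    findings = []
    for record in csv.DictReader(io.StringIO(export_text)):
        result = classify(record)
        if result is not None:
            findings.append((record["Time"], result[0], result[1]))
    return findings


def summarize(findings):
    """Count how often each shutdown kind occurs, to see which hypothesis dominates."""
    return Counter(kind for _, kind, _ in findings)


if __name__ == "__main__":
    for time, kind, detail in triage(SAMPLE_EXPORT):
        print(f"{time}  {kind:24s}  {detail or ''}")
    print(dict(summarize(triage(SAMPLE_EXPORT))))
```

A run of 1074 events naming an account that should not be logging on to those hosts points at the credential compromise the reply warns about; repeated 7031 records ending in "Restart the computer" point instead at the crashed-service explanation, and 6008 with nothing before it says the logs alone will not answer the question and the network capture the reply recommends is needed.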