I logged on remotely to a server with RDP and I noticed that I had options to restart or shut down that server. This means we can shut down or restart a server without physical access and without authentication.
We can remove the Shut down and Restart hyperlinks by setting the REG_DWORD value UseShutDownControls to 0 in the HKLM\SOFTWARE\SSOProvider\SuperGina registry key.
So this is a clear case of misconfiguration, probably due to the fact that the installation script was copied from a workstation installation where you might want to allow this setting.
But even on a workstation you might not want to have those options when connecting to it remotely. So consider carefully whether you want to enable this setting.
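
One way to audit and apply the registry setting described above with PowerShell, as an added example that is not part of the original post or the vendor's tooling. The function name and the State labels are hypothetical; the key path and value name are the ones given above. A missing value is reported rather than interpreted, because the post does not state the product's default.

```powershell
# Added example: audit (and optionally fix) the SuperGina shutdown controls.
# Key path and value name come from the post; everything else is illustrative.
function Test-SuperGinaShutdownControls {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\SSOProvider\SuperGina',
        [switch]$Fix   # writing under HKLM requires an elevated session
    )
    $name    = 'UseShutDownControls'
    $state   = 'KeyMissing'   # product key absent: nothing to configure
    $current = $null

    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $name) {
            $current = $key.GetValue($name)
            $kind    = $key.GetValueKind($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $state = 'WrongType'      # e.g. created as REG_SZ by a script
            } elseif ($current -eq 0) {
                $state = 'Disabled'       # links removed, as recommended above
            } else {
                $state = 'Enabled'        # Shut down / Restart links shown
            }
        } else {
            $state = 'ValueMissing'       # default behaviour not stated in the post
        }
    }

    # Only touch the registry when the key exists; never create the product key.
    if ($Fix -and $state -in 'Enabled', 'WrongType', 'ValueMissing') {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set REG_DWORD to 0')) {
            New-ItemProperty -LiteralPath $KeyPath -Name $name -Value 0 `
                -PropertyType DWord -Force | Out-Null
            $current = 0
            $state   = 'Disabled'
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Key      = $KeyPath
        Value    = $current
        State    = $state
    }
}

# Audit only:      Test-SuperGinaShutdownControls
# Preview the fix: Test-SuperGinaShutdownControls -Fix -WhatIf
```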