This really does need to be controlled by your Windows Admin people using a GPO. There are Windows rights for 'Sutdown a server' and 'Remote shutdown a server' that need to be restricted.
IMHO, a DBA should have both these rights, but the general user community definitely should not have the rights.
Also, it is definitely poor practice for anyone to directly log on to a DB server to do any T-SQL related work. All SQL access should be done from a client machine. You should only log on to a DB server (either at the console or via RDP, etc) during troubleshooting when nothing else can do the job you need.
Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005. 1 Dec 2016
: now over 39,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Quote: "When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist." - Archbishop Hélder Câmara