[Previous] [Table of Contents] [Next]

Security Settings for WSH Scripts

Infection of a system by a script virus is always the result of user laziness or ignorance. If users don't open e-mail attachments (and if mail programs are set up so that attachments aren't opened by default, even in preview mode), a virus can't spread. Unfortunately, many inexperienced users open all e-mail attachments that they receive. And most Windows systems are set up so that all security settings are off (which reminds me of some Linux users, who always run their system using root user rights).

A system administrator can prevent scripts from being executed without removing WSH. You can also specify that this behavior be valid only for certain users or for the whole system. This option is available in all 32-bit versions of Windows, but you must activate it. The way to block WSH scripts from executing differs a bit between operating systems.

In Windows 2000 and Windows NT 4, you can limit the right to execute a file to specific user groups, so you can block ordinary users from executing WSH EXE files by following these steps:

  1. Log on as an administrator, and search for the files CScript.exe and WScript.exe (in the \System32 folder).
  2. Right-click on each file, and choose Properties from the context menu.
  3. Click on the Security property page (Figure B-1), click Everyone, and uncheck Read & Execute in the Allow column.
  4. Figure B-1 Security settings for WScript.exe

Repeat these steps for all other user groups for which you want to disable WSH. (Only the System and Administrator accounts have the right to execute a script. Also, installing Windows on an NTFS volume is mandatory.)

After you close the Security property page, execution of WSH scripts is blocked for the specified user groups. If you need to execute a script, you can log on as Administrator and execute the file. For online sessions, avoid logging on with Administrator rights.

An administrator might want to allow certain users to execute scripts even though WScript.exe and CScript.exe are disabled for most users. To define a subset of special users, just follow these steps: Create a user account (named Scripter, for example) and add it to a group that allows scripting. In Windows 2000, you can then create a shortcut to files such as WScript.exe or CScript.exe. Within the shortcut file's property page, you can add the path to a script file that can be executed using the shortcut. And you can check the check box Run As Different User. If an ordinary user double-clicks the shortcut file, Windows asks for a username and password. The user can enter the account name (Scripter in this case) and the password to execute the script under this account. By the way, you can also grant special rights to a script with this approach. The trick is to grant the required rights to the user without accidentally lowering system security.

Windows 95 and Windows 98 don't provide individual rights for files, but you can use the System Policy Editor to define system policies by following the steps below. (See the Microsoft Windows Resource Kit for details.) You can also define system policies in this way in Windows NT and Windows 2000.

  1. In Windows 95, Windows 98, or Windows NT 4, launch the System Policy Editor (Poledit.exe), load the local Registry (by choosing Open Registry from the File menu), and double-click on Local User.
  2. Select the branch Local User/Windows 98 System/Restrictions and select the Only Run Allowed Windows Applications entry.
  3. Click the Show button. In the Show Contents dialog box, use the Add button to add all Windows applications that you want to allow a user to execute.

After you close the open windows and restart Windows, the operating system allows the user to run only the applications listed in the Show Contents dialog box. If CScript.exe and WScript.exe aren't in the list, the user can't execute WSH scripts.

There's a problem with this approach. As a system administrator, you must define all allowed applications, which isn't a simple task. Also, you have to be careful not to disable RegEdit and the System Policy Editor for the Administrator account—otherwise, you can't change Registry entries. For more details about system policies, see the Microsoft Windows Resource Kit or my book Inside the Microsoft Windows 98 Registry.

In Windows 2000, defining system policies is much simpler. You can use the Microsoft Management Console (MMC) to specify applications that a user isn't allowed to execute. If you specify WScript.exe and CScript.exe, the user can't execute scripts after the next logon. There's one problem, however: MMC doesn't support system policies by default. You must create your own MMC version that supports local or remote policies. Here are the steps to create your own MMC application:

  1. Choose Run from the Start menu.
  2. Type MMC as a runnable command, and click OK to launch a new instance of MMC with an empty window.
  3. Choose Add/Remove Snap-in from the Console menu. On the Add/Remove Snap-in property sheet, click on the Standalone tab.
  4. Use the Add button and select the Group Policy snap-in in the Add Standalone Snap-in dialog box.
  5. After you close the open dialog boxes, the snap-in (an ActiveX control) is added to MMC. Save the defined page by using the Save As command from the Console menu.

After saving the configuration in an .msc file, you can open this file (as an MMC application) when you want to alter system policies. To change the list of applications not allowed to run, take the following steps:

  1. Launch your copy of MMC. Depending on your configuration, you might need to load the settings of a network machine. (The local settings are loaded automatically.)
  2. Select the Tree tab in the left pane, and click Local Computer Policy/User Configuration/Administrative Templates/System. The right pane will list the policies defined for your system.
  3. Double-click on the Don't Run Specified Windows Applications entry.
  4. On the new property sheet, click on the Policy tab, select the Enabled option, and click the Show button.
  5. Use the Add button in the Show Contents dialog box to add applications that the user won't be allowed to run, such as WScript.exe and CScript.exe. (See Figure B-2.)
  6. Click to view at full size.

    Figure B-2 Defining system policies using MMC in Windows 2000

After you close the open dialog box and click the Apply button on the Policy property page, Windows 2000 will block executing WSH scripts on that machine (for the specified user group). Note that a user can still use the Command Prompt window or the Run dialog box to launch WSH scripts, but a double-click at the shell level is disabled. For details on defining system policies for Windows 2000, see the Microsoft Windows 2000 Professional Resource Kit. A resource kit is also available for Windows 2000 Server.