Infection of a system by a script virus is always the result of user laziness or ignorance. If users don't open e-mail attachments (and if mail programs are set up so that attachments aren't opened by default, even in preview mode), a virus can't spread. Unfortunately, many inexperienced users open all e-mail attachments that they receive. And most Windows systems are set up so that all security settings are off (which reminds me of some Linux users, who always run their system using root user rights).
A system administrator can prevent scripts from being executed without removing WSH. You can also specify that this behavior be valid only for certain users or for the whole system. This option is available in all 32-bit versions of Windows, but you must activate it. The way to block WSH scripts from executing differs a bit between operating systems.
In Windows 2000 and Windows NT 4, you can limit the right to execute a file to specific user groups, so you can block ordinary users from executing WSH EXE files by following these steps:
Figure B-1 Security settings for WScript.exe
Repeat these steps for all other user groups for which you want to disable WSH. (Only the System and Administrator accounts have the right to execute a script. Also, installing Windows on an NTFS volume is mandatory.)
After you close the Security property page, execution of WSH scripts is blocked for the specified user groups. If you need to execute a script, you can log on as Administrator and execute the file. For online sessions, avoid logging on with Administrator rights.
An administrator might want to allow certain users to execute scripts even though WScript.exe and CScript.exe are disabled for most users. To define such a subset of users, follow these steps: Create a user account (named Scripter, for example) and add it to a group that is allowed to run scripts. In Windows 2000, you can then create a shortcut to WScript.exe or CScript.exe. In the shortcut's property page, add the path to the script file that the shortcut should execute, and select the Run As Different User check box. When an ordinary user double-clicks the shortcut, Windows asks for a username and password; the user enters the account name (Scripter in this case) and its password, and the script runs under that account. By the way, you can also grant special rights to a script with this approach. The trick is to grant the required rights to the user account without accidentally lowering system security.
Windows 95 and Windows 98 don't provide individual rights for files, but you can use the System Policy Editor to define system policies by following the steps below. (See the Microsoft Windows Resource Kit for details.) You can also define system policies in this way in Windows NT and Windows 2000.
After you close the open windows and restart Windows, the operating system allows the user to run only the applications listed in the Show Contents dialog box. If CScript.exe and WScript.exe aren't in the list, the user can't execute WSH scripts.
There's a problem with this approach. As a system administrator, you must define all allowed applications, which isn't a simple task. Also, you have to be careful not to disable RegEdit and the System Policy Editor for the Administrator account—otherwise, you can't change Registry entries. For more details about system policies, see the Microsoft Windows Resource Kit or my book Inside the Microsoft Windows 98 Registry.
In Windows 2000, defining system policies is much simpler. You can use the Microsoft Management Console (MMC) to specify applications that a user isn't allowed to execute. If you specify WScript.exe and CScript.exe, the user can't execute scripts after the next logon. There's one problem, however: MMC doesn't support system policies by default. You must create your own MMC version that supports local or remote policies. Here are the steps to create your own MMC application:
After saving the configuration in an .msc file, you can open this file (as an MMC application) when you want to alter system policies. To change the list of applications not allowed to run, take the following steps:
Figure B-2 Defining system policies using MMC in Windows 2000
After you close the open dialog box and click the Apply button on the Policy property page, Windows 2000 blocks execution of WSH scripts on that machine (for the specified user group). Note that a user can still launch WSH scripts from the Command Prompt window or the Run dialog box; only the double-click at the shell level is disabled. For details on defining system policies for Windows 2000, see the Microsoft Windows 2000 Professional Resource Kit. A resource kit is also available for Windows 2000 Server.
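The two application policies above (the Windows 95/98 "allowed applications" list and the Windows 2000 "not allowed to run" list) are easy to get half right: listing only one of the two WSH hosts, or forgetting RegEdit and the Policy Editor for the Administrator account. The following audit script is an added example, not from the book; it parses a .reg export of the policy key and assumes the standard registry locations those policies write to (the RestrictRun and DisallowRun values and sublists under Policies\Explorer), which the text itself does not name.

```python
# Assumed standard locations of the RestrictRun ("Run only allowed Windows applications") and DisallowRun ("Don't run specified Windows applications") policies.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
WSH_HOSTS = {"wscript.exe", "cscript.exe"}    # both hosts must be covered
ADMIN_TOOLS = {"regedit.exe", "poledit.exe"}  # must stay runnable for Administrator

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {name: data}} (strings and DWORDs only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            is_dword = data.startswith("dword:")
            keys[current][name.strip('"')] = int(data[6:], 16) if is_dword else data.strip('"')
    return keys

def _listed(keys, subkey):
    """Lower-cased file names stored as numbered string values under a policy list."""
    vals = keys.get(POLICY_KEY + "\\" + subkey, {}).values()
    return {v.lower() for v in vals if isinstance(v, str)}

def audit_wsh_policy(reg_text):
    """Return findings; empty means both hosts are blocked at shell level (cmd.exe and Run still work)."""
    keys = parse_reg_export(reg_text)
    explorer, findings = keys.get(POLICY_KEY, {}), []
    if explorer.get("DisallowRun") == 1:
        missing = WSH_HOSTS - _listed(keys, "DisallowRun")
        if missing:
            findings.append("DisallowRun does not list: " + ", ".join(sorted(missing)))
    elif explorer.get("RestrictRun") == 1:
        allowed = _listed(keys, "RestrictRun")
        if WSH_HOSTS & allowed:
            findings.append("RestrictRun allows: " + ", ".join(sorted(WSH_HOSTS & allowed)))
        if ADMIN_TOOLS - allowed:  # the Administrator lock-out the text warns about
            findings.append("RestrictRun omits: " + ", ".join(sorted(ADMIN_TOOLS - allowed)))
    else:
        findings.append("neither DisallowRun nor RestrictRun is enabled")
    return findings

# Constructed sample export: policy enabled, but only one of the two hosts listed.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="WScript.exe"
"""
```

Run `audit_wsh_policy` over an export of the Administrator's hive to catch the RegEdit lock-out, and over an ordinary user's hive to confirm both hosts are listed.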