Critical Scripting Security Issues

Sadly, Microsoft implemented VBScript without much thought for the consequences. Windows XP, Microsoft's newest client operating system, shipped with full scripting capability built-in and enabled by default. The power of VBScript can be used not only for beneficial administrative tasks, but also for malicious hacking, and many viruses are based on VBScript or another ActiveX Scripting Language.

Administrators have reacted to the security threat of scripts in a number of ways.

• Deleting WScript.exe. Unfortunately, this doesn't work on Windows 2000 or later, because WScript.exe is under Windows File Protection. Delete it and it just comes back.

• Disassociating the VB, VBS, JS, and other WSH file extensions, or re-associating them to simply open in Notepad rather than in WSH. This effectively disables scripting.

• Deploying antivirus software, such as Norton AntiVirus, which detects script execution and halts it.

Regrettably, disabling scripting usually disables it for good, meaning you can't use scripting for logon scripts, administrative tasks, and other beneficial purposes. There's a middle road that you can take however, which authorizes only certain scripts for execution. This middle road helps protect you against scripts written by hackers, while still allowing scripts to be used for administrative and logon purposes.

Fortunately, Microsoft's come to the table with security improvements that can make scripting safe again, and I've devoted Chapter 28 to the topic of scripting security.