Running Only Signed Scripts

If you don't want to mess around with software restriction policies, you can also rely on WSH's own built-in form of security policy. This policy allows you to specify that only signed scripts will be run; unsigned scripts won't be. This is probably the easiest and most effective way to prevent most unauthorized scripts.

To set the policy, open the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy. Set the value to 0 to run all scripts, 1 to prompt the user if the script is untrusted, and 2 to only run trusted scripts. What's a trusted script? Any script that has been digitally signed by a certificate that the user's computer is configured to trust. For example, if you purchase a certificate from VeriSign (which all Windows computers trust by default), and use that certificate to sign your scripts, they'll run. Unfortunately, a hacker could do the same thing-but you could easily investigate the source of the certificate, because it's a way to uniquely identify the signer.

Using this built-in trust policy allows you to run only signed scripts no matter what version of Windows your users have, provided you've deployed WSH 5.6 or later to all computers. Note that this technique, because it relies on WSH and not the operating system, works on all operating systems capable of running WSH. Many of the other techniques in this chapter-such as Software Restriction Policies-run only on Windows XP, Windows Server 2003, and later.