VBScript - Enforcing the use of digitally signed scripts

Securing your environment by enforcing and utilizing digitally signed scripts is easy with the features built into Windows and Windows Scripting Host (WSH).

Last week we discussed digitally signing your scripts within VBScript. Digitally signing scripts allows you to verify who authored a script as well as ensure that the script has not been altered since it was originally signed. By enforcing the use of digital signatures within your scripts, you can increase the security of your environment and add an additional layer of protection from many of the script-related attacks that are common today.

This week we demonstrate how to enable the enforcement of digitally signed scripts within your Windows environment.

Enforcing digitally signed scripts requires modifying the registry. Please make sure you know what you're doing before attempting to modify the registry. To enforce digitally signed scripts you must create a new REG_DWORD value called TrustPolicy in the registry under the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\

The following values are possible for TrustPolicy:

0 = All scripts can run and there is no warning
1 = A warning dialog box is displayed showing the security status of the script. Unsigned scripts can still run
2 = Scripts require verification of the signature before a script can be run. Unsigned scripts cannot run

To import these settings into your registry, create a file called EnforceSig.reg and paste the following into the file:

--------------- Copy section after this line ----------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"UseWINSAFER"="0"
"TrustPolicy"=dword:00000000
-------------------------- End Copy -------------------------

Note: The UseWINSAFER line is only required on Windows XP.

After you paste this text into the file and save it, you can run it to import the settings above into the registry. Notice that I have set "TrustPolicy" to 00000000 by default, which leaves all scripts free to run with no warning. If you want to restrict the settings, change this to 00000001 or 00000002 as noted above.

Also note that there has been some confusion over the use of script signing support in Windows XP. Windows XP includes a new policy type called Software Restriction Policy (SRP). To use the backward compatible Script Trust Policy, you must first disable SRP for WSH. Whether SRP or TrustPolicy is honoured is decided by the UseWINSAFER value that sits in the same Settings key as:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy

a) UseWINSAFER set to 1 = SRP will be used, and "TrustPolicy" will be ignored
b) UseWINSAFER set to 0 (or not present) = the "TrustPolicy" setting will be used.
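The following PowerShell script is an added example, not part of the original article: it reads UseWINSAFER and TrustPolicy from the Settings key described above, reports which policy is actually in effect (so an administrator can confirm that a TrustPolicy of 2 is not being silently ignored because UseWINSAFER is 1), and optionally sets the value. The function names Get-WshTrustState and Set-WshTrustPolicy are assumed names chosen for this example; run it from an elevated session.

```powershell
# Added example (not from the article): audit and set the WSH TrustPolicy.
$WshSettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshTrustState {
    # Read both values; a missing value is treated as 0, matching the
    # article's note that an absent UseWINSAFER means TrustPolicy applies.
    $props = Get-ItemProperty -Path $WshSettingsKey -ErrorAction SilentlyContinue
    $useWinSafer = if ($null -ne $props.UseWINSAFER) { [int]$props.UseWINSAFER } else { 0 }
    $trustPolicy = if ($null -ne $props.TrustPolicy) { [int]$props.TrustPolicy } else { 0 }

    # Effective behaviour: UseWINSAFER=1 hands control to SRP and TrustPolicy is ignored.
    $effective = if ($useWinSafer -eq 1) {
        'Software Restriction Policy governs scripts; TrustPolicy is ignored'
    } else {
        switch ($trustPolicy) {
            0       { 'All scripts run, no warning' }
            1       { 'Warning dialog shown; unsigned scripts can still run' }
            2       { 'Signature verification required; unsigned scripts cannot run' }
            default { "Unrecognised TrustPolicy value $trustPolicy" }
        }
    }

    [pscustomobject]@{
        UseWINSAFER = $useWinSafer
        TrustPolicy = $trustPolicy
        Effective   = $effective
    }
}

function Set-WshTrustPolicy {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 2)][int]$Level,
        [switch]$DisableWinSafer   # only relevant on Windows XP, per the article
    )
    if (-not (Test-Path $WshSettingsKey)) {
        New-Item -Path $WshSettingsKey -Force | Out-Null
    }
    # TrustPolicy is a REG_DWORD; UseWINSAFER is written as the string "0",
    # matching the EnforceSig.reg fragment above.
    New-ItemProperty -Path $WshSettingsKey -Name 'TrustPolicy' -PropertyType DWord -Value $Level -Force | Out-Null
    if ($DisableWinSafer) {
        New-ItemProperty -Path $WshSettingsKey -Name 'UseWINSAFER' -PropertyType String -Value '0' -Force | Out-Null
    }
    Get-WshTrustState   # return the state so the caller can verify the change took effect
}

# Usage (elevated): Set-WshTrustPolicy -Level 2 -DisableWinSafer
Get-WshTrustState
```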

Next week we will show you how to programmatically sign your VBScripts.
