May 31, 2004, 12:00 AM — Securing your environment by enforcing and utilizing digitally signed
scripts is easy with the features built into Windows and Windows
Scripting Host (WSH).
Last week we discussed digitally signing your scripts within VBScript.
Digitally signing scripts allows you to verify who authored a script as
well as ensure that the script has not been altered since the script was
originally signed. By enforcing the use of digital signatures within
your scripts, you can increase the security of your environment and add
an additional layer of protection from many of the script-related
attacks that are common today.
This week we demonstrate how to enable the enforcement of digitally
signed scripts within your Windows environment.
Enforcing digitally signed scripts requires the modification of the
registry. Please make sure you know what you're doing before attempting
modification of the registry. To enforce digitally signed scripts you
must create a new REG_DWORD value named TrustPolicy in the registry under
the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\
The following values are possible for TrustPolicy:
0 = All scripts can run and no warning is displayed
1 = A warning dialog box is displayed showing the security status of the
script. Unsigned scripts can still run
2 = The signature must be verified before a script can run. Unsigned
scripts cannot run
To import these settings into your registry, create a file called
EnforceSig.reg and paste the following into the file:
--------------- Copy section after this line ----------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"TrustPolicy"=dword:00000000
"UseWINSAFER"="0"
-------------------------- End Copy -------------------------
Note: The UseWINSAFER line is only required on Windows XP.
After you paste this text into the file and save it, you can run it to
import the settings above into the registry. Notice that I have set
"TrustPolicy" to 00000000 by default. If you want to restrict the
settings, change this to 00000001 or 00000002 as noted above.
Also note that there has been some confusion over the use of script
signing support in Windows XP. Windows XP includes a new policy type
called Software Restriction Policy (SRP). To use the backward
compatible Script Trust Policy, you must first disable SRP. To disable
a) WINSAFER set to 1 = SRP will be used, and "TrustPolicy" will be
b) WINSAFER set to 0 (or not present) = the "TrustPolicy" setting will
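The following PowerShell script is an added example, not code from the original article: it reads the TrustPolicy and UseWINSAFER values at the HKLM key given above, reports which policy is actually in effect according to the rules in the article (UseWINSAFER set to 1 means SRP governs, 0 or absent means TrustPolicy applies), and can write a validated TrustPolicy level. The function names Get-WshTrustPolicy and Set-WshTrustPolicy and the -DisableWinSafer switch are this example's own, not part of WSH.

```powershell
# Added example: audit and set the WSH TrustPolicy value described in the article.
# Run from an elevated PowerShell prompt; writing to HKLM requires administrator rights.
# Function names and the -DisableWinSafer switch are this example's own, not WSH's.

$WshSettingsPath = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

# Meaning of each TrustPolicy value, as listed in the article.
$TrustPolicyMeaning = @{
    0 = 'All scripts run, no warning'
    1 = 'Warning dialog shows signature status; unsigned scripts can still run'
    2 = 'Signature must verify before a script runs; unsigned scripts cannot run'
}

function Get-WshTrustPolicy {
    # Read TrustPolicy and UseWINSAFER; a missing value is reported as $null.
    $props    = Get-ItemProperty -Path $WshSettingsPath -ErrorAction SilentlyContinue
    $trust    = if ($null -ne $props -and $null -ne $props.TrustPolicy) { [int]$props.TrustPolicy } else { $null }
    $winsafer = if ($null -ne $props -and $null -ne $props.UseWINSAFER) { [string]$props.UseWINSAFER } else { $null }

    # Per the article: UseWINSAFER=1 means Software Restriction Policy is used,
    # while 0 (or not present) means the TrustPolicy setting is what applies.
    $effective = if ($winsafer -eq '1') {
        'Software Restriction Policy (SRP) is in use; TrustPolicy is not applied'
    } elseif ($null -eq $trust) {
        'TrustPolicy value not present'
    } elseif ($TrustPolicyMeaning.ContainsKey($trust)) {
        $TrustPolicyMeaning[$trust]
    } else {
        "Unexpected TrustPolicy value $trust (expected 0, 1 or 2)"
    }

    [pscustomobject]@{
        Path        = $WshSettingsPath
        TrustPolicy = $trust
        UseWINSAFER = $winsafer
        Effective   = $effective
    }
}

function Set-WshTrustPolicy {
    param(
        # Only the three values the article documents are accepted.
        [Parameter(Mandatory)]
        [ValidateSet(0, 1, 2)]
        [int]$Level,

        # Writes UseWINSAFER="0" so TrustPolicy applies; per the article this is
        # only relevant on Windows XP, where SRP otherwise takes precedence.
        [switch]$DisableWinSafer
    )

    # Create the Settings key if it does not exist, then write the REG_DWORD.
    if (-not (Test-Path $WshSettingsPath)) {
        New-Item -Path $WshSettingsPath -Force | Out-Null
    }
    New-ItemProperty -Path $WshSettingsPath -Name 'TrustPolicy' `
        -PropertyType DWord -Value $Level -Force | Out-Null

    if ($DisableWinSafer) {
        New-ItemProperty -Path $WshSettingsPath -Name 'UseWINSAFER' `
            -PropertyType String -Value '0' -Force | Out-Null
    }

    # Return the resulting state so the change can be confirmed.
    Get-WshTrustPolicy
}

# Usage: audit the current state first, then enforce level 2 (unsigned scripts blocked).
Get-WshTrustPolicy | Format-List
# Set-WshTrustPolicy -Level 2
# Set-WshTrustPolicy -Level 2 -DisableWinSafer   # Windows XP with SRP present
```

The audit function is the part worth running on every host before enforcement: it distinguishes "TrustPolicy is 2" from "TrustPolicy is 2 but ignored because UseWINSAFER is 1", which is exactly the Windows XP confusion the article describes.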
Next week we will show you how to programmatically sign your VBScripts.