Is there a way to only run scripts written by Administrator 

Hi All
    Is it possible to have client machines on a network configured so that
they will only run scripts that have an encryption or signature that the
administrator has endorsed or encoded. I administrate school networks and
like to use VBScripts to do various tasks (as you do) but I am anxious to
say the least to let the kids run riot with WSH. A suitable 3 lines of code
e-mailed as attachment to their mates would have me recovering from backups
their home drives for a week. Any ideas or sources of info greatly
appreciated.
                                        Thanks in advance
                                                        Mike


Mon, 01 Sep 2003 12:51:42 GMT  
 Is there a way to only run scripts written by Administrator
This is a pretty tough question to answer in just a few sentences.  In general, it depends a great
deal on what version of Windows you are running on the workstations and how extreme you want to get.
It's easier to "cripple scripting" than it is to allow "selective scripting".

Symantec makes freely available a "noscript.exe" utility that disables scripting by effectively
disabling the registry keys that are needed for scripting to work.  It can also be used to re-enable
scripting.  But since it's publicly available, there's nothing to stop a student from figuring out
what you did and undoing it ;-).

On NT based systems (NT4 and Win2K) it's possible to restrict execute access to the wscript and
cscript EXE files.  Longer term, WSH 5.6 will support script signing and security policies that
allow only signed scripts from a trusted source to be executed.  To do it right will mean getting a
certificate from one of the trusted root CAs (Certification Authorities) like VeriSign or Thawte and a host
of others.  Even longer term, Windows XP *may* support other scripting safety features that are
easier to administer...

--
Michael Harris
Microsoft.MVP.Scripting
--

Please do not email questions - post them to the newsgroup instead.
--




Mon, 01 Sep 2003 09:09:13 GMT  
 Is there a way to only run scripts written by Administrator
Thanks Michael and Jim
    It's just what the doctor ordered, I should be able to implement it
without too much hassle.
            Mike





Thu, 04 Sep 2003 01:19:02 GMT  
 Is there a way to only run scripts written by Administrator
Thanks Michael
    I am using NoScript at the moment that disables the WSH when they log on
and enables when they log out. It's not pretty but it will do until 5.6 gets
up and running. Your response saves me time in not looking for something
that doesn't exist at the moment and for that I am grateful.
                                                        Thanks
                                                                Mike




Mon, 01 Sep 2003 23:19:34 GMT  
 Is there a way to only run scripts written by Administrator

Take a look at the attached post (author: Jim Warrington) for another possible short term solution.

--
Michael Harris
Microsoft.MVP.Scripting
--

Please do not email questions - post them to the newsgroup instead.
--


[ Attached Message ]

Date: Wed, 7 Mar 2001 12:33:13 -0500
Subject: Have your cake, and eat it too...
With the advent of the I_Love_You (and other) virus(es), transmitted via vbs
scripts, many sysadmins (and other mature and responsible {*filter*}s) have
disabled scripting altogether, to protect against further mischief.  This
may be likened to "throwing-out-the-baby-with-the-bathwater".

Here is a suggestion for "having your cake, and eating it too".  The idea is
to place your "production" scripts in a directory (er, sorry, folder) of
trusted scripts, and launch your scripts with ANOTHER script, that I call a
"filter script".  The idea behind the "filter script" is to only allow for
running those scripts in the "trusted scripts" directory...

Normally, the registry entry for vbs scripts reads something like this:

    c:\windows\WScript.exe "%1" %*

that is, it calls wscript directly to run the script.

What I would suggest is for the vbs file type entry to look something like
this:

    c:\windows\WScript.exe c:\Filter.vbs "%1" %*

And, the "filter script" would look something like this:

--- <snip> ---
Option Explicit
Const sTrustPath = "c:\TrustedScripts\"
Dim oArgs, sScriptPath, oSH

  ' get first argument (should be a script full path),
  '   and strip off the filename, leaving just the path...
  Set oArgs = WScript.Arguments
  If oArgs.Count = 0 Then
     ' nothing to check, so nothing to run
     MsgBox "No script specified, will abort"
     WScript.Quit
  End If
  sScriptPath = Left(oArgs(0), InStrRev(oArgs(0), "\"))

  ' make sure that this is one of the Trusted Scripts...
  If (UCase(sScriptPath) <> UCase(sTrustPath)) Then
     MsgBox "Attempt made to run UnTrustWorthy Script, will abort"
     WScript.Quit
  End If

  ' passed the test, so run it (path is quoted so that
  '   script names containing spaces still work)...
  Set oSH = WScript.CreateObject("WScript.Shell")
  oSH.Run "c:\windows\wscript.exe """ & oArgs(0) & """"

--- </snip> ---

Note: I didn't bother to make any provision for passing along the command
line parameters of the original script, but you scripting aficionados don't
need any help with that...

cheers, jw



Tue, 02 Sep 2003 08:26:47 GMT  
 Is there a way to only run scripts written by Administrator
Just realize that this is relatively easy to defeat simply by executing wscript/cscript.exe manually
from the command line or by adding shortcuts to wscript/cscript to the SendTo menu.  All you're
doing here is changing what the default open action is for scripts.

Don't underestimate how enterprising students can be (like I need to tell *you* that ;-) and don't
get too comfortable...

--
Michael Harris
Microsoft.MVP.Scripting
--

Please do not email questions - post them to the newsgroup instead.
--




Thu, 04 Sep 2003 03:27:45 GMT  
 Is there a way to only run scripts written by Administrator

Quote:

> Just realize that this is relatively easy to defeat simply by executing wscript/cscript.exe manually
> from the command line or by adding shortcuts to wscript/cscript to the SendTo menu.  All you're
> doing here is changing what the default open action is for scripts.

> Don't underestimate how enterprising students can be (like I need to tell *you* that ;-) and don't
> get too comfortable...

> --
> Michael Harris
> Microsoft.MVP.Scripting
> --

> Please do not email questions - post them to the newsgroup instead.
> --

On the other hand, the average Joe Blow is the one interested in LoveLetter, AnaKournikova,
and the like, and preventing him from executing by double clicking means closing
99(.999?)% of the (usual) flood doors for pest proliferation.

In the absence of a signed, thus safe, approach (we'll still have to wait for this one),
Jim's way seems to be a realistic and clever workaround. One small suggestion would be
to couple it with a logon script that would check and/or re-enforce registry settings, and
maybe a small add-on to the original script that would "open floor" to an array of trusted sites.

Once behind the steering wheel (so to speak), knowledgeable and/or mischievous users will
find a way to harm the system, no matter what.

Branimir



Thu, 04 Sep 2003 06:32:32 GMT  
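
The logon-time check suggested in the last post, sketched as an added example (it is not code from any poster in the thread). The filter command is the one from Jim's post; the list of script file types, the `HKCR\...\Shell\Open\Command` locations and the use of the event log are assumptions of this example.

```vbscript
' Added example: verify at logon that script file types still open
' through the filter script, and restore the setting if they do not.
Option Explicit

' Filter command as given in Jim's post (paths are his examples).
Const FILTER_CMD = "c:\windows\WScript.exe c:\Filter.vbs ""%1"" %*"

Dim oSH, aProgIds, sProgId, sKey, sCurrent
Set oSH = WScript.CreateObject("WScript.Shell")

' Assumed scope: the file types WSH registers for .vbs, .vbe, .js,
' .jse and .wsf files.
aProgIds = Array("VBSFile", "VBEFile", "JSFile", "JSEFile", "WSFFile")

For Each sProgId In aProgIds
  ' A trailing backslash addresses the key's default value.
  sKey = "HKCR\" & sProgId & "\Shell\Open\Command\"
  sCurrent = ReadValue(sKey)

  If LCase(sCurrent) <> LCase(FILTER_CMD) Then
    If WriteValue(sKey, FILTER_CMD) Then
      ' 2 = warning: the association had been changed and was reset.
      oSH.LogEvent 2, "Script filter restored for " & sProgId & _
                      "; previous command was: " & sCurrent
    Else
      ' 1 = error: the account running this check cannot write the
      ' key, so the mismatch is only reported, not repaired.
      oSH.LogEvent 1, "Script filter missing for " & sProgId & _
                      " and could not be restored"
    End If
  End If
Next

' Returns the registry value, or "" when the key does not exist.
Function ReadValue(sPath)
  On Error Resume Next
  ReadValue = oSH.RegRead(sPath)
  If Err.Number <> 0 Then ReadValue = ""
  On Error GoTo 0
End Function

' Returns True when the value was written, False on access denied etc.
Function WriteValue(sPath, sData)
  On Error Resume Next
  oSH.RegWrite sPath, sData, "REG_SZ"
  WriteValue = (Err.Number = 0)
  On Error GoTo 0
End Function
```

The check only covers the default open action, which is the limitation Michael Harris points out above, so it complements rather than replaces restricting execute access to the script hosts.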
 