Securing Scripts

Microsoft® Windows® 2000 Scripting Guide

Security is always a primary concern for system administrators; this is as true for scripts and scripting as it is for anything else. After all, no one wants a repeat of the ILOVEYOU virus, a script that, largely without warning, managed to wreak havoc worldwide.

WSH 5.6 includes a number of measures designed to guard against problems such as this. The ILOVEYOU virus succeeded not so much by exploiting a flaw in Windows Script Host as it did by exploiting a flaw in human nature: people are innately curious about anything that is given to them. Faced with the decision "Do you want to run this script?" and with no other information to go on, many people opted to run the script.

WSH 5.6 can help users make more intelligent choices. For example, when a user tries to run a script, WSH can be configured to display a dialog box that says, in effect, "We do not know who wrote this script, and we have no guarantee that it is safe to run. Are you sure you want to proceed?" Alternatively, system administrators can relieve users of the need to make choices at all. Instead, WSH can be configured so that users can run only scripts that have been pre-approved and digitally signed.

This section of the chapter examines several techniques that can be used to enhance script security, including:

  • Signing scripts with digital signatures.

  • Restricting the ability of a user to run a script.

  • Disabling Windows Script Host.


Security obviously applies to items other than scripts. It is true that hackers often use scripts to ply their trade, simply because these plain-text files are easy to write and easy to distribute. However, scripts are not the only security threat faced by system administrators; after all, executable files and batch files have been misused as well. The techniques discussed in this chapter can be a useful part of any security plan, but they are by no means an entire security plan in and of themselves.