G
Gordon Price
I have read the MSDN article 'Providing a Secure eXPerience' and I have a
question on implementation. The article describes creating a new Software
Restriction Policy Path Rule, to the effect of Disallowing *.VBS. Thus, no
VBS file will execute. Then it goes on to describe creating a Certificate
Rule to allow properly sighed files to run. We are a small architecture
office, and spending a few hundred bucks on a certificate for this seems
overkill, not to mention that I still haven't limited users from running
properly signed scripts, checked by Verisign, that I don't want run on my
network anyway. I could setup CertificateServer and sign all my own scripts,
but that too seems overkill.
So I tried this. I made the first rule as advertised, then I made a second
rule, Allowing C:\Scripts\*.vbs. The C:\Scripts folder is readonly for
everyone but administrators. The result is that a script in that scripts
folder will execute, and nothing else will. With this setup you would have a
situation where in house scripts are available, everything else, in e:mail,
on floppies, on the desktop, etc is blocked, and users can't add scripts to
the allowed folder even if they could figure out they needed to, and a non
WSH virus would have to be able to find that folder to place a virus script
and have the admin security rights, at which point I am toast anyway. Net
result, REAL security, Easily, without extra cost. Am I on to something? Am
I crazy? If this works like it seems to, I wonder why MS never even mentions
it. Then again, they don't mention any negatives? Can anyone see a flaw in
this?
Thanks,
Gordon
question on implementation. The article describes creating a new Software
Restriction Policy Path Rule, to the effect of Disallowing *.VBS. Thus, no
VBS file will execute. Then it goes on to describe creating a Certificate
Rule to allow properly sighed files to run. We are a small architecture
office, and spending a few hundred bucks on a certificate for this seems
overkill, not to mention that I still haven't limited users from running
properly signed scripts, checked by Verisign, that I don't want run on my
network anyway. I could setup CertificateServer and sign all my own scripts,
but that too seems overkill.
So I tried this. I made the first rule as advertised, then I made a second
rule, Allowing C:\Scripts\*.vbs. The C:\Scripts folder is readonly for
everyone but administrators. The result is that a script in that scripts
folder will execute, and nothing else will. With this setup you would have a
situation where in house scripts are available, everything else, in e:mail,
on floppies, on the desktop, etc is blocked, and users can't add scripts to
the allowed folder even if they could figure out they needed to, and a non
WSH virus would have to be able to find that folder to place a virus script
and have the admin security rights, at which point I am toast anyway. Net
result, REAL security, Easily, without extra cost. Am I on to something? Am
I crazy? If this works like it seems to, I wonder why MS never even mentions
it. Then again, they don't mention any negatives? Can anyone see a flaw in
this?
Thanks,
Gordon