Securing VBScript

Last month's Outlook Edition that featured the Air Force Academy professors' demonstration of VBScript code to thwart the Outlook Email Security Update triggered several responses about ways to more tightly secure VBScript.

One reader suggested renaming the wscript.exe file from Windows Scripting Host (WSH), which actually runs the scripts. A May 12, 2000, message from the ntbugtraq discussion list, however, notes that Windows 2000 will restore that file, and other versions of Windows will change the file type association to match the new file name.

http://www.ntbugtraq.com/

The professors suggested using a registry entry change to make .vbs files open in Notepad by default, rather than running the script. To create a .reg file that lets Win2K make that alteration to .vbs files and .vbe (encoded VBScript) files, copy the following lines into Notepad, then save the file as VBSafe.reg:

	Windows Registry Editor Version 5.00
	
	[HKEY_CLASSES_ROOT\VBEFile]
	"AlwaysShowExt"=""
	
	[HKEY_CLASSES_ROOT\VBEFile\Shell]
	@="Edit"
	
	[HKEY_CLASSES_ROOT\VBSFile]
	"AlwaysShowExt"=""
	
	[HKEY_CLASSES_ROOT\VBSFile\Shell]
	@="Edit"

The @ entry is the default value of each Shell key; setting it to Edit makes Edit the default action for that file type. The AlwaysShowExt value makes sure that any .vbs or .vbe file shows the file extension, making it harder for users to misunderstand what type of file they're opening.
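
To confirm the change took effect, the following added example (not part of the original article) reads back the same keys that VBSafe.reg writes. It assumes a Windows system with PowerShell 3.0 or later; the function name Test-ScriptAssociation is hypothetical.

```powershell
# Added example: audits the file associations that VBSafe.reg changes.
# Test-ScriptAssociation is a hypothetical name, not a built-in cmdlet.
function Test-ScriptAssociation {
    param([string[]]$Extension = @('.vbs', '.vbe'))

    foreach ($ext in $Extension) {
        $result = [ordered]@{
            Extension     = $ext
            FileType      = $null
            DefaultVerb   = $null
            AlwaysShowExt = $false
            OpensInEditor = $false
        }

        # HKCR\.vbs: the default value names the file type (normally VBSFile).
        # If the extension has been re-associated, the .reg edits no longer
        # apply to it, so follow the extension instead of assuming the name.
        $extKey = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
        if ($extKey) { $result.FileType = $extKey.GetValue('') }

        if ($result.FileType) {
            $base = "Registry::HKEY_CLASSES_ROOT\$($result.FileType)"

            # The value only has to exist; its data is an empty string.
            $typeKey = Get-Item -LiteralPath $base -ErrorAction SilentlyContinue
            if ($typeKey) {
                $result.AlwaysShowExt = $typeKey.GetValueNames() -contains 'AlwaysShowExt'
            }

            # Default value of ...\Shell is the verb run on double-click.
            # When it is empty, Windows falls back to the Open verb,
            # which for script files means the script runs.
            $shellKey = Get-Item -LiteralPath "$base\Shell" -ErrorAction SilentlyContinue
            if ($shellKey) { $result.DefaultVerb = $shellKey.GetValue('') }

            $result.OpensInEditor = ($result.DefaultVerb -eq 'Edit')
        }

        [pscustomobject]$result
    }
}

Test-ScriptAssociation | Format-Table -AutoSize
```

A row with OpensInEditor set to False, or a FileType other than VBSFile or VBEFile, marks a machine where the registry change is missing or no longer covers that extension.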

If you're using a different version of Windows, the first line of your .reg file will differ from that shown above. Export any key from the registry editor to get a sample of how your .reg file should look. If you're not sure how to deploy registry changes like these, read Kathy Ivens' review of the available options in the April 2001 issue of Windows 2000 Magazine. For a variation on the theme, in the Spring 2001 issue, Chris Taylor suggests additional registry changes to provide a warning to users when they try to open a .vbs file. You can read his suggestions and download a sample .reg file.

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=19914

Organizations using Exchange 2000 can use another method. Microsoft has updated Store.exe to allow administrators to block Messaging API (MAPI) clients based on the version number. For example, if you've mandated that users who want full MAPI access to their mailboxes must use either Outlook 2000 with the Email Security Update or Outlook 2002, you can enforce that policy at the server level. The change is available as a public hotfix if you can't wait for Service Pack 1 (SP1), available any day now.

The Microsoft articles listed after this commentary explain how to get the fix and set up the necessary Disable MAPI Clients registry value on your server. You'll need to know the version numbers for the different flavors of Outlook. This is not the version you see in Outlook's About Microsoft Outlook dialog box, but the version number as viewed from the Exchange 2000 System Manager. (Under the Mailbox Store, look under Logons.) Outlook 2002 is version 10.0.0.2627; Outlook 2000 with the Email Security Update is 5.0.3136.0 or later. Also check out Siegfried Weber's list of the MAPI client version numbers.

http://www.cdolive.com/build.htm

As the articles explain, you must drop the 0 after the major build number to get the proper value for the registry. If you want to allow only versions later than the Outlook Email Security Update, you could set the Disable MAPI Clients value to 5.3136.0-. The hyphen at the end means any version equal to or greater than the version given.

The following URLs will take you to Microsoft articles about the Disable MAPI Clients registry value.

http://support.microsoft.com/support/kb/articles/q288/8/94.asp

http://support.microsoft.com/support/kb/articles/q289/1/15.asp