Windows NT includes a subsystem that automatically associates file types with an executable and instructs the OS to run a particular executable when a user double-clicks an associated file. An intruder can use this feature to configure malicious mobile code (e.g., Web-based Windows Script Host—WSH—scripts) to run automatically on a user's system or change the user's file associations so that the user unwittingly executes malicious code. How can I prevent malicious mobile code from automatically executing, and how can I prevent intruders from changing the file associations?
To prevent Web-based scripts from executing automatically, change the Windows file associations for the following file types:
- .jse and .js (JScript files)
- .vbs and .vbe (VBScript files)
- .wsc, .wsh, and .wsf (WSH files)
These file extensions are for script files that can contain malicious mobile code and that an attacker can execute from a Web browser. To change the file associations for these file types, start Windows Explorer, go to the View menu, then select Options. Go to the File Types tab and, for each of the file types I mentioned above, select the file type, then click Edit. In the Edit File Type dialog box, select the Open action in the Actions box, then click Edit. Replace the content of the Application used to perform action text box with C:\WINNT\Notepad.exe "%1", as Figure 1 shows. Next, click OK once and Close twice to exit the Options dialog box. Now, whenever a user launches a script file, NT will display the script contents in Notepad instead of executing the script.
An alternative solution is to simply rename the wscript.exe executable, which is the file that executes WSH, Visual Basic (VB), and Java scripts on the Windows platform. When you rename the executable (for example, to wscript.eze), then try to run a WSH, VB, or Java script file, NT generates an error message. This error message states that the OS can't find wscript.exe and prompts you to enter an alternative path to the script execution engine.
To prevent unauthorized users, including intruders, from changing file associations on a Windows system, use the Permissions menu option in the Windows system registry editor to change the access control settings on the HKEY_CLASSES_ROOT registry hive and all its subkeys. Change the access control settings so that only authorized system or domain administrators can change file associations.
