Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

[Georgi Guninski <guninski () guninski com>]

On Mon, Sep 05, 2011 at 07:50:51PM +0000, Thor (Hammer of God) wrote:
> Excellent points - one slight addition, though:
>
> > In fact, the Windows Script Host software is mostly used to write system maintenance scripts, 
> > so it's obvious its scripts can't be restricted or they'd be useless.
>
> Scripts can certainly be restricted based on the account context they are executed under.   There is actually plenty 
> one can do with "normal user" scripts, but as you've pointed out, many of the options admins require scripts for need 
> escalated privileges.   This is obviously be design, and it helps to keep admins aware of best practices when 
> choosing to deploy solutions via scripting.  There are, of course, many many other ways once can accomplish system 
> maintenance in a more secure way such as WMI, PS (which can require signed scripts) and of course GPO and/or any 
> other number of solutions.  
>
> I thought it important to outline that since, in my experience with "real" admins, WSH is actually *not* used mostly 
> for system maintenance per se, but for standard automation.   Using scripts to perform actual administrative 
> tasks/maintenance is just a bad idea to begin with.  

you mean "to perform actual administrative tasks/maintenance" 
``"real" admins'' just click with the mouse on the platform in this thread?

-- 
joro

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/