RE: Worms and CScript/WScript
From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 05/22/02
Date: Wed, 22 May 2002 17:04:30 +1200
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: incidents@securityfocus.com
mwright@allcovered.com wrote:
> The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code
> Incidents" actually recommends disabling Windows Scripting Host by removing
> both cscript.exe and wscript.exe.
And that makes it "correct" or "a good idea"?
> I have added that to my logon script so that every time a user logs onto one
> of my networks, WSH is disabled. Add that to a managed anti-virus solution
> that filters attachments by extension, and does real-time protection of both
> servers and workstations and you have a very effective virus/worm/trojan
> defense.
In the corporate arena you often can get away without either of these
"advanced" scripting mechanisms, but Windows Update -- which is
rather critical to SOHO users having any chance of staying vaguely
up-to-date with security patches -- used to and presumably still does
depend on WSH (I think VBS specifically). Thus, suggesting disabling
it as a blanket recommendation may not be a wise thing... (And, even
in the corporate arena, you may be better off restricting access to it
rather than removing it -- if your admin group uses VB scripts for
advanced system admin, certainly let them continue to run it so long
as scripts can be run under a suitably privileged security context
without introducing other unwanted problems but lock down your
ordinary users' access to the EXEs.)
> You can download the aforementioned NSA guide directly here:
> http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf
I won't comment further on this (and probably not here but on the
focus-virus list if I ever do) until I've read it...
> or browse through all the NSA guides at http://www.nsa.gov
Let's see -- the NSA gives out security advice from a site that
_requires_ browser scripting to be enabled?
Hmmmm -- do you think we may be able to make an informed estimate of
the likely quality and thoroughness of that advice from just this one
data point??
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com