On Mon, Sep 05, 2011 at 07:50:51PM +0000, Thor (Hammer of God) wrote:
> Excellent points - one slight addition, though:
>
> >In fact, the Windows Script Host software is mostly used to write system
> >maintenance scripts,
> >so it's obvious its scripts can't be restricted or they'd be useless.
>
> Scripts can certainly be restricted based on the account context they are
> executed under. There is actually plenty one can do with "normal user"
> scripts, but as you've pointed out, many of the options admins require
> scripts for need escalated privileges. This is obviously by design, and it
> helps to keep admins aware of best practices when choosing to deploy
> solutions via scripting. There are, of course, many many other ways one can
> accomplish system maintenance in a more secure way such as WMI, PS (which can
> require signed scripts) and of course GPO and/or any other number of
> solutions.
>
> I thought it important to outline that since, in my experience with "real"
> admins, WSH is actually *not* used mostly for system maintenance per se, but
> for standard automation. Using scripts to perform actual administrative
> tasks/maintenance is just a bad idea to begin with.
>

you mean "to perform actual administrative tasks/maintenance" ``"real"
admins'' just click with the mouse on the platform in this thread?

--
joro

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/