Date: Tue, 6 Sep 2011 18:57:16 +0300
From: Georgi Guninski <guninski@...inski.com>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"paul.szabo@...ney.edu.au" <paul.szabo@...ney.edu.au>
Subject: Re: Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking

On Mon, Sep 05, 2011 at 07:50:51PM +0000, Thor (Hammer of God) wrote:
> Excellent points - one slight addition, though:
> 
> >In fact, the Windows Script Host software is mostly used to write system maintenance scripts, 
> >so it's obvious its scripts can't be restricted or they'd be useless.
> 
> Scripts can certainly be restricted based on the account context they are executed under.   There is actually plenty one can do with "normal user" scripts, but as you've pointed out, many of the options admins require scripts for need escalated privileges.   This is obviously by design, and it helps to keep admins aware of best practices when choosing to deploy solutions via scripting.  There are, of course, many many other ways one can accomplish system maintenance in a more secure way such as WMI, PS (which can require signed scripts) and of course GPO and/or any other number of solutions.
> 
> I thought it important to outline that since, in my experience with "real" admins, WSH is actually *not* used mostly for system maintenance per se, but for standard automation.   Using scripts to perform actual administrative tasks/maintenance is just a bad idea to begin with.  
>

you mean "to perform actual administrative tasks/maintenance" 
``"real" admins'' just click with the mouse on the platform in this thread?

-- 
joro
