Scripting is a two-edged sword

Date: May 6, 2004 / year-entry #177
Tags: other
Orig Link: https://blogs.msdn.microsoft.com/oldnewthing/20040506-00/?p=39483
Comments: 15

A three line VB script will disable your firewall.

The advantage of scripting is that you can control so many things with just a few lines of code.

The disadvantage of scripting is that bad people can control so many things with just a few lines of code.

I wonder how long it will be before there's a virus that disables the firewall.


Comments (15)
  1. Mr Sarky says:

    A single cup of coffee will disable your computer’s power supply :-)

  2. Dave says:

    > A single cup of coffee will disable your computer’s power supply :-)

    Spoken like a man that has experienced it…

  3. Duncan Smart says:

    The more that is done to stop users running as Admin then these scripts won’t be able to (easily) harm.

  4. Jonathan says:

    > The more that is done to stop users running as Admin then these scripts won’t be able to (easily) harm.

    I agree. As part of SP2-related education, Microsoft should really push getting people to have separate Admin and Limited accounts, and to use Admin only when necessary.

  5. Dennis Jackson says:

    >The more that is done to stop users running as Admin then these scripts won’t be able to (easily) harm.

    >I agree. As part of SP2-related education, Microsoft should really push getting people to have separate Admin and Limited accounts, and to use Admin only when necessary.

    Does Windows 2000/XP provide a method for a user to install software or occasionally run tasks as Admin without logging out and back in? i.e., like the *nix command "sudo"

  6. Jeremy Croy says:

    Runas

  7. Juan Miguel Venturello says:

    Dennis, open a cmd prompt, type ‘runas /?’

    Can be integrated into the shell. Or is: right click into a file while holding shift, choose ‘Run As…’

    ;)

  8. Scott says:

    How does OS X handle this?

  9. Scott says:

    Oops, forgot to mention that there are trojans that kill ZoneAlarm and any antivirus. So it’s been done already.

  10. Henk Devos says:

    To answer the OS X question:

    The installer will prompt for an admin password.

  11. Gernot says:

    "The more that is done to stop users running as Admin then these scripts won’t be able to (easily) harm."

    I agree, however be aware some applications in the past (application compatibility on current OS versions) have to run as Admin and some only need to be Admin to install. This is changing, however it takes time. How do I explain to my uncle that he cannot run his favorite application because it is dangerous to run as Admin all the time? Some non-techie users do not get the danger: it ran on Win98 or the last version of NT; why does it no longer run?

  12. josh says:

    Most apps do run as a restricted user, although many need some tweaking first. Enable auditing and you can find what files/registry keys they’re bugging on and permit access to those, assuming there’s nothing critical. If all else fails, you can mark a shortcut to run as a different user, though you do need to enter the appropriate password each time.

    It takes too long to set up and punch all the right holes though, you need to get programmers used to the idea of running restricted first.

  13. John Vert says:

    3 lines is too many, just run "netsh firewall set opmode mode=disable". No scripting required.

  14. Mike Dimmick says:

    John, the 3-line script only enables remote administration of the firewall; it doesn’t disable it completely. But you’re right, that is of course even simpler.

    Do virus scanners scan .bat and .cmd files?

  15. Pavel Lebedinsky says:

    Peter Torr has a very well written blog about security aspects of scripting in Windows:

    http://weblogs.asp.net/ptorr/archive/2004/04/24/119627.aspx
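
A defender's view of the one-line command quoted in comment 13, as an added example that is not part of the original post or its comments: a small matcher that flags firewall-disabling `netsh` invocations in process-creation command lines. The event tuples, rule names and function names are constructed for illustration, and the `netsh advfirewall` rule goes beyond the page to cover the successor syntax on later Windows versions.

```python
import re

# Constructed process-creation records (time, user, command line); not real logs.
SAMPLE_EVENTS = [
    ("09:12:01", "alice", 'netsh firewall set opmode mode=disable'),
    ("09:12:07", "alice", 'cmd.exe /c "NETSH.EXE  Firewall SET OpMode DISABLE"'),
    ("09:13:30", "bob", 'netsh firewall show opmode'),
    ("09:14:02", "bob", 'netsh firewall set opmode mode=enable'),
    ("09:15:44", "carol",
     'C:\\Windows\\System32\\netsh.exe advfirewall set allprofiles state off'),
    ("09:16:10", "carol", 'notepad.exe netsh-notes.txt'),
]

# Hypothetical rule names. Each pattern runs against the normalized command line.
RULES = [
    # The command from comment 13, with or without the "mode=" keyword.
    ("legacy-firewall-disabled", re.compile(
        r"\bnetsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+(?:mode\s*=\s*)?disable\b")),
    # Successor syntax (assumption: hosts that ship the advfirewall context).
    ("advfirewall-profile-off", re.compile(
        r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b")),
]


def normalize(cmdline):
    """Lower-case, replace quote characters with spaces, collapse whitespace."""
    cleaned = re.sub(r"[\"']", " ", cmdline.lower())
    return " ".join(cleaned.split())


def detect(events):
    """Return (time, user, rule name) for every event that matches a rule."""
    hits = []
    for timestamp, user, cmdline in events:
        norm = normalize(cmdline)
        for name, pattern in RULES:
            if pattern.search(norm):
                hits.append((timestamp, user, name))
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Read-only queries (`show opmode`) and re-enabling the firewall are deliberately not flagged, so the rule stays quiet during normal administration.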



*DISCLAIMER: I DO NOT OWN THIS CONTENT. If you are the owner and would like it removed, please contact me. The content herein is an archived reproduction of entries from Raymond Chen's "Old New Thing" Blog (most recent link is here). It may have slight formatting modifications for consistency and to improve readability.
