Microsoft Security Guide: Restrict Legacy JScript Execution

💼 Management Summary

Restrict legacy JScript execution - blocks legacy JScript 5.8 engine (prevents abuse via Windows Script Host and IE11).

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
4h (tech: 1h)
Applies to:
Windows 10
Windows 11

JScript = ancient + abused:
  - JScript: Microsoft's JavaScript implementation (1996-2011)
  - JScript 5.8: last version (2011, 14 years old)
  - Modern JavaScript: Chakra (IE11), V8 (Chrome/Edge); JScript is obsolete
Attack vectors:
  - Windows Script Host: .js files executed via wscript.exe/cscript.exe (malware delivery, no user interaction)
  - IE11: JScript execution (exploit kits)
  - Malicious .js: double-click → JScript execution → malware install
Restrict JScript:
  - JScript 5.8: BLOCKED (WSH .js files won't run)
  - Modern JavaScript: unaffected (browsers use modern engines)

Required PowerShell Modules
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementation

Restrict JScript:
  - Policy: Prevent access to 16-bit applications: Enabled (blocks JScript 5.8)
  - Effect: .js files (WSH): BLOCKED (wscript.exe refuses execution)
  - IE11 JScript: BLOCKED
  - Modern browsers: unaffected (Chakra/V8 work normally)
  - PowerShell: unaffected (different engine)

Requirements

  1. Windows 10/11
  2. Legacy .js scripts: migrate to PowerShell (if business-critical)
  3. Intune or GPO

Implementation

Intune Settings Catalog: MS Security Guide → Prevent access to 16-bit applications: Enabled (blocks JScript 5.8). Migration: .js scripts → PowerShell .ps1.
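The audit and remediation the sections above describe, as an added PowerShell example; this is not the page's restrict-legacy-jscript.ps1 and not Microsoft's baseline tooling. It assumes the baseline's "Restrict legacy JScript execution for Office" setting lands in the Internet Explorer feature-control key FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE as one REG_DWORD per Office executable, with 0x11000 covering the Internet and Restricted Sites zones; the key, the process list and the value are assumptions to verify against the baseline version you deploy, and the variables $FeatureKey, $ExpectedValue, $OfficeProcesses and the Get-/Test-/Set-/Remove- functions are names chosen for this example. It only touches per-process entries for Office, so it does not change how Chrome, Edge or PowerShell run script.

```powershell
# Added example: not the page's restrict-legacy-jscript.ps1 and not Microsoft's baseline tooling.
# ASSUMPTION: the "Restrict legacy JScript execution for Office" setting lands in the Internet
# Explorer feature-control key below as one REG_DWORD per Office executable. Verify the key,
# the process list and the value against the baseline version you deploy before relying on it.
$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE'

# ASSUMPTION: 0x11000 flags the Internet zone (bit 12) and the Restricted Sites zone (bit 16)
# as zones in which the legacy JScript engine must not run; other zones are left unchanged.
$ExpectedValue = 0x11000

# Office executables to cover (assumed list; adjust to the applications you have installed).
$OfficeProcesses = @('excel.exe', 'msaccess.exe', 'mspub.exe', 'onenote.exe', 'outlook.exe',
                     'powerpnt.exe', 'visio.exe', 'winproj.exe', 'winword.exe')

function Get-LegacyJScriptStatus {
    # One object per process: the configured value (if any) and whether every bit of
    # $Expected is present, so a stricter value that also covers extra zones still passes.
    [CmdletBinding()]
    param(
        [string]   $Key       = $FeatureKey,
        [string[]] $Processes = $OfficeProcesses,
        [int]      $Expected  = $ExpectedValue
    )
    $keyExists = Test-Path -Path $Key
    foreach ($proc in $Processes) {
        $value = $null
        if ($keyExists) {
            $item = Get-ItemProperty -Path $Key -Name $proc -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.$proc }
        }
        $display = if ($null -ne $value) { '0x{0:X}' -f $value } else { '(not set)' }
        [pscustomobject]@{
            Process   = $proc
            Value     = $display
            Compliant = ($null -ne $value) -and (($value -band $Expected) -eq $Expected)
        }
    }
}

function Test-LegacyJScriptCompliance {
    # Prints the per-process table and returns $true only when every process is restricted.
    [CmdletBinding()]
    param()
    $status       = @(Get-LegacyJScriptStatus)
    $nonCompliant = @($status | Where-Object { -not $_.Compliant })
    $status | Format-Table -AutoSize | Out-String | Write-Host
    if ($nonCompliant.Count -eq 0) {
        Write-Host 'COMPLIANT: legacy JScript restricted for all listed Office processes' -ForegroundColor Green
        return $true
    }
    Write-Host ('NON-COMPLIANT: ' + ($nonCompliant.Process -join ', ')) -ForegroundColor Red
    return $false
}

function Set-LegacyJScriptRestriction {
    # Remediation: write the expected value for each process. Supports -WhatIf; run elevated.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $Key       = $FeatureKey,
        [string[]] $Processes = $OfficeProcesses,
        [int]      $Expected  = $ExpectedValue
    )
    if (-not (Test-Path -Path $Key) -and $PSCmdlet.ShouldProcess($Key, 'Create key')) {
        New-Item -Path $Key -Force | Out-Null
    }
    foreach ($proc in $Processes) {
        if ($PSCmdlet.ShouldProcess("$Key\$proc", ('Set REG_DWORD to 0x{0:X}' -f $Expected))) {
            New-ItemProperty -Path $Key -Name $proc -PropertyType DWord -Value $Expected -Force | Out-Null
        }
    }
}

function Remove-LegacyJScriptRestriction {
    # Revert: drop the per-process values again (the key itself is left in place).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $Key       = $FeatureKey,
        [string[]] $Processes = $OfficeProcesses
    )
    foreach ($proc in $Processes) {
        if ((Test-Path -Path $Key) -and $PSCmdlet.ShouldProcess("$Key\$proc", 'Remove value')) {
            Remove-ItemProperty -Path $Key -Name $proc -ErrorAction SilentlyContinue
        }
    }
}

# Usage (elevated PowerShell):
#   Test-LegacyJScriptCompliance              # audit only
#   Set-LegacyJScriptRestriction -WhatIf      # show what would be written
#   Set-LegacyJScriptRestriction; Test-LegacyJScriptCompliance
```

The compliance test uses a bitwise check (`-band`) rather than equality, so a host where the value also covers additional zones is still reported as compliant. On a domain-joined or Intune-managed machine, the GPO or Settings Catalog profile remains the authoritative source and re-applies the setting at policy refresh; use Set-LegacyJScriptRestriction for standalone hosts or to confirm the expected registry state before the policy is rolled out.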

Compliance

Microsoft Security Baseline, BIO 12.02 (Block legacy tech), DISA STIG.

Monitoring

Use the PowerShell script restrict-legacy-jscript.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script restrict-legacy-jscript.ps1 (function Invoke-Remediation) – Remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Restricts legacy JScript execution for Office
.DESCRIPTION
    This script implements the Microsoft Security Guide control for restricting legacy JScript
    execution in Office applications. Legacy JScript can pose a security risk and must be
    restricted to safe contexts. This control requires manual configuration via Group Policy,
    because the exact registry implementation has not yet been fully documented by Microsoft.
.REQUIREMENTS
    - PowerShell 5.1 or higher
    - Local administrator rights for Group Policy changes
    - Microsoft Office installed
.PARAMETER Monitoring
    Checks the current compliance status
.PARAMETER Remediation
    Shows manual configuration instructions
.PARAMETER Revert
    Shows instructions for reverting
.PARAMETER WhatIf
    Shows what would happen without applying changes
.EXAMPLE
    .\restrict-legacy-jscript.ps1 -Monitoring
    Checks whether legacy JScript is restricted
.EXAMPLE
    .\restrict-legacy-jscript.ps1 -Remediation
    Shows instructions for restricting legacy JScript
.NOTES
    Microsoft Security Guide Control: Restrict legacy JScript execution for Office
    Manual configuration required via Group Policy
#>
#Requires -Version 5.1
param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

# Global variables
$ControlID = "MSG-OFFICE-JSCRIPT"

function Test-Compliance {
    # This control requires manual verification; compliance is never reported as confirmed
    return $false
}

function Invoke-Monitoring {
    # Prints the manual verification steps; always returns $false (manual control)
    Write-Host "Monitoring ${ControlID}: Legacy JScript uitvoering beperken voor Office" -ForegroundColor Green
    Write-Host "`nDeze control vereist HANDMATIGE VERIFICATIE:" -ForegroundColor Yellow
    Write-Host ""
    Write-Host "CONTROLE STAPPEN:" -ForegroundColor Cyan
    Write-Host "1. Open Group Policy Management Console (gpedit.msc)" -ForegroundColor White
    Write-Host "2. Navigeer naar: User Configuration > Administrative Templates > Microsoft Office 2016" -ForegroundColor White
    Write-Host "3. Zoek naar: 'Restrict legacy JScript execution for Office'" -ForegroundColor White
    Write-Host "4. Verifieer dat de policy is ingesteld op: Enabled" -ForegroundColor White
    Write-Host ""
    Write-Host "ALTERNATIEF via Registry:" -ForegroundColor Cyan
    Write-Host "Path: HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security" -ForegroundColor White
    Write-Host "Value: DisableVBScript = 1 (indien beschikbaar)" -ForegroundColor White
    return $false
}

function Invoke-Remediation {
    # Prints the manual configuration steps; makes no changes itself
    Write-Host "Remediating ${ControlID}: Legacy JScript uitvoering beperken voor Office" -ForegroundColor Yellow
    Write-Host "`nDeze control vereist HANDMATIGE CONFIGURATIE:" -ForegroundColor Yellow
    Write-Host ""
    Write-Host "REMEDIATION STAPPEN:" -ForegroundColor Cyan
    Write-Host "1. Open Group Policy Management Console (gpedit.msc)" -ForegroundColor White
    Write-Host "2. Navigeer naar: User Configuration > Administrative Templates > Microsoft Office 2016" -ForegroundColor White
    Write-Host "3. Zoek naar: 'Restrict legacy JScript execution for Office'" -ForegroundColor White
    Write-Host "4. Dubbelklik op de policy" -ForegroundColor White
    Write-Host "5. Selecteer: Enabled" -ForegroundColor White
    Write-Host "6. Klik op: OK" -ForegroundColor White
    Write-Host "7. Run 'gpupdate /force' om policy toe te passen" -ForegroundColor White
    Write-Host ""
    Write-Host "RATIONALE:" -ForegroundColor Cyan
    Write-Host "Legacy JScript en VBScript in Office kunnen worden misbruikt voor code execution." -ForegroundColor White
    Write-Host "Deze moeten worden beperkt tot veilige, gecontroleerde contexten." -ForegroundColor White
    return $false
}

function Invoke-Revert {
    # Prints the steps to revert the policy; makes no changes itself
    Write-Host "Reverting ${ControlID}: Legacy JScript beperking herstellen" -ForegroundColor Yellow
    Write-Host "`nHERSTEL STAPPEN:" -ForegroundColor Cyan
    Write-Host "1. Open Group Policy Management Console (gpedit.msc)" -ForegroundColor White
    Write-Host "2. Navigeer naar: User Configuration > Administrative Templates > Microsoft Office 2016" -ForegroundColor White
    Write-Host "3. Zoek naar: 'Restrict legacy JScript execution for Office'" -ForegroundColor White
    Write-Host "4. Dubbelklik op de policy" -ForegroundColor White
    Write-Host "5. Selecteer: Not Configured (of Disabled)" -ForegroundColor White
    Write-Host "6. Klik op: OK" -ForegroundColor White
    Write-Host "7. Run 'gpupdate /force' om policy toe te passen" -ForegroundColor White
    return $false
}

# Main execution
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit 1   # compliance cannot be confirmed automatically: report as non-compliant
    }
    elseif ($Remediation) {
        $result = Invoke-Remediation
        exit 1   # remediation is manual: report as not yet remediated
    }
    elseif ($Revert) {
        $result = Invoke-Revert
        exit 0
    }
    else {
        Write-Host "Gebruik: .\restrict-legacy-jscript.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
        Write-Host "  -Monitoring:  Controleer huidige compliance status" -ForegroundColor White
        Write-Host "  -Remediation: Toon handmatige configuratie instructies" -ForegroundColor White
        Write-Host "  -Revert:      Toon instructies voor herstellen" -ForegroundColor White
        Write-Host "  -WhatIf:      Toon wat er zou gebeuren" -ForegroundColor White
    }
}
catch {
    Write-Host "✗ Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

Risk without implementation

High: Legacy JScript = malware delivery (WSH .js files, no user interaction).

Management Summary

Restrict legacy JScript 5.8 (WSH malware delivery). Modern JavaScript unaffected. Migration: PowerShell. Implementation: 1-4 hours.