ISM-1491

Unprivileged users are prevented from running script execution engines, including:
• Windows Script Host (cscript.exe and wscript.exe)
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe)
• Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).

Topic: Hardening operating system configurations
Applicable to: all

History

Priority: Should
Mar 2022
Unprivileged users are prevented from running script execution engines, including:
• Windows Script Host (cscript.exe and wscript.exe)
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe)
• Microsoft Hypertext Markup Language (HTML) Application Host (mshta.exe).
The recommendation to prevent unprivileged users from running script execution engines in Microsoft Windows has been expanded to encompass the use of script execution engines in any operating system.
Oct 2020
Standard users are prevented from running script execution engines in Microsoft Windows, including:
• Windows Script Host (cscript.exe and wscript.exe)
• PowerShell (powershell.exe, powershell_ise.exe and pwsh.exe)
• Command Prompt (cmd.exe)
• Windows Management Instrumentation (wmic.exe)
• Microsoft HTML Application Host (mshta.exe).
Security control 1491 was amended to cover the use of all script engines, not just those native to Microsoft Windows.
Sep 2020
Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe).
Nov 2018
Standard users are prevented from running all script execution engines shipped with Microsoft Windows including Windows Script Host (cscript.exe and wscript.exe), powershell.exe, powershell_ise.exe, cmd.exe, wmic.exe and Microsoft HTML Application Host (mshta.exe).
Added to address a gap in guidance on the use of script execution engines in operating systems.