Applies to: Winfrasoft VPN-Q 2009 Enterprise Edition
Creating a VB Script that performs custom security checks and has the results included with Winfrasoft VPN-Q 2009’s security checks is a 4 step process, described below:
Step 1 – Create a custom VB Script with security checks
Create your own custom VB Script with your own custom security checks that you wish to have performed by the client on the local system. These custom checks can include tests to ensure that a particular piece of software is installed on a VPN client PC, or to query a registry key etc.
NOTE: Winfrasoft can NOT provide support for the functionality of your own custom scripts.
Step 2 – Return Exit Codes from the VB Script for Winfrasoft VPN-Q 2009 to interpret
Winfrasoft VPN-Q 2009 requires the custom VB script to return one of the following Exit Codes, which can then be included with the results of the security checks performed by the Winfrasoft VPN-Q 2009 client software:
| Exit Code | Result |
| 100 | Pass |
| 101 | Warning |
| 0 / Other | Fail |
The following is an example of the syntax to issue an Exit Code from a VB Script; in this case the VB Script returns a Warning code:
WScript.Quit 101
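A complete custom check built on these exit codes, as an added example rather than Winfrasoft's own code: it reads a version string from the registry and maps the outcome to Pass, Warning or Fail, failing on anything it cannot read or parse. The registry path (ExampleVendor\ExampleAgent), the minimum version and the choice to warn on an outdated version are assumptions made for illustration.

```vbscript
Option Explicit
' Exit codes VPN-Q 2009 interprets (see the table above)
Const RESULT_PASS = 100, RESULT_WARNING = 101, RESULT_FAIL = 0
' Hypothetical registry value and minimum version, for illustration only
Const VERSION_VALUE = "HKLM\SOFTWARE\ExampleVendor\ExampleAgent\Version"
Const MIN_VERSION = "2.5.0"

Dim shell, installed
Set shell = CreateObject("WScript.Shell")
installed = ReadRegString(VERSION_VALUE)

If IsNull(installed) Then
    WScript.Quit RESULT_FAIL        ' software missing or value unreadable
ElseIf Not IsDottedVersion(installed) Then
    WScript.Quit RESULT_FAIL        ' unexpected data: do not guess, fail
ElseIf CompareVersions(installed, MIN_VERSION) >= 0 Then
    WScript.Quit RESULT_PASS
Else
    WScript.Quit RESULT_WARNING     ' installed but older than required
End If

' Returns the string value at path, or Null if it is absent or not a string
Function ReadRegString(path)
    Dim v
    ReadRegString = Null
    On Error Resume Next
    v = shell.RegRead(path)
    If Err.Number = 0 And VarType(v) = vbString Then ReadRegString = v
    Err.Clear
End Function

' True only for 1 to 4 dot-separated numeric parts of up to 4 digits each
Function IsDottedVersion(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,4}(\.\d{1,4}){0,3}$"
    IsDottedVersion = re.Test(s)
End Function

' Returns -1, 0 or 1; missing trailing parts count as 0 (2.5 equals 2.5.0)
Function CompareVersions(a, b)
    Dim pa, pb, i, na, nb
    pa = Split(a, ".") : pb = Split(b, ".")
    CompareVersions = 0
    For i = 0 To 3
        na = 0 : nb = 0
        If i <= UBound(pa) Then na = CLng(pa(i))
        If i <= UBound(pb) Then nb = CLng(pb(i))
        If na <> nb Then CompareVersions = Sgn(na - nb) : Exit Function
    Next
End Function
```

To test the script before deploying it, run it with cscript from a command prompt and inspect %ERRORLEVEL% afterwards.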
Step 3 – Configure the Custom Security Check Script policy objects
To enable the Winfrasoft VPN-Q 2009 Client to run the custom VB script, configure the Custom Security Check Script Policy.


This policy setting enables the use of a custom Windows Scripting Host (WSH) script as an additional security check to run on the VPN client. The script can be in VB Script or J Script format and must return a valid check status result; see the Winfrasoft VPN-Q 2009 documentation for further details. If you enable this policy you must specify the full path to the custom security check script. You can also specify any arguments which may be required, as well as the script’s onscreen behaviour.
If you disable or do not configure this policy then no custom security checks are run. It is highly recommended that the script is digitally signed to prevent tampering; see step 4.
Step 4 – Signing the VB Script file (Optional)
Although it is an optional step in the process, it is recommended that all custom security checks are digitally signed to ensure the integrity of the custom check. Digital signing of the VB script ensures that the custom security checks, executed at the client side, perform as designed and that the script has not been modified in an attempt to circumvent it. To ensure that the VB Script executed on the client is signed and untampered, the Custom Security Check Script Signature policy setting must be enabled:
This policy setting instructs the VPN client to verify that the custom security check script has been digitally signed, and that the signature is valid. This protects the script from being modified or tampered with. If you enable this policy the script specified in the Custom Security Check Script policy setting MUST be digitally signed and the signature MUST be valid for the security check to pass. If the signature verification fails then the Custom Security Check will fail, and the script will not be executed. If you disable or do not configure this policy then the script specified in the Custom Security Check Script policy setting does not have to be digitally signed or have a valid signature in order to run.
Note: A signed script which has an invalid signature may still be blocked by the operating system, depending on its configuration or Software Restriction Policy settings.
A Winfrasoft signed sample VB Script can be downloaded here.
To digitally sign a VB Script, please refer to the Microsoft published documentation on the Sign Tool utility: http://msdn2.microsoft.com/en-us/library/8s9b9yaz(VS.80).aspx
Last updated: 25/02/2009