My Favourite Security-focused GPO: Stopping Script Execution with File Associations

Kostas · 4 min read · Nov 4, 2024

Some time ago, I stumbled upon an excellent post by Red Canary[1] that introduced a clever method to prevent users from accidentally executing malicious scripts. They suggested changing file associations so that when users double-click on scripts, they open in Notepad instead of running. While their approach is insightful, I noticed that applying their method domain-wide through Group Policy wasn’t as straightforward as it could be[2].

After searching around and not finding a straightforward guide on implementing this across an entire Active Directory domain, I decided to put together this post. Changing default file associations to block script execution is one of the safest policies you can apply, and it can significantly reduce the risk of users unintentionally running malicious scripts.

If you don’t have Medium Premium, you can read this post here: https://kostas-ts.medium.com/59a05b6d181e?source=friends_link&sk=4e8aed8c955d15c94f0434bda0a5aab7

Why Change File Associations?

Script file types such as .js, .vbs, and .bat are frequently abused by attackers. They are typically used in the early stages of an intrusion (T1059, Command and Scripting Interpreter) to download the next stage or to launch malware that is already present on disk. By changing the default action for these file types from executing to opening in Notepad, we can:
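As an added example, not code from this post or from Red Canary, this is the per-host registry change that a Group Policy Preferences registry item or a startup script would push out; it assumes the machine-wide HKLM:\SOFTWARE\Classes half of HKCR and the listed Windows script ProgIDs, and it reports the current state before touching anything.

```powershell
# Added example (not from the original post): point the shell "open" verb of common
# script ProgIDs at Notepad so a double-click views the file instead of executing it.
# Assumptions: run elevated on a test host first; HKLM:\SOFTWARE\Classes is the
# machine-wide half of HKCR, which is what a GPO registry item would populate.
# Per-user overrides under HKCU:\Software\Classes are deliberately left alone.

$ProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'batfile', 'cmdfile'
$NotepadCommand = '"%SystemRoot%\system32\notepad.exe" "%1"'

function Get-ScriptOpenCommand {
    # Audit step: show what each ProgID currently does on double-click.
    foreach ($id in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$id\shell\open\command"
        $current = $null
        if (Test-Path $key) { $current = (Get-ItemProperty -Path $key).'(default)' }
        if (-not $current) { $current = '<not set>' }
        [pscustomobject]@{
            ProgId         = $id
            OpenCommand    = $current
            OpensInNotepad = ($current -like '*notepad.exe*')
        }
    }
}

function Set-ScriptOpenToNotepad {
    # Enforcement step; supports -WhatIf so the change can be dry-run first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($id in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$id\shell\open\command"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess($key, "set (default) to $NotepadCommand")) {
            # REG_EXPAND_SZ so %SystemRoot% is expanded by the shell at launch time.
            Set-ItemProperty -Path $key -Name '(default)' -Value $NotepadCommand -Type ExpandString
        }
    }
}

Get-ScriptOpenCommand | Format-Table -AutoSize
Set-ScriptOpenToNotepad -WhatIf   # remove -WhatIf to apply the change
```

This only changes the shell's double-click verb: scripts started explicitly through wscript.exe, cscript.exe or cmd.exe still run, and a per-user entry under HKCU:\Software\Classes takes precedence over the machine-wide value, so both should be covered by the monitoring or the GPO that deploys this.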
