L1 BIO 12.02.01 CIS Office - Macro security

Publisher: Disable All Macros Except Digitally Signed

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Disable all Publisher macros except digitally signed - ONLY signed macros can run (unsigned macros BLOCKED, no user override).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
3u (tech: 1u)
Van toepassing op:
βœ“ Microsoft Publisher

Publisher macro attacks: Publisher files (.pub): Desktop publishing (newsletters, brochures), VBA macros: Automation (maar RARE in Publisher - mostly used in Excel/Word), Unsigned macros: Malware vector (no verification), Attack: Malicious .pub file (macro malware) β†’ email attachment β†’ user opens β†’ unsigned macro BLOCKED. Signed macros: Code signing certificate (publisher identity verified), Trusted: Certificate in Trusted Publishers β†’ auto-run, Not trusted: User prompt (add to trusted?), Unsigned: BLOCKED (no user override - protection against social engineering). Enterprise: Code-sign internal Publisher templates β†’ push certificate (auto-allow).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Signed macros only: Policy: VBA Macro Notification Settings: Disable all except digitally signed macros, Effect: Unsigned macros: BLOCKED (notification: 'Macros have been disabled'), Signed (trusted): Auto-run, Signed (not trusted): User prompt (trust publisher?), User override: NOT possible (unsigned always blocked).

Vereisten

  1. Publisher 2016+
  2. Code signing infrastructure (if internal macros)
  3. Trusted Publishers: Certificate deployment (GPO/Intune)
  4. Intune of GPO

Implementatie

Intune Settings Catalog: Publisher\Security\Trust Center β†’ VBA Macro Notification Settings: Disable all except digitally signed macros. Certificate deployment: Intune (Trusted Publishers).

Compliance

CIS Office Benchmark L1, BIO 12.02 (Macro blocking), DISA STIG, Microsoft Security Baseline.

Monitoring

Gebruik PowerShell-script macro-notification-signed-only.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script macro-notification-signed-only.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Dwingt alleen digitaal ondertekende macros in Publisher .DESCRIPTION Dit script implementeert CIS control O365-PU-000003 voor het instellen van VBA macro meldingen zodat alleen digitaal ondertekende macros zijn toegestaan in Microsoft Publisher. Dit voorkomt uitvoering van potentieel schadelijke niet-ondertekende macros. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft Publisher geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\macro-notification-signed-only.ps1 -Monitoring Controleert of alleen ondertekende macros zijn toegestaan .EXAMPLE .\macro-notification-signed-only.ps1 -Remediation Dwingt alleen digitaal ondertekende macros .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Publisher\Security Waarde: VBAWarnings = 2 CIS Control: O365-PU-000003 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Publisher\Security" $ValueName = "VBAWarnings" $ExpectedValue = 2 $ControlID = "O365-PU-000003" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Alleen digitaal ondertekende macros toestaan" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (Alleen digitaal ondertekende macros toegestaan)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Alleen digitaal ondertekende macros toestaan" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Macro instellingen herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\macro-notification-signed-only.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Publisher 2016" -ForegroundColor White Write-Host "> Publisher Options > Security > Trust Center > Macro Settings" -ForegroundColor White Write-Host "> VBA Macro Notification Settings: Enabled: Disable all except digitally signed macros" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Unsigned Publisher macros = malware risk.

Management Samenvatting

Publisher macros: Signed ONLY. Unsigned blocked (no override). Code signing required. Implementatie: 1-3 uur.