Access Add-ins: Require a Trusted Publisher for Add-ins

💼 Management Summary

The trusted publisher requirement for Access add-ins blocks unsigned add-ins, preventing malware from being delivered through database add-ons.

Recommendation: IMPLEMENT
Risk without implementation: High
Risk Score: 7/10
Implementation: 4h (tech: 2h)
Applies to: ✓ Microsoft Access

Access add-ins (.accda) contain executable code that runs with database access. Without a trusted publisher requirement, unsigned add-ins can steal credentials, exfiltrate data, or drop malware.

Implementation

Require signed add-ins from trusted publishers only. Unsigned or untrusted add-ins are blocked.

Requirements

  1. Office 2016+
  2. Code signing certificates
  3. Distribution of the trusted publisher certificates

Implementation

Intune Settings Catalog: Access\Security\Trust Center → Require that application add-ins are signed by Trusted Publisher: Enabled.

Compliance and Auditing

CIS Office Benchmark, BIO 12.06 (Software controls).

Monitoring

Use the PowerShell script addins-trusted-publisher-required.ps1 (function Invoke-Monitoring) to check compliance.

Remediation

Use the PowerShell script addins-trusted-publisher-required.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
================================================================================
OFFICE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
Access - VBA Macros: Only Digitally Signed Allowed

.DESCRIPTION
DISA STIG Control: O365-AC-000003
Checks that VBA macros that are not digitally signed are blocked in Microsoft Access.
This prevents execution of potentially malicious macros.

Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\Access\Security\TrustCenter
Registry Value: VBAWarnings
Expected Value: 2 (Disable all except digitally signed macros)

.NOTES
Filename: addins-trusted-publisher-required.ps1
Author: Nederlandse Baseline voor Veilige Cloud
Version: 1.0
DISA STIG: O365-AC-000003

.PARAMETER Monitoring
Checks the current registry setting

.PARAMETER Remediation
Sets the registry setting to the recommended value

.PARAMETER Revert
Removes the registry setting (back to default)

.EXAMPLE
.\addins-trusted-publisher-required.ps1 -Monitoring
Checks the current VBAWarnings setting

.EXAMPLE
.\addins-trusted-publisher-required.ps1 -Remediation
Configures VBAWarnings = 2
#>

#Requires -Version 5.1

[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert,
    [Parameter()][switch]$WhatIf
)

$ErrorActionPreference = 'Stop'

$PolicyName        = "Access - VBA Macros: Alleen Digitaal Ondertekende"
$RegistryPath      = "HKCU:\Software\Policies\Microsoft\Office\16.0\Access\Security\TrustCenter"
$RegistryValueName = "VBAWarnings"
$ExpectedValue     = 2

function Test-Compliance {
    try {
        if (-not (Test-Path $RegistryPath)) {
            return @{ IsCompliant = $false; RegistryPathExists = $false; CurrentValue = $null; ExpectedValue = $ExpectedValue }
        }

        $regValue = Get-ItemProperty -Path $RegistryPath -Name $RegistryValueName -ErrorAction SilentlyContinue
        $currentValue = if ($regValue) { $regValue.$RegistryValueName } else { $null }

        return @{
            IsCompliant        = ($currentValue -eq $ExpectedValue)
            RegistryPathExists = $true
            CurrentValue       = $currentValue
            ExpectedValue      = $ExpectedValue
        }
    } catch {
        return @{ IsCompliant = $false; Error = $_.Exception.Message }
    }
}

function Invoke-Monitoring {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "Nederlandse Baseline voor Veilige Cloud" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan

    $result = Test-Compliance

    Write-Host "`nRegistry Path: $RegistryPath" -ForegroundColor Gray
    Write-Host "Value Name: $RegistryValueName" -ForegroundColor Gray
    Write-Host "Expected Value: $($result.ExpectedValue) (Disable except signed)" -ForegroundColor Gray

    if (-not $result.RegistryPathExists) {
        Write-Host "`nStatus: [FAIL] NON-COMPLIANT" -ForegroundColor Red
        Write-Host "Registry path does not exist" -ForegroundColor Yellow
        return $result
    }

    Write-Host "Current Value: $($result.CurrentValue)" -ForegroundColor $(if ($result.IsCompliant) { 'Green' } else { 'Red' })

    if ($result.IsCompliant) {
        Write-Host "`nStatus: [OK] COMPLIANT" -ForegroundColor Green
    } else {
        Write-Host "`nStatus: [FAIL] NON-COMPLIANT" -ForegroundColor Red
        Write-Host "Run with -Remediation to fix" -ForegroundColor Yellow
    }

    return $result
}

function Invoke-Remediation {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "REMEDIATION: $PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan

    try {
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "`nCreating registry path..." -ForegroundColor Yellow
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host "[OK] Registry path created" -ForegroundColor Green
        }

        Write-Host "`nSetting registry value..." -ForegroundColor Yellow
        Set-ItemProperty -Path $RegistryPath -Name $RegistryValueName -Value $ExpectedValue -Type DWord -Force
        Write-Host "[OK] VBAWarnings = $ExpectedValue configured" -ForegroundColor Green

        Start-Sleep -Milliseconds 500
        $verification = Test-Compliance

        if ($verification.IsCompliant) {
            Write-Host "`n[OK] Verification successful - COMPLIANT" -ForegroundColor Green
        } else {
            Write-Host "`n⚠️ Verification failed" -ForegroundColor Red
        }

        return $verification
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

function Invoke-Revert {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "REVERT: $PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan

    try {
        if (Test-Path $RegistryPath) {
            $regValue = Get-ItemProperty -Path $RegistryPath -Name $RegistryValueName -ErrorAction SilentlyContinue
            if ($regValue) {
                Remove-ItemProperty -Path $RegistryPath -Name $RegistryValueName -Force
                Write-Host "[OK] Registry value removed" -ForegroundColor Green
            } else {
                Write-Host "Registry value not set" -ForegroundColor Gray
            }
        } else {
            Write-Host "Registry path does not exist" -ForegroundColor Gray
        }
    } catch {
        Write-Host "[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result.IsCompliant) { 0 } else { 1 })
    } elseif ($Revert) {
        Invoke-Revert
        exit 0
    } else {
        Write-Host "`nAvailable parameters:" -ForegroundColor Yellow
        Write-Host "  -Monitoring  : Check compliance status" -ForegroundColor White
        Write-Host "  -Remediation : Apply recommended configuration" -ForegroundColor White
        Write-Host "  -Revert      : Remove setting" -ForegroundColor White
    }
} catch {
    Write-Error "Script failed: $_"
    exit 2
}
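The script above tests the VBAWarnings macro setting. The added check below, which is not part of the page or its script, reports whether the add-in signing requirement this control describes is actually enforced for Access, and which publishers would currently pass it: Office consults the Windows Trusted Publishers certificate stores, so an enabled policy combined with an empty or expired store blocks every add-in. The registry value name RequireAddinSig and its enabled value 1 are assumed from the Office 2016+ ADMX templates.

```powershell
# Added example, not the page's own script. Read-only: it changes nothing.
function Get-AccessAddinSigningPosture {
    [CmdletBinding()]
    param(
        # Policy location for Access 2016+; value name assumed from the Office ADMX templates.
        [string]$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Access\Security',
        [string]$ValueName  = 'RequireAddinSig'
    )

    # 1. Is "Require that application add-ins are signed by Trusted Publisher" enforced?
    $policyValue = $null
    if (Test-Path $PolicyPath) {
        $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $policyValue = [int]$item.$ValueName }
    }

    # 2. Which publishers are trusted for this user and machine? Only add-ins signed
    #    with one of these certificates load without a prompt once the policy is on.
    $stores = 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher'
    $publishers = Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                Store      = $_.PSParentPath -replace '^.*::', ''
                Expired    = ($_.NotAfter -lt (Get-Date))
            }
        }

    [pscustomobject]@{
        PolicyEnforced    = ($policyValue -eq 1)
        PolicyValue       = $policyValue          # $null when the policy is not configured
        TrustedPublishers = @($publishers)
        ExpiredPublishers = @($publishers | Where-Object Expired).Count
    }
}

$posture = Get-AccessAddinSigningPosture
if (-not $posture.PolicyEnforced) {
    Write-Warning "Access does not require add-ins to be signed by a trusted publisher (value: $($posture.PolicyValue))."
}
if ($posture.PolicyEnforced -and $posture.TrustedPublishers.Count -eq 0) {
    Write-Warning "Policy is enforced but no trusted publishers are installed: all add-ins will be blocked."
}
"Trusted publishers: $($posture.TrustedPublishers.Count) (expired: $($posture.ExpiredPublishers))"
$posture.TrustedPublishers | Format-Table Subject, Store, Expired -AutoSize
```

The second warning is the operational check to run before rolling the policy out: distribute the code-signing certificates to the Trusted Publishers store (requirement 3 above) first, otherwise existing signed add-ins stop loading.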

Risk without implementation

High: unsigned Access add-ins enable malware and data theft.

Management Summary

Require a trusted publisher for Access add-ins. Implementation: 2-4 hours.