Excel Add-ins: Require a Trusted Publisher for Add-ins

Management Summary

The Excel add-ins Trusted Publisher requirement blocks unsigned or untrusted add-ins (.xll, .xlam), which are executable code with full system access, in order to prevent malware-laced add-ins while legitimate signed add-ins remain allowed.

Recommendation: IMPLEMENT
Risk without: High
Risk Score: 8/10
Implementation: 6h (tech: 2h)
Applies to: ✓ Microsoft Excel

Add-ins are high-risk executables: .XLL add-ins are native DLLs (C/C++ code with full system access); .XLAM add-ins contain VBA macros (automation code); add-ins load automatically (no user prompt if trusted); and add-ins persist across sessions (HKCU\Software\Microsoft\Office\Excel\Addins registry key). Malware delivered via add-ins: keystroke logging, credential theft, a persistence mechanism (survives reboot), data exfiltration. Without the Trusted Publisher requirement: any signed add-in loads (a stolen certificate gives automatic trust), unsigned add-ins can be loaded (if the user accepts the prompt), and there is no certificate validation.

Implementation

Trusted Publisher requirement: add-ins MUST be signed (code signing certificate), the certificate MUST be in the Trusted Publishers store (explicit trust), unsigned add-ins are blocked (no 'Enable' option), and add-ins from untrusted publishers are blocked. Effect: the first add-in from a publisher prompts 'Trust this publisher?', subsequent add-ins from the same publisher load automatically, and corporate add-ins are handled by pre-populating Trusted Publishers via GPO/Intune.

Requirements

  1. Office 2016+
  2. Code signing certificates (for internal add-ins)
  3. Trusted Publishers GPO/Intune distribution
  4. Add-in inventory (which add-ins are in use?)

Implementation

Intune Settings Catalog: Excel\Security\Trust Center → Require that application add-ins are signed by Trusted Publisher: Enabled. Distribute the trusted publisher certificates via GPO (Computer Configuration → Windows Settings → Security Settings → Public Key Policies → Trusted Publishers).

Monitoring

Use the PowerShell script addins-trusted-publisher-required.ps1 (function Invoke-Monitoring) to check the setting.

Monitor blocked add-in attempts (Office telemetry) and audit the Trusted Publishers list (remove unused publishers).
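As an added example, not the baseline's own script and not Microsoft's code, the function below produces the add-in inventory that requirement 4 asks for and the Trusted Publisher audit this monitoring step asks for: it lists the XLL/XLAM add-ins Excel auto-loads for the current user, checks each file's Authenticode signature, and reports whether the signer is in a Trusted Publishers store. The OPEN value layout under the Options key and the RequireAddinSig policy value name are assumptions about how Office 2016+ stores these settings; neither appears on the page.

```powershell
# Added example (not the baseline's script above). Assumptions, not from the page:
# Office 16.0 stores auto-load add-ins as OPEN, OPEN1, OPEN2, ... values under the
# Options key, and the ADMX policy "Require that application add-ins are signed by
# Trusted Publisher" is stored as RequireAddinSig = 1 under the Security policy key.
function Get-ExcelAddinTrustReport {
    [CmdletBinding()]
    param(
        [string]$OptionsKey = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Options',
        [string]$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
    )

    # Is the control enforced for this user? 1 = block unsigned / untrusted-publisher add-ins.
    $policy   = Get-ItemProperty -Path $PolicyKey -Name 'RequireAddinSig' -ErrorAction SilentlyContinue
    $enforced = [bool]($policy -and $policy.RequireAddinSig -eq 1)

    # Every certificate explicitly trusted, per user and machine-wide (the GPO/Intune-distributed ones).
    $trustedThumbs = @(Get-ChildItem -Path 'Cert:\CurrentUser\TrustedPublisher', 'Cert:\LocalMachine\TrustedPublisher' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Thumbprint)

    $options = Get-ItemProperty -Path $OptionsKey -ErrorAction SilentlyContinue
    $props   = if ($options) { $options.PSObject.Properties } else { @() }
    $addins  = foreach ($prop in $props) {
        if ($prop.Name -notmatch '^OPEN\d*$') { continue }
        # Values look like: /R "C:\Tools\Reports.xll"  (the /R switch means open read-only)
        $path  = ($prop.Value -replace '^/R\s*', '').Trim('"')
        $sig   = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $thumb = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        $trusted = [bool]($thumb -and ($trustedThumbs -contains $thumb))
        [pscustomobject]@{
            RegistryValue    = $prop.Name
            Path             = $path
            SignatureStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Signer           = if ($thumb) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            TrustedPublisher = $trusted
            # What the policy does with it: only a valid signature from a trusted publisher loads.
            LoadsUnderPolicy = [bool]($sig -and $sig.Status -eq 'Valid' -and $trusted)
        }
    }

    [pscustomobject]@{ PolicyEnforced = $enforced; AddIns = @($addins) }
}

# Usage: rows with LoadsUnderPolicy = False are the add-ins that will stop working once the
# policy is enforced, i.e. the ones to sign or to have their publisher distributed first.
$report = Get-ExcelAddinTrustReport
"RequireAddinSig enforced: $($report.PolicyEnforced)"
$report.AddIns | Format-Table RegistryValue, SignatureStatus, TrustedPublisher, LoadsUnderPolicy, Path -AutoSize
```

Run it in the user's own session (the Options key and the CurrentUser store are per user); COM add-ins registered under the Addins key are a separate inventory not covered here.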

Compliance and Auditing

Add-in security satisfies: CIS Office Benchmark (add-in trust settings), BIO 12.06 (software execution controls), ISO 27001 A.14.2.1 (secure development: code signing), NIST SP 800-53 CM-7 (least functionality: block unsigned code).

Remediation

Use the PowerShell script addins-trusted-publisher-required.ps1 (function Invoke-Remediation) to apply the setting.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
================================================================================
OFFICE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
Excel - VBA Macros: Only Digitally Signed Allowed
.DESCRIPTION
DISA STIG Control: O365-EX-000002
Checks that VBA macros that are not digitally signed are blocked in Microsoft Excel.
Only macros from trusted publishers are allowed.
Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security
Registry Value: VBAWarnings
Expected Value: 2 (Disable all except digitally signed macros)
.NOTES
Filename: addins-trusted-publisher-required.ps1
Author: Nederlandse Baseline voor Veilige Cloud
Version: 1.0
DISA STIG: O365-EX-000002
.PARAMETER Monitoring
Checks the current registry setting
.PARAMETER Remediation
Applies the registry setting
.PARAMETER Revert
Removes the registry setting
.EXAMPLE
.\addins-trusted-publisher-required.ps1 -Monitoring
#>
#Requires -Version 5.1
[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert,
    [Parameter()][switch]$WhatIf
)

$ErrorActionPreference = 'Stop'
$PolicyName = "Excel - VBA Macros: Alleen Digitaal Ondertekende"
$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security"
$RegistryValueName = "VBAWarnings"
$ExpectedValue = 2

# Reads the policy value and compares it with the expected value.
function Test-Compliance {
    try {
        if (-not (Test-Path $RegistryPath)) {
            return @{ IsCompliant = $false; RegistryPathExists = $false; CurrentValue = $null; ExpectedValue = $ExpectedValue }
        }
        $regValue = Get-ItemProperty -Path $RegistryPath -Name $RegistryValueName -ErrorAction SilentlyContinue
        $currentValue = if ($regValue) { $regValue.$RegistryValueName } else { $null }
        return @{
            IsCompliant = ($currentValue -eq $ExpectedValue)
            RegistryPathExists = $true
            CurrentValue = $currentValue
            ExpectedValue = $ExpectedValue
        }
    } catch {
        return @{ IsCompliant = $false; Error = $_.Exception.Message }
    }
}

# Reports the current state without changing anything.
function Invoke-Monitoring {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "Nederlandse Baseline voor Veilige Cloud" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    $result = Test-Compliance
    Write-Host "`nRegistry Path: $RegistryPath" -ForegroundColor Gray
    Write-Host "Value Name: $RegistryValueName" -ForegroundColor Gray
    Write-Host "Expected Value: $($result.ExpectedValue) (Disable except signed)" -ForegroundColor Gray
    if (-not $result.RegistryPathExists) {
        Write-Host "`nStatus: [FAIL] NON-COMPLIANT" -ForegroundColor Red
        Write-Host "Registry path does not exist" -ForegroundColor Yellow
        return $result
    }
    Write-Host "Current Value: $($result.CurrentValue)" -ForegroundColor $(if ($result.IsCompliant) { 'Green' } else { 'Red' })
    if ($result.IsCompliant) {
        Write-Host "`nStatus: [OK] COMPLIANT" -ForegroundColor Green
    } else {
        Write-Host "`nStatus: [FAIL] NON-COMPLIANT" -ForegroundColor Red
    }
    return $result
}

# Creates the policy key if needed and writes the expected value.
function Invoke-Remediation {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "REMEDIATION: $PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    try {
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "`nCreating registry path..." -ForegroundColor Yellow
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host "[OK] Registry path created" -ForegroundColor Green
        }
        Write-Host "`nSetting registry value..." -ForegroundColor Yellow
        Set-ItemProperty -Path $RegistryPath -Name $RegistryValueName -Value $ExpectedValue -Type DWord -Force
        Write-Host "[OK] VBAWarnings = $ExpectedValue configured" -ForegroundColor Green
        Start-Sleep -Milliseconds 500
        return Test-Compliance
    } catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

# Removes the policy value again (the key itself is left in place).
function Invoke-Revert {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "REVERT: $PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    try {
        if (Test-Path $RegistryPath) {
            $regValue = Get-ItemProperty -Path $RegistryPath -Name $RegistryValueName -ErrorAction SilentlyContinue
            if ($regValue) {
                Remove-ItemProperty -Path $RegistryPath -Name $RegistryValueName -Force
                Write-Host "[OK] Registry value removed" -ForegroundColor Green
            }
        }
    } catch {
        Write-Host "[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

# Entry point: exit code 0 = compliant, 1 = non-compliant, 2 = script error.
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result.IsCompliant) { 0 } else { 1 })
    } elseif ($Revert) {
        Invoke-Revert
        exit 0
    } else {
        Write-Host "`nUsage: .\addins-trusted-publisher-required.ps1 [-Monitoring] [-Remediation] [-Revert]" -ForegroundColor Yellow
    }
} catch {
    Write-Error "Script failed: $_"
    exit 2
}

Risk without implementation

High: Unsigned/untrusted add-ins have full system access (DLL execution). Malware persistence, credential theft, data exfiltration.

Management Summary

Require a trusted publisher for Excel add-ins. Block unsigned add-ins. Sign corporate add-ins and distribute the trusted publishers. Implementation: 2-6 hours.