Excel: Prompt Before Updating Automatic Links

💼 Management Summary

Prompting before automatic links are updated prevents Excel files from automatically connecting to external data sources (network shares, URLs, other workbooks) without user consent, which blocks data exfiltration and DDE attacks.

Recommendation: Implement
Risk without: Medium
Risk Score: 6/10
Implementation: 3h (tech: 1h)
Applies to: ✓ Microsoft Excel

Automatic links are a security risk. They include external workbook links (=\\server\share\file.xlsx!A1 formulas), URL connections (web queries to malicious sites), DDE connections (legacy, can execute commands), and OLE object updates (embedded files).

Attack scenarios: a phishing Excel file links to an attacker server (credential harvesting via SMB); malicious formulas make WEBSERVICE() calls to exfiltrate data; DDE exploits (CVE-2017-11882 era, now patched but a legacy risk).

Without a prompt: links update automatically upon file open (no user warning), external connections are established (network traffic to unknown servers), and data exfiltration is possible (formulas send cell data to an attacker URL).

Implementation

Update Links prompt. Registry: WorkbookLinkWarnings is 2 (enable with notification). Effect: a file with external links triggers the prompt 'This workbook contains links to other data sources...'. The user chooses Update (connect to external sources) or Don't Update (open offline). Network activity is blocked until the user consents.

Requirements

  1. Office 2016+
  2. Intune configuration profile or GPO
  3. User training (understand external links risk)

Implementation

Intune Settings Catalog: Excel\Security\Trust Center\External Content → Prompt user on automatic update for Workbook Links: Enabled. Users see the prompt 'Enable automatic update of links?' with a security warning.

Monitoring

Use the PowerShell script ask-update-automatic-links.ps1 (function Invoke-Monitoring) to check the setting.

Monitor external link usage (audit workbooks with links) and investigate suspicious external connections (unknown URLs, network shares).
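
One way to audit workbooks with links, as an added example that is not part of ask-update-automatic-links.ps1: it reads the xl/externalLinks parts of an Office Open XML workbook without opening it in Excel and reports workbook/UNC, URL and DDE link targets. The function name Get-WorkbookExternalLink, the sample file name and the host fileserver.example are assumptions made for illustration.

```powershell
# Added example (not part of ask-update-automatic-links.ps1): list the external
# link targets stored in a workbook without opening it in Excel.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Get-WorkbookExternalLink {
    param([Parameter(Mandatory)][string]$Path)
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit   # untrusted input: reject DTDs
    $zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path -LiteralPath $Path).ProviderPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike 'xl/externalLinks/*') { continue }
            $stream = $entry.Open()
            try {
                $doc = [System.Xml.XmlDocument]::new()
                $doc.Load([System.Xml.XmlReader]::Create($stream, $settings))
            } finally { $stream.Dispose() }
            # Relationship parts (*.rels) hold the target of each workbook or web link
            foreach ($rel in $doc.Relationships.Relationship) {
                if ($rel.TargetMode -ne 'External') { continue }
                $kind = switch -Regex ($rel.Target) {
                    '^(file:|\\\\)' { 'File/UNC'; break }
                    '^https?:'      { 'URL'; break }
                    default         { 'Other' }
                }
                [pscustomobject]@{ Kind = $kind; Target = $rel.Target; Part = $entry.FullName }
            }
            # DDE links have no relationship target; service and topic sit in the link part itself
            $dde = $doc.externalLink.ddeLink
            if ($dde) {
                [pscustomobject]@{ Kind = 'DDE'; Target = "$($dde.ddeService)|$($dde.ddeTopic)"; Part = $entry.FullName }
            }
        }
    } finally { $zip.Dispose() }
}

# Constructed sample: a minimal package holding one external-link relationship part
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-sample.xlsx'
Remove-Item -LiteralPath $sample -ErrorAction SilentlyContinue
$rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/externalLinkPath" Target="file:///\\fileserver.example\share\budget.xlsx" TargetMode="External"/></Relationships>'
$new = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
$w = [System.IO.StreamWriter]::new($new.CreateEntry('xl/externalLinks/_rels/externalLink1.xml.rels').Open())
$w.Write($rels); $w.Dispose(); $new.Dispose()
Get-WorkbookExternalLink -Path $sample | Format-Table Kind, Target, Part
```

Legacy binary .xls files are not ZIP packages and are not covered by this check.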

Compliance and Auditing

External link controls comply with: CIS Office Benchmark (External content controls), BIO 13.02 (Network security - unauthorized connections), ISO 27001 A.13.2.1 (Information transfer controls).

Remediation

Use the PowerShell script ask-update-automatic-links.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
================================================================================
OFFICE POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
================================================================================
.SYNOPSIS
    Excel - Ask to Update Automatic Links

.DESCRIPTION
    DISA STIG Control: O365-EX-000016

    Checks that Excel asks before updating automatic links.
    This prevents automatic data extraction via malicious links.

    Registry Path: HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Options
    Registry Value: UpdateLinks
    Expected Value: 1 (Enabled - ask before updating)

.NOTES
    Filename: ask-update-automatic-links.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    DISA STIG: O365-EX-000016

.PARAMETER Monitoring
    Checks the current registry setting

.PARAMETER Remediation
    Applies the registry setting

.PARAMETER Revert
    Removes the registry setting

.EXAMPLE
    .\ask-update-automatic-links.ps1 -Monitoring
#>

#Requires -Version 5.1

[CmdletBinding()]
param(
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert,
    [Parameter()][switch]$WhatIf
)

$ErrorActionPreference = 'Stop'
$PolicyName = "Excel - Ask to Update Automatic Links"
$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Options"
$RegistryValueName = "UpdateLinks"
$ExpectedValue = 1

# Reads the policy value and compares it with the expected value
function Test-Compliance {
    try {
        if (-not (Test-Path $RegistryPath)) {
            return @{ IsCompliant = $false; RegistryPathExists = $false; CurrentValue = $null; ExpectedValue = $ExpectedValue }
        }

        $regValue = Get-ItemProperty -Path $RegistryPath -Name $RegistryValueName -ErrorAction SilentlyContinue
        $currentValue = if ($regValue) { $regValue.$RegistryValueName } else { $null }

        return @{
            IsCompliant        = ($currentValue -eq $ExpectedValue)
            RegistryPathExists = $true
            CurrentValue       = $currentValue
            ExpectedValue      = $ExpectedValue
        }
    }
    catch {
        return @{ IsCompliant = $false; Error = $_.Exception.Message }
    }
}

# Reports the current state; makes no changes
function Invoke-Monitoring {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "Nederlandse Baseline voor Veilige Cloud" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan

    $result = Test-Compliance

    Write-Host "`nRegistry Path: $RegistryPath" -ForegroundColor Gray
    Write-Host "Value Name: $RegistryValueName" -ForegroundColor Gray
    Write-Host "Expected Value: $($result.ExpectedValue) (Ask before updating)" -ForegroundColor Gray

    if (-not $result.RegistryPathExists) {
        Write-Host "`nStatus: [FAIL] NON-COMPLIANT" -ForegroundColor Red
        return $result
    }

    Write-Host "Current Value: $($result.CurrentValue)" -ForegroundColor $(if ($result.IsCompliant) { 'Green' } else { 'Red' })

    if ($result.IsCompliant) {
        Write-Host "`nStatus: [OK] COMPLIANT" -ForegroundColor Green
    }
    else {
        Write-Host "`nStatus: [FAIL] NON-COMPLIANT" -ForegroundColor Red
    }

    return $result
}

# Creates the policy key if needed and writes the expected value
function Invoke-Remediation {
    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "REMEDIATION: $PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan

    try {
        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host "[OK] Registry path created" -ForegroundColor Green
        }

        Set-ItemProperty -Path $RegistryPath -Name $RegistryValueName -Value $ExpectedValue -Type DWord -Force
        Write-Host "[OK] UpdateLinks = $ExpectedValue configured" -ForegroundColor Green

        Start-Sleep -Milliseconds 500
        return Test-Compliance
    }
    catch {
        Write-Host "`n[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

# Removes the policy value again
function Invoke-Revert {
    try {
        if (Test-Path $RegistryPath) {
            $regValue = Get-ItemProperty -Path $RegistryPath -Name $RegistryValueName -ErrorAction SilentlyContinue
            if ($regValue) {
                Remove-ItemProperty -Path $RegistryPath -Name $RegistryValueName -Force
                Write-Host "[OK] Registry value removed" -ForegroundColor Green
            }
        }
    }
    catch {
        Write-Host "[FAIL] ERROR: $_" -ForegroundColor Red
        throw
    }
}

# Entry point: exit 0 = compliant, 1 = non-compliant, 2 = script error
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result.IsCompliant) { 0 } else { 1 })
    }
    elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result.IsCompliant) { 0 } else { 1 })
    }
    elseif ($Revert) {
        Invoke-Revert
        exit 0
    }
    else {
        Write-Host "`nUsage: .\ask-update-automatic-links.ps1 [-Monitoring] [-Remediation] [-Revert]" -ForegroundColor Yellow
    }
}
catch {
    Write-Error "Script failed: $_"
    exit 2
}

Risk without implementation

Medium: automatic external links enable data exfiltration, credential harvesting (SMB connections), and unauthorized network activity.

Management Summary

Prompt before updating Excel external links. User consent is REQUIRED for external connections. Blocks automatic data exfiltration. Implementation: 1-3 hours.