L2 BIO 12.02.01 CIS Office Benchmark - File Block

Excel: Block Excel 4 Workbooks En Add-ins

πŸ“… 2025-10-30
β€’
⏱️ 4 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Block Excel 4 workbooks (.xlw) en add-ins (.xla) - extreme legacy formats (Excel 4.0 van 1992) die NO legitimate business purpose hebben en gebruikt worden door malware voor obfuscation.

Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
1.5u (tech: 1u)
Van toepassing op:
βœ“ Microsoft Excel

Excel 4 formats is 30+ jaar oud, NO modern business use, malware gebruikt legacy formats omdat: Low antivirus detectie, Bypasses modern beveiligingscontroles, Users don't recognize as dangerous. Blocked formats: .xlw (Excel 4 workbooks), .xla (Excel 4 add-ins - executable code), .xlm (macro sheets).

Implementatie

File Block Settings: Block Excel 4 formats completely (open blocked, save blocked), Users see error: 'Deze file type is geweest blocked', nul business impact (NO legitimate .xlw/.xla files in 2025).

Vereisten

  1. Office 2016+
  2. Intune configuration profile of GPO

Implementatie

Intune Settings Catalog β†’ Excel\Security\Vertrouwenscentrum\File Block Settings β†’ Excel 4 workbooks: Block (open/save), Excel 4 add-ins: Block.

monitoring

Gebruik PowerShell-script excel4-macros-addins-blocked.ps1 (functie Invoke-Monitoring) – Controleren.

monitor blocked file attempts (zou moeten zijn nul - if any: investigate malware).

Compliance en Auditing

Legacy format blocking: CIS Office Benchmark (File Block Settings), BIO 12.02 (aanvalsoppervlak reduction).

Remediatie

Gebruik PowerShell-script excel4-macros-addins-blocked.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Blokkeert Excel 4 macrosheets en add-in bestanden voor Open/Save operaties .DESCRIPTION Dit script implementeert CIS control O365-EX-000028 voor het blokkeren van Excel 4 macrosheets en add-in bestanden in Microsoft Excel. Deze legacy bestandsformaten kunnen beveiligingsrisico's vormen en moeten worden geblokkeerd. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft Excel geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\excel4-macros-addins-blocked.ps1 -Monitoring Controleert of Excel 4 macrosheets en add-ins zijn geblokkeerd .EXAMPLE .\excel4-macros-addins-blocked.ps1 -Remediation Blokkeert Excel 4 macrosheets en add-in bestanden .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security\FileBlock\ExcelFiles Waarde: Excel4MacroSheetsAndAddins = 1 CIS Control: O365-EX-000028 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security\FileBlock\ExcelFiles" $ValueName = "Excel4MacroSheetsAndAddins" $ExpectedValue = 1 $ControlID = "O365-EX-000028" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Excel 4 macrosheets en add-ins blokkeren" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (Excel 4 macrosheets en add-ins geblokkeerd)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Excel 4 macrosheets en add-ins blokkeren" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Excel 4 macrosheets en add-ins blokkering herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\excel4-macros-addins-blocked.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Excel 2016" -ForegroundColor White Write-Host "> Excel Options > Security > Trust Center > File Block Settings" -ForegroundColor White Write-Host "> Excel 4 macrosheets and add-in files: Enabled: Open/Save blocked, use open policy" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: Excel 4 formats misbruikt door malware. NO business impact (30 jaar oud).

Management Samenvatting

Blokkeer Excel 4 workbooks (.xlw) en add-ins (.xla). Legacy 1992 formats. nul business use. Implementatie: 1 uur.