πΌ Management Samenvatting
Trust toegang tot VBA Project Object Model blokkeren voorkomt dat VBA code zichzelf kan modificeren of andere workbooks kan infecteren - kritieke defense tegen self-replicating macro malware.
Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
2u (tech: 1u)
Van toepassing op:
β Microsoft Excel
VBA Object Model access is malware replication: VBA code can modify andere workbooks' macros (worm behavior), Self-modifying code (polymorphic malware), Auto-infection (open workbook β macro infects it β spreads). Attack: Macro malware met VBA object model access β infects alle opened workbooks β spreads via network shares β ransomware delivery to entire organization. Zonder block: Macro viruses can spread (1990s-style worms), Polymorphic malware (code changes is AV evasion), Automated infection (no user interaction nadat initial schakel in).
Implementatie
Blokkeer VBA Object Model: Registry: AccessVBOM is 0 (disabled), Effect: VBA code kan niet modify own code of andere workbooks, Legitimate development scenarios: developers need handmatige exception (Vertrouwenscentrum β Trust access), Malware impact: infection stopped (cannot spread to andere workbooks).
Vereisten
- Office 2016+
- Intune configuration profile of GPO
- Developer exception process (if VBA development needed)
Implementatie
Intune Settings Catalog: Excel\Security\Vertrouwenscentrum\Macro Settings β Trust toegang tot de VBA project object model: Disabled (Standaard aanbevolen). Exception: VBA developers can Schakel in manually per machine (not via policy).
Monitoring
Gebruik PowerShell-script trust-vba-project-access-disabled.ps1 (functie Invoke-Monitoring) β Controleren.
Monitor VBA object model access attempts (Office telemetry), investigate enige workbook requiring object model access (malware?).
Compliance en Auditing
VBA object model block: CIS Office Benchmark (Schakel uit VBA object model), BIO 12.02 (Malware replication prevention), ISO 27001 A.12.2.1 (Bescherming tegen malware).
Remediatie
Gebruik PowerShell-script trust-vba-project-access-disabled.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- CIS M365: Control Office Benchmark - VBA (L1) -
- BIO: 12.02.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Schakelt vertrouwde toegang tot Visual Basic Project uit in Excel
.DESCRIPTION
Dit script implementeert CIS control O365-EX-000014 voor het uitschakelen van vertrouwde
toegang tot Visual Basic Project in Microsoft Excel. Dit voorkomt dat macros programmatisch
toegang krijgen tot VBA projecten zonder gebruikersinterventie.
.REQUIREMENTS
- PowerShell 5.1 of hoger
- Lokale administrator rechten voor registry wijzigingen
- Microsoft Excel geΓ―nstalleerd
.PARAMETER Monitoring
Controleert de huidige compliance status
.PARAMETER Remediation
Past de aanbevolen configuratie toe
.PARAMETER Revert
Herstelt de originele configuratie
.PARAMETER WhatIf
Toont wat er zou gebeuren zonder wijzigingen door te voeren
.EXAMPLE
.\trust-vba-project-access-disabled.ps1 -Monitoring
Controleert of VBA Project toegang is uitgeschakeld
.EXAMPLE
.\trust-vba-project-access-disabled.ps1 -Remediation
Schakelt VBA Project toegang uit
.NOTES
Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security
Waarde: AccessVBOM = 0
CIS Control: O365-EX-000014
DISA STIG: Microsoft Office 365 ProPlus v3r3
#>
#Requires -Version 5.1
param(
[switch]$Monitoring,
[switch]$Remediation,
[switch]$Revert,
[switch]$WhatIf
)
# Globale variabelen
$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security"
$ValueName = "AccessVBOM"
$ExpectedValue = 0
$ControlID = "O365-EX-000014"
function Test-Compliance {
try {
if (-not (Test-Path $RegistryPath)) {
return $false
}
$currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue)
}
catch {
return $false
}
}
function Invoke-Monitoring {
Write-Host "Monitoring ${ControlID}: VBA Project toegang uitschakelen" -ForegroundColor Green
try {
if (-not (Test-Path $RegistryPath)) {
Write-Host "β Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red
return $false
}
$currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) {
Write-Host "β Control compliant: ${ValueName} = $ExpectedValue (VBA Project toegang uitgeschakeld)" -ForegroundColor Green
return $true
}
else {
$actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" }
Write-Host "β Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red
return $false
}
}
catch {
Write-Host "β Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red
return $false
}
}
function Invoke-Remediation {
Write-Host "Remediating ${ControlID}: VBA Project toegang uitschakelen" -ForegroundColor Yellow
try {
if ($WhatIf) {
Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan
return $true
}
if (-not (Test-Path $RegistryPath)) {
Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow
New-Item -Path $RegistryPath -Force | Out-Null
}
Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force
Write-Host "β Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green
Start-Sleep -Seconds 1
return Invoke-Monitoring
}
catch {
Write-Host "β Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red
return $false
}
}
function Invoke-Revert {
Write-Host "Reverting ${ControlID}: VBA Project toegang herstellen" -ForegroundColor Yellow
try {
if ($WhatIf) {
Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan
return $true
}
if (Test-Path $RegistryPath) {
Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
Write-Host "β Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green
}
return $true
}
catch {
Write-Host "β Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red
return $false
}
}
# Hoofd uitvoering
try {
if ($Monitoring) {
$result = Invoke-Monitoring
exit $(if ($result) { 0 } else { 1 })
}
elseif ($Remediation) {
$result = Invoke-Remediation
exit $(if ($result) { 0 } else { 1 })
}
elseif ($Revert) {
$result = Invoke-Revert
exit $(if ($result) { 0 } else { 1 })
}
else {
Write-Host "Gebruik: .\trust-vba-project-access-disabled.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White
Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White
Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White
Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White
Write-Host ""
Write-Host "Handmatige configuratie:" -ForegroundColor Cyan
Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Excel 2016" -ForegroundColor White
Write-Host "> Excel Options > Security > Trust Center > Macro Settings" -ForegroundColor White
Write-Host "> Trust access to Visual Basic Project: Disabled" -ForegroundColor White
}
}
catch {
Write-Host "β Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
Risico zonder implementatie
Risico zonder implementatie
High: HOOG: VBA object model access is self-replicating macro malware. Worm-like spread over workbooks/network shares.
Management Samenvatting
Schakel uit Trust toegang tot VBA Project Object Model. voorkomt macro malware replication. Implementatie: 1-2 uur. Low business impact (developers can Schakel in manually if needed).
- Implementatietijd: 2 uur
- FTE required: 0.01 FTE