IE Local Machine Zone Lockdown

💼 Management Summary

IE security: Local zone lockdown

Recommendation: DO_NOT_IMPLEMENT
Risk without implementation: Low
Risk Score: 2/10
Implementation: 0.2 h (tech: 0.1 h)
Applies to: ✓ Internet Explorer

IE11 reached end of life in June 2022; Edge IE Mode is its replacement. Legacy IE security settings are only relevant for IE Mode legacy app compatibility scenarios. STRATEGIC PRIORITY: migrate all IE workloads to Edge. IE security hardening is LEGACY maintenance, not a strategic investment.

Required PowerShell Modules
Primary API: GPO
Connection: N/A
Required Modules:

Implementation

GPO: Local zone lockdown

LEGACY settings - IE11 deprecated. Focus: Edge migration. IE Mode for unavoidable legacy apps only.

Monitoring

Use the PowerShell script local-machine-zone-lockdown-enabled.ps1 (function Invoke-Monitoring) to check the setting.

Remediation

Use the PowerShell script local-machine-zone-lockdown-enabled.ps1 (function Invoke-Remediation) to remediate the setting.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    The Local Machine Zone Lockdown Security must be enabled in all Office programs
.DESCRIPTION
    Implementation for The Local Machine Zone Lockdown Security must be enabled in all Office programs
.NOTES
    Filename: local-machine-zone-lockdown-enabled.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/office/ie-security/local-machine-zone-lockdown-enabled.json
#>

#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "The Local Machine Zone Lockdown Security must be enabled in all Office programs"
$CISControl = "1.1.4.1.6"

function Connect-RequiredServices {
    # Connection logic based on API
}

# Returns a result object; the actual check is not implemented in this template.
function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."

    $result = [PSCustomObject]@{
        ScriptName        = "local-machine-zone-lockdown-enabled"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }

    # Compliance check implementation
    # Based on:
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1

    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    Write-Host " Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Revert {
    Write-Host "`nReverting configuration for: $PolicyName..." -ForegroundColor Cyan
    # Revert implementation
    Write-Host " Configuration reverted" -ForegroundColor Green
    Write-Host "`n[OK] Revert completed" -ForegroundColor Green
}

# Prints a summary of the compliance result and returns it to the caller.
function Invoke-Monitoring {
    $result = Test-Compliance

    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color

    return $result
}

# Entry point: dispatch on the selected switch; default is a plain compliance test.
try {
    Connect-RequiredServices

    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would revert configuration" -ForegroundColor Yellow
        }
        else {
            Invoke-Revert
        }
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}
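
The script above leaves Test-Compliance as a stub. The following is an added example, not part of the baseline's script, of a read-only check that fills the same result fields. It assumes the policy is stored as per-process DWORD values (1 = enabled) under the IE feature control key FEATURE_LOCALMACHINE_LOCKDOWN; the function name Test-LmzLockdown and the process list are illustrative.

```powershell
# Added example (not the baseline's code): read-only check, changes nothing.
# Assumption: the policy is stored as per-process DWORD values (1 = enabled)
# under the IE FeatureControl key below; the process list is an illustrative subset.
$FeatureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$OfficeProcesses = 'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'

function Test-LmzLockdown {
    [CmdletBinding()]
    param(
        [string]$KeyPath = $FeatureKey,
        [string[]]$Processes = $OfficeProcesses
    )

    $result = [PSCustomObject]@{
        ScriptName        = 'local-machine-zone-lockdown-enabled'
        IsCompliant       = $false
        TotalResources    = $Processes.Count
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
    }

    # A missing key (or a key without values) means nothing is configured.
    $values = if (Test-Path -LiteralPath $KeyPath) {
        Get-ItemProperty -LiteralPath $KeyPath
    } else { $null }

    foreach ($proc in $Processes) {
        # Value names contain a dot, so look them up by name instead of dot notation.
        $value = if ($values) { $values.PSObject.Properties[$proc] } else { $null }
        if ($value -and $value.Value -eq 1) {
            $result.CompliantCount++
        } else {
            $state = if ($value) { "set to $($value.Value)" } else { 'not set' }
            $result.NonCompliantCount++
            $result.Details += "${proc}: $state"
        }
    }

    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}

Test-LmzLockdown | Format-List
```

Pass -KeyPath or -Processes to check a different registry location or process set.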

Risk without implementation

Low: N/A - IE deprecated. STRATEGIC: Edge migration plan > IE hardening.

Management Summary

IE LEGACY. Priority: Edge migration, NOT IE hardening.