L1 BIO 13.01.01 ISO A.12.6.1 CIS Security Controls

IE Restrict File Download

📅 2025-10-30

•

⏱️ 1 minuten lezen

•

🟢 Nice-to-Have

💼 Management Samenvatting

IE security: File download restrictions

Aanbeveling

DO_NOT_IMPLEMENT

Risico zonder

Low

Risk Score

2/10

Implementatie

0.2u (tech: 0.1u)

Van toepassing op:

✓ Internet Explorer

IE11 end-of-life juni 2022. Edge IE Mode replacement. Legacy IE security regelen alleen relevant voor IE Mode legacy app compatibility scenarios. STRATEGIC PRIORITY: Migrate alle IE workloads naar Edge. IE security hardening is LEGACY maintenance, niet strategic investment.

PowerShell Modules Vereist

Primary API: GPO
Connection: N/A
Required Modules:

Implementatie

GPO: File download restrictions

Implementatie

LEGACY regelen - IE11 deprecated. Focus: Edge migration. IE Mode voor unavoidable legacy apps only.

Monitoring

Gebruik PowerShell-script restrict-file-download-enabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script restrict-file-download-enabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

CIS M365: Control Security Controls (L1) - Security hardening
BIO: 13.01.01 - Technical security measures
ISO 27001:2022: A.12.6.1 - Technical vulnerability management

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Restrict File Download must be enabled in all Office programs

.DESCRIPTION
    Implementation for Restrict File Download must be enabled in all Office programs
    
.NOTES
    Filename:       restrict-file-download-enabled.ps1
    Author:         Nederlandse Baseline voor Veilige Cloud
    Version:        1.0
    Related JSON:   content/office/ie-security/restrict-file-download-enabled.json
#>

#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Restrict File Download must be enabled in all Office programs"
$CISControl = "1.1.4.1.12"


function Connect-RequiredServices {
    # Connection logic based on API
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."
    
    $result = [PSCustomObject]@{
        ScriptName = "restrict-file-download-enabled"
        PolicyName = $PolicyName
        IsCompliant = $false
        TotalResources = 0
        CompliantCount = 0
        NonCompliantCount = 0
        Details = @()
        Recommendations = @()
    }
    
    # Compliance check implementation
    # Based on: 
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1
    
    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    
    # Remediation implementation
    Write-Host "  Configuration applied" -ForegroundColor Green
    
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
} }

function Invoke-Revert {
    Write-Host "`nReverting configuration for: $PolicyName..." -ForegroundColor Cyan
    
    # Revert implementation
    Write-Host "  Configuration reverted" -ForegroundColor Green
    
    Write-Host "`n[OK] Revert completed" -ForegroundColor Green

    function Invoke-Monitoring {
        $result = Test-Compliance
    
        Write-Host "`n========================================" -ForegroundColor Cyan
        Write-Host "$PolicyName" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
        Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green
        $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
        Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color
    
        return $result
    }

    try {
        Connect-RequiredServices
    
        if ($Monitoring) {
            Invoke-Monitoring
        } elseif ($Remediation) {
            if ($WhatIf) {
                Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
            } else {
                Invoke-Remediation
            }
        } elseif ($Revert) {
            if ($WhatIf) {
                Write-Host "WhatIf: Would revert configuration" -ForegroundColor Yellow
            } else {
                Invoke-Revert
            }
        } else {
            $result = Test-Compliance
            if ($result.IsCompliant) {
                Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
            } else {
                Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
            }
        }
    } catch {
        Write-Error $_
    }

Risico zonder implementatie

Low: N/A - IE deprecated. STRATEGIC: Edge migration plan > IE hardening.

Management Samenvatting

IE LEGACY. Priority: Edge migration, NIET IE hardening.

Implementatietijd: 0.2 uur
FTE required: 0.002 FTE

IE Restrict File Download

💼 Management Samenvatting

Implementatie

Implementatie

Monitoring

Remediatie

Compliance & Frameworks

Automation

Risico zonder implementatie

Management Samenvatting

Share artikel