Outlook Trusted Zones Blocked

💼 Management Summary

Outlook must be configured to block the IE Trusted Sites zone, because malicious emails could otherwise obtain full browser privileges through a Trusted Zone bypass.

Recommendation: IMPLEMENT
Risk without implementation: High
Risk score: 7/10
Implementation effort: 2 h (technical: 1 h)
Applies to: ✓ Outlook

TRUSTED ZONE BYPASS RISK: Outlook uses Internet Explorer security zones to render HTML email.

WITHOUT BLOCKING: Emails from 'trusted' sites receive full browser privileges (ActiveX, scripts); attackers can add domains to Trusted Sites (via malware or social engineering); malicious emails from those domains then receive elevated privileges.

ATTACK SCENARIO: Attacker compromises a legitimate website that is listed in Trusted Sites → sends a phishing email from that domain → Outlook renders it with Trusted Zone privileges → ActiveX/scripts execute without restrictions → malware deployment.

BLOCKTRUSTEDZONES MITIGATION: Email rendering ALWAYS uses the Restricted Sites zone (the most restrictive one); even if the sender domain is listed in Trusted Sites → no elevated privileges; blocks Trusted Zone bypass attacks.

PowerShell Modules Required
Primary API: Intune / Group Policy
Connection: Registry
Required Modules:

Implementation

Block trusted zones: HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security\blocktrustedzones is 1. DISA STIG O365-OU-000009. EFFECT: all emails are rendered in the Restricted Sites zone (regardless of domain trust), ActiveX/scripts are disabled in emails, and security enforcement is consistent.

Requirements

  1. Outlook (M365 Apps)
  2. Internet Explorer zones configured

Implementation

Use the PowerShell script block-trusted-zones.ps1 (function Invoke-Remediation) – Block trusted zones in email rendering.

Intune: Outlook Security → Block trusted zones is enabled

Monitoring

Use the PowerShell script block-trusted-zones.ps1 (function Invoke-Monitoring) – Verify that blocktrustedzones is 1.
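The monitoring function of block-trusted-zones.ps1 reads the value under HKCU, that is, the hive of the account running the script. A monitoring agent that runs as SYSTEM (Intune, ConfigMgr, a scheduled task) therefore sees its own hive, not the interactive user's. The following added example, which is not part of this control page or of block-trusted-zones.ps1, checks the same blocktrustedzones value in every user hive loaded under HKEY_USERS and reports the result per user. The function and parameter names are this example's own assumptions, and it must run with privileges that can read other users' hives.

```powershell
# Added example, not part of the control page or its block-trusted-zones.ps1 script.
# The blocktrustedzones value lives under HKCU, so an agent running as SYSTEM reads its
# own hive, not the interactive user's. This helper enumerates every user hive loaded
# under HKEY_USERS and reports the setting per user. Names below are this example's own.
function Get-BlockTrustedZonesStatus {
    [CmdletBinding()]
    param(
        # Same relative path, value name and expected value the control specifies
        [string]$RelativePath  = 'Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security',
        [string]$ValueName     = 'blocktrustedzones',
        [int]$ExpectedValue    = 1
    )

    # PowerShell pre-defines only HKCU: and HKLM:; map HKEY_USERS on demand
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object {
            # Domain/local user SIDs only; skips .DEFAULT, *_Classes and service SIDs
            $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
        } |
        ForEach-Object {
            $sid     = $_.PSChildName
            $keyPath = "HKU:\$sid\$RelativePath"
            $value   = $null
            if (Test-Path -Path $keyPath) {
                # SilentlyContinue yields $null when the value is missing instead of throwing
                $value = (Get-ItemProperty -Path $keyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            }
            [pscustomobject]@{
                SID       = $sid
                KeyPath   = $keyPath
                Value     = $value
                Compliant = ($value -eq $ExpectedValue)
            }
        }
}

# Usage: run elevated so other users' hives are readable.
# Exit code 1 if any loaded user hive is non-compliant, matching the page's script convention.
$status = Get-BlockTrustedZonesStatus
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Only hives that are currently loaded appear under HKEY_USERS, so a user who has never logged on to the device, or whose profile is unloaded, is not listed; for those users the value is applied by the Intune or Group Policy setting the control names when they next log on.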

Compliance and Auditing

  1. DISA STIG O365-OU-000009
  2. BIO 12.02
  3. ISO 27001 A.8.7

Remediation

Use the PowerShell script block-trusted-zones.ps1 (function Invoke-Remediation) – Restore the setting.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
# Control: O365-OU-000009 - block trusted zones
# DISA STIG Microsoft Office 365 ProPlus v3r3
#Requires -Version 5.1
param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security",
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

function Invoke-Monitoring {
    Write-Host "Monitoring O365-OU-000009: block trusted zones" -ForegroundColor Green
    try {
        $valueName = "blocktrustedzones"
        $expectedValue = 1
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "  Registry path does not exist: $RegistryPath" -ForegroundColor Red
            return $false
        }
        # SilentlyContinue returns $null instead of throwing when the value is absent
        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
        if ($currentValue -and $currentValue.$valueName -eq $expectedValue) {
            Write-Host "  Compliant: Trusted zones are blocked" -ForegroundColor Green
            return $true
        } else {
            Write-Host "  Non-Compliant: Trusted zones not blocked" -ForegroundColor Red
            return $false
        }
    } catch {
        Write-Host "  Error during monitoring: $_" -ForegroundColor Red
        return $false
    }
}

function Invoke-Remediation {
    Write-Host "Remediating O365-OU-000009: block trusted zones" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would set registry value" -ForegroundColor Cyan
            return $true
        }
        $valueName = "blocktrustedzones"
        $expectedValue = 1
        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host "  Created registry path: $RegistryPath" -ForegroundColor Green
        }
        Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force
        Write-Host "  Set $valueName to $expectedValue" -ForegroundColor Green
        Start-Sleep -Seconds 1
        # Re-run the check so the remediation result reflects the actual registry state
        return Invoke-Monitoring
    } catch {
        Write-Host "  Error during remediation: $_" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    Write-Host "Reverting O365-OU-000009: block trusted zones" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would remove registry value" -ForegroundColor Cyan
            return $true
        }
        $valueName = "blocktrustedzones"
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
            Write-Host "  Removed registry value: $valueName" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host "  Error during revert: $_" -ForegroundColor Red
        return $false
    }
}

# Main execution: exit code 0 = compliant/success, 1 = non-compliant/failure
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    } else {
        Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
    }
} catch {
    Write-Host "Script execution error: $_" -ForegroundColor Red
    exit 1
}

Risk Without Implementation

High: a trusted zone bypass means malicious emails obtain elevated browser privileges and can execute ActiveX/scripts.

Management Summary

Block the IE Trusted Sites zone for Outlook emails (blocktrustedzones=1). All emails are rendered in the Restricted zone. Required by DISA STIG. Implementation: 1-2 hours.