BIO 09.04.03 ISO A.9.4.3

Outlook: Schakel Uit Netwerkpaden As Hyperlinks

πŸ“… 2025-10-30
β€’
⏱️ 4 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Schakel uit Netwerkpaden as hyperlinks voorkomt NTLM credential harvesting via UNC path links in emails (\\attacker.com\share) die automatische SMB connections maken bij preview.

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
7/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft Outlook

UNC hyperlinks is Diefstal van inloggegevens: Email bevat \\attacker.com\share β†’ user previews email β†’ Outlook auto-converts to hyperlink β†’ SMB connection automatische β†’ NTLM hash sent. Zonder disable: Reading pane preview triggers SMB (no click needed), NTLM hash captured door attacker, Offline hash cracking.

Implementatie

Schakel uit UNC hyperlinks: Netwerkpaden stay plain text (no clickable links), No automatische SMB connections, User moet handmatige copy/paste (deliberate action).

Vereisten

  1. Outlook 2016+
  2. Intune of GPO

Implementatie

Intune Settings Catalog: Outlook\Security β†’ Replace Netwerkpaden met hyperlinks: Disabled.

Compliance en Auditing

BIO 09.04 (credential bescherming), ISO 27001 A.9.4.3.

Monitoring

Gebruik PowerShell-script network-paths-hyperlinks-disabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script network-paths-hyperlinks-disabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
# Control: O365-OU-000027 - network paths hyperlinks disabled #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Green try { $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting O365-OU-000027: network paths hyperlinks disabled " -ForegroundColor Yellow try { if ($WhatIf) { Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan return $true } $valueName = "networkpathshyperlinksdisabled" if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue Write-Host " Removed registry value: $valueName" -ForegroundColor Green } return $true } catch { Write-Host " Error during revert: # Control: O365-OU-000027 - network paths hyperlinks disabled #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Green try { $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow } } catch { Write-Host "Script execution error: # Control: O365-OU-000027 - network paths hyperlinks disabled #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Green try { $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting O365-OU-000027: network paths hyperlinks disabled " -ForegroundColor Yellow try { if ($WhatIf) { Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan return $true } $valueName = "networkpathshyperlinksdisabled" if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue Write-Host " Removed registry value: $valueName" -ForegroundColor Green } return $true } catch { Write-Host " Error during revert: # Control: O365-OU-000027 - network paths hyperlinks disabled #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Green try { $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\network-paths-hyperlinks-disabled.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red return $false } } # Main execution try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\network-paths-hyperlinks-disabled.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red exit 1 } " -ForegroundColor Red return $false } } # Main execution try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow } } catch { Write-Host "Script execution error: # Control: O365-OU-000027 - network paths hyperlinks disabled #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Green try { $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting O365-OU-000027: network paths hyperlinks disabled " -ForegroundColor Yellow try { if ($WhatIf) { Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan return $true } $valueName = "networkpathshyperlinksdisabled" if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue Write-Host " Removed registry value: $valueName" -ForegroundColor Green } return $true } catch { Write-Host " Error during revert: # Control: O365-OU-000027 - network paths hyperlinks disabled #Requires -Version 5.1 # DISA STIG Microsoft Office 365 ProPlus v3r3 param( [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security", [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) function Invoke-Monitoring { Write-Host "Monitoring O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Green try { $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry path does not exist: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$valueName -eq $expectedValue) { Write-Host "βœ“ Control compliant: $valueName = $expectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating O365-OU-000027: network paths hyperlinks disabled" -ForegroundColor Yellow try { if (-not (Test-Path $RegistryPath)) { Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } $valueName = "networkpathshyperlinksdisabled" $expectedValue = 1 Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force Write-Host "βœ“ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 $complianceResult = Invoke-Monitoring return $complianceResult } catch { Write-Host "βœ— Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red return $false } } if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\network-paths-hyperlinks-disabled.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red return $false } } # Main execution try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Usage: .\network-paths-hyperlinks-disabled.ps1 [-Monitoring] [-Remediation]" -ForegroundColor Yellow Write-Host " -Monitoring: Check current compliance status" -ForegroundColor White Write-Host " -Remediation: Apply recommended configuration" -ForegroundColor White } " -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: UNC hyperlinks is NTLM Diefstal van inloggegevens via email preview.

Management Samenvatting

Schakel uit Netwerkpaden hyperlinks. Blokkeert SMB credential harvesting. Implementatie: 1-2 uur.