L1 BIO 12.02.01 CIS Office - File block behavior

PowerPoint: Default File Block Behavior (Do Not Open)

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Default file block behavior = what happens when blocked file type opened - aanbeveling: 'Do not open' (strict block, no override).

Aanbeveling
IMPLEMENT
Risico zonder
Low
Risk Score
3/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft PowerPoint

File block behavior options: 'Do not open': Blocked files CANNOT open (strict - AANBEVOLEN), 'Open in Protected View': Blocked files open read-only (allows viewing maar no editing - less strict), 'Open in Protected View + allow editing': User can enable editing (WEAK - defeats purpose). Best practice: 'Do not open' = Cannot open legacy/dangerous formats (PowerPoint 97-2003, Word 2.x, etc.) β†’ forces modern formats.

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Do not open: Policy: Set default file block behavior: Blocked files are not opened, Effect: User opens blocked file type β†’ error message 'File format blocked', No override: User CANNOT open (forced compliance), Modern formats: .pptx works (not blocked).

Vereisten

  1. PowerPoint 2016+
  2. File block settings configured (block legacy formats)
  3. Intune of GPO

Implementatie

Intune Settings Catalog: PowerPoint\Security\Trust Center\File Block Settings β†’ Set default file block behavior: Blocked files are not opened (strict).

Compliance

CIS Office Benchmark, DISA STIG, BIO 12.02.

Monitoring

Gebruik PowerShell-script default-file-block-behavior.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script default-file-block-behavior.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Stelt standaard file block gedrag in zodat geblokkeerde bestanden niet worden geopend in PowerPoint .DESCRIPTION Dit script implementeert CIS control O365-PT-000004 voor het instellen van het standaard file block gedrag in Microsoft PowerPoint. Dit zorgt ervoor dat geblokkeerde bestanden niet worden geopend, wat de beveiliging verbetert tegen potentieel schadelijke bestanden. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft PowerPoint geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\default-file-block-behavior.ps1 -Monitoring Controleert of geblokkeerde bestanden niet worden geopend .EXAMPLE .\default-file-block-behavior.ps1 -Remediation Stelt in dat geblokkeerde bestanden niet worden geopend .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security\FileBlock Waarde: OpenInProtectedView = 0 CIS Control: O365-PT-000004 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security\FileBlock" $ValueName = "OpenInProtectedView" $ExpectedValue = 0 $ControlID = "O365-PT-000004" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Standaard file block gedrag instellen" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (Geblokkeerde bestanden worden niet geopend)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Standaard file block gedrag instellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Standaard file block gedrag herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\default-file-block-behavior.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft PowerPoint 2016" -ForegroundColor White Write-Host "> PowerPoint Options > Security > Trust Center > File Block Settings" -ForegroundColor White Write-Host "> Set default file block behavior: Enabled: Blocked files are not opened" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Low: Low: 'Open in Protected View' = user can enable editing (bypasses block).

Management Samenvatting

PowerPoint file block behavior: 'Do not open' (strict). No override. Forces modern formats. Implementatie: 1-2 uur.