L1 BIO 12.02.01 CIS Office - Protected View

PowerPoint: Protected View If File Validation Fails

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Open failed validation files in Protected View - allows viewing corrupted/suspicious files WITHOUT exploit risk (read-only sandbox).

Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft PowerPoint

File validation failure = potential exploit: Failed validation: File structure invalid (corruption OR malicious crafting), Protected View: Read-only mode (macros disabled, editing disabled, exploits cannot trigger). Use case balance: 'Do not open' (stricter): Cannot view file at all, 'Protected View' (THIS setting): Can view BUT cannot edit (balance: visibility + safety).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Protected View on failure: Policy: File validation failure β†’ Protected View, Effect: User can VIEW file (read-only), Cannot edit (no 'Enable editing' for failed validation), Safe investigation: Security team can examine suspicious files safely.

Vereisten

  1. PowerPoint 2016+
  2. File validation enabled
  3. Intune of GPO

Implementatie

Intune Settings Catalog: PowerPoint\Security\Trust Center\Protected View β†’ Turn off Protected View for files from unsafe locations: Disabled (keep Protected View ON).

Compliance

CIS Office Benchmark, BIO 12.02.

Monitoring

Gebruik PowerShell-script file-validation-fails-protected-view.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script file-validation-fails-protected-view.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Dwingt bestanden die bestandsvalidatie niet doorstaan te openen in Protected View in PowerPoint .DESCRIPTION Dit script implementeert CIS control O365-PT-000012 voor het openen van bestanden die bestandsvalidatie niet doorstaan in Protected View in Microsoft PowerPoint. Dit beschermt tegen potentieel schadelijke bestanden die de validatie niet hebben gehaald. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft PowerPoint geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\file-validation-fails-protected-view.ps1 -Monitoring Controleert of niet-gevalideerde bestanden in Protected View worden geopend .EXAMPLE .\file-validation-fails-protected-view.ps1 -Remediation Dwingt Protected View voor niet-gevalideerde bestanden .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\POWERPOINT\Security Waarde: filevalidationfailsprotectedview = 1 CIS Control: O365-PT-000012 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\POWERPOINT\Security" $ValueName = "filevalidationfailsprotectedview" $ExpectedValue = 1 $ControlID = "O365-PT-000012" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Protected View voor niet-gevalideerde bestanden" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Protected View voor niet-gevalideerde bestanden" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Protected View instelling herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\file-validation-fails-protected-view.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: No Protected View = failed validation files executable (exploit risk).

Management Samenvatting

PowerPoint: Failed validation β†’ Protected View. Safe viewing. Implementatie: 1-2 uur.