L1 BIO 12.06.01 ISO A.12.2.1 CIS Office - Macro settings

PowerPoint: Macro Notification For Signed Macros Only

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

PowerPoint macro notification: signed-only - UNSIGNED macros automatic blocked, SIGNED prompt user (publisher verification).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
8u (tech: 3u)
Van toepassing op:
βœ“ Microsoft PowerPoint

Unsigned macros = zero trust: No publisher identity (anonymous code), No integrity check (tampered?), Malware = always unsigned (attackers don't sign). Signed macros: Publisher accountability (certificate identifies author), Integrity: Signature breaks if code modified, Trusted publishers: Auto-allow (corporate-signed macros). Defense in depth: Combined with 'block internet macros' (double protection).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Signed-only policy: Unsigned macros: BLOCKED (no prompt - automatic deny), Signed macros: User prompt 'Enable macros?' (publisher name shown), Trusted publishers: Auto-allow (no prompt - certificates in Trusted Publishers store). Implementation: Requires code signing infrastructure (corporate CA OR commercial certificate).

Vereisten

  1. PowerPoint 2016+
  2. Code signing infrastructure
  3. Corporate macros: Digitally signed
  4. Intune of GPO

Implementatie

Intune Settings Catalog: PowerPoint\Security\Trust Center β†’ VBA Macro Notification Settings: 'Disable all except digitally signed macros'. Corporate macros: Sign with code signing certificate β†’ distribute certificate to Trusted Publishers.

Compliance

CIS Office Benchmark L1, BIO 12.06, ISO 27001 A.12.2.1.

Monitoring

Gebruik PowerShell-script macro-notification-signed-only.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script macro-notification-signed-only.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Dwingt alleen digitaal ondertekende macros in PowerPoint .DESCRIPTION Dit script implementeert CIS control O365-PT-000001 voor het instellen van VBA macro meldingen zodat alleen digitaal ondertekende macros zijn toegestaan in Microsoft PowerPoint. Dit voorkomt uitvoering van potentieel schadelijke niet-ondertekende macros. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft PowerPoint geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\macro-notification-signed-only.ps1 -Monitoring Controleert of alleen ondertekende macros zijn toegestaan .EXAMPLE .\macro-notification-signed-only.ps1 -Remediation Dwingt alleen digitaal ondertekende macros .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security Waarde: VBAWarnings = 2 CIS Control: O365-PT-000001 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" $ValueName = "VBAWarnings" $ExpectedValue = 2 $ControlID = "O365-PT-000001" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Alleen digitaal ondertekende macros toestaan" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (Alleen digitaal ondertekende macros toegestaan)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Alleen digitaal ondertekende macros toestaan" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Macro instellingen herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\macro-notification-signed-only.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft PowerPoint 2016" -ForegroundColor White Write-Host "> PowerPoint Options > Security > Trust Center > Macro Settings" -ForegroundColor White Write-Host "> VBA Macro Notification Settings: Enabled: Disable all except digitally signed macros" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Unsigned PowerPoint macros = malware (no publisher verification).

Management Samenvatting

PowerPoint: Unsigned macros blocked, signed prompt. Code signing required. Combined with internet macro block. Implementatie: 3-8 uur.