L1 BIO 13.01.03 ISO A.13.1.3 CIS Office - Network trusted locations

PowerPoint: Disable Network Trusted Locations

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Disable network trusted locations in PowerPoint - network shares CANNOT be trusted locations (MITM risk + compromised shares).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft PowerPoint

Network trusted locations = security bypass: Trusted location: PowerPoint files bypass ALL security (macros auto-enabled, no Protected View, no warnings), Network shares: UNC paths (\\fileserver\share), Security risk: MITM attacks (attacker intercepts network traffic β†’ injects malicious PowerPoint), Compromised file server (attacker modifies files on share β†’ trusted location = bypasses security), Lateral movement (attacker on internal network). CIS/Microsoft: NEVER allow network trusted locations (only local paths C:\ with strict access control).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Disable network trusted locations: Policy: Allow Trusted Locations on the network: Disabled, Effect: Network UNC paths CANNOT be added as trusted locations (policy blocks), Trusted locations: Local paths ONLY (C:\TrustedPPT - with file system permissions), Network PowerPoint files: Full security checks (Protected View, macro prompts).

Vereisten

  1. PowerPoint 2016+
  2. Intune of GPO

Implementatie

Intune Settings Catalog: PowerPoint\Security\Trust Center\Trusted Locations β†’ Allow Trusted Locations on the network: Disabled.

Compliance

CIS Office Benchmark L1, Microsoft Security Baseline, BIO 13.01, ISO 27001 A.13.1.3.

Monitoring

Gebruik PowerShell-script network-trusted-locations-disabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script network-trusted-locations-disabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Schakelt vertrouwde netwerk locaties uit in PowerPoint .DESCRIPTION Dit script implementeert CIS control O365-PT-000013 voor het uitschakelen van vertrouwde netwerk locaties in Microsoft PowerPoint. Dit voorkomt dat bestanden van netwerk locaties automatisch als vertrouwd worden behandeld, wat een beveiligingsrisico kan vormen. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft PowerPoint geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\network-trusted-locations-disabled.ps1 -Monitoring Controleert of netwerk vertrouwde locaties zijn uitgeschakeld .EXAMPLE .\network-trusted-locations-disabled.ps1 -Remediation Schakelt netwerk vertrouwde locaties uit .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\POWERPOINT\Security Waarde: networktrustedlocationsdisabled = 1 CIS Control: O365-PT-000013 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\POWERPOINT\Security" $ValueName = "networktrustedlocationsdisabled" $ExpectedValue = 1 $ControlID = "O365-PT-000013" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Netwerk vertrouwde locaties uitschakelen" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Netwerk vertrouwde locaties uitschakelen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Netwerk vertrouwde locaties instelling herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\outlook-attachments-protected-view-enabled.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Network trusted locations = MITM attacks + compromised shares bypass security.

Management Samenvatting

Disable PowerPoint network trusted locations. MITM defense. Local paths only. Implementatie: 1-2 uur.