L1 BIO 12.02.01 ISO A.12.2.1 CIS Office - Protected View

PowerPoint: Enable Protected View For Outlook Attachments

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Enable Protected View voor PowerPoint attachments from Outlook - email attachments = #1 malware delivery (read-only sandbox).

Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
8/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft PowerPoint

Email attachments = highest risk: Attack vector: Phishing email β†’ malicious PowerPoint attachment β†’ user opens β†’ exploit/malware, Protected View: Email attachment β†’ opens read-only (macros disabled, exploits blocked), User: 'Enable editing' button (informed decision - check sender first). Defense in depth: Combined with 'block internet macros' (double protection).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Protected View Outlook: Policy: Enable Protected View for Outlook attachments: Enabled, Effect: PowerPoint attachments from email β†’ Protected View (read-only), User: Can enable editing (maar prompted - awareness), Internal emails: ALSO Protected View (internal phishing defense).

Vereisten

  1. PowerPoint 2016+
  2. Outlook integration
  3. Intune of GPO

Implementatie

Intune Settings Catalog: PowerPoint\Security\Trust Center\Protected View β†’ Enable Protected View for Outlook attachments: Enabled.

Compliance

CIS Office Benchmark L1, BIO 12.02, ISO 27001 A.12.2.1.

Monitoring

Gebruik PowerShell-script outlook-attachments-protected-view-enabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script outlook-attachments-protected-view-enabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Dwingt Protected View voor Outlook bijlagen in PowerPoint .DESCRIPTION Dit script implementeert CIS control O365-PT-000010 voor het openen van Outlook bijlagen in Protected View in Microsoft PowerPoint. Dit beschermt tegen potentieel schadelijke bestanden in e-mail bijlagen. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft PowerPoint geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\outlook-attachments-protected-view-enabled.ps1 -Monitoring Controleert of Outlook bijlagen in Protected View worden geopend .EXAMPLE .\outlook-attachments-protected-view-enabled.ps1 -Remediation Dwingt Protected View voor Outlook bijlagen .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView Waarde: DisableAttachmentsInPV = 0 CIS Control: O365-PT-000010 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security\ProtectedView" $ValueName = "DisableAttachmentsInPV" $ExpectedValue = 0 $ControlID = "O365-PT-000010" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Protected View voor Outlook bijlagen inschakelen" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (Outlook bijlagen openen in Protected View)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Protected View voor Outlook bijlagen inschakelen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Outlook bijlagen Protected View instelling herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\powerpoint97-2003-blocked.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft PowerPoint 2016" -ForegroundColor White Write-Host "> PowerPoint Options > Security > Trust Center > Protected View" -ForegroundColor White Write-Host "> Turn off Protected View for attachments opened from Outlook: Disabled" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
High: Hoog: Email attachments = #1 malware delivery (no Protected View = direct execution).

Management Samenvatting

PowerPoint: Email attachments β†’ Protected View. Malware defense. User can enable editing (informed). Implementatie: 1-2 uur.