L1 BIO 12.02.01 ISO A.12.2.1 CIS Office - VBA object model

PowerPoint: Disable Trust Access To VBA Project Object Model

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Disable VBA project object model access - prevents macros from self-modifying code (metamorphic malware technique).

Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
6/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft PowerPoint

VBA object model = self-modifying code: VBA Object Model: Programmatic access to VBA project (macros can edit macros), Attack: Malicious macro β†’ accesses VBA object model β†’ injects MORE malware code β†’ self-replicating virus, Metamorphic malware: Changes its own code (evades signature-based detection), Legacy feature: Developers use for automation (maar security risk). Defense: Disable object model access β†’ macros CANNOT modify themselves β†’ self-replication blocked.

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Disable VBA object model: Policy: Trust access to VBA project object model: Disabled, Effect: Macros cannot programmatically access/modify VBA projects, Developer impact: VBA automation tools don't work (acceptable trade-off), Malware: Cannot self-replicate via object model.

Vereisten

  1. PowerPoint 2016+
  2. Intune of GPO

Implementatie

Intune Settings Catalog: PowerPoint\Security\Trust Center β†’ Trust access to VBA project object model: Disabled.

Compliance

CIS Office Benchmark L1, BIO 12.02, ISO 27001 A.12.2.1.

Monitoring

Gebruik PowerShell-script trust-vba-project-access-disabled.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script trust-vba-project-access-disabled.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Schakelt vertrouwde toegang tot Visual Basic Project uit in PowerPoint .DESCRIPTION Dit script implementeert CIS control O365-PT-000006 voor het uitschakelen van vertrouwde toegang tot Visual Basic Project in Microsoft PowerPoint. Dit voorkomt dat macros programmatisch toegang krijgen tot VBA projecten zonder gebruikersinterventie. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft PowerPoint geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\trust-vba-project-access-disabled.ps1 -Monitoring Controleert of VBA Project toegang is uitgeschakeld .EXAMPLE .\trust-vba-project-access-disabled.ps1 -Remediation Schakelt VBA Project toegang uit .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security Waarde: AccessVBOM = 0 CIS Control: O365-PT-000006 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security" $ValueName = "AccessVBOM" $ExpectedValue = 0 $ControlID = "O365-PT-000006" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: VBA Project toegang uitschakelen" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (VBA Project toegang uitgeschakeld)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: VBA Project toegang uitschakelen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: VBA Project toegang herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\unblock-automatic-download-linked-images-disabled.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft PowerPoint 2016" -ForegroundColor White Write-Host "> PowerPoint Options > Security > Trust Center > Macro Settings" -ForegroundColor White Write-Host "> Scan encrypted macros in PowerPoint Open XML presentations: Enabled: Scan encrypted macros" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: VBA object model = self-modifying malware (metamorphic viruses).

Management Samenvatting

Disable VBA project object model access. Self-replicating malware prevention. Implementatie: 1-2 uur.