Project: Block VBA Macros From Internet

💼 Management Summary

Block VBA macros from internet in Project files - prevents macro-based malware in downloaded .mpp files (defense in depth).

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
2h (tech: 1h)
Applies to:
✓ Microsoft Project

Project macro attacks: Project files (.mpp) can contain VBA macros (automation). Internet files are email attachments and downloads (untrusted source). MOTW is the Mark-of-the-Web, the flag Windows puts on files that came from the internet. Attack: malicious .mpp file (macro malware) → email attachment → user opens → macro runs → infection.

Block internet macros: in MOTW-tagged files, macros are BLOCKED (no execution). In trusted files (internal network, SharePoint), macros are allowed.

Defense: same as Excel/Word macro blocking, but Project-specific.

PowerShell Modules Required
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementation

Block Project macros. Policy: "Block macros from running in Office files from the Internet" set to Enabled. Effect: for .mpp files from the internet or email, macros are BLOCKED (notification bar: 'Macros have been disabled'). Internal files: macros work (if macro settings allow). MOTW: the Windows Mark-of-the-Web (Zone.Identifier stream) is the internet flag.
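To see which Project files on an endpoint the policy would act on, the Zone.Identifier stream can be read directly. The following is an added example, not part of vba-macros-blocked.ps1; the function name Get-MppZoneReport and the default Downloads folder are assumptions for illustration.

```powershell
# Added example (hypothetical helper): list .mpp files and their Mark-of-the-Web state.
function Get-MppZoneReport {
    [CmdletBinding()]
    param(
        # Folder to scan; the user's Downloads folder is an assumed default.
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    # Windows URL security zones as written to the ZoneId field.
    $zoneNames = @{
        0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
        3 = 'Internet';      4 = 'Restricted Sites'
    }

    Get-ChildItem -Path $Path -Filter '*.mpp' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_

            # MOTW is stored in the NTFS alternate data stream 'Zone.Identifier'.
            # A file without the stream yields an error, which is suppressed here.
            $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

            $zoneId = $null
            if ($ads) {
                $hit = $ads | Select-String -Pattern '^\s*ZoneId\s*=\s*(\d+)' | Select-Object -First 1
                if ($hit) { $zoneId = [int]$hit.Matches[0].Groups[1].Value }
            }

            $zone = 'None'
            if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zone = $zoneNames[$zoneId] }

            [pscustomobject]@{
                File         = $file.FullName
                HasMotw      = [bool]$ads
                ZoneId       = $zoneId
                Zone         = $zone
                # ZoneId 3 is the internet flag the policy keys on.
                InternetZone = ($zoneId -eq 3)
            }
        }
}

Get-MppZoneReport | Format-Table -AutoSize
```

Files copied through archive tools or non-NTFS media may arrive without the stream, so a missing MOTW on a downloaded .mpp file is itself worth a look.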

Requirements

  1. Project 2016+
  2. Intune or GPO
  3. Mark-of-the-Web: Windows feature (automatic)

Implementation

Intune Settings Catalog: Project\Security\Trust Center → Block macros from running in Office files from the Internet: Enabled. MOTW = automatic (Windows).

Compliance

CIS Office Benchmark L1, BIO 12.02 (Macro blocking), DISA STIG, Microsoft Security Baseline.

Monitoring

Use the PowerShell script vba-macros-blocked.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use the PowerShell script vba-macros-blocked.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Blocks VBA macros in Project except digitally signed ones.

.DESCRIPTION
    This script implements CIS control O365-PR-000003 for blocking VBA macros
    except digitally signed macros in Microsoft Project. This prevents
    execution of potentially harmful unsigned macros.

.PARAMETER Monitoring
    Checks the current compliance status.

.PARAMETER Remediation
    Applies the recommended configuration.

.PARAMETER Revert
    Restores the original configuration.

.PARAMETER WhatIf
    Shows what would happen without making changes.

.EXAMPLE
    .\vba-macros-blocked.ps1 -Monitoring
    Checks whether only signed macros are allowed.

.EXAMPLE
    .\vba-macros-blocked.ps1 -Remediation
    Blocks unsigned VBA macros.

.NOTES
    Requirements:
      - PowerShell 5.1 or higher
      - Local administrator rights for registry changes
      - Microsoft Project installed

    Registry path: HKCU:\Software\Policies\Microsoft\Office\16.0\MS Project\Security
    Value: VBAWarnings = 3
    CIS Control: O365-PR-000003
#>

#Requires -Version 5.1

param(
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

# Global variables
$RegistryPath  = "HKCU:\Software\Policies\Microsoft\Office\16.0\MS Project\Security"
$ValueName     = "VBAWarnings"
# VBAWarnings: 1 = enable all macros, 2 = disable all with notification,
# 3 = disable all except digitally signed macros, 4 = disable all without notification.
# The control described here ("except digitally signed") corresponds to 3;
# 2 would still let the user enable unsigned macros from the notification bar.
$ExpectedValue = 3
$ControlID     = "O365-PR-000003"

# Silent check: returns $true only when the policy value exists and matches.
function Test-Compliance {
    try {
        if (-not (Test-Path $RegistryPath)) {
            return $false
        }

        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
        return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue)
    }
    catch {
        return $false
    }
}

# Reports the current state of the policy value and returns $true when compliant.
function Invoke-Monitoring {
    Write-Host "Monitoring ${ControlID}: VBA macros blokkeren behalve digitaal ondertekende" -ForegroundColor Green

    try {
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red
            return $false
        }

        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue

        if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) {
            Write-Host "✓ Control compliant: ${ValueName} = $ExpectedValue (Alleen ondertekende macros toegestaan)" -ForegroundColor Green
            return $true
        }
        else {
            $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" }
            Write-Host "✗ Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red
            return $false
        }
    }
    catch {
        Write-Host "✗ Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Creates the policy key if needed, writes the DWORD value, then re-checks it.
function Invoke-Remediation {
    Write-Host "Remediating ${ControlID}: VBA macros blokkeren behalve digitaal ondertekende" -ForegroundColor Yellow

    try {
        if ($WhatIf) {
            Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan
            return $true
        }

        if (-not (Test-Path $RegistryPath)) {
            Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow
            New-Item -Path $RegistryPath -Force | Out-Null
        }

        Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force
        Write-Host "✓ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green

        Start-Sleep -Seconds 1
        return Invoke-Monitoring
    }
    catch {
        Write-Host "✗ Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Removes the policy value so Project falls back to its unmanaged setting.
function Invoke-Revert {
    Write-Host "Reverting ${ControlID}: VBA macro instellingen herstellen" -ForegroundColor Yellow

    try {
        if ($WhatIf) {
            Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan
            return $true
        }

        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
            Write-Host "✓ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green
        }

        return $true
    }
    catch {
        Write-Host "✗ Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Main execution: exit code 0 = success/compliant, 1 = failure/non-compliant.
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    }
    else {
        Write-Host "Gebruik: .\vba-macros-blocked.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
        Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White
        Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White
        Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White
        Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White
    }
}
catch {
    Write-Host "✗ Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

Risk without implementation

High: Project macro malware via email/downloads.

Management Summary

Block Project VBA macros from internet (MOTW). Malware prevention. Internal macros: OK. Implementation: 1-2 hours.