L1 BIO 12.06.01 CIS Office - Trusted publisher

Publisher: Require Trusted Publisher For Add-ins

πŸ“… 2025-10-30
β€’
⏱️ 2 minuten lezen
β€’
πŸ”΄ Must-Have

πŸ’Ό Management Samenvatting

Require trusted publisher for Publisher add-ins - verifies add-in code signing certificate (prevents unsigned/untrusted add-ins).

Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
6/10
Implementatie
3u (tech: 1u)
Van toepassing op:
βœ“ Microsoft Publisher

Add-in trust = code signing: Publisher add-ins: Extend functionality (COM add-ins), Unsigned: No verification (malware risk), Signed + trusted: Certificate in Trusted Publishers store (auto-allow), Signed (not trusted): User prompt (install certificate?), Unsigned: BLOCKED. Defense: Only pre-approved (trusted) add-ins auto-load. Enterprise: Code-sign corporate add-ins β†’ push certificate to Trusted Publishers (GPO/Intune).

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Require trusted publisher: Policy: Require that application add-ins are signed by Trusted Publisher: Enabled, Effect: Unsigned: BLOCKED, Signed (trusted): Auto-allow, Signed (not trusted): User prompt (install to Trusted Publishers?).

Vereisten

  1. Publisher 2016+
  2. Code signing infrastructure
  3. Trusted Publishers: Certificate deployment (GPO/Intune)
  4. Intune of GPO

Implementatie

Intune Settings Catalog: Publisher\Security\Trust Center β†’ Require that application add-ins are signed by Trusted Publisher: Enabled. Certificate deployment: Intune.

Compliance

CIS Office Benchmark L1, BIO 12.06.

Monitoring

Gebruik PowerShell-script addins-trusted-publisher-required.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script addins-trusted-publisher-required.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Dwingt vertrouwde uitgever handtekening voor add-ins in Publisher .DESCRIPTION Dit script implementeert CIS control O365-PU-000001 voor het afdwingen dat applicatie add-ins digitaal ondertekend moeten zijn door een vertrouwde uitgever in Microsoft Publisher. Dit voorkomt uitvoering van onveilige add-ins zonder expliciete verificatie. .REQUIREMENTS - PowerShell 5.1 of hoger - Lokale administrator rechten voor registry wijzigingen - Microsoft Publisher geΓ―nstalleerd .PARAMETER Monitoring Controleert de huidige compliance status .PARAMETER Remediation Past de aanbevolen configuratie toe .PARAMETER Revert Herstelt de originele configuratie .PARAMETER WhatIf Toont wat er zou gebeuren zonder wijzigingen door te voeren .EXAMPLE .\addins-trusted-publisher-required.ps1 -Monitoring Controleert of add-in handtekening is vereist .EXAMPLE .\addins-trusted-publisher-required.ps1 -Remediation Dwingt add-in handtekening door vertrouwde uitgever .NOTES Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Publisher\Security\TrustCenter Waarde: RequireAddinSig = 1 CIS Control: O365-PU-000001 DISA STIG: Microsoft Office 365 ProPlus v3r3 #> #Requires -Version 5.1 param( [switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf ) # Globale variabelen $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Publisher\Security\TrustCenter" $ValueName = "RequireAddinSig" $ExpectedValue = 1 $ControlID = "O365-PU-000001" function Test-Compliance { try { if (-not (Test-Path $RegistryPath)) { return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) } catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}: Vertrouwde uitgever handtekening voor add-ins afdwingen" -ForegroundColor Green try { if (-not (Test-Path $RegistryPath)) { Write-Host "βœ— Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red return $false } $currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Control compliant: ${ValueName} = $ExpectedValue (Add-ins vereisen vertrouwde uitgever handtekening)" -ForegroundColor Green return $true } else { $actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" } Write-Host "βœ— Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red return $false } } catch { Write-Host "βœ— Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}: Vertrouwde uitgever handtekening voor add-ins afdwingen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan return $true } if (-not (Test-Path $RegistryPath)) { Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow New-Item -Path $RegistryPath -Force | Out-Null } Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force Write-Host "βœ“ Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green Start-Sleep -Seconds 1 return Invoke-Monitoring } catch { Write-Host "βœ— Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}: Add-in handtekening instelling herstellen" -ForegroundColor Yellow try { if ($WhatIf) { Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan return $true } if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue Write-Host "βœ“ Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green } return $true } catch { Write-Host "βœ— Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red return $false } } # Hoofd uitvoering try { if ($Monitoring) { $result = Invoke-Monitoring exit $(if ($result) { 0 } else { 1 }) } elseif ($Remediation) { $result = Invoke-Remediation exit $(if ($result) { 0 } else { 1 }) } elseif ($Revert) { $result = Invoke-Revert exit $(if ($result) { 0 } else { 1 }) } else { Write-Host "Gebruik: .\addins-trusted-publisher-required.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White Write-Host "" Write-Host "Handmatige configuratie:" -ForegroundColor Cyan Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Publisher 2016" -ForegroundColor White Write-Host "> Publisher Options > Security > Trust Center" -ForegroundColor White Write-Host "> Require that application add-ins are signed by Trusted Publisher: Enabled" -ForegroundColor White } } catch { Write-Host "βœ— Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: Unsigned Publisher add-ins = malware risk.

Management Samenvatting

Require Publisher add-ins: Trusted publisher (code signing). Unsigned blocked. Implementatie: 1-3 uur.