Publisher: Set Automation Security Level To UI Prompted
π 2025-10-30
β’
β±οΈ 3 minuten lezen
β’
π’ Should-Have
πΌ Management Samenvatting
Automation Security Level UI Prompted voorkomt die Publisher automatische COM automation zonder gebruikerstoestemming - defense against external applications controlling Publisher.
Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
5/10
Implementatie
2u (tech: 1u)
Van toepassing op:
β Microsoft Publisher
COM automation is security risk: External apps can control Publisher programmatically, Malware kan gebruiken COM to execute Publisher actions, No user awareness if automatic. UI Prompted: User MOET approval geven voor COM automation.
Implementatie
Automation security: User prompted voor COM automation approval, Malicious external control blocked, Legitimate automation vereist expliciete toestemming.
Gebruik PowerShell-script automation-security-level-ui-prompted.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script automation-security-level-ui-prompted.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
CIS M365: Control Office - Automation (L2) -
BIO: 12.06.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Stelt Publisher automation security level in op UI prompted
.DESCRIPTION
Dit script implementeert CIS control O365-PU-000001 voor het instellen van Publisher
automation security level op "By UI (prompted)" in Microsoft Publisher. Dit zorgt ervoor
dat gebruikers worden gewaarschuwd voordat automation code wordt uitgevoerd.
.REQUIREMENTS
- PowerShell 5.1 of hoger
- Lokale administrator rechten voor registry wijzigingen
- Microsoft Publisher geΓ―nstalleerd
.PARAMETER Monitoring
Controleert de huidige compliance status
.PARAMETER Remediation
Past de aanbevolen configuratie toe
.PARAMETER Revert
Herstelt de originele configuratie
.PARAMETER WhatIf
Toont wat er zou gebeuren zonder wijzigingen door te voeren
.EXAMPLE
.\automation-security-level-ui-prompted.ps1 -Monitoring
Controleert of automation security level op UI prompted staat
.EXAMPLE
.\automation-security-level-ui-prompted.ps1 -Remediation
Stelt automation security level in op UI prompted
.NOTES
Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Publisher\Security
Waarde: AutomationSecurity = 2
CIS Control: O365-PU-000001
DISA STIG: Microsoft Office 365 ProPlus v3r3
#>#Requires -Version 5.1param(
[switch]$Monitoring,
[switch]$Remediation,
[switch]$Revert,
[switch]$WhatIf
)
# Globale variabelen$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Publisher\Security"
$ValueName = "AutomationSecurity"
$ExpectedValue = 2$ControlID = "O365-PU-000001"
functionTest-Compliance {
try {
if (-not (Test-Path$RegistryPath)) {
return$false
}
$currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue)
}
catch {
return$false
}
}
function Invoke-Monitoring {
Write-Host "Monitoring ${ControlID}: Automation security level instellen op UI prompted" -ForegroundColor Green
try {
if (-not (Test-Path$RegistryPath)) {
Write-Host "β Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red
return$false
}
$currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) {
Write-Host "β Control compliant: ${ValueName} = $ExpectedValue (UI prompted)" -ForegroundColor Green
return$true
}
else {
$actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" }
Write-Host "β Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red
return$false
}
}
catch {
Write-Host "β Fout bij controleren registry instelling: $($_.Exception.Message)" -ForegroundColor Red
return$false
}
}
function Invoke-Remediation {
Write-Host "Remediating ${ControlID}: Automation security level instellen op UI prompted" -ForegroundColor Yellow
try {
if ($WhatIf) {
Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan
return$true
}
if (-not (Test-Path$RegistryPath)) {
Write-Host "Registry pad aanmaken: $RegistryPath" -ForegroundColor Yellow
New-Item -Path $RegistryPath -Force | Out-Null
}
Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force
Write-Host "β Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green
Start-Sleep -Seconds 1return Invoke-Monitoring
}
catch {
Write-Host "β Fout bij configureren registry instelling: $($_.Exception.Message)" -ForegroundColor Red
return$false
}
}
function Invoke-Revert {
Write-Host "Reverting ${ControlID}: Automation security level herstellen" -ForegroundColor Yellow
try {
if ($WhatIf) {
Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan
return$true
}
if (Test-Path$RegistryPath) {
Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
Write-Host "β Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green
}
return$true
}
catch {
Write-Host "β Fout bij herstellen registry instelling: $($_.Exception.Message)" -ForegroundColor Red
return$false
}
}
# Hoofd uitvoeringtry {
if ($Monitoring) {
$result = Invoke-Monitoring
exit $(if ($result) { 0 } else { 1 })
}
elseif ($Remediation) {
$result = Invoke-Remediation
exit $(if ($result) { 0 } else { 1 })
}
elseif ($Revert) {
$result = Invoke-Revert
exit $(if ($result) { 0 } else { 1 })
}
else {
Write-Host "Gebruik: .\automation-security-level-ui-prompted.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
Write-Host " -Monitoring: Controleer huidige compliance status" -ForegroundColor White
Write-Host " -Remediation: Pas aanbevolen configuratie toe" -ForegroundColor White
Write-Host " -Revert: Herstel originele configuratie" -ForegroundColor White
Write-Host " -WhatIf: Toon wat er zou gebeuren" -ForegroundColor White
Write-Host ""
Write-Host "Handmatige configuratie:" -ForegroundColor Cyan
Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Publisher 2016" -ForegroundColor White
Write-Host "> Publisher Options > Security" -ForegroundColor White
Write-Host "> Publisher Automation Security Level: Enabled: By UI (prompted)" -ForegroundColor White
}
}
catch {
Write-Host "β Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
Risico zonder implementatie
Risico zonder implementatie
Medium: Medium: COM automation Zonder prompts is external malicious control.