Visio: Disable All Macros Except Digitally Signed

💼 Management Summary

Disable all Visio macros except digitally signed - ONLY signed macros can run (unsigned macros BLOCKED, no user override).

Recommendation
IMPLEMENT
Risk without
High
Risk Score
8/10
Implementation
4h (technical: 1h)
Applies to:
✓ Microsoft Visio

Visio macro attacks: Visio files (.vsd, .vsdx, .vsdm) carry diagrams and flowcharts; VBA macros are commonly used for automation (shape manipulation, data links). Unsigned macros are a malware vector, because nothing verifies who wrote them.
  - Attack: malicious .vsdm file (macro malware) → email attachment → user opens → unsigned macro BLOCKED.
  - Signed macros: a code-signing certificate establishes the publisher's identity.
      Trusted: certificate in Trusted Publishers → macro runs automatically.
      Not trusted: user prompt (add publisher to Trusted Publishers?).
      Unsigned: BLOCKED, with no user override (protection against social engineering).
  - Enterprise: code-sign internal Visio templates/stencils and push the signing certificate to Trusted Publishers (auto-allow).

PowerShell Modules Required
Primary API: Intune / GPO
Connection: Registry-based
Required Modules: none (the script uses only the built-in registry provider cmdlets)

Implementation

Signed macros only. Policy: VBA Macro Notification Settings = Disable all except digitally signed macros. Effect:
  - Unsigned macros: BLOCKED (notification: 'Macros have been disabled').
  - Signed by a trusted publisher: auto-run.
  - Signed by a publisher that is not yet trusted: user prompt (trust publisher?).
  - User override: NOT possible (unsigned macros are always blocked).
Caveat: files opened from a Trusted Location bypass the Trust Center macro check entirely, so lock down Trusted Locations with the same policy set; this setting alone does not cover them.

Requirements

  1. Visio 2016+
  2. Code signing infrastructure (if internal macros are used)
  3. Trusted Publishers: certificate deployment (GPO/Intune)
  4. Intune or GPO

Implementation

Use PowerShell script macro-notification-signed-only.ps1 (function Invoke-Implementation) – Implement.

Intune Settings Catalog: Visio\Security\Trust Center β†’ VBA Macro Notification Settings: Disable all except digitally signed macros. Certificate deployment: Intune (Trusted Publishers).
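The certificate side of this control (the "Enterprise: code-sign internal templates and push the certificate" step above, and the "Certificate deployment: Intune (Trusted Publishers)" step here) is where most deployments go wrong: trusting the wrong certificate silently whitelists every macro it signs. The following added example is not part of the baseline script or of Microsoft's tooling; it deploys an exported public certificate (.cer) into the machine Trusted Publishers store only after confirming it is a currently valid Code Signing certificate, and lists what is already trusted. The path in $CertPath is a hypothetical placeholder; run it elevated, since writing to Cert:\LocalMachine requires administrator rights.

```powershell
# Added example (not part of macro-notification-signed-only.ps1):
# verify and install a macro-signing certificate as a Trusted Publisher.
# Assumption: $CertPath points to the exported public certificate (.cer)
# of the internal publisher that signs Visio templates/stencils.
param(
    [string]$CertPath = 'C:\Deploy\visio-macro-signer.cer'   # hypothetical path
)

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # OID: Code Signing enhanced key usage
$TrustedStore   = 'Cert:\LocalMachine\TrustedPublisher'

function Test-CodeSigningCertificate {
    # Returns $true only when the certificate is valid today and carries the
    # Code Signing EKU. A CA certificate or a TLS certificate must not be
    # trusted here, because every macro it signs would then auto-run.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { return $false }
    # 2.5.29.37 is the Extended Key Usage extension; .NET exposes it typed.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($null -eq $eku) { return $false }
    $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    return ($usages -contains $CodeSigningEku)
}

function Install-TrustedPublisher {
    # Imports the certificate into the machine Trusted Publishers store
    # (the store GPO/Intune certificate deployment also targets) and
    # returns its thumbprint; throws if the certificate fails validation.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if (-not (Test-CodeSigningCertificate -Cert $cert)) {
        throw "Refusing to trust '$($cert.Subject)': not a currently valid Code Signing certificate"
    }
    $existing = Get-ChildItem $TrustedStore | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Host "[OK] Already a Trusted Publisher: $($cert.Subject) ($($cert.Thumbprint))" -ForegroundColor Green
        return $cert.Thumbprint
    }
    Import-Certificate -FilePath $Path -CertStoreLocation $TrustedStore | Out-Null
    Write-Host "[OK] Added Trusted Publisher: $($cert.Subject) ($($cert.Thumbprint))" -ForegroundColor Green
    return $cert.Thumbprint
}

# Audit first: anything listed here can sign macros that run without a prompt.
Write-Host "Current Trusted Publishers on this machine:" -ForegroundColor Cyan
Get-ChildItem $TrustedStore | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

Install-TrustedPublisher -Path $CertPath
```

Trust the leaf signing certificate, not the issuing CA: a CA in Trusted Publishers makes every certificate it ever issues a macro-trusted publisher. Re-run the audit listing periodically; an unexpected entry in Trusted Publishers is a finding, since it bypasses the prompt this control relies on.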

Compliance

CIS Office Benchmark L1, BIO 12.02 (Macro blocking), DISA STIG, Microsoft Security Baseline.

Monitoring

Use PowerShell script macro-notification-signed-only.ps1 (function Invoke-Monitoring) – Check.

Remediation

Use PowerShell script macro-notification-signed-only.ps1 (function Invoke-Remediation) – Remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for implementation (-Implementation), monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<# ================================================================================
   POWERSHELL SCRIPT - Nederlandse Baseline voor Veilige Cloud
   ================================================================================
.SYNOPSIS
   Visio: Macro Notification for Signed Macros Only
.DESCRIPTION
   Implements, monitors and remediates: Visio: Macro Notification for Signed Macros Only
.NOTES
   Filename: macro-notification-signed-only.ps1
   Author:   Nederlandse Baseline voor Veilige Cloud
   Version:  1.0
   Workload: office
   Category: visio
#>
#Requires -Version 5.1
[CmdletBinding()]
param(
    [switch]$Implementation,
    [switch]$Monitoring,
    [switch]$Remediation
)
$ErrorActionPreference = 'Stop'

# Visio 2016 and later (Office version 16.0) read the policy from this HKCU key.
# vbawarnings: 1 = enable all, 2 = disable with notification (default),
#              3 = disable all except digitally signed, 4 = disable without notification.
$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Office\16.0\visio\security'
$ValueName   = 'vbawarnings'
$WantedValue = 3

function Get-VisioMacroSetting {
    <# .SYNOPSIS Returns the current vbawarnings policy value, or $null when not set #>
    [CmdletBinding()]
    param()
    if (-not (Test-Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Invoke-Implementation {
    <# .SYNOPSIS Implements the configuration #>
    [CmdletBinding()]
    param()
    Write-Host "[INFO] Invoke-Implementation - Visio: Macro Notification for Signed Macros Only" -ForegroundColor Cyan
    Invoke-Remediation
}

function Invoke-Monitoring {
    <# .SYNOPSIS Checks the current configuration state; returns $true when compliant #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host "Visio: Macro Notification for Signed Macros Only - Monitoring" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        $current = Get-VisioMacroSetting
        if ($current -eq $WantedValue) {
            Write-Host "[OK] $PolicyKey\$ValueName = $current (signed macros only)" -ForegroundColor Green
            return $true
        }
        $shown = if ($null -eq $current) { 'not set (Visio default: disable with notification, user can enable)' } else { $current }
        Write-Host "[WARN] $PolicyKey\$ValueName = $shown; expected $WantedValue" -ForegroundColor Yellow
        return $false
    } catch {
        Write-Error "Monitoring failed: $_"
        throw
    }
}

function Invoke-Remediation {
    <# .SYNOPSIS Restores the configuration to the desired state #>
    [CmdletBinding()]
    param()
    try {
        Write-Host "========================================" -ForegroundColor Cyan
        Write-Host "Visio: Macro Notification for Signed Macros Only - Remediation" -ForegroundColor Cyan
        Write-Host "========================================" -ForegroundColor Cyan
        # Writes the same policy value GPO/Intune would set; a managed policy will
        # re-apply it on the next refresh, so this is safe to run alongside GPO/Intune.
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $WantedValue -PropertyType DWord -Force | Out-Null
        if ((Get-VisioMacroSetting) -ne $WantedValue) { throw "Value $ValueName was not written to $PolicyKey" }
        Write-Host "[OK] Remediation completed: $PolicyKey\$ValueName = $WantedValue" -ForegroundColor Green
    } catch {
        Write-Error "Remediation failed: $_"
        throw
    }
}

if ($Implementation) { Invoke-Implementation }
if ($Monitoring)     { [void](Invoke-Monitoring) }
if ($Remediation)    { Invoke-Remediation }
if (-not ($Implementation -or $Monitoring -or $Remediation)) {
    Write-Host "Usage: .\macro-notification-signed-only.ps1 -Implementation | -Monitoring | -Remediation" -ForegroundColor Yellow
}

Risk without implementation

High: Unsigned Visio macros = malware risk (common in Visio automation).

Management Summary

Visio macros: signed ONLY. Unsigned blocked (no override). Code signing required. Business impact: Medium (Visio macros are common). Implementation: 1-4 hours.