Word: Schakel In Beveiligde Weergave Voor Internet Zone
π 2025-10-30
β’
β±οΈ 4 minuten lezen
β’
π΄ Must-Have
πΌ Management Samenvatting
Beveiligde weergave voor internet zone opent downloaded Word documents in read-only sandbox om macros en exploits te blokkeren - PRIMARY defense tegen phishing Word attachments.
Aanbeveling
Verifieer ingeschakeld
Risico zonder
Critical
Risk Score
9/10
Implementatie
1u (tech: 0.5u)
Van toepassing op:
β Microsoft Word
Internet Word files is #1 ransomware delivery (email attachments, downloads). Beveiligde weergave: Read-only sandbox, Macros disabled, Exploits contained. User moet explicit 'Schakel in Editing'.
CIS Office Benchmark, BIO 12.02 (Bescherming tegen malware).
Monitoring
Gebruik PowerShell-script internet-zone-protected-view-enabled.ps1 (functie Invoke-Monitoring) β Controleren.
Remediatie
Gebruik PowerShell-script internet-zone-protected-view-enabled.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
CIS M365: Control Office - Beveiligde weergave (L1) -
BIO: 12.02.01 -
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Dwingt bestanden uit de internet zone te openen in Protected View in Word
.DESCRIPTION
Dit script implementeert CIS control O365-WD-000003 voor het openen van bestanden uit
de internet zone in Protected View in Microsoft Word.
.REQUIREMENTS
- PowerShell 5.1 of hoger
- Lokale administrator rechten voor registry wijzigingen
- Microsoft Word geΓ―nstalleerd
.PARAMETER Monitoring
Controleert de huidige compliance status
.PARAMETER Remediation
Past de aanbevolen configuratie toe
.PARAMETER Revert
Herstelt de originele configuratie
.PARAMETER WhatIf
Toont wat er zou gebeuren zonder wijzigingen door te voeren
.EXAMPLE
.\internet-zone-protected-view-enabled.ps1 -Monitoring
.EXAMPLE
.\internet-zone-protected-view-enabled.ps1 -Remediation
.NOTES
Registry pad: HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView
Waarde: DisableInternetFilesInPV = 0
CIS Control: O365-WD-000003
DISA STIG: Microsoft Office 365 ProPlus v3r3
#>#Requires -Version 5.1param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf)
$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security\ProtectedView"
$ValueName = "DisableInternetFilesInPV"
$ExpectedValue = 0$ControlID = "O365-WD-000003"
functionTest-Compliance {
try {
if (-not (Test-Path$RegistryPath)) { return$false }
$currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
return ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue)
}
catch { return$false }
}
function Invoke-Monitoring {
Write-Host "Monitoring ${ControlID}: Internet zone bestanden in Protected View" -ForegroundColor Green
try {
if (-not (Test-Path$RegistryPath)) {
Write-Host "β Registry pad bestaat niet: $RegistryPath" -ForegroundColor Red
return$false
}
$currentValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
if ($currentValue -and $currentValue.$ValueName -eq $ExpectedValue) {
Write-Host "β Control compliant: ${ValueName} = $ExpectedValue" -ForegroundColor Green
return$true
}
else {
$actualValue = if ($currentValue) { $currentValue.$ValueName } else { "Not Set" }
Write-Host "β Control non-compliant: ${ValueName} = $actualValue (Expected: $ExpectedValue)" -ForegroundColor Red
return$false
}
}
catch {
Write-Host "β Fout: $($_.Exception.Message)" -ForegroundColor Red
return$false
}
}
function Invoke-Remediation {
Write-Host "Remediating ${ControlID}: Internet zone bestanden in Protected View" -ForegroundColor Yellow
try {
if ($WhatIf) {
Write-Host "WhatIf: Zou registry waarde instellen: ${ValueName} = $ExpectedValue" -ForegroundColor Cyan
return$true
}
if (-not (Test-Path$RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }
Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force
Write-Host "β Registry waarde succesvol ingesteld: ${ValueName} = $ExpectedValue" -ForegroundColor Green
Start-Sleep -Seconds 1return Invoke-Monitoring
}
catch {
Write-Host "β Fout: $($_.Exception.Message)" -ForegroundColor Red
return$false
}
}
function Invoke-Revert {
Write-Host "Reverting ${ControlID}" -ForegroundColor Yellow
try {
if ($WhatIf) {
Write-Host "WhatIf: Zou registry waarde verwijderen: ${ValueName}" -ForegroundColor Cyan
return$true
}
if (Test-Path$RegistryPath) {
Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
Write-Host "β Registry waarde verwijderd: ${ValueName}" -ForegroundColor Green
}
return$true
}
catch {
Write-Host "β Fout: $($_.Exception.Message)" -ForegroundColor Red
return$false
}
}
try {
if ($Monitoring) {
$result = Invoke-Monitoring
exit $(if ($result) { 0 } else { 1 })
}
elseif ($Remediation) {
$result = Invoke-Remediation
exit $(if ($result) { 0 } else { 1 })
}
elseif ($Revert) {
$result = Invoke-Revert
exit $(if ($result) { 0 } else { 1 })
}
else {
Write-Host "Gebruik: .\internet-zone-protected-view-enabled.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
}
}
catch {
Write-Host "β Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
exit 1
}
Risico zonder implementatie
Risico zonder implementatie
Critical: KRITIEK: Internet Word files zonder Beveiligde weergave is automatische ransomware delivery (Emotet, TrickBot).
Management Samenvatting
Beveiligde weergave internet zone. Standaard ingeschakeld Office 2013+. PRIMARY ransomware defense. Verify: 30 min.