Word: Macro Notifications Signed Only

💼 Management Summary

Word macro notification setting 'Disable all except digitally signed macros': blocks unsigned macros to prevent ransomware delivery via Word documents - #1 attack vector.

Recommendation: Implement
Risk without: Critical
Risk Score: 9/10
Implementation: 3h (tech: 1h)
Applies to: ✓ Microsoft Word

Word macros are the PRIMARY ransomware delivery vector: Emotet, TrickBot and Dridex arrive via Word email attachments. Unsigned macros are ALWAYS suspicious. Only macros digitally signed by a trusted publisher are safe.

Implementation

Registry: VBAWarnings = 3 (Disable all except digitally signed). Unsigned macros are blocked automatically (no 'Enable' button). Signed macros prompt the FIRST time only.
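The following is an added example, not part of the page's own script: it decodes the effective VBAWarnings value for Word and reports what it means, so that "signed only" (3) is not confused with "disable with notification" (2), which still offers the user an Enable button. The value meanings are the documented Office semantics; the user-preference key path is an assumption, and a policy value always wins over the user's Trust Center choice.

```powershell
# Added example: report Word's effective macro notification setting.
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (user can click Enable)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-WordMacroPolicy {
    param(
        # Policy key written by GPO/Intune (matches the page's remediation script).
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security',
        # Assumed path of the setting the user picks in the Trust Center UI.
        [string]$UserKey   = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
    )
    # Policy takes precedence over the user preference, so check it first.
    $sources = @(
        @{ Key = $PolicyKey; Source = 'Policy' },
        @{ Key = $UserKey;   Source = 'User' }
    )
    foreach ($entry in $sources) {
        $v = (Get-ItemProperty -Path $entry.Key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            return [pscustomobject]@{
                Source      = $entry.Source
                VBAWarnings = [int]$v
                Meaning     = $VbaWarningsMeaning[[int]$v]
                SignedOnly  = ([int]$v -eq 3)
            }
        }
    }
    # Neither key set: Word's built-in default is 2 (disable with notification).
    [pscustomobject]@{
        Source      = 'Default'
        VBAWarnings = 2
        Meaning     = $VbaWarningsMeaning[2]
        SignedOnly  = $false
    }
}

Get-WordMacroPolicy | Format-List
```

Run it before and after remediation: a compliant host reports Source = Policy, VBAWarnings = 3 and SignedOnly = True.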

Requirements

  1. Office 2016+
  2. Code signing certificates (internal macros)
  3. Intune or GPO

Implementation

Intune Settings Catalog: Word\Security\Trust Center → Macro Notification Settings: 'Disable all except digitally signed macros'.

Compliance and Auditing

CIS Office Benchmark (Macro settings), BIO 12.06, ISO 27001 A.14.2.9.

Monitoring

Use the PowerShell script macro-notification-signed-only.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script macro-notification-signed-only.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Enforces digitally signed macros only in Word
.DESCRIPTION
    CIS control O365-WD-000018 - Allow only digitally signed macros
.NOTES
    Registry: HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security
    Value:    VBAWarnings = 3 (Disable all except digitally signed macros)
#>
#Requires -Version 5.1
param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf)

$RegistryPath  = "HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security"
$ValueName     = "VBAWarnings"
# 3 = "Disable all except digitally signed macros". Value 2 only disables
# with a notification and leaves the Enable button available, which is not
# what this control requires.
$ExpectedValue = 3
$ControlID     = "O365-WD-000018"

function Test-Compliance {
    try {
        if (-not (Test-Path $RegistryPath)) { return $false }
        $c = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
        return ($c -and $c.$ValueName -eq $ExpectedValue)
    } catch {
        return $false
    }
}

function Invoke-Monitoring {
    Write-Host "Monitoring ${ControlID}: Alleen digitaal ondertekende macros" -ForegroundColor Green
    try {
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry pad bestaat niet" -ForegroundColor Red
            return $false
        }
        $c = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
        if ($c -and $c.$ValueName -eq $ExpectedValue) {
            Write-Host "✓ Control compliant: ${ValueName} = $ExpectedValue" -ForegroundColor Green
            return $true
        } else {
            $a = if ($c) { $c.$ValueName } else { "Not Set" }
            Write-Host "✗ Control non-compliant: ${ValueName} = $a (Expected: $ExpectedValue)" -ForegroundColor Red
            return $false
        }
    } catch {
        Write-Host "✗ Fout: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Remediation {
    Write-Host "Remediating ${ControlID}" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "WhatIf: Zou registry waarde instellen" -ForegroundColor Cyan
            return $true
        }
        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force
        Write-Host "✓ Registry waarde ingesteld" -ForegroundColor Green
        Start-Sleep -Seconds 1
        # Re-read the value so the exit code reflects the actual state after the change.
        return Invoke-Monitoring
    } catch {
        Write-Host "✗ Fout: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    Write-Host "Reverting ${ControlID}" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "WhatIf: Zou registry waarde verwijderen" -ForegroundColor Cyan
            return $true
        }
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
            Write-Host "✓ Registry waarde verwijderd" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host "✗ Fout: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Entry point: exit 0 when compliant/successful, 1 otherwise (for Intune/GPO reporting).
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    } else {
        Write-Host "Gebruik: .\macro-notification-signed-only.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
    }
} catch {
    Write-Host "✗ Onverwachte fout: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}

Risk without implementation

Critical: Unsigned Word macros are the PRIMARY ransomware vector (Emotet, TrickBot, Dridex); 80%+ of Office-based attacks.

Management Summary

Word macros: Disable all except digitally signed. Blocks 80%+ of ransomware. Sign internal macros. Implementation: 1-3 hours. CRITICAL.