πΌ Management Samenvatting
VBA Project Object Model access moet uitgeschakeld zijn om te voorkomen dat macros andere macro code kunnen modificeren (self-modifying malware).
Aanbeveling
IMPLEMENT
Risico zonder
High
Risk Score
7/10
Implementatie
1u (tech: 0.5u)
Van toepassing op:
β Word
VBA PROJECT ACCESS is MALWARE CAPABILITY: staat toe macros to: Modify other macro code (stealth), Inject malicious code in other documents, Maak aan self-replicating worms, Schakel uit Beveiligingsinstellingen programmatically. ATTACK: Macro virus spreads door VBA project modification. Schakel uit PREVENTS: Code injectie aanvallen attacks, Self-modifying malware, Macro propagation.
PowerShell Modules Vereist
Primary API: Intune / Group Policy
Connection:
Required Modules:
Connection:
RegistryRequired Modules:
Implementatie
Schakel uit VBA project access: Registry policy. EFFECT: Macros kan niet access VBA Object Model.
Vereisten
Word
Implementatie
Intune: Word Macro beveiliging β Trust VBA Project Access is Disabled
Monitoring
Gebruik PowerShell-script trust-vba-project-access-disabled.ps1 (functie Invoke-Monitoring) β Controleren.
Verifieer disabled
Compliance en Auditing
- DISA STIG
- BIO 12.02
Remediatie
Gebruik PowerShell-script trust-vba-project-access-disabled.ps1 (functie Invoke-Remediation) β Herstellen.
Compliance & Frameworks
- BIO: 12.02.01 - Malware prevention
Automation
Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).
PowerShell
<#
.SYNOPSIS
Schakelt VBA Project toegang uit in Word
.DESCRIPTION
CIS O365-WD-000018
.NOTES
Registry: HKCU:\Software\Policies\Microsoft\Office\16.0\WORD\Security, trustvbaprojectaccessdisabled = 1
#>
#Requires -Version 5.1
param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf)
$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\WORD\Security"; $ValueName = "trustvbaprojectaccessdisabled"; $ExpectedValue = 1; $ControlID = "O365-WD-000018"
function Test-Compliance { try { if (-not(Test-Path $RegistryPath)) { return $false }; $c = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; return($c -and $c.$ValueName -eq $ExpectedValue) }catch { return $false } }
function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}" -ForegroundColor Green; try { if (-not(Test-Path $RegistryPath)) { Write-Host "β Non-compliant" -ForegroundColor Red; return $false }; $c = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; if ($c -and $c.$ValueName -eq $ExpectedValue) { Write-Host "β Compliant" -ForegroundColor Green; return $true }else { Write-Host "β Non-compliant" -ForegroundColor Red; return $false } }catch { Write-Host "β Fout" -ForegroundColor Red; return $false } }
function Invoke-Remediation { Write-Host "Remediating ${ControlID}" -ForegroundColor Yellow; try { if ($WhatIf) { Write-Host "WhatIf" -ForegroundColor Cyan; return $true }; if (-not(Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }; Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force; Write-Host "β Ingesteld" -ForegroundColor Green; Start-Sleep -Seconds 1; return Invoke-Monitoring }catch { Write-Host "β Fout" -ForegroundColor Red; return $false } }
function Invoke-Revert { Write-Host "Reverting ${ControlID}" -ForegroundColor Yellow; try { if ($WhatIf) { Write-Host "WhatIf" -ForegroundColor Cyan; return $true }; if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; Write-Host "β Verwijderd" -ForegroundColor Green }; return $true }catch { Write-Host "β Fout" -ForegroundColor Red; return $false } }
try { if ($Monitoring) { exit $(if (Invoke-Monitoring) { 0 }else { 1 }) }elseif ($Remediation) { exit $(if (Invoke-Remediation) { 0 }else { 1 }) }elseif ($Revert) { exit $(if (Invoke-Revert) { 0 }else { 1 }) }else { Write-Host "Gebruik: .\trust-vba-project-access-disabled.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow } }catch { Write-Host "β Fout" -ForegroundColor Red; exit 1 }
Risico zonder implementatie
Risico zonder implementatie
High: Hoog risico: VBA access is self-modifying malware, macro worms.
Management Samenvatting
Schakel uit VBA project access. voorkomt Code injectie aanvallen. Implementatie: 30-60 min.
- Implementatietijd: 1 uur
- FTE required: 0.01 FTE