BIO 12.02.01

Word: Block Word 2.x And Earlier Binary Files

πŸ“… 2025-10-30
β€’
⏱️ 3 minuten lezen
β€’
🟒 Should-Have

πŸ’Ό Management Samenvatting

Block Word 2.x and earlier binary files (.doc format from 1980s-1990s) - ANCIENT formats met unpatched vulnerabilities + zero business use.

Aanbeveling
IMPLEMENT
Risico zonder
Medium
Risk Score
4/10
Implementatie
2u (tech: 1u)
Van toepassing op:
βœ“ Microsoft Word

Word 2.x = ANCIENT (1987-1993): Format age: 30+ years old (pre-internet era), Vulnerabilities: Buffer overflows, memory corruption (no modern mitigations), Patches: NONE (Microsoft stopped support 20+ years ago), Attack vector: Malicious Word 2.x file β†’ exploit ancient parser β†’ code execution. Business use: ZERO (who has Word 2.x documents from 1990?). Modern Word: Opens .docx (2007+), NOT ancient .doc variants.

PowerShell Modules Vereist
Primary API: Intune / GPO
Connection: Registry-based
Required Modules:

Implementatie

Block Word 2.x binary: File types: .doc (Word 2.0), .dot (Word 2.0 templates), Earlier: Word 1.x, Action: Block open + save (cannot open these files), User message: 'File format blocked by administrator', Zero business impact: No modern organization uses Word 2.x files.

Vereisten

  1. Word 2016+
  2. Intune of GPO

Implementatie

Intune Settings Catalog: Word\Security\Trust Center\File Block Settings β†’ Word 2 and earlier binary documents and templates: Block (Open + Save).

Compliance

DISA STIG Office, BIO 12.02 (Block legacy formats), CIS Office Benchmark.

Monitoring

Gebruik PowerShell-script word2-earlier-binary-blocked.ps1 (functie Invoke-Monitoring) – Controleren.

Remediatie

Gebruik PowerShell-script word2-earlier-binary-blocked.ps1 (functie Invoke-Remediation) – Herstellen.

Compliance & Frameworks

Automation

Gebruik het onderstaande PowerShell script om deze security control te monitoren en te implementeren. Het script bevat functies voor zowel monitoring (-Monitoring) als remediation (-Remediation).

PowerShell
<# .SYNOPSIS Blokkeert Word 2 en oudere binary bestanden .DESCRIPTION CIS O365-WD-000008 .NOTES Registry: HKCU:\Software\Policies\Microsoft\Office\16.0\WORD\Security, word2earlierbinaryblocked = 1 #> #Requires -Version 5.1 param([switch]$Monitoring, [switch]$Remediation, [switch]$Revert, [switch]$WhatIf) $RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\WORD\Security"; $ValueName = "word2earlierbinaryblocked"; $ExpectedValue = 1; $ControlID = "O365-WD-000008" function Test-Compliance { try { if (-not(Test-Path $RegistryPath)) { return $false }; $c = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; return($c -and $c.$ValueName -eq $ExpectedValue) }catch { return $false } } function Invoke-Monitoring { Write-Host "Monitoring ${ControlID}" -ForegroundColor Green; try { if (-not(Test-Path $RegistryPath)) { Write-Host "βœ— Non-compliant" -ForegroundColor Red; return $false }; $c = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; if ($c -and $c.$ValueName -eq $ExpectedValue) { Write-Host "βœ“ Compliant" -ForegroundColor Green; return $true }else { Write-Host "βœ— Non-compliant" -ForegroundColor Red; return $false } }catch { Write-Host "βœ— Fout" -ForegroundColor Red; return $false } } function Invoke-Remediation { Write-Host "Remediating ${ControlID}" -ForegroundColor Yellow; try { if ($WhatIf) { Write-Host "WhatIf" -ForegroundColor Cyan; return $true }; if (-not(Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }; Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $ExpectedValue -Type DWord -Force; Write-Host "βœ“ Ingesteld" -ForegroundColor Green; Start-Sleep -Seconds 1; return Invoke-Monitoring }catch { Write-Host "βœ— Fout" -ForegroundColor Red; return $false } } function Invoke-Revert { Write-Host "Reverting ${ControlID}" -ForegroundColor Yellow; try { if ($WhatIf) { Write-Host "WhatIf" -ForegroundColor Cyan; return $true }; if (Test-Path $RegistryPath) { Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; Write-Host "βœ“ Verwijderd" -ForegroundColor Green }; return $true }catch { Write-Host "βœ— Fout" -ForegroundColor Red; return $false } } try { if ($Monitoring) { exit $(if (Invoke-Monitoring) { 0 }else { 1 }) }elseif ($Remediation) { exit $(if (Invoke-Remediation) { 0 }else { 1 }) }elseif ($Revert) { exit $(if (Invoke-Revert) { 0 }else { 1 }) }else { Write-Host "Gebruik: .\word2-earlier-binary-blocked.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow } }catch { Write-Host "βœ— Fout" -ForegroundColor Red; exit 1 }

Risico zonder implementatie

Risico zonder implementatie
Medium: Medium: Word 2.x files = ancient unpatched vulnerabilities (30+ year old code).

Management Samenvatting

Block Word 2.x binary files. Ancient format (1987-1993). Zero business use. Unpatched vulnerabilities. Implementatie: 1-2 uur.