vlComplianceSettings.ps1
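#Requires -RunAsAdministrator
# Get-Process -IncludeUserName (used below) was introduced in PowerShell 4.0, so the script cannot run on 3.0.
#Requires -Version 4
<#
.SYNOPSIS
- Disable Microsoft Office macro execution, by querying all currently logged on users (a running shell (explorer.exe)) and setting the appropriate values via registry under HKU:\<SID>\SOFTWARE\Policies\Microsoft\Office
- Disable Microsoft Office DDE execution (https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440)
- Disable web search in start menu by modifying BingSearchEnabled and CortanaConsent values
.NOTES
Author: vast limits GmbH
Version: 1.0.3
.DESCRIPTION
1.0.3: As the only product, Outlook does not use 'VBAWarnings' for controlling macro behaviour. Instead 'Level' is being used
1.0.2: Fixed an error while determining the 'HKU:\<SID>\SOFTWARE\Policies\Microsoft\Office' path
1.0.1: Minor bugfixes
1.0.0: Initial release
#>
# Scope caveats for anyone relying on this as a hardening control:
# - Only users with a running explorer.exe at execution time are processed. Users who log on
#   later, and profiles whose hive is not loaded under HKEY_USERS, are not covered; a Group
#   Policy or a logon-triggered run is needed for full coverage.
# - The macro settings go to the per-user Policies key, but the DDE and web search values are
#   written to ordinary per-user preference keys, which the user can presumably change back.
# - The DDE section sets only WorkbookLinkWarnings and DontUpdateLinks; compare against the
#   advisory linked above before treating DDE as fully mitigated.
Try {
    #region variables
    # Adjust variables to your needs
    # 'Continue' means a failed registry write is reported but does not stop the run, so the
    # "... disabled." messages below are not proof that every value was written. Check the transcript.
    $ErrorActionPreference = 'Continue'
    # NOTE(review): folders created under %ProgramData% normally inherit ACLs that let standard
    # users create files. This elevated script writes its transcript here, so consider
    # restricting the ACL of this directory - confirm against your baseline.
    If(!(Test-Path -Path "$env:programdata\vast limits")) { New-Item -Path $env:programdata -Name "vast limits" -ItemType Directory -Force | Out-Null }
    $ScriptPath = "$env:programdata\vast limits\"
    $Log = "vlComplianceSettings.log"
    Start-Transcript -Path $($ScriptPath+$Log) | Out-Null
    $LoggedOnUsers = @{}
    $OfficeVersions = @(
        "16.0", #2016, 2019, 365
        "15.0", #2013
        "14.0", #2010
        "12.0", #2007
        "11.0") #2003
    $MacroKeys = @(
        "Access\Security",
        "Excel\Security",
        "MS Project\Security",
        "Outlook\Security",
        "PowerPoint\Security",
        "Publisher\Security",
        "Visio\Security",
        "Word\Security")
    #endregion

    #region helpers
    # Writes a DWORD value, creating the registry key first only when it does not exist yet.
    # The full key path is passed explicitly instead of being concatenated from the current
    # location, so the result does not depend on whether a path ends with a backslash.
    Function Set-vlRegistryDword {
        Param(
            [Parameter(Mandatory = $true)][string]$Path,
            [Parameter(Mandatory = $true)][string]$Name,
            [Parameter(Mandatory = $true)][int]$Value
        )
        # New-Item -Force is only used for missing keys; on an existing key it may re-create
        # the key and discard values that are already stored there.
        If(!(Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWORD -Value $Value -Force | Out-Null
    }
    #endregion

    Write-Verbose "Querying logged on user(s) and determining SID." -Verbose
    # A user can own several explorer.exe processes, and UserName can be empty for a process
    # that could not be queried. De-duplicate and drop empty names so that one odd entry does
    # not throw and abort the whole run.
    $UserNames = @((Get-Process -Name explorer -IncludeUserName).UserName | Where-Object { $_ } | Sort-Object -Unique)
    ForEach($userName in $UserNames) {
        $LoggedOnUsers[$userName] = (New-Object System.Security.Principal.NTAccount $userName).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    Write-Verbose "Creating PSDrive for HKU." -Verbose
    New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

    Write-Verbose ">> Disable Microsoft Office macro execution." -Verbose
    ForEach($sid in $LoggedOnUsers.Values) {
        Write-Verbose "> Processing SID $sid" -Verbose
        ForEach($version in $OfficeVersions) {
            # An Office version counts as present when the user's hive has a key for it.
            If(Test-Path -Path "HKU:\$sid\SOFTWARE\Microsoft\Office\$version") {
                Write-Verbose "Detected Office $version" -Verbose
                $PolicyRoot = "HKU:\$sid\SOFTWARE\Policies\Microsoft\Office\$version"
                ForEach($macrokey in $MacroKeys) {
                    # Outlook controls macro behaviour through 'Level', all other products through 'VBAWarnings'.
                    If($macrokey -match "Outlook") { $macrocontrolkey = "Level" }
                    Else { $macrocontrolkey = "VBAWarnings" }
                    # 4 = disable all macros without notification.
                    Set-vlRegistryDword -Path "$PolicyRoot\$macrokey" -Name $macrocontrolkey -Value 4
                }
                Write-Verbose "Office $version macros disabled." -Verbose
            }
        }
    }

    Write-Verbose ">> Disable Microsoft Office Dynamic Data Exchange (DDE) execution." -Verbose
    ForEach($sid in $LoggedOnUsers.Values) {
        Write-Verbose "> Processing SID $sid" -Verbose
        ForEach($version in $OfficeVersions) {
            $OfficeRoot = "HKU:\$sid\SOFTWARE\Microsoft\Office\$version"
            If(Test-Path -Path $OfficeRoot) {
                Write-Verbose "Detected Office $version" -Verbose
                # Compare as versions, not as strings, so the check stays correct for any version number.
                If([version]$version -ge [version]"14.0") {
                    Set-vlRegistryDword -Path "$OfficeRoot\Excel\Security" -Name "WorkbookLinkWarnings" -Value 2
                    Set-vlRegistryDword -Path "$OfficeRoot\Word\Options" -Name "DontUpdateLinks" -Value 1
                    Set-vlRegistryDword -Path "$OfficeRoot\Word\Options\WordMail" -Name "DontUpdateLinks" -Value 1
                    Write-Verbose "Office $version DDE execution disabled." -Verbose
                }
                ElseIf($version -eq "12.0") {
                    Set-vlRegistryDword -Path "$OfficeRoot\Word\Options\vpref" -Name "fNoCalclinksOnopen_90_1" -Value 1
                    Write-Verbose "Office $version DDE execution disabled." -Verbose
                }
                Else { Write-Verbose "No applicable Microsoft Office version detected." -Verbose }
            }
        }
    }

    Write-Verbose ">> Disable web search in start menu." -Verbose
    ForEach($sid in $LoggedOnUsers.Values) {
        Write-Verbose "> Processing SID $sid" -Verbose
        $SearchKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Search"
        Set-vlRegistryDword -Path $SearchKey -Name "BingSearchEnabled" -Value 0
        Set-vlRegistryDword -Path $SearchKey -Name "CortanaConsent" -Value 0
        Write-Verbose "Start menu web search disabled." -Verbose
    }
}
Catch {
    # The assignment needs the '$' sigil; without it PowerShell looks for a command named
    # 'ErrorMessage' and the original failure is never reported.
    $ErrorMessage = $_.Exception.Message
    Write-Error $ErrorMessage
}
Finally {
    Stop-Transcript | Out-Null
}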