2.17.1 Ensure 'Prevent Users From Changing Permissions on Rights Managed Content' is set to Disabled

Information

This policy setting controls whether Office users can change permissions for content that is protected with Information Rights Management (IRM). The Information Rights Management feature of Office allows individuals and administrators to specify access permissions to Word documents, Excel workbooks, PowerPoint presentations, InfoPath templates and forms, and Outlook e-mail messages. This functionality helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. The recommended state for this setting is: Disabled. The Information Rights Management feature of the Office release allows individuals and administrators to specify access permissions to Word documents, Excel workbooks, PowerPoint presentations, InfoPath templates and forms, and Outlook e-mail messages. This functionality helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. This setting can be used to prevent Office users from changing the IRM permissions of a document. If this setting is Enabled, users can open and edit documents for which they have the appropriate permissions, but they cannot create new rights-managed content, add IRM to existing documents, change existing IRM permissions, or remove IRM from documents. This configuration can prevent users from making effective use of IRM to protect documents

Solution

To implement the recommended configuration state, set the following Group Policy setting to Disabled. User Configuration\Administrative Templates\Microsoft Office 2016\Manage Restricted Permissions\Prevent Users From Changing Permissions on Rights Managed Content Impact: Disabling this setting enforces the Office default configuration, and is therefore unlikely to cause significant usability issues for most users.

See Also

https://workbench.cisecurity.org/files/571

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Windows

Control ID: 13c34f0c2421284b64e7418858569899c56ad16d0d1c0686c89f059aadcd0a8c