4.2 Set 'Prevent users from changing permissions on rights managed content' to 'Disabled'

Information

This policy setting controls whether Office 2010 users can change permissions for content
that is protected with Information Rights Management (IRM).
The Information Rights Management feature of Office 2010 allows individuals and
administrators to specify access permissions to Word documents, Excel workbooks,
PowerPoint presentations, InfoPath templates and forms, and Outlook e-mail messages.
This functionality helps prevent sensitive information from being printed, forwarded, or
copied by unauthorized people.
If you enable this policy setting, users can open and edit documents for which they have the
appropriate permissions, but they cannot create new rights-managed content, add IRM to
existing documents, change existing IRM permissions, or remove IRM from documents.
If you disable or do not configure this policy setting, Office 2010 users can add, remove, or
change IRM permissions for documents if they are authorized to do so. The recommended
state for this setting is- Disabled.


*Rationale*

The Information Rights Management feature of the Office 2010 release allows individuals
and administrators to specify access permissions to Word 2010 documents, Excel 2010
workbooks, PowerPoint 2010 presentations, InfoPath 2010 templates and forms, and
Outlook 2010 e-mail messages. This functionality helps prevent sensitive information from
being printed, forwarded, or copied by unauthorized people.
This setting can be used to prevent Office 2010 users from changing the IRM permissions of
a document. If this setting is Enabled, users can open and edit documents for which they
have the appropriate permissions, but they cannot create new rights-managed content, add
IRM to existing documents, change existing IRM permissions, or remove IRM from
documents. This configuration can prevent users from making effective use of IRM to
protect documents.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Disabled.

User Configuration\Administrative Templates\Microsoft Office 2010\Manage Restricted
Permissions\Prevent users from changing permissions on rights managed content

Impact-Disabling this setting enforces the Office 2010 default configuration, and is therefore
unlikely to cause significant usability issues for most users.5 Security and Privacy Settings

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3

Plugin: Windows

Control ID: 4fb77db36aeebb07f8afb29b33cc0579c38eaf6379e3d7198a33abd09ee59c18