6.4 Set 'Always require users to connect to verify permission' to 'Enabled'

Information

This policy setting controls whether users are required to connect to the Internet or a local
network to have their licenses confirmed every time they attempt to open Excel
workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint
presentations, or Word documents that are protected by Information Rights Management
(IRM). This policy is useful if you want to log the usage of files with restricted permissions
on the server. If you enable this policy setting, users are required to connect to verify
permissions. This policy setting will only affect protected files created on machines where
the policy is enabled. If you disable or do not configure this policy setting, users are not
required to connect to the network to verify permissions. The recommended state for this
setting is- Enabled.

*Rationale*

By default, users are not required to connect to the network to verify permissions. If users
do not need their licenses confirmed when attempting to open Office 2010 documents, they
might be able to access documents after their licenses have been revoked. Also, it is not
possible to log the usage of files with restricted permissions if users' licenses are not
confirmed.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Office 2010\Manage Restricted
Permissions\Always require users to connect to verify permission

Impact-Enabling this setting could create problems for users who need to open rights-managed
files when they are not connected to the Internet, such as mobile users. Consider surveying
your organization to determine users' need for offline use of rights-managed files before
enabling this setting.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: daa2fb1c484fa951af163853124af947670fbb7cdeace15f4b77a00a4e326d0c