2.3.18.4 Ensure 'Never allow users to specify groups when restricting permission for documents' is set to 'Enabled'

Information

This policy setting controls whether Office users can assign permissions to distribution lists when using Information Rights Management.

The recommended state for this setting is: Enabled.

Rationale:

By default, Office users can specify distribution lists when using Information Rights Management (IRM) to restrict access to Excel workbooks, InfoPath templates, Outlook e-mail messages, PowerPoint presentations, or Word documents. If users are not fully aware of the distribution list's membership before assigning it permission to open or modify a document, sensitive information could be at risk.

Impact:

Enabling this setting could cause some disruptions for Office users who are accustomed to specifying distribution groups when defining permissions for a document. These users will have to list users individually in the Permission dialog box to assign them permission to read or modify the document. Users who do not use Information Rights Management will not be affected by this setting.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to Enabled:

User Configuration\Administrative Templates\Microsoft Office 2016\Manage Restricted Permissions\Never Allow Users to Specify Groups When Restricting Permission for Documents

Default Value:

Disabled. (Users can specify distribution lists when using IRM.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2

Plugin: Windows

Control ID: da0776ea2c0f8066a43eb1c852a8c9f4d2a95178fa8db8bf92ad51c2cdb732a6