Title

Access restriction settings for published calendars in Outlook. (Cat II impact)

Discussion

By default, users can share their calendars with others by publishing them to the Microsoft Office Online Calendar Sharing Services and to a server that supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. Office Online allows users to choose whether to restrict access to their calendars to people they invite, or allow unrestricted access to anyone who knows the URL to reach the calendar. DAV access restrictions can only be achieved through server and folder permissions, and might require the assistance of a server administrator to set up and maintain. If a calendar is visible to anyone on Office Online or third-party DAV servers, sensitive information might be revealed contained in calendar appointments.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Preferences -> Calendar Options -> Microsoft Office Online Sharing Service “Access to published calendars” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal Criteria: If the value RestrictedAccessOnly is REG_DWORD = 1, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Preferences -> Calendar Options -> Microsoft Office Online Sharing Service “Access to published calendars” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18641r1_rule

Vulnerability ID: V-17546

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.