Title

Prevent publishing to a Web Distributed and Authoring (DAV) server - Outlook. (Cat II impact)

Discussion

By default, Outlook 2007 users can share their calendars with others by publishing them to a server that supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. Unlike the Microsoft Office Online Calendar Sharing Service, which allows users to manage other people's access to their calendars, DAV access restrictions can only be accomplished through server and folder permissions, and might require the assistance of the server administrator to set up and maintain. If these permissions are not managed properly, unauthorized people could access sensitive information.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Preferences -> Calendar Options -> Microsoft Office Online Sharing Service “Prevent publishing to a DAV server” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal\ Criteria: If the value DisableDav is REG_DWORD = 1, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Preferences -> Calendar Options -> Microsoft Office Online Sharing Service “Prevent publishing to a DAV server” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18962r1_rule

Vulnerability ID: V-17762

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.