Title

Publishing to a Web Distributed and Authoring (DAV) server must be prevented. (Cat II impact)

Discussion

Outlook users can share their calendars with others by publishing them to a server that supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. Unlike the Microsoft Office Online Calendar Sharing Service, which allows users to manage other people's access to their calendars, DAV access restrictions can only be accomplished through server and folder permissions, and might require the assistance of the server administrator to set up and maintain. If these permissions are not managed properly, unauthorized people could access sensitive information.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service “Prevent publishing to a DAV server” must be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\outlook\options\pubcal Criteria: If the value DisableDav is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service “Prevent publishing to a DAV server” to “Enabled”.

Additional Identifiers

Rule ID: SV-33514r1_rule

Vulnerability ID: V-17762

Group Title: DTOO217 - Prevent publishing to DAV Servers

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.