Check: DTOO218 - Outlook
Microsoft Outlook 2010 STIG:
DTOO218 - Outlook
(in versions v1 r13 through v1 r12)
Title
Level of calendar details that a user can publish must be restricted. (Cat II impact)
Discussion
Outlook users can share their calendars with selected others by publishing them to the Microsoft Office Outlook Calendar Sharing Service. Users can choose from three levels of detail: • Availability only. Authorized visitors will see the user's time marked as Free, Busy, tentative, or Out of Office, but will not be able to see the subjects or details of calendar items. • Limited details. Authorized visitors can see the user's availability and the subjects of calendar items only. They will not be able to view the details of calendar items. Optionally, users can allow visitors to see the existence of private items. • Full details. Authorized visitors can see the full details of calendar items. Optionally, users can allow visitors to see the existence of private items and to access attachments within calendar items. If users are allowed to publish limited or full details, sensitive information in their calendars could become exposed to parties who are not authorized to have that information.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service “Restrict level of calendar details users can publish” must be “Enabled (Disables ‘Full details’ and ‘Limited details’)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\outlook\options\pubcal Criteria: If the value PublishCalendarDetailsPolicy is REG_DWORD = 4000 (hex) or 16384 (Decimal), this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service “Restrict level of calendar details users can publish” to “Enabled (Disables ‘Full details’ and ‘Limited details’)”.
Additional Identifiers
Rule ID: SV-33516r1_rule
Vulnerability ID: V-17776
Group Title: DTOO218 - Calendar details published by users
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |