Title

Access restriction settings for published calendars must be configured. (Cat II impact)

Discussion

Users can share their calendars with others by publishing them to the Microsoft Office Online Calendar Sharing Services and to a server that supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. Office Online allows users to choose whether to restrict access to their calendars to people they invite, or allow unrestricted access to anyone who knows the URL to reach the calendar. DAV access restrictions can only be achieved through server and folder permissions, and might require the assistance of a server administrator to set up and maintain. If a calendar is visible to anyone on Office Online or third-party DAV servers, sensitive calendar information might be revealed.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Access to published calendars" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal Criteria: If the value RestrictedAccessOnly is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Access to published calendars" to "Enabled".

Additional Identifiers

Rule ID: SV-53872r1_rule

Vulnerability ID: V-17546

Group Title: DTOO219 - Access to Published Calendars

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.