Title

Publishing calendars to Office Online must be prevented. (Cat II impact)

Discussion

Outlook users can share their calendars with selected others by publishing them to the Microsoft Office Outlook Calendar Sharing Service. Users can control who can view their calendar and at what level of detail. When an organization has policies that govern access to external resources such as Office Online, allowing users to publish their calendars will enable them to violate those policies.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to Office.com" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal Criteria: If the value DisableOfficeOnline is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to Office.com" to "Enabled".

Additional Identifiers

Rule ID: SV-53869r1_rule

Vulnerability ID: V-17763

Group Title: DTOO216 - Publishing to Office Online

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.