Title

Internet calendar integration in Outlook must be disabled. (Cat II impact)

Discussion

The Internet Calendar feature in Outlook enables users to publish calendars online (using the webcal:// protocol) and subscribe to calendars that others have published. When users subscribe to an Internet calendar, Outlook queries the calendar at regular intervals and downloads any changes as they are posted. By default, Outlook allows users to subscribe to Internet calendars. When an organization has policies that govern the use of external resources such as Internet calendars, this feature will enable users to violate those policies.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Account Settings -> Internet Calendars "Do not include Internet Calendar integration in Outlook" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\webcal Criteria: If the value Disable is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Account Settings -> Internet Calendars "Do not include Internet Calendar integration in Outlook" to "Enabled".

Additional Identifiers

Rule ID: SV-242734r960963_rule

Vulnerability ID: V-242734

Group Title: SRG-APP-000141

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.