Detections
Analytics

1.9.8.1.2.4 Ensure 'Restrict level of calendar details users can publish' is set to Enabled:Disables 'Full details' and 'Limited details'

Information

This policy setting controls the level of calendar details that Outlook users can publish to the Microsoft Outlook Calendar Sharing Service.

 If you enable this policy setting, you can choose from three levels of detail:

 * All options are available - This level of detail is the default configuration.

 * Disables 'Full details'

 * Disables 'Full details' and 'Limited details'

 If you disable or do not configure this policy setting, Outlook users can share their calendars with selected others by publishing them to the Microsoft Outlook Calendar Sharing Service. Users can choose from three levels of detail:

 * Availability only - Authorized visitors will see the user's time marked as Free, Busy, Tentative, or Out of Office, but will not be able to see the subjects or details of calendar items.

 * Limited details - Authorized visitors can see the user's availability and the subjects of calendar items only. They will not be able to view the details of calendar items. Optionally, users can allow visitors to see the existence of private items.

 * Full details - Authorized visitors can see the full details of calendar items. Optionally, users can allow visitors to see the existence of private items. The recommended state for this setting is: Enabled:Disables 'Full details' and 'Limited details'.

 Rationale:

 By default, Outlook users can share their calendars with selected others by publishing them to the Microsoft Office Outlook Calendar Sharing Service. Users can choose from three levels of detail:

 * Availability only. Authorized visitors will see the user's time marked as Free, Busy, Tentative, or Out of Office, but will not be able to see the subjects or details of calendar items.

 * Limited details. Authorized visitors can see the user's availability and the subjects of calendar items only. They will not be able to view the details of calendar items. Optionally, users can allow visitors to see the existence of private items.

 * Full details. Authorized visitors can see the full details of calendar items. Optionally, users can allow visitors to see the existence of private items and to access attachments within calendar items.

 If users are allowed to publish limited or full details, sensitive information in their calendars could become exposed to parties who are not authorized to have that information.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

 User Configuration\Administrative Templates\Microsoft Outlook 2016\Outlook Options\Preferences\Calendar Options\Office.com Sharing Service\Restrict level of calendar details users can publish

 Then set the Restrict level of calendar details users can publish option to Disables 'Full details' and 'Limited details'.

 Impact:

 Choosing Disables 'Full details' or Disables 'Full details' and 'Limited details' could cause disruptions for Outlook users who rely on the ability to publish details of their appointments to the Microsoft Office Outlook Calendar Sharing Service. These users will have to communicate appointment details to outside parties by other means.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 24167b12856f4768332bf68bc60cf9d267150c42a28367a630a7ee45a444001d