1.3 Set 'Access to published calendars' to 'Enabled'

Information

This policy setting determines what restrictions apply to users who publish their calendars
on Office.com or third-party World Wide Web Distributed Authoring and Versioning
(WebDAV) servers. If you enable or disable this policy setting, calendars that are published
on Office.com must have restricted access (users other than the calendar owner/publisher
who wish to view the calendar can only do so if they receive invitations from the calendar
owner), and users cannot publish their calendars to third-party DAV servers. If you do not
configure this policy setting, users can share their calendars with others by publishing
them to the Office.com Calendar Sharing Services and to a server that supports the World
Wide Web Distributed Authoring and Versioning (WebDAV) protocol. Office.com allows
users to choose whether to restrict access to their calendars to people they invite, or allow
unrestricted access to anyone who knows the URL to reach the calendar. DAV access
restrictions can only be achieved through server and folder permissions, and might require
the assistance of a server administrator to set up and maintain. The recommended state for
this setting is- Enabled.

*Rationale*

By default, users can share their calendars with others by publishing them to the Microsoft
Office.com Calendar Sharing Services and to a server that supports the World Wide Web
Distributed Authoring and Versioning (WebDAV) protocol. Office.com allows users to
choose whether to restrict access to their calendars to people they invite, or allow
unrestricted access to anyone who knows the URL to reach the calendar. DAV access
restrictions can only be achieved through server and folder permissions, and might require
the assistance of a server administrator to set up and maintain. If a calendar is visible to
anyone on Office.com or third-party DAV servers, sensitive information might be revealed
contained in calendar appointments.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2010\Outlook
Options\Preferences\Calendar Options\Office.com Sharing Service\Access to published
calendars

Impact-Most users probably don't want to make their calendars available to every user on
Office.com, so the effect will likely be minimal in most environments.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-20

Plugin: Windows

Control ID: b3d0eb09d4856cc0766b8f702a525ba82361c692a4907fe627cd78c7abdc4bf3