Outlook: Managing Access to Published Calendars

💼 Management Summary

Managing access to published calendars prevents unintended exposure of confidential meeting information, personal schedules and business-critical planning data to unauthorized parties via publicly accessible calendar URLs.

Recommendation: IMPLEMENT
Risk without implementation: Medium
Risk score: 6/10
Implementation effort: 9h (technical: 4h)
Applies to:
  1. Microsoft Office 365 ProPlus
  2. Microsoft Outlook 2016
  3. Microsoft Outlook 2019
  4. Microsoft Outlook 2021
  5. Microsoft 365 Apps
  6. Outlook for Windows

Outlook can publish calendars to the internet via public URLs (calendar.live.com, Office 365 calendar publishing). This creates privacy and security risks:

  1. **Leakage of confidential meeting information**: Published calendars can expose executive meeting schedules (board meetings, strategic planning), client/customer meetings with organization names and topics, M&A activities, financial reporting schedules, product launch timings and security response activities.
  2. **Personal privacy invasions**: Users accidentally publish personal calendars containing medical appointments, family activities, holiday plans and private meetings that reveal location and attendance patterns.
  3. **Reconnaissance for targeted attacks**: Attackers use published calendars to identify when executives are out of the office (optimal attack timing), build profiles of organizational activities and schedules, plan social engineering attacks (knowing when a target is available) and assess physical security (knowing when facilities are empty).
  4. **Data leakage via calendar metadata**: Even 'Busy' markers without details reveal work patterns and availability, meeting frequency (an indication of role or seniority), time zones and travel patterns.
  5. **Credential exposure**: Published calendar URLs contain tokens that, if leaked, grant permanent access until revoked.

Real-world scenarios: an executive calendar is published and a competitor sees the strategic meeting schedule; a personal calendar is online and a stalker uses it to track the individual's whereabouts; an M&A calendar leaks and deal information is exposed prematurely; a security team's schedule is published and attackers time their attacks to known downtime.

PowerShell Modules Required
Primary API: Exchange Online / Group Policy
Connection: Exchange PowerShell or Outlook registry settings
Required modules: ExchangeOnlineManagement

Implementation Approach

This control manages calendar publishing through several mechanisms:

  1. **Exchange Online calendar sharing policies**: Configure organization-wide policies for external calendar sharing (block, limited detail or full detail).
  2. **Outlook client settings**: Registry settings that disable or restrict calendar publishing features.
  3. **User education**: Training on the risks of calendar publishing and on alternatives (delegate access, scheduling tools such as FindTime).

Best practice: deny external calendar publishing by default and allow it only case by case, through an approval process, for legitimate business needs.

Requirements

Implementing calendar publishing controls requires the following:

  1. Exchange Online or Exchange Server 2016+
  2. Exchange Administrator rights for sharing policy configuration
  3. Microsoft Office 2016+ (if client-side registry controls are used)
  4. Administrator rights for Group Policy or Intune configuration
  5. ExchangeOnlineManagement PowerShell module for policy management
  6. User awareness training on calendar privacy risks
  7. Alternative scheduling solutions (Microsoft Bookings, FindTime) for legitimate external scheduling needs
  8. A data classification policy that categorizes calendar information as Confidential
  9. An incident response process for leaked calendar URLs

Implementation

Implementation requires a multi-layer approach: Exchange policies, client settings and user education:

**PHASE 1: Exchange Online Sharing Policy Configuration (Primary)**

  1. Connect to Exchange Online: Connect-ExchangeOnline
  2. Review the current sharing policy: Get-SharingPolicy | Format-List
  3. The default policy, typically 'Default Sharing Policy', allows external calendar sharing
  4. **Recommended configuration**: Disable external calendar publishing: Set-SharingPolicy 'Default Sharing Policy' -Domains @{Remove='*'}
  5. Alternative (limited sharing): Set-SharingPolicy 'Default Sharing Policy' -Domains 'Anonymous:CalendarSharingFreeBusySimple'
  6. Verify the configuration: Get-SharingPolicy | Format-List Domains
  7. Test: a user must NOT be able to publish a calendar to the internet

**PHASE 2: Outlook Client Registry Settings (Defense-in-Depth)**

  1. **Group Policy**: HKCU\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Options\Calendar
  2. Value: DisableCalendarPublishing = 1 (DWORD) disables the UI option
  3. **Intune**: custom OMA-URI policy for the calendar publishing registry keys
  4. These client-side settings are a backup for the Exchange policies

**PHASE 3: Audit Existing Published Calendars**

  1. Identify users who published calendars BEFORE the policy implementation
  2. PowerShell (Get-MailboxCalendarFolder requires a folder identity, so enumerate mailboxes first): Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MailboxCalendarFolder -Identity "$($_.PrimarySmtpAddress):\Calendar" } | Where-Object { $_.PublishEnabled -eq $true }
  3. Contact these users to revoke the published calendars
  4. Revoke published URLs: Set-MailboxCalendarFolder -Identity user@domain.com:\Calendar -PublishEnabled $false
  5. Document legitimate use cases for exception review

**PHASE 4: User Communication and Training**

  1. Communicate the policy change 2 weeks before implementation
  2. Explain the risks of calendar publishing (confidentiality, reconnaissance, privacy)
  3. Provide alternatives: internal calendar sharing (delegate access), Microsoft Bookings for external appointment scheduling, FindTime for meeting coordination, traditional scheduling methods (email, phone)
  4. Create a process for legitimate exception requests with privacy review

**PHASE 5: Alternative Solutions for Legitimate Needs**

  1. **Microsoft Bookings**: For external appointment scheduling (doctor's offices, consultants)
  2. **FindTime**: For meeting coordination without exposing the full calendar
  3. **Delegate Access**: For internal assistants/coordinators
  4. **Limited Detail Sharing**: For specific meetings only (not the entire calendar)
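The Phase 1 and Phase 2 steps above, worked into one added PowerShell example (not the page's access-published-calendars-enabled.ps1 script and not Microsoft code). It assumes an existing Connect-ExchangeOnline session for the sharing-policy functions and a session with rights to HKCU for the registry function. The policy name 'Default Sharing Policy', the registry key and the DisableCalendarPublishing value are the ones the page names; the function names, the severity labels and the choice to disable the policy outright when no non-anonymous domain entry would remain are my own.

```powershell
# Added example: harden and verify external calendar sharing (Phase 1) and the
# Outlook client registry backup control (Phase 2). Not the page's own script.
# Assumes Connect-ExchangeOnline has already been run.

function Get-ExternalCalendarSharingFindings {
    # One finding per Domains entry of the sharing policy. Entries look like
    # 'Anonymous:CalendarSharingFreeBusySimple' or '*:CalendarSharingFreeBusyDetail'.
    # Anonymous entries enable public calendar URLs and are always a finding;
    # named-domain entries are flagged when they share more than plain free/busy.
    param([string]$PolicyName = 'Default Sharing Policy')   # page's default policy name

    $policy = Get-SharingPolicy -Identity $PolicyName
    foreach ($entry in @($policy.Domains)) {
        $domain, $action = "$entry" -split ':', 2
        $severity = if ($domain -eq 'Anonymous') { 'High' }          # public URL publishing
                    elseif ($action -ne 'CalendarSharingFreeBusySimple') { 'Medium' }  # more than free/busy
                    else { 'Info' }                                   # free/busy only
        [PSCustomObject]@{
            Policy   = $policy.Name
            Enabled  = $policy.Enabled
            Domain   = $domain
            Action   = $action
            Severity = $severity
        }
    }
}

function Disable-AnonymousCalendarPublishing {
    # Remove every 'Anonymous:*' entry so no public calendar URL can be issued,
    # but keep named-domain (federated) sharing entries intact. If nothing would
    # remain, disable the policy instead of writing an empty Domains list.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$PolicyName = 'Default Sharing Policy')

    $policy  = Get-SharingPolicy -Identity $PolicyName
    $current = @($policy.Domains | ForEach-Object { "$_" })
    $keep    = @($current | Where-Object { $_ -notmatch '^Anonymous:' })

    if ($keep.Count -eq $current.Count) {
        Write-Verbose "No anonymous entries in '$PolicyName'; nothing to change."
        return
    }
    if ($keep.Count -eq 0) {
        if ($PSCmdlet.ShouldProcess($PolicyName, 'Disable sharing policy (only anonymous entries present)')) {
            Set-SharingPolicy -Identity $PolicyName -Enabled $false
        }
    } elseif ($PSCmdlet.ShouldProcess($PolicyName, "Set Domains to: $($keep -join ', ')")) {
        Set-SharingPolicy -Identity $PolicyName -Domains $keep
    }
}

function Set-OutlookCalendarPublishingBlock {
    # Phase 2 client-side backup: the DWORD the page names under the Outlook 16.0
    # policy key. Shown per-user (HKCU); roll it out via GPO or Intune at scale.
    # Returns $true only after reading the value back.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Options\Calendar',
        [string]$ValueName = 'DisableCalendarPublishing'
    )
    if ($PSCmdlet.ShouldProcess($KeyPath, "Set $ValueName = 1")) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -Type DWord
    }
    $readBack = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $readBack -and $readBack.$ValueName -eq 1)
}

# Usage: review first, rehearse the change with -WhatIf, then apply and re-verify.
Get-ExternalCalendarSharingFindings | Format-Table Policy, Domain, Action, Severity
Disable-AnonymousCalendarPublishing -WhatIf
Disable-AnonymousCalendarPublishing -Verbose
Get-ExternalCalendarSharingFindings | Where-Object Severity -eq 'High'   # expected: no output
Set-OutlookCalendarPublishingBlock -WhatIf
```

The verification step deliberately re-reads the policy and the registry value instead of trusting the write, which is also the check that the monitoring section's monthly policy review should repeat. Named-domain entries are reported but left alone, because federated free/busy sharing with partner tenants is a separate decision from public publishing.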

Monitoring and Control

Use the PowerShell script access-published-calendars-enabled.ps1 (function Invoke-Monitoring) to check.

Continuous monitoring is essential to ensure compliance with the calendar publishing policy:

**Monitoring Strategies:**

  1. **Exchange sharing policy audit**: Monthly review of the Get-SharingPolicy configuration
  2. **Published calendar detection**: Weekly scan for published calendars: Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-MailboxCalendarFolder -Identity "$($_.PrimarySmtpAddress):\Calendar" } | Where-Object PublishEnabled
  3. **User behavior analytics**: Track attempts to publish calendars (blocked by policy)
  4. **Exception tracking**: Maintain a register of approved exceptions with privacy review dates
  5. **Alternative solution adoption**: Monitor Microsoft Bookings/FindTime usage as the replacement for calendar publishing
  6. **Incident monitoring**: Track reports of leaked calendar URLs (via security team/helpdesk)

**Key Performance Indicators (KPIs):**

  1. Exchange sharing policy compliance: 100% enforcement (no unauthorized calendar publishing)
  2. Published calendars: target 0 (except approved exceptions)
  3. User awareness: >80% of users understand calendar privacy risks (annual survey)
  4. Alternative solution adoption: >50% increase in Bookings/FindTime usage post-implementation
  5. Exception requests: <5 per year, all with a documented privacy review
  6. Incident rate: 0 calendar information leakage incidents
  7. User satisfaction: >70% acceptance of the policy (quarterly survey)

Remediation and Troubleshooting

Use the PowerShell script access-published-calendars-enabled.ps1 (function Invoke-Remediation) to remediate.

When published calendars or policy violations are detected:

**Incident Response for a Leaked Calendar:**

  1. Immediate revocation: Set-MailboxCalendarFolder -PublishEnabled $false
  2. Assess exposure: what was visible in the published calendar (meeting details, attendees, locations)?
  3. Notify stakeholders: inform affected users and the security team
  4. Review for intelligence gathering: has a competitor or adversary used the calendar information?
  5. Document lessons learned: update training materials with the real-world case
  6. Consider breach notification if personal data was exposed (GDPR/AVG requirements)
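Phase 3 (audit of existing published calendars), the weekly published-calendar scan and exception register from the monitoring section, and incident-response steps 1 and 2 above, combined into one added PowerShell example (not the page's script and not Microsoft code). It assumes a Connect-ExchangeOnline session. The exception register layout (Mailbox, MaxDetail, ReviewBy), the example.invalid mailbox, the candidate folder names and all function and parameter names are constructed for this example; the Get-MailboxCalendarFolder properties used (PublishEnabled, DetailLevel, PublishDateRangeFrom/To, PublishedCalendarUrl, PublishedICalUrl, SearchableUrlEnabled) are the cmdlet's own.

```powershell
# Added example: inventory published calendars, check them against the exception
# register, capture evidence of what was exposed, then revoke. Not the page's script.
# Assumes Connect-ExchangeOnline has already been run.

# Constructed exception register (in practice a CSV or list owned by the privacy officer).
$ApprovedExceptions = @(
    [PSCustomObject]@{ Mailbox = 'bookings.frontdesk@example.invalid'; MaxDetail = 'AvailabilityOnly'; ReviewBy = [datetime]'2025-12-31' }
)

function Get-PublishedCalendarInventory {
    # Enumerate every user and shared mailbox and keep only published calendar folders.
    # Calendar folder names are localized ('Agenda' on Dutch mailboxes), so several
    # candidate names are tried per mailbox. Runs for a while on large tenants.
    param([string[]]$FolderNames = @('Calendar', 'Agenda'))

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox) {
        foreach ($name in $FolderNames) {
            $folder = Get-MailboxCalendarFolder -Identity "$($mbx.PrimarySmtpAddress):\$name" -ErrorAction SilentlyContinue
            if (-not $folder) { continue }
            if ($folder.PublishEnabled) {
                [PSCustomObject]@{
                    Mailbox     = "$($mbx.PrimarySmtpAddress)"
                    Folder      = $name
                    DetailLevel = "$($folder.DetailLevel)"          # AvailabilityOnly / LimitedDetails / FullDetails
                    RangeFrom   = "$($folder.PublishDateRangeFrom)"
                    RangeTo     = "$($folder.PublishDateRangeTo)"
                    HtmlUrl     = "$($folder.PublishedCalendarUrl)" # the capability URL the page warns about
                    IcsUrl      = "$($folder.PublishedICalUrl)"
                    Searchable  = $folder.SearchableUrlEnabled
                }
            }
            break   # folder found under this name; do not try the other names
        }
    }
}

function Test-PublishedCalendarCompliance {
    # Everything not in the register, past its review date, or published at a higher
    # detail level than approved is a violation.
    param([object[]]$Inventory, [object[]]$Exceptions = $ApprovedExceptions, [datetime]$Now = (Get-Date))
    $rank = @{ AvailabilityOnly = 1; LimitedDetails = 2; FullDetails = 3 }
    foreach ($item in $Inventory) {
        $ex = $Exceptions | Where-Object { $_.Mailbox -eq $item.Mailbox } | Select-Object -First 1
        $reason = $null
        if (-not $ex) {
            $reason = 'NotApproved'
        } elseif ($ex.ReviewBy -lt $Now) {
            $reason = 'ExceptionExpired'
        } elseif ($rank[$item.DetailLevel] -gt $rank[$ex.MaxDetail]) {
            $reason = 'DetailLevelExceedsApproval'
        }
        if ($reason) { $item | Add-Member -NotePropertyName Violation -NotePropertyValue $reason -PassThru }
    }
}

function Invoke-PublishedCalendarRevocation {
    # Incident response steps 1-2: record what was exposed (URLs, detail level, date
    # range) before revoking, because the URLs disappear with the publication. The
    # evidence file contains live access tokens until revocation completes, so keep
    # it access-restricted.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([object[]]$Violations, [string]$EvidencePath = "published-calendars-$(Get-Date -Format yyyyMMdd-HHmm).csv")
    if (-not $Violations) { return }
    $Violations | Export-Csv -Path $EvidencePath -NoTypeInformation
    foreach ($v in $Violations) {
        $id = "$($v.Mailbox):\$($v.Folder)"
        if ($PSCmdlet.ShouldProcess($id, "Revoke published calendar ($($v.Violation))")) {
            Set-MailboxCalendarFolder -Identity $id -PublishEnabled $false
        }
    }
}

# Usage: weekly report-only scan, then rehearse revocation with -WhatIf before running it.
$inventory  = @(Get-PublishedCalendarInventory)
$violations = @(Test-PublishedCalendarCompliance -Inventory $inventory)
$violations | Format-Table Mailbox, DetailLevel, RangeTo, Violation
Invoke-PublishedCalendarRevocation -Violations $violations -WhatIf
```

The compliance check treats an approved exception as bounded in two ways, by review date and by detail level, so a calendar that was approved for availability-only publishing but later switched to full details is caught by the same scan. Exporting the inventory before revocation gives step 2 (exposure assessment) the date range and detail level that determine how much was visible.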

**Common Problems:**

  1. **Problem**: An executive assistant needs scheduling visibility. **Solution**: Use delegate access (internal), not public calendar publishing.
  2. **Problem**: An external consultant needs appointment scheduling. **Solution**: A Microsoft Bookings page or FindTime for specific meetings.
  3. **Problem**: A team calendar for project coordination. **Solution**: SharePoint calendar, Teams channel calendar or shared mailbox calendar (internal only).
  4. **Problem**: A user claims a business need for a public calendar. **Solution**: Exception request process with a privacy impact assessment, approval by the security/privacy officer and documented compensating controls (limited detail, short-lived URLs).

Compliance and Auditing

Calendar publishing controls support compliance with privacy and security frameworks:

**Framework Mapping:**

  1. **AVG/GDPR**: Article 5(1)(f) - Integrity and confidentiality. Calendar information is personal data that must be protected. Article 32 - Security of processing. Published calendars are insufficiently secured.
  2. **BIO (Baseline Informatiebeveiliging Overheid)**: U.13.2.1 - Policy on information exchange. Calendar publishing is a form of information sharing that must be controlled.
  3. **ISO 27001:2022**: A.5.10 - Acceptable use of information. Calendar publishing policies are part of acceptable use. A.5.34 - Privacy and protection. Calendar data contains personal information.
  4. **NIS2 Directive**: Article 21 - Cybersecurity measures. Data leakage prevention via calendar controls.

**Audit Evidence:**

  1. Exchange sharing policy configuration: Get-SharingPolicy output
  2. Published calendar audit: monthly scans showing zero published calendars (except approved exceptions)
  3. Exception register: documented approvals for legitimate calendar publishing needs
  4. User training records: attendance lists, quiz results, awareness campaign materials
  5. Incident reports: documentation of any calendar leakage incidents with response actions
  6. Alternative solution adoption metrics: Bookings/FindTime usage statistics
  7. Change management documentation: business case, privacy assessment, implementation plan
  8. Quarterly compliance reviews with calendar privacy KPI tracking

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

```powershell
# Control: O365-OU-000001 - access published calendars enabled
#Requires -Version 5.1
# DISA STIG Microsoft Office 365 ProPlus v3r3
param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security",
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

function Invoke-Monitoring {
    Write-Host "Monitoring O365-OU-000001: access published calendars enabled" -ForegroundColor Green
    try {
        $valueName = "accesspublishedcalendarsenabled"
        $expectedValue = 1
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "- Registry path does not exist: $RegistryPath" -ForegroundColor Red
            return $false
        }
        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
        if ($currentValue.$valueName -eq $expectedValue) {
            Write-Host "+ Compliant: $valueName = $expectedValue" -ForegroundColor Green
            return $true
        } else {
            Write-Host "- Non-compliant: $valueName = $($currentValue.$valueName) (expected: $expectedValue)" -ForegroundColor Red
            return $false
        }
    } catch {
        Write-Host "- Error during monitoring: $_" -ForegroundColor Red
        return $false
    }
}

function Invoke-Remediation {
    Write-Host "Remediating O365-OU-000001: access published calendars enabled" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would set registry value" -ForegroundColor Cyan
            return $true
        }
        $valueName = "accesspublishedcalendarsenabled"
        $expectedValue = 1
        if (-not (Test-Path $RegistryPath)) {
            New-Item -Path $RegistryPath -Force | Out-Null
            Write-Host " Created registry path: $RegistryPath" -ForegroundColor Green
        }
        Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force
        Write-Host " Set $valueName to $expectedValue" -ForegroundColor Green
        Start-Sleep -Seconds 1
        return Invoke-Monitoring
    } catch {
        Write-Host " Error during remediation: $_" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    Write-Host "Reverting O365-OU-000001: access published calendars enabled" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host " [WhatIf] Would remove registry value" -ForegroundColor Cyan
            return $true
        }
        $valueName = "accesspublishedcalendarsenabled"
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
            Write-Host " Removed registry value: $valueName" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host " Error during revert: $_" -ForegroundColor Red
        return $false
    }
}

# Main execution
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    } else {
        Write-Host "Usage: [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
    }
} catch {
    Write-Host "Script execution error: $_" -ForegroundColor Red
    exit 1
}
```

Risk without implementation

Medium: published calendars expose confidential meeting information, executive schedules, strategic planning and personal privacy data. Risks:

  1. **Competitive intelligence**: Competitors see strategic meeting schedules (M&A, product launches).
  2. **Targeted attacks**: Attackers use schedules for optimal attack timing.
  3. **Privacy violations**: Personal medical appointments and family activities are exposed.
  4. **GDPR violations**: Calendar data is personal data that is insufficiently protected via public URLs.

Real-world scenarios: an executive calendar leaked and a competitor knew the board meeting schedule; a personal calendar online led to a stalking incident; an M&A planning calendar was exposed and deal information became public prematurely.

This control is critical for: executives and C-level (high-value targets), organizations with M&A activities, privacy-sensitive industries (legal, healthcare) and compliance-regulated sectors.

Management Summary

Disable calendar publishing to the internet via Exchange sharing policies. This prevents leakage of confidential meetings, executive schedules and personal privacy data. Provide alternatives: Microsoft Bookings, FindTime, delegate access. Critical for executives and privacy compliance. Implementation time: 9 hours.