1.3.3 Ensure 'External sharing' of calendars is not available

Information

External calendar sharing allows an administrator to enable the ability for users to share calendars with anyone outside of the organization. Outside users will be sent a URL that can be used to view the calendar.

Rationale:

Attackers often spend time learning about organizations before launching an attack. Publicly available calendars can help attackers understand organizational relationships and determine when specific users may be more vulnerable to an attack, such as when they are traveling.

Impact:

This functionality is not widely used. As a result, it is unlikely that implementation of this setting will cause an impact to most users. Users that do utilize this functionality are likely to experience a minor inconvenience when scheduling meetings or synchronizing calendars with people outside the tenant.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To remediate using the UI:

Navigate to Microsoft 365 admin center https://admin.microsoft.com.

Click to expand Settings select Org settings.

In the Services section click Calendar.

Uncheck Let your users share their calendars with people outside of your organization who have Office 365 or Exchange.

Click Save.

To remediate using PowerShell:

Connect to Exchange Online using Connect-ExchangeOnline.

Run the following Exchange Online PowerShell command:

Set-SharingPolicy -Identity 'Default Sharing Policy' -Enabled $False

Default Value:

Enabled (True)

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|14.6

Plugin: microsoft_azure

Control ID: e857643ecaa881bac138739aadabc02702bcf34aebd7d5f8927ba55bb5ae4549