WebDAV can expose private meetings/appointments to users who should not see them.
This is quite frequently asked and with surprise & worries mixed together… Why WebDAV is able to see my Private meetings/appointments? Isn’t this a security breach? How can I get it fixed?
The answer is very simple, not this is not a bug. This is how it should work and then comes a even bigger surprise “FTW” from the receiver of this message.
Let’s understand why this is so and what you should do and what you should not do to prevent such scenarios.
There is no such thing as Private appointments/meetings in real sense and it’s a feature of the email client like Outlook/OWA. Exchange Server treat all items as same. Every calendar item has a field name “Sensitivity” which can store a value of “Normal”, “Personal”, “Private” & “Confidential”.
In case of Private appointments this is marked as “Private” which allow the email client (Outlook/OWA) to decide if this should be displayed to the user or not. With that said, this is decided at the business logic layer in the email client.
Now coming to the WebDAV, it has no business logic of itself and gives the requestor a raw output of the items/properties and leave it up to the client how they want to process those items. If you are writing a email client and want to have the same behavior as Outlook does then you should honor the value of Sensitivity before displaying the Item to the user.
Exchange Server does not support Item level permissions and this is just a way to give users some sort of liberty to share restricted items when all the users are using Outlook or OWA. If you have users in your organization which may use other email clients then you should not give them Read access to your calendar/Tasks folder. This will prevent them from reading your private (or not so private?) items.
This has been documented here as well: