Use Group Policy to Enhance Adobe Security

Adobe Reader and Adobe Acrobat have become two of the biggest security holes on Windows computers. It’s important to keep them patched. There are also a couple of registry changes that can help by disabling JavaScript and disabling the ability to launch external programs. After barely dodging this /Launch attack a few days ago, I decided to use Windows Server 2003 Group Policy to make the registry changes.

Create the Logon Scripts

The registry keys that affect these security settings are under HKEY_CURRENT_USER, which means the simplest way to change them is when the user logs on. This also has the advantage of resetting the values at each logon.

The JavaScript script is based on this post in the independent Acrobat Users forum; see this Adobe document for more information. You do lose the ability to fill in PDF forms if JavaScript is disabled, but Reader prompts you to re-enable for a form (not always desirable in my opinion). The /Launch script is based on this Adobe blog post. Please read the scripts and make sure they do what you want to do; use them at your own risk.

These scripts are designed to create or change the registry keys for both Adobe Reader and Adobe Acrobat, versions 6.0 through 9.0. Yes they create more registry keys than you need, but that doesn’t hurt anything. Don’t use spaces the the file names or the Group Policy Object shown below won’t work. You can copy and paste the files below, or download them as a zip file:  Adobe_Security_Scripts.zip (646.00 bytes). (If you download, make sure you can open them without prompting, as they will be flagged as coming from the Internet.)

Disable_Adobe_Javascript.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\6.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\7.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\JSPrefs]
“bConsoleOpen”=dword:00000000
“bEnableJS”=dword:00000000
“bEnableMenuItems”=dword:00000000

Disable_Adobe_Launch.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\6.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\7.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\Originals]
“bAllowOpenFile”=dword:00000000
“bSecureOpenFile”=dword:00000001

Create the Group Policy Object

  1. Copy the files above to your domain controller’s \\SysVol\domainname.local\scripts folder.
  2. Create a new Group Policy Object called Adobe Security and link it to the root of the domain, or to an OU that affects all computers (assuming Adobe Reader runs on servers and clients).
  3. Edit the GPO. Under User Configuration > Windows Settings > Scripts, create two Logon “scripts”. Note the use of the /s (“silent”) parameter, which makes the change without asking the user to confirm it.

    Script Name:  regedit.exe
    Script Parameters:  /s \\domainname.local\SysVol\domainname.local\scripts\Disable_Javascript.reg

    Script Name:  regedit.exe
    Script Parameters:  /s \\domainname.local\SysVol\domainname.local\scripts\Disable_Launch.reg

    Adobe Security GPO

  4. Test the GPO by logging on to a client machine. Open regedit and check the HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader and HKEY_CURRENT_USER\Software\Adobe\Acrobat Acrobat keys. Open Adobe Reader, go to Edit > Preferences, and check the JavaScript and TrustManager options.

1 thought on “Use Group Policy to Enhance Adobe Security

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.