Use Group Policy to Enhance Adobe Security

Adobe Reader and Adobe Acrobat have become two of the biggest security holes on Windows computers. It’s important to keep them patched. There are also a couple of registry changes that can help by disabling JavaScript and disabling the ability to launch external programs. After barely dodging this /Launch attack a few days ago, I decided to use Windows Server 2003 Group Policy to make the registry changes.

Create the Logon Scripts

The registry keys that affect these security settings are under HKEY_CURRENT_USER, which means the simplest way to change them is when the user logs on. This also has the advantage of resetting the values at each logon.

The JavaScript script is based on this post in the independent Acrobat Users forum; see this Adobe document for more information. You do lose the ability to fill in PDF forms if JavaScript is disabled, but Reader prompts you to re-enable for a form (not always desirable in my opinion). The /Launch script is based on this Adobe blog post. Please read the scripts and make sure they do what you want to do; use them at your own risk.

These scripts are designed to create or change the registry keys for both Adobe Reader and Adobe Acrobat, versions 6.0 through 9.0. Yes, they create more registry keys than you need, but that doesn’t hurt anything. Don’t use spaces in the file names or the Group Policy Object shown below won’t work. You can copy and paste the files below, or download them as a zip file:  Adobe_Security_Scripts.zip (646.00 bytes). (If you download, make sure you can open them without prompting, as they will be flagged as coming from the Internet.)

Disable_Adobe_Javascript.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\6.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\7.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"bEnableJS"=dword:00000000
"bEnableMenuItems"=dword:00000000

Disable_Adobe_Launch.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\6.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\7.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\6.0\Originals]
"bAllowOpenFile"=dword:00000000
"bSecureOpenFile"=dword:00000001

Create the Group Policy Object

  1. Copy the files above to your domain controller’s \\SysVol\domainname.local\scripts folder.
  2. Create a new Group Policy Object called Adobe Security and link it to the root of the domain, or to an OU that affects all computers (assuming Adobe Reader runs on servers and clients).
  3. Edit the GPO. Under User Configuration > Windows Settings > Scripts, create two Logon “scripts”. Note the use of the /s (“silent”) parameter, which makes the change without asking the user to confirm it.

    Script Name:  regedit.exe
    Script Parameters:  /s \\domainname.local\SysVol\domainname.local\scripts\Disable_Adobe_Javascript.reg

    Script Name:  regedit.exe
    Script Parameters:  /s \\domainname.local\SysVol\domainname.local\scripts\Disable_Adobe_Launch.reg

    Adobe Security GPO

  4. Test the GPO by logging on to a client machine. Open regedit and check the HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader and HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat keys. Open Adobe Reader, go to Edit > Preferences, and check the JavaScript and TrustManager options.
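To make step 4 repeatable on many machines, here is an added PowerShell audit script (not part of the original post or the zip file) that reads back every value the two .reg files set, for each Reader and Acrobat version actually present under HKCU, and exits non-zero if any value is missing or wrong. It assumes it runs in the logged-on user's context after the logon scripts have applied; the expected values are taken from the .reg files above.

```powershell
# Added example: verify the Adobe JavaScript and /Launch hardening values
# in HKCU for every Reader/Acrobat version present. Expected values come
# from Disable_Adobe_Javascript.reg and Disable_Adobe_Launch.reg above.
$expected = @{
    'JSPrefs'   = @{ bConsoleOpen = 0; bEnableJS = 0; bEnableMenuItems = 0 }
    'Originals' = @{ bAllowOpenFile = 0; bSecureOpenFile = 1 }
}

$results = foreach ($product in 'Acrobat Reader', 'Adobe Acrobat') {
    $base = "HKCU:\Software\Adobe\$product"
    if (-not (Test-Path $base)) { continue }   # product not installed for this user
    # Each subkey under the product key is a version (6.0 ... 9.0).
    foreach ($ver in Get-ChildItem -Path $base) {
        foreach ($subkey in $expected.Keys) {
            $path = "$base\$($ver.PSChildName)\$subkey"
            foreach ($name in $expected[$subkey].Keys) {
                $want   = $expected[$subkey][$name]
                $actual = $null
                if (Test-Path $path) {
                    # A missing value yields $null, which never equals 0 or 1,
                    # so "not set" is reported as non-compliant, not ignored.
                    $actual = (Get-ItemProperty -Path $path -Name $name `
                               -ErrorAction SilentlyContinue).$name
                }
                [pscustomobject]@{
                    Product   = $product
                    Version   = $ver.PSChildName
                    Setting   = "$subkey\$name"
                    Expected  = $want
                    Actual    = $actual
                    Compliant = ($actual -eq $want)
                }
            }
        }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit code lets a monitoring job or SCCM/PSRemoting run flag drift.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
exit 0
```

Because the logon scripts rewrite the values at every logon, a non-compliant row usually means the GPO did not apply to that user (check gpresult /r) rather than that the user changed the preference.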
