Hardening Adobe Reader 11 Using Group Policy

Due to its ubiquitous install base Adobe Reader (AR) has historically been leveraged by malware to facilitate infections.  Sandboxing technology implemented in AR11 largely addresses the problem. The sandbox has however been bypassed using flaw in AR’s JavaScript engine. AR has built in JavaScript engine that itself was the source of most security vulnerabilities in Adobe Reader. The JS is very rarely used in PDF documents and therefore it can be safely disabled.

With the release of version 11, Adobe has published a Group Policy template that can be leveraged to mitigate most of the avenues that attackers use to exploit our systems. 

The template files can be downloaded here:

They are provided in the standard GPO template format used since Windows 2008. There are two files: reader11.admx and reader11.adml. The files need to copied to different locations depending on whether you use local or central GPO stores. 

More information on GPO central store can be found here: http://support.microsoft.com/kb/929841

Supposing we use local store, .admx file should be copied to %SYSTEMROOT%\PolicyDefinitions 
and the .adml file to 

At this point we should see the following in Group Policy Management Console (GPMC):

It is important to note that computer level settings are actual GP settings. This means that users cannot alter the configuration. Also the settings are reverted to their defaults when policy is removed. User level settings are treated as preferences and as such can be altered by users. Also they do not revert to defaults when GPO is removed. 

Security wise we should consider enabling the following settings:

Computer Level>AR>Preferences>Startup: Enable Protected Mode at Startup 

User level>AR>Preferences>Security>Enable Acrobat JavaScript (we obviously want to set this to DISABLED)

As always do test the settings before large scale rollout.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.