With the release of version 11, Adobe has published a Group Policy template that can be leveraged to mitigate most of the avenues that attackers use to exploit our systems.
The template files can be downloaded here:
They are provided in the standard GPO template format used since Windows 2008. There are two files: reader11.admx and reader11.adml. The files need to copied to different locations depending on whether you use local or central GPO stores.
More information on GPO central store can be found here: http://support.microsoft.com/kb/929841
Supposing we use local store, .admx file should be copied to %SYSTEMROOT%\PolicyDefinitions
and the .adml file to
At this point we should see the following in Group Policy Management Console (GPMC):
It is important to note that computer level settings are actual GP settings. This means that users cannot alter the configuration. Also the settings are reverted to their defaults when policy is removed. User level settings are treated as preferences and as such can be altered by users. Also they do not revert to defaults when GPO is removed.
Security wise we should consider enabling the following settings:
Computer Level>AR>Preferences>Startup: Enable Protected Mode at Startup
More info on Protected Mode: http://helpx.adobe.com/reader/using/protected-mode-windows.html
As always do test the settings before large scale rollout.