Adobe’s implementation of Javascript in PDF documents, referred to as Acrobat JavaScript, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF’s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.
We have previously posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.
The following is a custom ADM file
CLASS USER
CATEGORY "Adobe Reader"
POLICY "Version 8.0 JavaScript Settings"
KEYNAME "SOFTWARE\Adobe\Acrobat Reader\8.0\JSPrefs"
PART "Enable JavaScript"
CHECKBOX
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Enable menu items JavaScript execution privileges"
CHECKBOX
VALUENAME "bEnableMenuItems"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Enable global object security policy"
CHECKBOX
VALUENAME "bEnableGlobalSecurity"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Debugger: Show console on errors and messages"
CHECKBOX
VALUENAME "bConsoleOpen"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
POLICY "Version 9.0 JavaScript Settings"
KEYNAME "SOFTWARE\Adobe\Acrobat Reader\9.0\JSPrefs"
PART "Enable JavaScript"
CHECKBOX
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Enable menu items JavaScript execution privileges"
CHECKBOX
VALUENAME "bEnableMenuItems"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Enable global object security policy"
CHECKBOX
VALUENAME "bEnableGlobalSecurity"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
PART "Debugger: Show console on errors and messages"
CHECKBOX
VALUENAME "bConsoleOpen"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END PART
END POLICY
END CATEGORY
Note: If you use the newer admx/adml for custom group policy, you can implement these settings as well. You can find the ADMX syntax guide here.
Save the custom ADM file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove templates. Once you add the template, if you are using XP/2003 you’ll have to ensure your filtering is setup to see “unmanaged” group policies, which are basically custom ADM entries which tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:
gpedit
Once the ADM is added, and the filter option is cleared, you will see the configuration entries for Adobe Reader. Note in the figure there are settings for both versions 8 and 9. I had to separate these since the registry locations differ based on versions, but you can edit the ADM file to just have the version you are using.
Adobe Settings in GPO
When configuring the GPO setting, you have four options in the form of checkboxes, which mirrors the JavaScript settings in the Adobe Reader preferences pane. Here, you would choose to have the global object security policy enabled and the other three settings disabled (note that JavaScript is the first setting).
Detailed settings
With the GPO settings configured, you can link it to an organization unit (OU), a site, or a domain to deploy it. Remember that it is a user side GPO, so your user objects where the GPO is linked in AD will apply these settings.
Related Posts:
- March’s Patch Tuesday
- Press F1 for Help, pwned.
- Regular or Decaf? Tool launched to combat COFEE
- Six Bulletins in Last Patch Tuesday of 2009
- Remote SMB Exploit: Crashing Windows 7 and Server 2008
Social comments and analytics for this post…
This post was mentioned on Twitter by danielkennedy74: Using Group Policy to Disable JavaScript in Adobe PDF Files – http://bit.ly/4u6DIb...
[...] Praetorian Prefect | Using Group Policy to Disable JavaScript in Adobe PDF Files. [...]