Praetorian Prefect » tutorial http://praetorianprefect.com Information security, a little slower...a little deeper Thu, 29 Jul 2010 16:38:31 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Using Group Policy to Disable JavaScript in Adobe PDF Files http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/ http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/#comments Thu, 14 Jan 2010 03:37:42 +0000 Simon Price http://praetorianprefect.com/?p=2856 posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.]]> adobelq

Adobe’s implementation of Javascript in PDF documents, referred to as Acrobat JavaScript, appears to have been originally introduced based on the popularity of PDF eForms. Javascript allows for some dynamic behaviors in PDF’s, including calculations, responses to user actions, user data validation, and the integration of other dynamic capabilities.

We have previously posted instructions for users to disable JavaScript, giving them the option to enable it only when necessary. However, if you have made the decision to make this change across your enterprise or to a specific user base, this manual process is not practical. Therefore, a Group Policy Object is best to handle the task at hand.

The following is a custom ADM file

CLASS USER

CATEGORY "Adobe Reader"
     POLICY "Version 8.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\8.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
    POLICY "Version 9.0 JavaScript Settings"
        KEYNAME "SOFTWARE\Adobe\Acrobat Reader\9.0\JSPrefs" 
        PART "Enable JavaScript"
            CHECKBOX
            VALUENAME "bEnableJS"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable menu items JavaScript execution privileges" 
            CHECKBOX
            VALUENAME "bEnableMenuItems"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Enable global object security policy"
            CHECKBOX
            VALUENAME "bEnableGlobalSecurity"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
        PART "Debugger: Show console on errors and messages"
            CHECKBOX
            VALUENAME "bConsoleOpen"
            VALUEON NUMERIC 1
            VALUEOFF NUMERIC 0
        END PART
    END POLICY
END CATEGORY

Note: If you use the newer admx/adml for custom group policy, you can implement these settings as well. You can find the ADMX syntax guide here.

Save the custom ADM file where your GPO editor can browse to it. In Computer Configuration, Administrative Templates, right click and select Add/Remove templates. Once you add the template, if you are using XP/2003 you’ll have to ensure your filtering is setup to see “unmanaged” group policies, which are basically custom ADM entries which tattoo the registry. Under filtering, in your GPO editor, uncheck the option as shown:

gpedit

gpedit


Once the ADM is added, and the filter option is cleared, you will see the configuration entries for Adobe Reader. Note in the figure there are settings for both versions 8 and 9. I had to separate these since the registry locations differ based on versions, but you can edit the ADM file to just have the version you are using.

Adobe Settings in GPO

Adobe Settings in GPO

When configuring the GPO setting, you have four options in the form of checkboxes, which mirrors the JavaScript settings in the Adobe Reader preferences pane. Here, you would choose to have the global object security policy enabled and the other three settings disabled (note that JavaScript is the first setting).

Detailed settings

Detailed settings

With the GPO settings configured, you can link it to an organization unit (OU), a site, or a domain to deploy it. Remember that it is a user side GPO, so your user objects where the GPO is linked in AD will apply these settings.

Related Posts:


]]> http://praetorianprefect.com/archives/2010/01/disable-acrobat-reader-pdf-in-the-enterprise/feed/ 2