Introduced in versions 9.0 and 8.1.7 and enabled by default for the 9.3 and 8.2 updates, enhanced security “hardens” your application against risky actions by doing the following for any document not specifically trusted:
The feature is designed to let you decide what content to trust and help you selectively bypass those restrictions for trusted files, folders, and hosts. These trusted domains–called privileged locations–are exempt from enhanced security rules. There are several other methods for establishing trust, and just as you tune your browser, so should you tune your application so that it operates at a risk level appropriate for your environment.
Enhanced security: effect on workflows
This feature interacts with other features that also assign trust. When content is trusted as a result of a cross domain policy file, for example, that content is not subject to enhanced security restrictions. It is important to understand the various ways that trust can be assigned prior to configuring applications and setting up workflows. Workflows should be designed for compatibility with enhanced security enabled, so keep in mind that the following features interact with enhanced security:
Internet access permissions: While enhanced security prevents access to different origin locations that try to return data, scripts, or content to the calling PDF, internet access can be set on a per site basis via the Trust Manager. Trust Manager settings may or may not override enhanced security settings depending on your application version and particular workflow.
Import and export of FDF, XFDF (form), and XDP data: Data file behavior is fundamentally altered when this feature is on.
Certified document workflows: Access to a certified document may or may not be allowed depending on whether:
- The signing certificate’s fingerprint is in a cross domain policy file, or
- The signing certificate is trusted or chains up to a trust anchor that is trusted for privileged networked operations.
|9.0||Enhanced security introduced.|
|9.1||Support added for bypassing enhanced security restrictions by assigning trust to certified documents when the SHA1 hash of the public key is specified in a cross domain policy file. Certificates can be trusted for privileged networked operations such as cross domain access.|
|8.1.7 & 9.2||Enhanced security added for 8.1.7.|
|8.2 & 9.3||
The following preference rules apply irrespective of the user’s platform:
To enable enhanced security, do the following:
The UI sets the following:
[HKEY_CURRENT_USER\Software\Adobe\<product name>\<version>\TrustManager]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
When viewing a PDF in a browser, users do not have direct access to the application’s Preferences panel. To configure enhanced security while browsing on the fly, right click on the PDF displayed in the browser and choose Page Display Preferences. For versions 9.x and 8.2 and later, enhanced security settings are managed separately for the application running as a standalone application versus in a browser.
Enhanced security panel: Windows
Enhanced security can be locked as enabled or disabled. To do so:
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown.
Right click and choose New > DWORD Value.
Create bEnhancedSecurityStandalone and/or bEnhancedSecurityInBrowser.
Right click on the key and choose Modify.
Set the value as follows:
- 0: Disables enhanced security and locks the feature.
- 1: Enables enhanced security and locks the feature.
Registry Configuration: Enhanced security locked as enabled
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
Enhanced security preferences cannot be locked on Macintosh systems.
Before continuing, install a plist editor such as PlistEdit Pro. Change the root path to reflect the product (Acrobat or Reader) and version number (9.0 or 8.0) you are using.
To configure the settings:
Navigate to the .plist file:
- Mactel: User/Library/Preferences/com.adobe.Acrobat.Pro_x86_9.0.plist
- Mactel: User/Library/Preferences/com.adobe.Acrobat.Pro_x86_8.0.plist
- PowerPC machine: User/Library/Preferences/com.adobe.Acrobat.Pro_ppc_8.0.plist
- PowerPC machine: User/Library/Preferences/com.adobe.Acrobat.Pro_ppc_9.0.plist
- PowerPC machine: User/Library/Preferences/com.adobe.Reader_ppc_8.0.plist
- PowerPC machine: User/Library/Preferences/com.adobe.Reader_ppc_9.0.plist
Go to TrustManager.
Set EnhancedSecurityInBrowser (Boolean YES/NO).
Set EnhancedSecurityStandalone (Boolean YES/NO).
Exit the editor.
Do not configure Number. For 8.x, only one key (bEnhancedSecurityStandalone) controls behavior for both standalone and browser modes. Do not set EnhancedSecurityInBrowser.
Preferences: Enhanced security settings for UNIX
Enhanced security preferences cannot be locked on UNIX systems.
To configure the settings:
Navigate to the .preferences file. For example:
Navigate to /TrustManager.
Add and set the keys in the file.
Save and exit.
For 8.x, only one key (bEnhancedSecurityStandalone) controls behavior for both standalone and browser modes. Do not set bEnhancedSecurityInBrowser.
Preferences: Enhanced security settings for UNIX
/TrustManager [/c <<
    /EnhancedSecurityInBrowser [/b false]
    /EnhancedSecurityStandalone [/b false]
>>]
There are several ways to assign trust so that this feature works in a trusted context:
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\(cTrustedSites or TrustedFolders)\cCrossdomain]
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\(cTrustedSites or TrustedFolders)\cDataInjection]
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\(cTrustedSites or TrustedFolders)\cExternalStream]
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\(cTrustedSites or TrustedFolders)\cScriptInjection]
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\(cTrustedSites or TrustedFolders)\cSilentPrint]
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\(cTrustedSites or TrustedFolders)\cWeblink]
The most common way to assign trust to files, folders, and hosts is via privileged locations.
There are two ways to control internet access:
When enhanced security is on, a certified document can bypass its restrictions if the following conditions are true:
Configure certificate trust as described in 9.4 Per-certificate trust.
Setting certificate trust
Enhanced security’s cross domain restrictions can also be bypassed and managed at the server.
Managing cross domain access at the server
Clients have the capability of automatically detecting and using crossdomain.xml policy files to access content from a different origin. Administrators can configure the policy file as needed so that clients can access trusted content. For more information, see the Cross Domain Policy File Specification.
Enabling cross domain access for specific PDFs
For a PDF that comes from a server, the server has a domain and hence the PDF has a domain; however, a stand-alone PDF residing on a user’s machine has no domain. When such a PDF accesses a server, Acrobat’s default behavior is to consider that communication as cross domain.
To allow a “domain-less,” local PDF to access a server, it must be signed either with a certification signature or a “reader enabled” signature (the hidden signature applied during Reader enablement) and registered in a cross domain policy file. Again, the signature can be one of two types:
The fingerprint for the certificate that was used for the signing is registered in the cross domain file on the server. In effect, the cross domain file on the server is saying “files signed with this certificate may access this server.” To register the fingerprint, an administrator extracts the SHA-1 hash of the public key from the signing certificate and places it in the cross domain policy file.
The user experience when enhanced security is enabled and there is untrusted content in the workflow is significantly different from the experience when enhanced security is disabled. The feature is specifically designed so that users and admins can preconfigure trust or assign it on the fly so that workflows remain operational even with the extra security and restrictions that enhanced security provides.
XFDF, FDF, and XDP files are data files which simplify moving form, certificate, server, and other data from one machine to another. This data transfer usually involves some mechanism such as data injection into a PDF form field, installing files, executing a script, and so on. Because these actions represent a potential security risk, enhanced security restricts this functionality unless the data containing file has been assigned trust in some way. Trust assignment can occur via privileged locations, a trusted certificate, or by cross domain policy files. Rules for opening a PDF via FDF lists the high level rules defining the behavior.
If you distribute forms that request data from a server, the user may find that filled form fields become blank after being asked to trust a document from the Yellow Message Bar. If you find that your workflow is impaired, Adobe recommends that you leave enhanced security enabled and assign trust as needed via one of the available methods prior to sending such a form.
XFDF and XDP files use the same rules as FDF with the following exceptions:
|Action||Data file location||PDF location||8.x behavior||9.x behavior|
|Opening a target PDF||local||local||PDF opens. No authentication required.||No change.|
|Opening a target PDF||local||server||PDF opens||Allow via dialog or enable enhanced security and set privileged location.|
|Opening a target PDF||server||server||PDF opens. No authentication required.||No change.|
|Opening a target PDF||https server||local||Blocked||Http hosted FDFs cannot open local files.|
|Data injection||n/a||n/a||Allowed||Allowed if: * Data returned via a form submit with url#FDF. * FDF has no /F or /UF key. * cross-domain policy permits it.|
|Data injection||server||browser||Allowed||Allowed if: * Link to PDF contains #FDF=url. * FDF has no /F or /UF key. * cross domain policy permits it.|
|Data injection||server||Acrobat/Reader||Allowed||Allowed if: * PDF makes EFS POST/GET and FDF sends data in https response to same PDF. * cross domain policy permits it.|
|Data injection||Varied||Varied||Allowed||Allow via dialog or enable enhanced security and set privileged location.|
|Script injection||Any||Any||Allowed||Blocked if enhanced security is on and FDF is not in a privileged location.|
FDF restriction examples
The following are examples of disallowed actions when enhanced security is on:
FDF permissions examples
The following are examples of scenarios where FDF data injection does need a user-authorization dialog when enhanced security is on:
Beginning with the 9.3 and 8.2 updates, a non-intrusive Yellow Message Bar (YMB) that doesn’t block workflows replaces many of the modal dialogs. Depending on how the client is configured, the YMB appears at the top of the document and offers the user the choice to trust the document “once” or “always.”
Prior to 9.3 and 8.2, the application displayed modal dialogs whenever a risky behavior was invoked. The user had to click through the dialog to continue.
Enhanced Security: Data access dialog (pre 9.3 and 8.2)
With 9.3 and 8.2, many warning messages were moved to an unobtrusive Yellow Message Bar at the top of the document. If the administrator has not disabled the feature, users can choose to trust a document once or always for the particular action. A choice of “always” adds the document or host to the privileged locations list. The message and the options button choices vary depending on the type of blocked content.
Workflows where end users or administrators assign trust to files, folders, and hosts avoid the appearance of the YMB and most other modal dialogs.
Yellow Message Bar: Cross domain access
The default settings are similar to 9.3.4. See Changes across releases.
The default settings for 9.3 and 8.2 are as follows:
End users have the option to disable the feature or to leave it enabled and add privileged locations for trusted files, folders, and hosts. Adobe recommends that enhanced security is enabled and care exercised when assigning trust.
Administrators can of course configure all the options as well as lock down the user interface so that users can’t change the settings. In many enterprise settings, admins will enable enhanced security, preconfigure trust, and lock all settings. See the examples below.
Default enhanced security settings (Windows 9.3 and 8.2)
[HKEY_CURRENT_USER\Software\Adobe\<product name>\<version>\TrustManager]
"bTrustOSTrustedSites"=dword:00000001
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
The following examples show the most restrictive settings with the features locked. This results in the following:
10.x products use the same settings.
Most restrictive enhanced security settings: 9.x and 10.x
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\<9.0 or 10.0>\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001
"bDisableOSTrustedSites"=dword:00000001
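One way to check an exported registry file against the most restrictive 9.x and 10.x settings above, and to tell a locked FeatureLockDown value apart from a user-changeable TrustManager preference. This is an added example, not Adobe tooling: the function names, the constructed sample export, and the choice to read only dword values from .reg text are assumptions made here.

```python
import re

# Baseline: the "most restrictive" FeatureLockDown values listed on this page.
BASELINE = dict.fromkeys([
    "bEnhancedSecurityStandalone", "bEnhancedSecurityInBrowser",
    "bDisableTrustedFolders", "bDisableTrustedSites", "bDisableOSTrustedSites"], 1)

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int}} (dword values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return a list of findings; an empty list means the baseline is locked in."""
    locked, user = {}, {}
    for path, values in parse_reg(text).items():
        p = path.upper()
        if p.startswith("HKEY_LOCAL_MACHINE\\") and p.endswith("\\FEATURELOCKDOWN"):
            locked.update(values)   # policy hive: users cannot change these
        elif p.startswith("HKEY_CURRENT_USER\\") and p.endswith("\\TRUSTMANAGER"):
            user.update(values)     # per-user preference: not a lock
    findings = []
    for name, want in BASELINE.items():
        if name not in locked:
            where = "user-changeable HKCU value only" if name in user else "not set"
            findings.append(f"{name}: not locked ({where})")
        elif locked[name] != want:
            findings.append(f"{name}: locked to {locked[name]}, baseline is {want}")
    return findings

# Constructed sample export: one value locked to 0, three lock values missing.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000000
"bDisableTrustedSites"=dword:00000001
'''

print("\n".join(audit(SAMPLE)))
```

The baseline applies to 9.x and 10.x; for 8.x the page states that only bEnhancedSecurityStandalone controls both modes, so the in-browser finding does not apply there.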
“Secure by default” is Adobe’s recommended best practice. However, you can disable all the features if you are already operating within a secured environment. The following examples show the least restrictive settings with the features not locked.
10.x products use the same settings.
Least restrictive enhanced security settings: 9.x and 10.x
[HKEY_CURRENT_USER\Software\Adobe\(Adobe Acrobat or Acrobat Reader)\(9.0 or 10.0)\TrustManager]
"bEnhancedSecurityStandalone"=dword:00000000
"bEnhancedSecurityInBrowser"=dword:00000000
"bTrustOSTrustedSites"=dword:00000001