On Windows, Acrobat 10.1 introduced a sandbox called Protected View (PV). With 11.0, the feature is improved and extended to Reader. PV is a highly secure, read-only mode that blocks most actions and application behavior until the user decides whether or not to trust the document.
In Reader, Protected View is only supported when Protected Mode is enabled. There can be no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled.
PV is another defense-in-depth feature that is tightly integrated with the existing enhanced security feature. PV in Acrobat leverages the successful sandbox implementation already in place for Adobe Reader while providing a user experience that should be familiar to Microsoft Office 2010 users.
Under the covers, the PV sandbox is similar to Reader’s Protected Mode sandbox, but is built on a stronger model which provides greater protections. Just like Reader, Acrobat strictly confines the execution environment of untrusted programs; that is, any PDF and the processes it invokes. When PV is enabled, Acrobat assumes some or all PDFs are potentially malicious based on user preferences and confines processing to a restricted sandbox.
Due to the rich nature of Acrobat’s capabilities, Acrobat’s behavior with PV enabled is slightly more complex than Reader’s. The Acrobat team has specifically tailored application behavior for two types of scenarios: viewing PDFs with the standalone application and viewing PDFs with a browser. The rationale behind providing two protection experiences was driven by a need to preserve usability as well as the right level of functionality and security in each mode.
With 11.x, PV behaviors in the standalone product and the browser are identical.
In the standalone application, behavior is simple and parallels the Protected View provided by Office 2010. During a file download and/or save, web browsers and email programs typically mark documents such as Internet files and attachments with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. In this state, many of Acrobat’s features that interact with and change the document are disabled and the associated menu items are greyed out in order to limit user interaction.
The view is essentially read-only, and the disabled features prevent any embedded or tag-along malicious content from tampering with your system. Once you’ve decided to trust the document, choosing Enable All Features exits PV, re-enables all menu items, and provides permanent trust for the file by adding it to enhanced security’s list of privileged locations (see Integration with enhanced security). The document is now open in a full, unsandboxed Acrobat process.
Protected View: Yellow message bar
When a PDF is opened in a browser, Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDFs provide a Reader-like experience for documents that have been “rights enabled.” That is, all of Reader’s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, etc.
In this respect, a PDF in the browser’s Protected View is more capable than a PDF in the standalone Protected View. On the other hand, the browser-based capabilities are always limited while the standalone application enables users to achieve full functionality with a single click of a button.
|Drag-drop PDFs to the reading or navigation pane||No||Yes|
|Pan and Zoom||No||No|
|Full screen mode||No||Yes|
|Drag-drop PDFs to the reading or navigation pane||No||No|
|Pan and Zoom||No||No|
|Full screen mode||No||No|
Protected View can be enabled, disabled, and configured in other ways to provide the level of security you need. That is, you decide when and how to use Protected View based on your level of trust for the PDFs you interact with.
Registry configuration enables pre- and post-deployment configuration via the Customization Wizard, scripts, GPO, and other IT-centric methodologies. The application often uses internal keys that aren’t visible by default. If the requisite key does not exist, manually create it.
There are several ways to assign trust so that this feature works in a trusted context:
[HKCU\Software\Adobe\<product name>\<version>\TrustManager\<cTrustedSites or TrustedFolders>\] "(All of the cabs are populated)"
Protected View can be locked so that the end user cannot change the setting. When locked, the user interface is disabled (greyed out). To do so, simply set the HKLM key as you would HKCU:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown] "iProtectedView"
Logging is available for users who need to troubleshoot problems where a workflow or plugin does not work when Protected Mode is enabled. The log may provide guidance as to whether a custom policy file should be used to re-enable broken workflows or plugins.
In addition to enabling logging via the UI (above), you can turn on logging and configure a log file location via the registry.
To enable logging, specify a log file location:
Policy logging for a policy violation:
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateMutant: STATUS_ACCESS_DENIED
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesLockedCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
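Each rule the log suggests relaxes the sandbox, so it helps to see exactly which objects were denied and how often before writing any custom policy. The following Python script is an added example, not Adobe's code: it groups the log excerpt above into denial events and collapses repeats. The line layout is inferred from that excerpt only, and the function names are hypothetical.

```python
import re

# Input: the log excerpt from this page (note that it starts mid-event).
SAMPLE_LOG = r"""
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateMutant: STATUS_ACCESS_DENIED
[08:12/13:46:16] real_path: \BaseNamedObjects\ZonesLockedCacheCounterMutex
[08:12/13:46:16] Consider modifying policy using this policy rule: MUTANT_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[08:12/13:46:16] NtCreateKey: STATUS_ACCESS_DENIED
[08:12/13:46:16] real path: \REGISTRY\USER\S-1-5-21-762979615-2031575299-929701000-51250\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[08:12/13:46:16] Consider modifying policy using this policy rule: REG_ALLOW_ANY
"""

CALL = re.compile(r"^(?P<call>Nt\w+):\s+(?P<status>STATUS_\w+)$")
PATH = re.compile(r"^real[_ ]path:\s+(?P<path>.+)$")  # log uses both spellings
RULE = re.compile(r"^Consider modifying policy using this policy rule:\s+(?P<rule>\w+)$")

def parse_denials(text):
    """Group log lines into events: denied call, object path, suggested rule."""
    events, cur = [], {}
    for raw in text.splitlines():
        body = re.sub(r"^\[[^\]]+\]\s*", "", raw.strip())  # drop the timestamp
        if (c := CALL.match(body)):
            cur = {"call": c["call"], "status": c["status"]}
        elif (p := PATH.match(body)):
            cur["path"] = p["path"]
        elif (r := RULE.match(body)):
            cur.setdefault("call", None)  # excerpt may start mid-event
            events.append({**cur, "rule": r["rule"]})
            cur = {}
    return events

def summarize(events):
    """Collapse repeats so each (rule, path) pair is reviewed once, with a hit count."""
    out = {}
    for e in events:
        entry = out.setdefault((e["rule"], e.get("path")), {"count": 0, "calls": set()})
        entry["count"] += 1
        entry["calls"].add(e["call"] or "unknown")
    return out

if __name__ == "__main__":
    for (rule, path), info in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{info['count']}x {rule} {path} via {sorted(info['calls'])}")
```

The summary shows that the two REG_ALLOW_ANY suggestions refer to the same Winlogon key, while the two MUTANT_ALLOW_ANY suggestions refer to different mutexes.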
Protected View prevents a number of actions which IT can bypass by creating a white list of allowed actions. The component that reads these policies is called a “broker.” The broker performs actions based on those policies, and when an admin provides a properly configured policy file, the broker can bypass the application’s default restrictions.
The broker first reads and applies all custom policies prior to applying the default policies. Since custom policies take precedence, they are useful for fixing broken workflows, supporting third-party plug-ins, and cases where unsupported machine configurations cause Protected Mode to impair required functionality.
Configurable policies have two requirements:
D:\Program Files (x86)\Adobe\Acrobat (version)\Acrobat\
To allow the application to read and use a policy file, registry configuration is required. To enable policy files:
While you can verify whether the application has Protected View enabled by viewing the Enhanced Security panel, it is also possible to verify the document you are currently viewing is subject to Protected View’s protections.
When using the standalone application, verification should be obvious since a document that opens in Protected View displays the Yellow Message Bar.
To verify if the browser-based document you are viewing is opened in Protected View:
When Protected View cannot launch due to an unsupported configuration, a dialog alerts the user of the incompatibility and provides the user with the option to disable Protected View.
Unsupported configurations for Acrobat running in Protected View change across releases as the product evolves. For example, Protected Mode supports Citrix and Windows Terminal Services deployments with 10.1. For a list of unsupported configurations and workarounds, see http://kb2.adobe.com/cps/860/cpsid_86063.html.
Unsupported configuration dialog for 10.x
Unsupported configuration dialog for 11.x
Some of the high-level design criteria for Protected View include the following:
Due to the fundamental differences in OS and product implementations, sandbox designs must be tailored to each environment. The current release includes support for the following:
When should Protected View be enabled or disabled?
Protected View should be enabled all the time for casual users who interact with PDFs in insecure environments. There are a limited number of cases where you might want to disable Protected View:
How many processes should be running when I use Protected View?
Open the process explorer or task manager. When in Protected View, two AcroRd32.exe processes will be running alongside the Acrobat.exe process. More processes will appear based on how many browser instances you have viewing a PDF, invoked shell extensions, and iFilter.
Protected View: processes