Ideally, you’ve enabled and configured all of the product’s security mechanisms and are now ready to assign trust to elements in your workflows. Available trust mechanisms include:
Privileged locations (PLs) are synonumous with “trusted locations.” PLs are the primary way that users and administrators can specify trusted content that should be exempt from security retrictions. The feature behaves as follows:
|9.0||Privileged locations introduced as a way to assign trust to content blocked when enhanced security is enabled.|
|8.1.7||Enhanced security added for 8.1.7.|
|8.2 & 9.3||
|9.5 & 10.1.2||
To specify a privileged location through the user interface:
Go to Preferences > Security (Enhanced).
Set a privileged location by selecting one of the following buttons:
- Add File: A file is defined by a path, so its security settings will be invalid if that file is moved.
- Add Folder Path: Prior to 10.1, trust is not recursive. With 10.1 and later, trust is recursive but can be disabled via a registry preference.
- Add Host: Enter the complete name of the root URL only with no wildcards. For example,
www.adobe.com/lc. To specify HTTPS, select Secure Connections Only.
Whenever a PDF opens that contains content which is blocked by a security feature, a Yellow Message Bar (YMB) appears. If the feature has not been disabled by the administrator, users can trust the document on-the-fly as follows:
YMB with trust options
The application stores information about privileged location trust in the registry and plist. Once a file is trusted via the UI or YMB, a
t<unique id> is added to each of the cabs under
cTrustedFolders|cTrustedSites. The container cab determines which restriction the document can bypass. For example, a tID under
cCrossDomain allows cross domain access. For a complete list of available preferences see the Preference Reference.
While you can create PLs manually at the registry level, it’s easier to use the UI and then propagate those settings across your organization with the Wizard or post deployment via GPO or some other method. If you do decide to manually edit the registry, note the following:
TrustManager\cTrustedFolderscontains cabs for trusted folders AND files.
TrustManager\cTrustedSitescontains cabs for trusted http and https hosts.
[HKEY_CURRENT_USER\Software\Adobe\<product name>\<version>\TrustManager\cTrustedFolders\cCrossdomain] "t3"="C:\\Documents and Settings\\username\\My Documents\\acrobat_logo16.png"
Protected View: trust set in the registry
Recursivity is on by default with 10.1. Prior to 10.1, if you make a folder a privileged location its subdirectories are not automatically included. To make trust recursive, do the following:
Registry Configuration: Recursive trust
[HKEY_CURRENT_USER\Software\Adobe\<product name>\<version>\TrustManager\cTrustedFolders\cScriptInjection] t5_recursive"="C:\\Aardvark"
You can disable and lock the ability to add privileged locations by setting the preferences as shown in the example below. This feature allows administrators to control what users can trust. Simply lock the feature and provide your own trust list to user machines. To do so, set the following:
11.0 introduces support for locking on Macintosh.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown] "bDisableTrustedFolders"=dword:00000001 "bDisableTrustedSites"=dword:00000001
10.x products support the use of wildcard matching of subdomain components for trusted host URLs. For example, for a basic URL of a.b.c.adobe.com, you can wildcard on all of a, b, or c. It is required that at least the first subdomain is specified (adobe in this case). So
lcforms.*.adobe.com works, but
lcforms.corp.*.com will not.
Wild cards also work with IP addresses. For example, when
http:// 126.96.36.199 or its wildcard combinations such as
153.*.154.* are added to OS trusted locations, then the File opens outside PV.
You can also elevate Trusted Win OS zones to privileged locations since these are already under IT control. Prior to 10.1.2/9.5,
bTrustOSTrustedSites provided trust for Trusted Sites. Beginning with 10.1.2 and 9.5, trust is also extended to Local Intranet Zones.
Choosing Trust sites from my Win OS security zones extends trust to files when PV is set to Potentially unsafe locations. When set to All Files, then OS trusted sites does allow PDFs to open outside of PV.
To make Internet Explorer’s trusted sites and zones behave as PLs:
[HKEY_CURRENT_USER\Software\Adobe\<product name>\<version>\TrustManager] "bTrustOSTrustedSites"=dword:00000001
Windows OS trust can be locked so that users can’t change the setting via the UI as follows by setting
bDisableOSTrustedSites as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown] "bDisableOSTrustedSites"=dword:00000000
URLs can be blocked or allowed globally, or URL-specific settings can be created. See Internet access for details.
11.0 introduces the ability to elevate any certified document to a privileged location for the Windows and Macintosh versions of Reader and Acrobat. When set, certified documents become trusted for exemption from the same security restrictions from which other privileged locations are exempt. Note the following:
To enable this feature:
To lock the setting, set the following:
Trust can be configured on a per-certificate basis so that certified documents signed with a specific certificate can be made exempt from some security restrictions. For the certification signature, the signature must be valid and the certificate must chain to a valid and trusted root certificate.
To set certificate trust:
Do one of the following to open the Trusted Identities List:
- 9.x: Choose Security > Manage Trusted Identities and from the Display drop down list, choose Certificates.
- 10.x: Choose Tools > Sign and Certify > More Sign and Certify > Manage Trusted Identities and From the Display drop down list, choose Certificates.
- 11.x: Choose Edit > Preferences > Signatures > Identities and Trusted Certificates > More and select Trusted Certificates.
Select a certificate.
Choose Edit Trust.
Check one or more of the following.
Certificate trust options
For details about setting up trust for cross domain access other than via privileged locations, see Cross Domain Configuration.
Preference configuration can be a mystery if you don’t take to time to understand related features and how they interact. For example, enhanced security settings interact with certificate trust settings and Trust Manager settings. The following provides just one use case where two settings must be configured to get one feature to work as expected.
Since reference XObjects access external content, security is a concern. Therefore, XObject (external stream) access requires that such access be granted though the user interface (or registry) and that the referencing document is specified as trust-worthy when cross domain access is involved.
To configure XObject access:
To configure external content access:
To configure trust via the registry:
HKEY_CURRENT_USER\Software\Adobe\<product name>\<version>\TrustManager\cTrustedFolders\cCrossdomainand repeat the same steps. Use the same ID and value.
Other XObject settings can be configured via the UI or in the registry as described in the Preference Reference for Acrobat and Adobe Reader.