Because Internet access is a potential security risk, end users are provided with the means to manage that risk by controlling what sites can be accessed via the Internet Access panel in the Trust Manager. Note that the Privileged Locations panel in the Security (Enhanced) pane also provides the means to trust specific hosts. However, Trust Manager settings always take precedence for hosts; for example, if www.adobe.com is blocked by the Trust Manager but is marked as a trusted host in Privileged Locations, then that site will be blocked.

Note: The behavior is slightly different for files and folders: for 9.2 and earlier, Trust Manager settings take precedence, while with 9.3, Privileged Locations take precedence. For example, a file or folder which is trusted in Privileged Locations can contain links that Acrobat can follow even if the host in the link is set as Blocked or URLS are set to Block all in Trust Manager. Also, cross domain access always requires specifically trusting those domains as a Privileged Location--simply trusting those sites in the Trust Manager will not work.

The following options are available:

• Allowing or blocking access to all web sites.
• Specifying a list of allowed and blocked web sites.
• Setting the behavior for access to web sites that are not in the specified list to "Always ask," "Allow access," or "Block access."

Summary table

HostPerms	Stores a list of URLs to trust when iURLPerms is set to Custom Setting.
UnknownURLPerms	Specifies whether to ask for, allow, or block access to web sites that are not in the user specified list.
URLPerms	Specifies whether to allow or block all websites or use a custom setting.

The enhanced security feature is designed to limit document behaviors in workflows where those behaviors are perceived as a vulnerability or security risk. In workflows where security is critical, turn this feature on. Administrators lock down the setting so it can't be changed by the user. See also bCrossDomainLogging.

Note: Enhanced security blockes 6 specific behaviors: data injection, script injection, silent printing, web links (if not allowed by Trust Manager settings), cross domain access, and access to external streams.

• If a file, folder, or host is specified as a privileged location, enhanced security restrictions are bypassed.
• Enhanced security preferences are stored under TrustManager, and ES and TM settings sometimes interact.
• All key (tID) names should be unique.

For additional security-related details, refer to the Application Security Guide.

Summary table

EnhancedSecurityInBrowser	Toggles enhanced security when the application is running in the browser.
EnhancedSecurityStandalone	Toggles enhanced security for the standalone application.

Privileged locations are designed to let users and administrators specify trusted content that should be exempt from security retrictions. Security restrictions come from features like the following:

• Enhanced Security: Restricts cross domain access, data injection, and script injection, etc.
• User preferences: User interface controls for Web access, JavaScript, XObject (external streams), multimedia that plays in 3rd party players, and so on.
• Application preferences: Adobe's JS blacklist, high privileged JS, and other items that are blocked by default.

Privileged locations provide a way to bypass these restrictions. A location may be a file, folder, or host, and there can be an end user list in HKCU and an IT-only list in HKLM. IT can disable user interface controls and lock restrictions in place so that end usrs can't change them via features like Enhanced Security and the JavaScript controls. For trusted locations, admins then specify directories and hosts that are known to be trustworthy in the relevant cabs (e.g. cCrossdomain, cDataInjection), thereby effectively creating a white list for secure workflows.

You can also elevate Trusted Win OS zones to privileged locations since these are already under IT control. Prior to 10.1.2/9.5, bTrustOSTrustedSites provided trust for Trusted Sites. With these versions, trust is also extended to Local Intranet Zones. Privileged location support is evolving rapidly, so pay attention to the version.

Privileged locations are identified by a unique t(id) with a string value pointing to the trusted location. The container cab determines which restriction the document can bypass. For example, a t(id) under cCrossDomain allows cross domain access. Adding _recursive to tIDs under TrustedFolders results in setting recursive trust, though this is on by default beginning with 10.1.

Note the following:

• TrustManager\cTrustedFolders contains cabs for trusted folders AND files.
• TrustManager\cTrustedSites contains cabs for trusted http and https hosts.

Each t(ID) must be unique. In the example below, t3 could reside in each of the cabs, but there could not be more than one t3 in each cab.

Registry Configuration: Cross domain file trust

[HKEY_CURRENT_USER\Software\Adobe\Acrobat
Reader\9.0\TrustManager\cTrustedFolders\cCrossdomain]
"t3"="C:\\DocumentsandSettings\\brogers\\MyDocuments\\acrobat_logo16.png"

The feature behaves as follows:

• The Trust Manager hive does not appear in the registry until the user interface is exercised. However, you can create it manually.
• A privileged location may be a file, folder, or host.
• With 10.1 and later, folder trust is recursive; that is, all subfolders are trusted when the parent folder is trusted.
• Privileged locations can be permanently disabled or enabled by the administrator.
• Configuration may occur via the user interface or directly in the registry.
• If configured through the user interface, the privileged location ID only may or may not appear under under all the possible cabs. Functionality changes across releases, so test the UI and see what trust is assigned.
• Administrator's can lock down the feature in HKLM so that users cannot change the setting. To do so, create an identical set of preferences in HKLM. ADmins can also disable the end user's ability to modify the list by setting bDisableTrustedSites and bDisableTrustedFolders .
• Permissions granted by other features often overlap. For example, cross domain policies, internet access settings in Trust Manager, and certificate trust settings for certified documents sometimes interact so that the most permissive setting takes precedence. TEST YOUR CONFIGURATION prior to deployment.
• All key (tID) names under a particular cab must be unique.
• 10.x products support the use of wildcard matching of subdomain components for trusted host URLs. For example, for a basic URL of a.b.c.adobe.com, you can wildcard on all of a, b, or c. It is required that at least the first subdomain is specified (adobe in this case). So *.corp.adobe.com or lcforms.*.adobe.com works, but *forms.corp.adobe.com or lcforms.corp.*.com will not.

For additional security-related details, refer to the Application Security Guide.

Summary table

(ID)_recursive	Prior to 10.1, the _recursive suffix on t(folder ID) makes the trust recursive.
(ID-files-folders)	Lists files and folders which are known to be trustworthy and should be exempt from security restrictions.
(ID-Sites)	Lists host names (http or https) which are known to be trustworthy and should be exempt from security restrictions.
AlwaysTrustedForJavaScript	Stores the privileged location ID for items that should be trusted to run JavaScript even when the JavaScript engine is disabled.
cFileAttachments	Stores the privileged location ID for items that should be trusted to open non-PDF or FDF file attachments without a warning dialog.
Crossdomain	Stores the privileged location ID for items that should allow cross domain access even though a server policy is not present.
DataInjection	Stores the privileged location ID for items that should allow data injection.
ExternalStream	Stores the privileged location ID for items that should be trusted to allow access to external streams (XObjects as defined by the PDF Reference) such as external images.
JavaScript	Stores the privileged location ID for items that should be trusted to run high privileged JavaScript.
JavaScriptURL	Stores the privileged location ID for items that should be trusted to allow JavaScript invoked URLs.
MultiMedia	Stores the privileged location ID for items that should be trusted to play multimedia content that use a 3rd party player.
ScriptInjection	Stores the privileged location ID for items that should be trusted to allow script injection.
SilentPrint	Stores the privileged location ID for items that should be trusted to allow silent printing to a file or a hardware printer.
TrustCertifiedDocumentsByOIDs	Stores certificate OIDs with that should be trusted to bypass security restrictions in certified documents.
TrustedFolders	A list of folders AND files that identify privileged locations that host trusted content.
TrustedFor3D	Stores the privileged location ID for items that are permitted to render 3D content.
TrustedSites	A list of sites (or hosts) that identify privileged locations that host trusted content.
TrustedSitesPrivate	Provides a method for specifying trusted hosts with less stringent wildcard restraints.
TrustOSTrustedSites	Elevates locations that Internet Explorer trusts to privileged locations so that they may bypass security restrictions.
UnsafeJavaScript	Stores the privileged location ID for items that are permitted to run blacklisted JavaScript.
Weblink	Stores the privileged location ID for items that should be trusted to allow navigation via URLs when the Trust Manager is set to block all URLs.

Disabling and locking the end user's ability to add files, folders, and hosts as a privileged location prevents them from assigning trust and thereby exempting that location from enhanced security restrictions.

The following options are available:

• Disabling and locking the ability to trust folders and files.
• Disabling and locking the ability to trust hosts/sites.
• Disabling and locking the ability to trust sites Internet Explorer trusts.

Example: Disabling Privileged Locations

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\AcrobatReader\9.0\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001

Summary table

DisableOSTrustedSites	Locks the ability to treat IE trusted sites as privileged locations either on or off so the users can't change the bTrustOSTrustedSites value via the user interface.
DisableTrustedFolders	Disables trusted folders AND files and prevents users from specifying a privileged location for directories.
DisableTrustedSites	Disables and locks the ability to specify host-based privileged locations.

These preferences control the Protected View feature for Windows. It is essentially a read-only mode. Released with Acrobat 10.1 and Reader 11.0, the feature is based on the same technology as Reader's sandbox and Protected Mode.

In Reader, Protected View is only supported when Protected Mode is enabled. If an HKCU or HKLM Protected Mode registry preference is set to 0 (off), Protected View cannot be enabled.

See also bDisableExpandEnvironmentVariables under FeatureLockDown.

Summary table

11.0 introduces the ability to elevate any certified document to a privileged location (all product versions). When set, certified documents become trusted for exemption from the same security restrictions from which other privileged locations are exempt. Note the following:

• The PDF's certification signature must be valid and chain to a trusted root.
• The setting is off by default.
• The one exception to such trusted PDF's parity with privileged locations is that this level of trust does not apply when the PDF is viewed in Protected View.

Summary table

EnableCertificateBasedTrust	Elevates (trusts) certified documents as a privileged location.
TrustCertifiedDocuments	Elevates (trusts) certified documents as a privileged location.