

© 2013 Adobe Systems, Inc. All rights reserved.

Updated Oct 14, 2014.

21   File attachments

The Acrobat family of products always allows you to open and save PDF and FDF file attachments. However, attachments represent a potential security risk because they can contain malicious content, open other dangerous files, or launch applications. Certainly, file types such as .bin, .exe, .bat, and so on will be recognized as threats by most users and are not allowed as attachments by default.

For a complete guide to attachment configuration, see the Application Security Guide in the Application Security Library: http://learn.adobe.com/wiki/display/security/Application+Security+Library.

To mitigate the risk inherent in attachments:

[Figure: Attachment blacklist]

21.1   Blocking “open” actions

To prevent users from opening or launching any file type other than PDF and FDF from a document opened in the application, check Prevent document from opening other files and launching other applications. This disables the ability of the application to open attachments or launch other applications that will open those attachments.

This feature locks the setting so that it cannot be changed by end users and sets:

[HKLM\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown]
"iFileAttachmentPerms"=dword:00000001

21.2   Modifying black-white lists

To modify the level of user access to file types:

  1. In the Add and Modify File Types (Extensions) list, scroll to the file type you want to modify.

  2. Set the user access level when opening or launching the file type to one of the following:

    • Unspecified: Sets tBuiltInPermList to 1.
    • Allowed: Sets tBuiltInPermList to 2.
    • Prohibited: Sets tBuiltInPermList to 3.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"

Note

PDF (documents) and FDF file extensions are always allowed. You cannot prohibit them or mark them as Unspecified.

21.3   Restoring default behaviors

To revert all of the changes you have made to the Add and Modify File Types (Extension) list:

  1. Choose Restore Defaults.
  2. Choose Yes to confirm.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"tBuiltInPermList"

Note

The level of access for all default file types (except PDF and FDF) is set to Prohibited; any new file types that you added to the list are removed.

21.4   Unknown file types

You can control user access to file types marked Unspecified or that are not listed in the Add and Modify File Types (Extension) list.

To specify user access to unspecified file types, select one of the following options:

Unknown filetype attachment options

| Registry | Wizard UI | Description |
|----------|-----------|-------------|
| 0 | Prompt user without the ability to set the file type as Allowed | If a file with an unspecified file extension is launched, a dialog appears with two options: Open File and Never Allow. |
| 1 | Prompt user with the ability to set the file type as Allowed | If a file with an unspecified file extension is launched, a dialog appears with three options: Open File, Always Allow, and Never Allow. |
| 2 | None | The file opens if its extension is associated with an application. |
| 3 | Never launch files of Unspecified Types | If a file with an unspecified file extension is launched, a dialog appears indicating that the application doesn’t allow such files to launch. |

After installation, if Prevent document from opening other files and launching other applications is selected, users do not have access to any other file types. To check this in the product, go to Preferences > Edit > Trust Manager and verify the PDF File Attachments options are unavailable.

This feature sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"iUnlistedAttachmentTypePerm"

[Figure: Unknown file type behavior]
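An added example, not part of Adobe's guide: a Python check that reads a .reg export of the FeatureLockDown key and reports where iFileAttachmentPerms, iUnlistedAttachmentTypePerm and tBuiltInPermList leave attachments launchable. The sample export is constructed, and the "version:1|.ext:N" layout of tBuiltInPermList is an assumption; this page gives only the per-type levels 1, 2 and 3.

```python
import re

# Constructed sample .reg export; <product>/<version> are the page's placeholders.
# ASSUMPTION: tBuiltInPermList is a "version:1|.ext:N|..." string (not shown on the page).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown]
"iFileAttachmentPerms"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product>\<version>\FeatureLockDown\cDefaultLaunchAttachmentPerms]
"iUnlistedAttachmentTypePerm"=dword:00000002
"tBuiltInPermList"="version:1|.exe:3|.bat:2|.bin:3|.txt:2"
'''
RISKY = (".bin", ".exe", ".bat")  # extensions the page names as recognized threats
UNLISTED = {0: "prompt (Open File / Never Allow)", 1: "prompt, user may choose Always Allow",
            2: "no prompt (Wizard UI: None)", 3: "never launch"}
VALUE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {value_name: int | str} for values under any FeatureLockDown key."""
    values, in_scope = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # key header: track whether we are inside the policy key
            in_scope = "\\featurelockdown" in line.lower()
            continue
        m = VALUE.match(line)
        if in_scope and m:
            values[m.group(1)] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return values

def audit(values):
    """Return findings; an empty list means nothing but PDF/FDF can be opened or launched."""
    if values.get("iFileAttachmentPerms") == 1:
        return []  # "Prevent document from opening other files..." is locked on
    findings = ["iFileAttachmentPerms is not 1: open actions for non-PDF/FDF files are not blocked"]
    unlisted = values.get("iUnlistedAttachmentTypePerm")
    if unlisted != 3:
        findings.append(f"iUnlistedAttachmentTypePerm={unlisted}: {UNLISTED.get(unlisted, 'not set')}")
    perms = {}
    for entry in str(values.get("tBuiltInPermList", "")).split("|"):
        ext, _, level = entry.rpartition(":")
        if ext.startswith(".") and level.isdigit():  # skips the "version:1" header
            perms[ext.lower()] = int(level)
    for ext in RISKY:
        if perms.get(ext) != 3:  # 3 = Prohibited
            findings.append(f"{ext} is not Prohibited (level {perms.get(ext)})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_reg(SAMPLE_REG))))
```
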