14   Security

The configuration options here configure application security features such as enhanced security, protected mode, and privileged locations. Workflows and content should be designed to operate in the context of enabling all of these features; that is, untrusted content and source locations should be restricted, and workflow components known to be trusted should be specifically identified as privileged locations.

Note

Due the complexity and critical nature of security settings, you might find it expedient to leverage existing configurations via the Registry feature. That is, configure an installed application and then copy the modified registry to the installer via the Wizard.

14.1   Protected View

Protected View (PV) is a highly secure “super-sandbox” that is essentially a read-only mode. In Protected View, all features are disabled except those associated with viewing (e.g., zoom, navigation, links, find, etc.). Users must select Enable all features if they wish to do anything more than read the PDF. This action assigns trust and adds the document to the users’ list of Privileged Locations. PV behaves identically for Acrobat and Reader whether viewing PDFs in a browser or in a standalone product.

Note

In Reader 11.0, Protected View is only supported when Protected Mode is enabled. There can by no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled.

There are three configuration options:

  • Off: Disable Protected View.
  • Files from potentially unsafe locations: Open files from the internet or other unknown (and therefore untrusted) sources in Protected View.
  • All files: Open all files in Protected View.

Protected View configuration

_images/protectedview.png

14.2   Enhanced security

Enhanced security was enabled by default for the 9.3 and 8.2 updates. Its configuration and behavior are nearly identical across platforms and whether or not you are viewing a PDF within a browser or within a standalone application. Adobe recommends as a best practice that you enable enhanced security. Enhanced security restricts several types of behaviors and content:

  • Unrestricted cross domain access
  • Silent printing
  • XObject (stream) access
  • Data injection
  • Script injection

14.2.1   Standalone and browser behavior

Depending on how a PDF is opened, the PDF viewer may be a standalone application or may be opened within a browser. Settings may be configured separately for both cases. By default, enhanced security is enabled.

To specify a custom setting, set the Standalone and/or Browser drop down lists to one of the following:

  • Enable: Enhanced security is on but users can change the setting (the default).
  • Enable & Lock: Enhanced security is on but the UI is locked so that users can’t change the setting.
  • Disable: Enhanced security is off but users can change the setting.
  • Disable & Lock: Enhanced security is off but the UI is locked so that users can’t change the setting.

Disabling and enabling enhanced security toggles the keys shown below. Locking the setting sets a key in HKLM that’s only available to administrators.

Enhanced security configuration

_images/enhancedsecurity.png

Registry configuration: Enhanced security enabled

[HKCU\Software\Adobe\<product name>\<version>\TrustManager]
"bEnhancedSecurityInBrowser"=dword:00000001
"bEnhancedSecurityStandalone"=dword:00000001

Registry configuration: Locking enhanced security settings

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001

Note

You may also want to lock this feature via HKLM’s FeatureLockDown: "bDisableOSTrustedSites"=dword:00000001.

14.2.2   Specifying privileged locations

Enhanced security is specifically designed to let you decide what content to trust and help you selectively bypass its restrictions for trusted files, folders, and hosts. These trusted domains–called privileged locations–are exempt from enhanced security rules.

Privileged locations panel

_images/privilegedlocation.png

To add a trusted location:

  1. Choose Add File, Add Folder , or Add Host.
  2. Enter a value or browse to the location.
  3. Set recursivity for folders and hosts (recursivity is on by default).

The Wizard sets:

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"cTrustedFolder"
"cTrustedSites"

To remove a trusted object, select the trusted location and choose Remove.

14.2.3   Locking privileged locations

To determine whether end-users can add trusted objects, select or clear the following check boxes:

  • Prevent end-user to add trusted Files and Folders. This feature locks the user interface by setting:
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
  • Prevent end-user to add trusted Hosts. This feature locks the user interface by setting:
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bDisableTrustedSites"=dword:00000001

14.2.4   Product UI vs. Wizard UI

Because the product regularly evolves, the Wizard may contain functional differences from what can be done by users via the application UI. For example, the 10.0 Wizard set 8 preferences at the time of its release. At the time of the last 10.x update, the product set 12 preferences when a user specified a privileged location.

14.3   Examine document

This feature is only available in Acrobat.

The Remove Hidden Information panel configures the Examine Document feature. This feature identifies hidden document information and allows the user to remove selected items:

To display the Examine document dialog box when closing Acrobat, select Examine document when closing document. The Wizard creates or modifies the following registry key:

bAutoLaunchAtDocClose

[HKCU\Software\Adobe\<product name>\<version>\Security]
"bAutoLaunchAtDocClose"=dword:00000001

To display the Examine document dialog box when sending e-mail, select Examine document when sending document by email. The Wizard creates or modifies the following registry key:

bAutoLaunchAtSendMail

[HKCU\Software\Adobe\<product name>\<version>\Security]
"bAutoLaunchAtSendMail"=dword:00000001