The configuration options here configure application security features such as enhanced security, protected mode, and privileged locations. Workflows and content should be designed to operate in the context of enabling all of these features; that is, untrusted content and source locations should be restricted, and workflow components known to be trusted should be specifically identified as privileged locations.
Due to the complexity and critical nature of security settings, you might find it expedient to leverage existing configurations via the Registry feature. That is, configure an installed application and then copy the modified registry to the installer via the Wizard.
Protected View (PV) is a highly secure “super-sandbox” that is essentially a read-only mode. In Protected View, all features are disabled except those associated with viewing (e.g., zoom, navigation, links, find, etc.). Users must select Enable all features if they wish to do anything more than read the PDF. This action assigns trust and adds the document to the users’ list of Privileged Locations. PV behaves identically for Acrobat and Reader whether viewing PDFs in a browser or in a standalone product.
In Reader 11.0, Protected View is only supported when Protected Mode is enabled. There can be no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled.
There are three configuration options:
Protected View configuration
Enhanced security was enabled by default for the 9.3 and 8.2 updates. Its configuration and behavior are nearly identical across platforms and whether or not you are viewing a PDF within a browser or within a standalone application. Adobe recommends as a best practice that you enable enhanced security. Enhanced security restricts several types of behaviors and content:
Depending on how a PDF is opened, the PDF viewer may be a standalone application or may be opened within a browser. Settings may be configured separately for both cases. By default, enhanced security is enabled.
To specify a custom setting, set the Standalone and/or Browser drop down lists to one of the following:
Disabling and enabling enhanced security toggles the keys shown below. Locking the setting sets a key in HKLM that’s only available to administrators.
Enhanced security configuration
Registry configuration: Enhanced security enabled
[HKCU\Software\Adobe\<product name>\<version>\TrustManager]
"bEnhancedSecurityInBrowser"=dword:00000001
"bEnhancedSecurityStandalone"=dword:00000001
Registry configuration: Locking enhanced security settings
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001

[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001
You may also want to lock this feature via HKLM’s FeatureLockDown: "bDisableOSTrustedSites"=dword:00000001.
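An added example, not part of the original documentation or of Adobe's tooling: a Python check that reads exported .reg text and reports whether each enhanced security value above is on, off, or locked, and whether the trusted-location locks are set. It assumes that an HKLM FeatureLockDown value overrides the HKCU preference; the function names, state labels, and sample input are constructed for illustration.

```python
import re

# Value names come from the page; the state labels are this example's own.
ES_VALUES = ("bEnhancedSecurityStandalone", "bEnhancedSecurityInBrowser")
LOCK_VALUES = ("bDisableTrustedFolders", "bDisableTrustedSites", "bDisableOSTrustedSites")
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}

def parse_reg(text):
    """Parse .reg-style text into {(hive, lowercased key path): {name: dword}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        key = re.fullmatch(r"\[([^\\\]]+)\\(.+)\]", line)
        val = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})', line)
        if key:
            hive = key.group(1).upper()
            current = keys.setdefault((HIVES.get(hive, hive), key.group(2).lower()), {})
        elif val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
    return keys

def audit(text):
    """Report the effective state of each enhanced security and trust-lock value."""
    user, policy = {}, {}
    stores = {("HKCU", "trustmanager"): user, ("HKLM", "featurelockdown"): policy}
    for (hive, path), values in parse_reg(text).items():
        stores.get((hive, path.rsplit("\\", 1)[-1]), {}).update(values)
    report = {}
    for name in ES_VALUES:
        if name in policy:  # assumption: the HKLM lock wins over the HKCU preference
            report[name] = "locked-on" if policy[name] == 1 else "locked-off"
        elif name in user:
            report[name] = "on-unlocked" if user[name] == 1 else "off"
        else:
            report[name] = "unset"
    for name in LOCK_VALUES:
        report[name] = "locked" if policy.get(name) == 1 else "not-locked"
    return report

# Constructed sample input; the <product name> and <version> placeholders are the page's.
SAMPLE = r"""
[HKCU\Software\Adobe\<product name>\<version>\TrustManager]
"bEnhancedSecurityInBrowser"=dword:00000000
"bEnhancedSecurityStandalone"=dword:00000001
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"bEnhancedSecurityInBrowser"=dword:00000001
"bDisableTrustedFolders"=dword:00000001
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A value reported as on-unlocked can still be turned off by the user, so a hardened baseline would expect locked-on for both enhanced security values.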
Enhanced security is specifically designed to let you decide what content to trust and help you selectively bypass its restrictions for trusted files, folders, and hosts. These trusted domains–called privileged locations–are exempt from enhanced security rules.
Privileged locations panel
To add a trusted location:
The Wizard sets:
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"cTrustedFolder"
"cTrustedSites"
To remove a trusted object, select the trusted location and choose Remove.
To determine whether end-users can add trusted objects, select or clear the following check boxes:
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown] "bDisableTrustedFolders"=dword:00000001
[HKLM\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown] "bDisableTrustedSites"=dword:00000001
Because the product regularly evolves, the Wizard may contain functional differences from what can be done by users via the application UI. For example, the 10.0 Wizard set 8 preferences at the time of its release. At the time of the last 10.x update, the product set 12 preferences when a user specified a privileged location.
This feature is only available in Acrobat.
The Remove Hidden Information panel configures the Examine Document feature. This feature identifies hidden document information and allows the user to remove selected items:
To display the Examine document dialog box when closing Acrobat, select Examine document when closing document. The Wizard creates or modifies the following registry key:
[HKCU\Software\Adobe\<product name>\<version>\Security] "bAutoLaunchAtDocClose"=dword:00000001
To display the Examine document dialog box when sending e-mail, select Examine document when sending document by email. The Wizard creates or modifies the following registry key:
[HKCU\Software\Adobe\<product name>\<version>\Security] "bAutoLaunchAtSendMail"=dword:00000001