On Windows, Acrobat 10.1 introduced a sandbox called Protected View (PV). With 11.0, the feature is improved and extended to Reader. PV is a highly secure, read-only mode that blocks most actions and application behavior until the user decides whether or not to trust the document.
Note
In Reader, Protected View is only supported when Protected Mode is enabled. There can be no HKCU or HKLM Protected Mode registry preference set to 0 (off) when Protected View is enabled.
PV is another defense-in-depth feature that is tightly integrated with the existing enhanced security feature. PV in Acrobat leverages the successful sandbox implementation already in place for Adobe Reader while providing a user experience that should be familiar to Microsoft Office 2010 users.
Protected View
Under the covers, the PV sandbox is similar to Reader’s Protected Mode sandbox, but is built on a stronger model which provides greater protections. Just like Reader, Acrobat strictly confines the execution environment of untrusted programs; that is, any PDF and the processes it invokes. When PV is enabled, Acrobat assumes some or all PDFs are potentially malicious based on user preferences and confines processing to a restricted sandbox.
Due to the rich nature of Acrobat’s capabilities, Acrobat’s behavior with PV enabled is slightly more complex than Reader’s. The Acrobat team has specifically tailored application behavior for two types of scenarios: viewing PDFs with the standalone application and viewing PDFs with a browser. The rationale behind providing two protection experiences was driven by a need to preserve usability as well as the right level of functionality and security in each mode.
Note
With 11.x, PV behaviors in the standalone product and the browser are identical.
In the standalone application, behavior is simple and parallels the Protected View provided by Office 2010. During a file download and/or save, web browsers and email programs typically mark documents such as Internet files and attachments with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. In this state, many of Acrobat’s features that interact with and change the document are disabled and the associated menu items are greyed out in order to limit user interaction.
The view is essentially read-only, and the disabled features prevent any embedded or tag-along malicious content from tampering with your system. Once you’ve decided to trust the document, choosing Enable All Features exits PV, re-enables all menu items, and provides permanent trust for the file by adding it to enhanced security’s list of privileged locations (see Integration with enhanced security). The document is now open in a full, unsandboxed Acrobat process.
Protected View: Yellow message bar
When a PDF is opened in a browser, Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDFs provide a Reader-like experience for documents that have been “rights enabled.” That is, all of Reader’s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, etc.
In this respect, a PDF in the browser’s Protected View is more capable than a PDF in the standalone Protected View. On the other hand, the browser-based capabilities are always limited while the standalone application enables users to achieve full functionality with a single click of a button.
Feature | Standalone | Browser |
---|---|---|
Drag-drop PDFs to the reading or navigation pane | No | Yes |
Printing | No | Yes |
Advanced Printing | No | No |
Saving | No | Yes |
Pan and Zoom | No | No |
Loupe Tool | No | No |
Reading mode | No | Yes |
Full screen mode | No | Yes |
Feature | Standalone | Browser |
---|---|---|
Drag-drop PDFs to the reading or navigation pane | No | No |
Printing | No | No |
Advanced Printing | No | No |
Saving | No | No |
Pan and Zoom | No | No |
Loupe Tool | No | No |
Reading mode | No | Yes |
Full screen mode | No | No |
Protected View can be enabled, disabled, and configured in other ways to provide the level of security you need. That is, you decide when and how to use Protected View based on your level of trust for the PDFs you interact with.
iProtectedView
Registry configuration enables pre- and post-deployment configuration via the Customization Wizard, scripts, GPO, and other IT-centric methodologies. The application often uses internal keys that aren’t visible by default. If the requisite key does not exist, manually create it.
There are several ways to assign trust so that this feature works in a trusted context:
tID at: [HKCU\Software\Adobe\<product name>\<version>\TrustManager\<cTrustedSites or TrustedFolders>\]
"(All of the cabs are populated)"
Protected View can be locked so that the end user cannot change the setting. When locked, the user interface is disabled (greyed out). To do so, simply set the HKLM key as you would HKCU:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown]
"iProtectedView"
While you can verify whether the application has Protected View enabled by viewing the Enhanced Security panel, it is also possible to verify the document you are currently viewing is subject to Protected View’s protections.
Note
When using the standalone application, verification should be obvious since a document that opens in Protected View displays the Yellow Message Bar.
To verify if the browser-based document you are viewing is opened in Protected View:
When Protected View cannot launch due to an unsupported configuration, a dialog alerts the user of the incompatibility and provides the user with the option to disable Protected View.
Unsupported configurations for Acrobat running in Protected View change across releases as the product evolves. For example, Protected Mode supports Citrix and Windows Terminal Services deployments with 10.1. For a list of unsupported configurations and workarounds, see http://kb2.adobe.com/cps/860/cpsid_86063.html.
Unsupported configuration dialog for 10.x
Unsupported configuration dialog for 11.x
Design principles
Some of the high-level design criteria for Protected View include the following:
System requirements?
Due to the fundamental differences in OS and product implementations, sandbox designs must be tailored to each environment. The current release includes support for the following:
When should Protected View be enabled or disabled?
Protected View should be enabled all the time for casual users who interact with PDFs in unsecure environments. There are a limited number of cases where you might want to disable Protected View:
How many processes should be running when I use Protected View?
Open the process explorer or task manager. When in Protected View, two AcroRd32.exe processes will be running alongside the Acrobat.exe process. More processes will appear based on how many browser instances you have viewing a PDF, invoked shell extensions, and iFilter.
Protected View: processes