Disabling Acrobat JavaScript

[gibsons at my.uwstout.edu (Gibson, Samuel)]

I have had mixed luck with the ADM template. If the user manually enables javascript it seems to stay enabled.  I ended 
up using the instructions found here:

http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secure-using-group-policy/

along with the registry values contained in the ADM template below to create a GPO.  In testing it seems to be working 
quite well.  It also disables javascript each time the employee logs in.


________________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [pauldotcom-bounces at mail.pauldotcom.com] on behalf of Bugbear 
[gbugbear at gmail.com]
Sent: Tuesday, June 08, 2010 9:04 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I use custom GPO or mgmt system that can edit HKCU

a logon script for the user is another option

Also check out the blacklist framework

post my ranting I have compiled some info here (hey it was the
holidays and I was annoyed)

http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html

and also VRT has done some good research here

http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html

here's an ADM template for GPO, hope this helps

CLASS USER

CATEGORY "Adobe Acrobat/Reader 7.x - 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 9.x"
KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY


POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Reader 7.x"
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 7.x"
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY



On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <craigfreyman at gmail.com> wrote:
> What have some of you done to disable JavaScript in Acrobat Standard/Pro as
> well as Acrobat Reader from a corporate perspective?  I am referring to
> installations that are already in place.  Custom GPO?
> I've found a few articles describing the registry setting:
> [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
> "bEnableJS"=dword:00000000
> This will work for XP clients but this key isn't in this place on my Windows
> 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe.......
> If this is the case, if I'll have to write a script that grabs the user's
> SID before running the registry file on login.  Any other options people
> have used?
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com