PaulDotCom mailing list archives

Disabling Acrobat JavaScript


From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Thu, 10 Jun 2010 20:09:30 -0400

Have you tried using Group Policy Preferences?  I have had better luck
managing registry settings using them.  They were first included with
Windows 2008 and are included in 7 but can be downloaded and installed on XP
and Vista too.

Jody

-----Original Message-----
From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Gibson, Samuel
Sent: Thursday, June 10, 2010 8:43 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I have had mixed luck with the ADM template. If the user manually enables
javascript it seems to stay enabled.  I ended up using the instructions
found here:

http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secure-using-group-policy/

along with the registry values contained in the ADM template below to create
a GPO.  In testing it seems to be working quite well.  It also disables
javascript each time the employee logs in.


________________________________________
From: pauldotcom-bounces at mail.pauldotcom.com
[pauldotcom-bounces at mail.pauldotcom.com] on behalf of Bugbear
[gbugbear at gmail.com]
Sent: Tuesday, June 08, 2010 9:04 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I use custom GPO or mgmt system that can edit HKCU

a logon script for the user is another option

Also check out the blacklist framework

post my ranting I have compiled some info here (hey it was the holidays and
I was annoyed)

http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html

and also VRT has done some good research here

http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html

here's an ADM template for GPO, hope this helps

CLASS USER

CATEGORY "Adobe Acrobat/Reader 7.x - 9.x"

POLICY "JavaScript Reader 9.x"
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 9.x"
KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY


POLICY "JavaScript Reader 8.x"
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 8.x"
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Reader 7.x"
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

POLICY "JavaScript Acrobat 7.x"
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
VALUENAME "bEnableJS"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY

END CATEGORY



On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <craigfreyman at gmail.com>
wrote:
What have some of you done to disable JavaScript in Acrobat 
Standard/Pro as well as Acrobat Reader from a corporate perspective?  
I am referring to installations that are already in place.  Custom GPO?
I've found a few articles describing the registry setting:
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000
This will work for XP clients but this key isn't in this place on my
Windows 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe.......
If this is the case, I'll have to write a script that grabs the
user's SID before running the registry file on login.  Any other
options people have used?

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

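
Added example (not part of the original thread or any poster's script): a per-user logon script in PowerShell that applies the bEnableJS=0 value from the ADM template above to each product and version key it lists, and reports what it found. HKCU is the logged-on user's view of HKEY_USERS\<SID>, so a script running as that user needs no SID lookup; the function name and its parameters are hypothetical.

```powershell
# Added example: per-user logon script. Key paths and the bEnableJS value name
# come from the ADM template in this thread; function and parameter names are hypothetical.
function Disable-AcrobatJavaScript {
    param(
        [string[]]$Products = @('Acrobat Reader', 'Adobe Acrobat'),
        [string[]]$Versions = @('7.0', '8.0', '9.0'),
        [switch]$AuditOnly,      # report the current state without writing
        [switch]$CreateMissing   # also write keys for versions this user has not launched yet
    )

    foreach ($product in $Products) {
        foreach ($version in $Versions) {
            # HKCU: maps to HKEY_USERS\<SID of the logged-on user>.
            $versionKey = "HKCU:\Software\Adobe\$product\$version"
            $prefsKey   = "$versionKey\JSPrefs"

            # By default, skip product/version keys that do not exist for this user.
            if ((-not (Test-Path -Path $versionKey)) -and (-not $CreateMissing)) { continue }

            # Missing key or missing value both read back as $null.
            $before = (Get-ItemProperty -Path $prefsKey -Name 'bEnableJS' `
                        -ErrorAction SilentlyContinue).bEnableJS

            if ((-not $AuditOnly) -and ($before -ne 0)) {
                if (-not (Test-Path -Path $prefsKey)) {
                    New-Item -Path $prefsKey -Force | Out-Null
                }
                # -Force overwrites a value the user re-enabled in the product's preferences.
                New-ItemProperty -Path $prefsKey -Name 'bEnableJS' `
                    -PropertyType DWord -Value 0 -Force | Out-Null
            }

            $after = (Get-ItemProperty -Path $prefsKey -Name 'bEnableJS' `
                        -ErrorAction SilentlyContinue).bEnableJS

            # One record per key, suitable for logging or central collection.
            [pscustomobject]@{
                Key     = $prefsKey
                Before  = $before
                After   = $after
                Changed = ($before -ne $after)
            }
        }
    }
}

Disable-AcrobatJavaScript
```

Without -CreateMissing, a user who has never started the product has no version key yet and is picked up at the logon after first launch. Running with -AuditOnly shows which users had re-enabled JavaScript before any change is made.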


