Every good IT pro tries to follow best practices by updating and configuring workstations, software installed,…
Let’s consider specifically the PDF reader software provided by Adobe, and an IT pro who wants to harden its configuration to make the endpoint more resistant to this attack vector.
Adobe provides some GPO templates that you can find on their FTP website:
| Version | Reader | Acrobat |
|---|---|---|
| DC | ReaderADMTemplate.zip | AcrobatADMTemplate.zip |
| 2017 | ReaderADMTemplate.zip | AcrobatADMTemplate.zip |
| 2015 | ReaderADMTemplate.zip | AcrobatADMTemplate.zip |
If you load all these ADMX and ADML files in your policy definitions folder, you’ve got the following in the group policy editor console:
When you start to explore these templates looking for security settings to harden, you get really disappointed because there are only 5 to 7 settings per node 😦
It’s a shame because Adobe took the time to document many registry settings in the Enterprise toolkit pages and for example on these pages:
- Preference reference: Use this dictionary of 500+ registry and plist preferences to fine tune your product
- Administration guide
But they failed to make these settings available in GPO templates 😦
Adobe fails, no problem, PowerShell to the rescue 😎
It appears I’m not the only one who thinks this way. The Information Assurance mission at NSA (iadgov) helps the Department of Defense (DoD) to apply baselines.
They have a huge GitHub repository and even have an Adobe Reader DC template with around 45 settings. It’s not their first attempt. Before that they published recommended Adobe Reader XI settings.
However, when I loaded their single Adobe template on a Windows 7 workstation, it had many problems that I won’t detail here.
Kudos to iadgov! I’ve used some of their settings where appropriate, as well as their categories, but the main difference is that I created a PowerShell module that creates templates on demand for the Reader, Acrobat and their 2005, 2007 or DC versions 😎
I’d like the community to contribute to get more settings,… I’ve uploaded the module to GitHub so that it’s easy to fork, track issues and follow changes.
I’ve also added documentation for every setting on this page: https://github.com/p0w3rsh3ll/AdobeGPOTemplates/blob/master/Documentation.md
I’ve also uploaded the module on the PowerShell Gallery: https://www.powershellgallery.com/packages/AdobeGPOTemplates
Here’s an overview of what you’ll get if you generate all the templates and move them to your local GPO templates folder:
That looks better, doesn’t it? And there are more than 40 settings for each version of Adobe Software. 😀
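- How to start and create these templates?
- Download the module

```powershell
# Locate the module in the PowerShell Gallery and save it locally
Find-Module -Name AdobeGPOTemplates -Repository PSGallery
Save-Module -Name AdobeGPOTemplates -Path ~/Downloads -Repository PSGallery

# Verify the downloaded files against the catalog file shipped with the module
$HT = @{
    CatalogFilePath = "~/Downloads/AdobeGPOTemplates/1.0.0/AdobeGPOTemplates.cat"
    Path            = "~/Downloads/AdobeGPOTemplates/1.0.0"
    Detailed        = $true
    FilesToSkip     = 'PSGetModuleInfo.xml'
}
Test-FileCatalog @HT
```

```powershell
# Import the module and look at the syntax of its command
Import-Module ~/Downloads/AdobeGPOTemplates/1.0.0/AdobeGPOTemplates.psd1 -Force
Get-Command New-AdobeGPOTemplate -Syntax
# Get-Help New-AdobeGPOTemplate -Examples

# Generate the templates for every product and version in the current folder
New-AdobeGPOTemplate -Product Reader,Acrobat -Version DC,2017,2015

# Copy the templates to the local policy definitions folder and open the editor
Copy-Item -Path .\*.admx -Destination C:\Windows\PolicyDefinitions\
Copy-Item -Path .\*.adml -Destination C:\Windows\PolicyDefinitions\en-US\
gpedit.msc
```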
- What’s the bare minimum config?

Leaving aside the first rule of hygiene, which states that you need to update your software, and the fact that Adobe Reader has many “cloud-focused” features, I’d say that the 3 minimum settings to configure are:

  - Disable JavaScript
  - Disable the ability to execute any embedded object
  - Have the protected view turned on for anything

I know we may not agree, and if you have an opinion about the bare minimum config, please share it in the comments.

- Example of minimum config

Let’s say you just want to change the following default settings at the user level without locking down everything based on the above 3 recommendations:
After you have configured the following GPO settings:
You get this in the Reader UI:
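To check on a client that the three minimum settings listed earlier are enforced machine-wide, the following added example (not part of the AdobeGPOTemplates module) reads the Reader DC lockdown policy key. The value names `bDisableJavaScript`, `iFileAttachmentPerms` and `iProtectedView` come from Adobe's Preference Reference; their mapping to the three recommendations, the expected data and the function name `Test-AdobeMinimumConfig` are assumptions of this example.

```powershell
# Added example: audit the three "bare minimum" settings for Reader DC.
# Assumption: each recommendation maps to the value and data shown below.
$Key = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'

$Expected = [ordered]@{
    bDisableJavaScript   = 1   # JavaScript disabled
    iFileAttachmentPerms = 1   # non-PDF attachments cannot be opened or launched
    iProtectedView       = 2   # Protected View turned on for all files
}

function Test-AdobeMinimumConfig {
    param(
        [string]$Path = $Key,
        [System.Collections.IDictionary]$Baseline = $Expected
    )
    # A missing key means no lockdown policy has been applied at all
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Baseline.Keys) {
        # Look the value up by name; $null when the key or the value is absent
        $prop   = if ($props) { $props.PSObject.Properties[$name] }
        $actual = if ($prop)  { $prop.Value }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Compliant = ($null -ne $actual) -and ($actual -eq $Baseline[$name])
        }
    }
}

# One row per setting; a value that was never written is reported as not compliant
Test-AdobeMinimumConfig | Format-Table -AutoSize
```

For Acrobat, pass `-Path` with the `Adobe Acrobat` product key instead of `Acrobat Reader`.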
Do you have a method to deploy Adobe Reader DC by GPO? Or better, with WSUS Package Publisher? Thanks in advance.
If you want to deploy Adobe Reader DC by GPO, you can use an Immediate Scheduled Task.
Sorry, I don’t know for WSUS Package Publisher.
We have applied the Adobe Acrobat Pro DOC Continuous GPOs in our environment. But while testing Acrobat DC Pro for any issues related to the GPOs, it was found that when users are trying to access our internal SharePoint site, they are being asked for authentication credentials. Earlier they would connect automatically to the SharePoint site. Has anyone seen this before? If so, which GPO may be causing this?
See https://github.com/p0w3rsh3ll/AdobeGPOTemplates/blob/master/Documentation.md#bdisablesharepointfeatures
Unfortunately, it is no longer possible to use this; Adobe has changed the name of the GPO from Acrobat Reader to Adobe Acrobat.
Hello,
Can you please elaborate on the change and maybe provide an official link?
This module does not create a GPO. It creates templates.
I’m still using these templates in production and created GPOs using them that just write registry keys and values. These settings configured by GPO still apply and work as expected on client computers.