Create Adobe GPO templates

Every good IT pro tries to follow best practices by updating and configuring workstations, software installed,…

Let’s consider specifically the PDF reader software provided by Adobe and the fact that the IT pro wants to harden the configuration to have a more resistant endpoint to this attack vector.

Adobe provides some GPO templates that you can find on their FTP website:

Version Reader Acrobat
DC ReaderADMTemplate.zip AcrobatADMTemplate.zip
2017 ReaderADMTemplate.zip AcrobatADMTemplate.zip
2015 ReaderADMTemplate.zip AcrobatADMTemplate.zip

If you load all these ADMX and ADML files in your policy definitions folder, you’ve got the following in the group policy editor console:

When you start to explore these templates and look for hardening the security settings, you get really disappointed because there’s only between 5 to 7 settings per node 😦

It’s a shame because Adobe took the time to document many registry settings in the Enterprise toolkit pages and for example on these pages:

But they failed to make these settings available in GPO templates 😦

Adobe fails, no problem, PowerShell to the rescue 😎

It appears I’m not the only one who thinks this way. The Information Assurance mission at NSA (iadgov) helps the Department of Defense (DoD) to apply baselines.
They have a huge github repository and even have an Adobe Reader DC template with around 45 settings. It’s not their first attempt. Before that they published recommended Adobe Reader XI settings.

However their single Adobe template has many problems that I won’t detail here when I loaded it on a Windows 7 workstation.
Kudos to iadgov! I’ve used some of their settings when appropriate, their categories but the main difference is that I created a PowerShell module that creates templates on demand for the Reader, Acrobat and their 2005, 2007 or DC versions 😎

I’d like the community to contribute to get more settings,… I’ve uploaded the module on github so that it’s easy to fork, track issues, follow changes.
I’ve also added a documentation of every settings on this page: https://github.com/p0w3rsh3ll/AdobeGPOTemplates/blob/master/Documentation.md

I’ve also uploaded the module on the PowerShell Gallery: https://www.powershellgallery.com/packages/AdobeGPOTemplates

Here’s an overview of what you’ll get if you generate all the templates and move them to your local GPO templates folder:

That looks better, isn’t it? And there are more than 40 settings for each version of Adobe Software. πŸ˜€

  • How to start and create these templates?
    • Download the module
    • Find-Module -Name AdobeGPOTemplates -Repository PSGallery
      Save-Module -Name AdobeGPOTemplates -Path ~/Downloads -Repository PSGallery
      $HT = @{
       CatalogFilePath = "~/Downloads/AdobeGPOTemplates/1.0.0/AdobeGPOTemplates.cat"
       Path = "~/Downloads/AdobeGPOTemplates/1.0.0"
       Detailed = $true
       FilesToSkip = 'PSGetModuleInfo.xml'
      }
      Test-FileCatalog @HT
      

    • Import the module, create templates and copy them to your local GPO templates folder
    • Import-Module ~/Downloads/AdobeGPOTemplates/1.0.0/AdobeGPOTemplates.psd1 -Force
      Get-Command New-AdobeGPOTemplate -Syntax
      # Get-Help New-AdobeGPOTemplate  -Examples
      New-AdobeGPOTemplate -Product Reader,Acrobat -Version DC,2017,2015
      copy .\*.admx -Destination C:\Windows\PolicyDefinitions\
      copy .\*.adml -Destination C:\Windows\PolicyDefinitions\en-US\
      gpedit.msc
      

  • What’s the bare minimum config?
  • If you omit the first rule of hygiene that states that you need to update your software and the fact that the Adobe Reader has many “cloud-focused” features, I’d say that the 3 minimum settings to configure are:

    1. Disable JavaScript
    2. Disable the ability to execute any embedded object
    3. Have the protected view turned on for anything

    I know we may not agree and if you’ve an opinion about the bare minimum config, please share it in the comments.

    • Example of minimum config

    Let’s say you just want to change the following default settings at the user level without locking down everything based on the above 3 recommendations:


    After you configured the following GPO settings:

    You get this in the Reader UI:


    Advertisements

One thought on “Create Adobe GPO templates

  1. Pingback: Create Adobe GPO templates with a PowerShell module - How to Code .NET

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s