SPDES

Disabling javascript in adobe

Morning experts, does anyone know how to disable JavaScript in Adobe via group policy?
Jason Watkins

Group policy does not control any kind of extension to Adobe software. Furthermore, JavaScript is not a technology used to a great extent in Adobe PDF files, or such. Disabling JavaScript overall on a web browser might be a safe approach; it will break many pieces of web functionality.

SPDES

ASKER

Can you do it with a group policy object?
It appears it can be done by setting the registry setting via group policy. I have been trying to create a reg file that contains the key for all versions of Adobe, but since Adobe includes the version in the key path, a programmatic approach may be a better answer.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
"bEnableJS"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
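
One way to take the programmatic approach mentioned above, as an added example that is not part of the original thread: a PowerShell function that enumerates the version subkeys under the Reader key and sets bEnableJS to 0 in each. The function name Disable-ReaderJavaScript and its -Root parameter are hypothetical, and it is assumed to run in the user's context (for example as a logon script), since the value lives under HKEY_CURRENT_USER.

```powershell
# Added example (not from the thread). Run in the user's context, e.g. as a
# GPO logon script, because the setting lives under HKEY_CURRENT_USER.
function Disable-ReaderJavaScript {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Parent key that holds one subkey per Reader version (7.0, 8.0, 9.0 ...)
        [string]$Root = 'HKCU:\Software\Adobe\Acrobat Reader'
    )

    if (-not (Test-Path -Path $Root)) {
        Write-Verbose "No key at $Root, nothing to change."
        return
    }

    # Only subkeys named like a version number; any other subkey is skipped.
    $versions = Get-ChildItem -Path $Root |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($key in $versions) {
        $jsPrefs = "$Root\$($key.PSChildName)\JSPrefs"

        # Create JSPrefs when it is missing so the value can be written.
        if (-not (Test-Path -Path $jsPrefs) -and
            $PSCmdlet.ShouldProcess($jsPrefs, 'Create key')) {
            New-Item -Path $jsPrefs -Force | Out-Null
        }

        $before = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS `
                   -ErrorAction SilentlyContinue).bEnableJS

        if ($before -ne 0 -and
            $PSCmdlet.ShouldProcess($jsPrefs, 'Set bEnableJS to 0')) {
            New-ItemProperty -Path $jsPrefs -Name bEnableJS `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }

        # One record per version: the value found and the value left behind.
        [pscustomobject]@{
            Version = $key.PSChildName
            Before  = $before
            After   = (Get-ItemProperty -Path $jsPrefs -Name bEnableJS `
                       -ErrorAction SilentlyContinue).bEnableJS
        }
    }
}

Disable-ReaderJavaScript -Verbose
```

Run it with -WhatIf to list the keys it would touch without writing anything. A Before value of 1 on a machine that already received the setting means JavaScript was turned back on since the last run.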
Here is what needs to be done...

Disable JavaScript in Adobe Reader and Acrobat  
 
   Disabling Javascript may prevent some exploits from resulting in
   code execution. Acrobat JavaScript can be disabled using the
   Preferences menu (Edit -> Preferences -> JavaScript and un-check
   Enable Acrobat JavaScript).
 
 
   Prevent Internet Explorer from automatically opening PDF documents
 
   The installer for Adobe Reader and Acrobat configures Internet
   Explorer to automatically open PDF files without any user
   interaction. This behavior can be reverted to the safer option of
   prompting the user by importing the following as a .REG file:
 
   Windows Registry Editor Version 5.00
 
   [HKEY_CLASSES_ROOT\AcroExch.Document.7]
   "EditFlags"=hex:00,00,00,00
 
 
   Disable the display of PDF documents in the web browser
 
   Preventing PDF documents from opening inside a web browser will
   partially mitigate this vulnerability. If this workaround is
   applied it may also mitigate future vulnerabilities. To prevent PDF
   documents from automatically being opened in a web browser, do the
   following:
   1. Open Adobe Acrobat Reader.  
   2. Open the Edit menu.    
   3. Choose the preferences option.  
   4. Choose the Internet section.
   5. Un-check the "Display PDF in browser" check box.  
 

ASKER

Thanks Fireball, I know how to do it locally, I have 300+ machines to do. I can't go to everyone. I'm looking to push it out somehow.
Also to set registry settings via group policy:
Click edit on a policy and go to
Computer configuration
 windows settings
   security settings
Then right click on registry and then add the registry keys and values.

You could also write a batch script to import
      regedit /s \\server\sharename\regfile.reg
and include that in the startup script via group policy.

ASKER CERTIFIED SOLUTION
Fr0zT
How do you know what policy class to put it in?
In gpmc.mmc (sometimes not installed by default, you can google it) double click on your GPO and then click Details. In here you will see the Unique ID.

A less intuitive approach would be to purposefully create an .adm with a syntax error in it and put it in your /Adm folders until you can't open your policy without getting an error message anymore.

I also forgot to mention that by default in 2003 the "View" is filtered, and you can't see the custom settings for this. You can right click Administrative Templates under User Configuration and go to "View->Filtering->Only show policy settings that can be fully managed" and un-select it. Then you will be able to see the settings for "Adobe Acrobat/Reader 6.x - 9.x". Now go through each one and disable it.

Also, you can add this bit to your .adm file at the top to get support for Adobe 9.x

POLICY "JavaScript Reader 9.x" 
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0
END POLICY 


Is there a way after doing this gpo to prevent users from re-enabling javascript?
Not that I'm aware of, but you might want to play with the Adobe Customization Wizard:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993

And see if you can generate your own installer with JavaScript removed (Not sure if it's possible or not.)  Although that would require re-deploying Reader to your workstations.
Just want to say that an alert just came out about this very thing.  

http://www.adobe.com/support/security/advisories/apsa09-01.html

I used the script above that Fr0zT created and it worked perfectly. Good job.
The registry setting (or any other registry setting):

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000

can be set in Group Policy. Open a GPO, expand 'User Configuration', 'Preferences', 'Windows Settings', select 'Registry', hive 'HKEY_CURRENT_USER', in 'Key Path'. You need to navigate to the registry key you wish to add, so that means that the key must already exist on the machine you are on while in the GPO MMC.