SPDES
asked on
Disabling javascript in adobe
Morning experts, does anyone know how to disable javascript in adobe via group policy?
Group policy does not control any kind of extension to Adobe software. Furthermore, javascript is not a technology used to a great extent in Adobe PDF files, or such. Disabling javascript overall on a web browser might be a safe approach, but it will break many pieces of web functionality.
ASKER
Can you do it with a group policy object?
It appears it can be done by setting the registry setting via group policy. I have been trying to create a reg file that contains the key for all versions of Adobe, but since Adobe includes the version in the key path a programmatic approach may be a better answer.
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
"bEnableJS"=dword:00000000
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
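The programmatic approach mentioned above, as an added PowerShell example that is not part of the original thread: it collects the Reader version keys present on the machine and writes bEnableJS = 0 for each one. It must run in the user's context (a logon script) because the keys are under HKEY_CURRENT_USER; the function names are hypothetical, and looking for version keys under HKEY_LOCAL_MACHINE is an assumption about where the installer records them.

```powershell
# Added example (not from the thread). Run as a per-user logon script:
# the JSPrefs keys live under HKEY_CURRENT_USER.
function Get-ReaderVersion {
    # Version subkeys (7.0, 8.0, 9.0, ...) found in the user's hive and,
    # as an assumption about the installer's layout, in the machine hive.
    $roots = @(
        'HKCU:\Software\Adobe\Acrobat Reader',
        'HKLM:\SOFTWARE\Adobe\Acrobat Reader',
        'HKLM:\SOFTWARE\WOW6432Node\Adobe\Acrobat Reader'
    )
    $versions = foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root |
                Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
                ForEach-Object { $_.PSChildName }
        }
    }
    # Drop empty results and duplicates (same version seen in several hives)
    $versions | Where-Object { $_ } | Sort-Object -Unique
}

function Disable-ReaderJavaScript {
    foreach ($version in @(Get-ReaderVersion)) {
        $jsPrefs = "HKCU:\Software\Adobe\Acrobat Reader\$version\JSPrefs"
        if (-not (Test-Path $jsPrefs)) {
            # -Force also creates missing parent keys, e.g. for a user
            # who has never started Reader
            New-Item -Path $jsPrefs -Force | Out-Null
        }
        # Same value the .reg entries set: "bEnableJS"=dword:00000000
        New-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
            -PropertyType DWord -Value 0 -Force | Out-Null

        # Read the value back so the script output shows the effective setting
        $value = (Get-ItemProperty -Path $jsPrefs -Name 'bEnableJS').bEnableJS
        [pscustomobject]@{ Version = $version; bEnableJS = $value }
    }
}

Disable-ReaderJavaScript | Format-Table -AutoSize
```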
Here is what needs to be done...
Disable JavaScript in Adobe Reader and Acrobat
Disabling Javascript may prevent some exploits from resulting in
code execution. Acrobat JavaScript can be disabled using the
Preferences menu (Edit -> Preferences -> JavaScript and un-check
Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF documents
The installer for Adobe Reader and Acrobat configures Internet
Explorer to automatically open PDF files without any user
interaction. This behavior can be reverted to the safer option of
prompting the user by importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF documents in the web browser
Preventing PDF documents from opening inside a web browser will
partially mitigate this vulnerability. If this workaround is
applied it may also mitigate future vulnerabilities. To prevent PDF
documents from automatically being opened in a web browser, do the
following:
1. Open Adobe Acrobat Reader.
2. Open the Edit menu.
3. Choose the preferences option.
4. Choose the Internet section.
5. Un-check the "Display PDF in browser" check box.
ASKER
Thanks Fireball, I know how to do it locally, I have 300+ machines to do. I can't go to everyone. I'm looking to push it out somehow.
Also to set registry settings via group policy:
Click edit on a policy and go to
Computer configuration
windows settings
security settings
Then right click on registry and then add the registry keys and values.
You could also write a batch script to import
regedit /s \\server\sharename\regfile.reg
and include that in the startup script via group policy.
How do you know what policy class to put it in?
In gpmc.mmc (sometimes not installed by default, you can google it) double click on your GPO and then click Details. In here you will see the Unique ID.
A less intuitive approach would be to purposefully create an .adm with a syntax error in it and put it in your /Adm folders until you can't open your policy without getting an error message anymore.
I also forgot to mention that by default in 2003 the "View" is filtered, and you can't see the custom settings for this. You can right click Administrative Templates under User Configuration and go "View->Filtering->Only show policy settings that can be fully managed" and un-select it. Then you will be able to see the settings for "Adobe Acrobat/Reader 6.x - 9.x". Now go through each one and disable it.
Also, you can add this bit to your .adm file at the top to get support for Adobe 9.x
; Setting this policy to Disabled writes the VALUEOFF value (bEnableJS = 0)
POLICY "JavaScript Reader 9.x"
    KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
    EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
    VALUENAME "bEnableJS"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
END POLICY
Is there a way after doing this gpo to prevent users from re-enabling javascript?
Not that I'm aware of, but you might want to play with the Adobe Customization Wizard:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993
And see if you can generate your own installer with JavaScript removed (Not sure if it's possible or not.) Although that would require re-deploying Reader to your workstations.
Just want to say that an alert just came out about this very thing.
http://www.adobe.com/support/security/advisories/apsa09-01.html
I used the script above that Fr0zT created and it worked perfectly. Good job.
The registry setting (or any other registry setting):
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
can be set in Group Policy. Open a GPO, expand 'User Configuration', 'Preferences', 'Windows Settings', select 'Registry', hive 'HKEY_CURRENT_USER', in 'Key Path'. You need to navigate to the registry key you wish to add, so that means that the key must already exist on the machine you are on while in the GPO MMC.