Disabling javascript in adobe

SPDES
Morning experts, does anyone know how to disable javascript in adobe via group policy?

Jason WatkinsIT Project Leader

Commented:
Group policy does not control any kind of extension to Adobe software.  Furthermore, javascript is not a technology used to a great extent in Adobe PDF files, or such.  Disabling javascript overall on a web browser might be a safe approach, it will break many pieces of web functionality.

Author

Commented:
Can you do it with a group policy object?
It appears it can be done by setting the registry setting via group policy.   I have been trying to create a reg file that contains the key for all versions of Adobe, but since Adobe includes the version in the key path a programmatic approach may be a better answer.


[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
"bEnableJS"=dword:00000000


[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000


[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
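
A programmatic take on the version-in-the-path problem raised in the comment above, added here as an example and not code from any poster in this thread: a PowerShell user logon script that finds whatever version subkeys exist under the two product keys quoted on this page and sets bEnableJS to 0 in each. It assumes version subkeys are named like 8.0 or 9.0 and that it runs in the user's own session, since the value lives in HKEY_CURRENT_USER.

```powershell
# Added example (not from the thread): disable Acrobat JavaScript for the
# current user across every Reader/Acrobat version key that is present.
[CmdletBinding(SupportsShouldProcess)]
param()

# Product keys as quoted in this thread; the version is the next path element.
$productRoots = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

foreach ($root in $productRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Assumption: version subkeys are named <major>.<minor> (7.0, 8.0, 9.0, ...).
    $versionKeys = Get-ChildItem -LiteralPath $root |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

    foreach ($key in $versionKeys) {
        $jsPrefs = "$root\$($key.PSChildName)\JSPrefs"

        # Record the old value (null if JSPrefs or the value does not exist yet).
        $previous = (Get-ItemProperty -LiteralPath $jsPrefs -Name 'bEnableJS' `
                        -ErrorAction SilentlyContinue).bEnableJS

        if ($PSCmdlet.ShouldProcess($jsPrefs, 'Set bEnableJS = 0')) {
            if (-not (Test-Path -LiteralPath $jsPrefs)) {
                New-Item -Path $jsPrefs -Force | Out-Null
            }
            # -Force overwrites an existing value; DWord matches dword:00000000.
            New-ItemProperty -Path $jsPrefs -Name 'bEnableJS' `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }

        # One object per key so the result can be logged or exported.
        [pscustomobject]@{
            Key      = $jsPrefs
            Previous = $previous
            Current  = (Get-ItemProperty -LiteralPath $jsPrefs -Name 'bEnableJS' `
                            -ErrorAction SilentlyContinue).bEnableJS
        }
    }
}
```

Run it with -WhatIf first to list the keys it would touch. Because the value is in the user's own hive, running the script at every logon also resets it if a user has turned JavaScript back on.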

Jason WatkinsIT Project Leader

Commented:
Here is what needs to be done...

Disable JavaScript in Adobe Reader and Acrobat  
 
   Disabling Javascript may prevent some exploits from resulting in
   code execution. Acrobat JavaScript can be disabled using the
   Preferences menu (Edit -> Preferences -> JavaScript and un-check
   Enable Acrobat JavaScript).
 
 
   Prevent Internet Explorer from automatically opening PDF documents
 
   The installer for Adobe Reader and Acrobat configures Internet
   Explorer to automatically open PDF files without any user
   interaction. This behavior can be reverted to the safer option of
   prompting the user by importing the following as a .REG file:
 
   Windows Registry Editor Version 5.00
 
   [HKEY_CLASSES_ROOT\AcroExch.Document.7]
   "EditFlags"=hex:00,00,00,00
 
 
   Disable the display of PDF documents in the web browser
 
   Preventing PDF documents from opening inside a web browser will
   partially mitigate this vulnerability. If this workaround is
   applied it may also mitigate future vulnerabilities. To prevent PDF
   documents from automatically being opened in a web browser, do the
   following:
   1. Open Adobe Acrobat Reader.  
   2. Open the Edit menu.    
   3. Choose the preferences option.  
   4. Choose the Internet section.
   5. Un-check the "Display PDF in browser" check box.  
 

Author

Commented:
Thanks Fireball, I know how to do it locally, I have 300+ machines to do. I can't go to everyone. I'm looking to push it out somehow.
Also to set registry settings via group policy:
Click edit on a policy and go to
Computer configuration
 windows settings
   security settings
Then right click on registry and then add the registry keys and values.

You could also write a batch script to import
      regedit /s \\server\sharename\regfile.reg
and include that in the startup script via group policy.

Commented:
You can also make a group policy file, call it something like adobe.adm and put it in your Policies Adm folder. Usually something like:
\\<DC>\SYSVOL\<DOMAIN>\Policies\<Policy Class ID>\Adm

I found that it was necessary to include a carriage return at the end after END CATEGORY.
CLASS USER 
 
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x" 
 
POLICY "JavaScript Reader 8.x" 
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 8.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 7.x" 
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 7.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 6.x" 
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 6.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
END CATEGORY


How do you know what policy class to put it in?

Commented:
in gpmc.mmc (sometimes not installed by default, you can google it) double click on your GPO and then click Details.  In here you will see the Unique ID.

A less intuitive approach would be to purposefully create an .adm with a syntax error in it and put it in your /Adm folders until you can't open your policy without getting an error message anymore.

I also forgot to mention that by default in 2003 the "View" is filtered, and you can't see the custom settings for this.  You can right click Administrative Templates under User Configuration and go "View->Filtering->Only show policy settings that can be fully managed" and un-select it.  Then you will be able to see the settings for  "Adobe Acrobat/Reader 6.x - 9.x".  Now go through each one and disable it.

Also, you can add this bit to your .adm file at the top to get support for Adobe 9.x

POLICY "JavaScript Reader 9.x" 
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0
END POLICY 


Is there a way after doing this gpo to prevent users from re-enabling javascript?

Commented:
Not that I'm aware of, but you might want to play with the Adobe Customization Wizard:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993

And see if you can generate your own installer with JavaScript removed (Not sure if it's possible or not.)  Although that would require re-deploying Reader to your workstations.

Commented:
Just want to say that an alert just came out about this very thing.  

http://www.adobe.com/support/security/advisories/apsa09-01.html

I used the script above that Fr0zT created and it worked perfectly.  Good job.
The registry setting (or any other registry setting):

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000

can be set in Group Policy. Open a GPO, expand 'User Configuration', 'Preferences', 'Windows Settings', select 'Registry', hive 'HKEY_CURRENT_USER', in 'Key Path'. You need to navigate to the registry key you wish to add, so that means that the key must already exist on the machine you are on while in the GPO MMC.
