[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Disabling javascript in adobe

Posted on 2009-02-21
14
Medium Priority
?
10,197 Views
Last Modified: 2012-05-07
Morning xperts, does anyone know how to disable javascript in adobe via group policy?
0
Comment
Question by:SPDES
  • 4
  • 2
  • 2
  • +4
14 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 23701263
Group policy does not control any kind of extension to Adobe software.  Furthermore, javascript is not a technology used with great extend in Adobe PDF files, or such.  Disabling javascript overall on a web browser might be a safe approach, it will break many pieces of web functionality.

0
 

Author Comment

by:SPDES
ID: 23710400
Can you do it with a group policy object?
0
 

Expert Comment

by:shackworth
ID: 23711823
It appears it can be done by setting the registry setting via group policy.   I have been trying to create a reg file that contains the key for all versions of Adobe, but since Adobe includes the version in the key path a programmatic approach may be a better answer.


[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\7.0\JSPrefs]
"bEnableJS"=dword:00000000


[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000


[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 27

Expert Comment

by:Jason Watkins
ID: 23712418
Here is what needs to be done...

Disable JavaScript in Adobe Reader and Acrobat  
 
   Disabling Javascript may prevent some exploits from resulting in
   code execution. Acrobat JavaScript can be disabled using the
   Preferences menu (Edit -> Preferences -> JavaScript and un-check
   Enable Acrobat JavaScript).
 
 
   Prevent Internet Explorer from automatically opening PDF documents
 
   The installer for Adobe Reader and Acrobat configures Internet
   Explorer to automatically open PDF files without any user
   interaction. This behavior can be reverted to the safer option of
   prompting the user by importing the following as a .REG file:
 
   Windows Registry Editor Version 5.00
 
   [HKEY_CLASSES_ROOT\AcroExch.Document.7]
   "EditFlags"=hex:00,00,00,00
 
 
   Disable the display of PDF documents in the web browser
 
   Preventing PDF documents from opening inside a web browser will
   partially mitigate this vulnerability. If this workaround is
   applied it may also mitigate future vulnerabilities. To prevent PDF
   documents from automatically being opened in a web browser, do the
   following:
   1. Open Adobe Acrobat Reader.  
   2. Open the Edit menu.    
   3. Choose the preferences option.  
   4. Choose the Internet section.
   5. Un-check the "Display PDF in browser" check box.  
 
0
 

Author Comment

by:SPDES
ID: 23712631
Thanks Fireball, I know how to to it locally, I have 300+ machines to do. I cant go to everyone. I'm looking push it out somehow.
0
 

Expert Comment

by:shackworth
ID: 23712696
Also to set registry settings via group policy:
Click edit on a policy and goto
Computer configuration
 windows settings
   security settings
Then right click on registry and then add the registry keys and values.

You could also write a batch script to import
      regedit /s \\server\sharename\regfile.reg
and include that in the startup script via group policy.

0
 
LVL 3

Accepted Solution

by:
Fr0zT earned 2000 total points
ID: 23712959
You can also make a group policy file, call it something like adobe.adm and put it in your Policies Adm folder. Usually something like:
\\<DC>\SYSVOL\<DOMAIN>\Policies\<Policy Class ID>\Adm

I found that it was necessary to include a carriage return at the end after END CATEGORY.
CLASS USER 
 
CATEGORY "Adobe Acrobat/Reader 6.x - 8.x" 
 
POLICY "JavaScript Reader 8.x" 
KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 8.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 7.x" 
KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 7.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Reader 6.x" 
KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
POLICY "JavaScript Acrobat 6.x" 
KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
 
END CATEGORY

Open in new window

0
 

Expert Comment

by:neoptoent
ID: 23713222
How do you know what policy class to put it in?
0
 
LVL 3

Expert Comment

by:Fr0zT
ID: 23713953
in gpmc.mmc (sometimes not installed by default, you can google it) double click on your GPO and then click Details.  In here you will see the Unique ID.

A less intuitive approach would be to purposefully create an .adm with a syntax error in it and put it in your /Adm folders until you can't open your policy without getting an error message anymore.

I also forgot to mention that by default in 2003 the "View" is filtered, and you can't see the custom settings for this.  You can right click Administrative Templates under User Configuration and go" View->Filtering->Only show policy settings that can be fully managed" and un-select it.  Then you will be able to see the settings for  "Adobe Acrobat/Reader 6.x - 9.x".  Now go through each one and disable it.

Also, you can add this bit to your .adm file at the top to get support for Adobe 9.x

POLICY "JavaScript Reader 9.x" 
KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" 
EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" 
VALUENAME "bEnableJS" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0
END POLICY 

Open in new window

0
 

Expert Comment

by:neoptoent
ID: 23721411
Is there a way after doing this gpo to prevent users from re-enabling javascript?
0
 
LVL 3

Expert Comment

by:Fr0zT
ID: 23722844
Not that I'm aware of, but you might want to play with the Adobe Customization Wizard:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993

And see if you can generate your own installer with JavaScript removed (Not sure if it's possible or not.)  Although that would require re-deploying Reader to your workstations.
0
 
LVL 3

Expert Comment

by:Fr0zT
ID: 23737967
0
 

Expert Comment

by:dplaw
ID: 23759702
Just want to say that an alert just came out about this very thing.  

http://www.adobe.com/support/security/advisories/apsa09-01.html

I used the script above that Fr0zT: created and it worked perfectly.  Good job.
0
 

Expert Comment

by:MSCHelpDesk
ID: 24399039
The registry setting (or any other registry setting):

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000000

can be set in Group Policy. Open a GPO, expand 'User Configuration', 'Preferences', 'Windows Settings', select 'Registry', hive 'HKEY_CURRENT_USER', in 'Key Path'. You need to navigate to the reigistry key you wish to add, so that means that the key must already exist on the machine you are on while in the GPO MMC.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question