Just duplicate the 8.x section and change all the 8's to 9's.
To this adm file I added the following for the Launch Attachments vulnerability that was recently addressed: POLICY "Launch Reader 9.x" KEYNAME "Software\Adobe\Acrobat Reader\9.0\Originals" EXPLAIN "Enable or Disable Launching Attachments in Acrobat Reader 9.x" VALUENAME "bAllowOpenFile" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "Lock down Launch Reader 9.x" KEYNAME "Software\Adobe\Acrobat Reader\9.0\Originals" EXPLAIN "Enable or Disable User Changes to Launch Attachments in Acrobat Reader 9.x" VALUENAME "bSecureOpenFile" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY Carl From: Sam Cayze [mailto:[email protected]] Sent: Monday, April 19, 2010 1:42 PM To: NT System Admin Issues Subject: RE: Locking adobe I've used this adm file with GPOs with great success. Yes, people could probable re-enable through the GUI if they wanted. But it get's unchecked again via gpo refresh. The one I found on the web and pasted below is missing the pref for 9.x Please advise. CLASS USER CATEGORY "Adobe Acrobat/Reader 6.x - 8.x" POLICY "JavaScript Reader 8.x" KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Acrobat 8.x" KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Reader 7.x" KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Acrobat 7.x" KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Reader 6.x" KEYNAME "Software\Adobe\Acrobat Reader\6.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 6.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Acrobat 6.x" KEYNAME "Software\Adobe\Adobe Acrobat\6.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat 6.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY END CATEGORY _____ From: Bill Songstad [mailto:[email protected]] Sent: Monday, April 19, 2010 12:33 PM To: NT System Admin Issues Subject: Re: Locking adobe Well locking the registry perms was effective and had no immediately obvios side-effects on Acrobat Reader's function. I'm not sure if that will hold true through updates and patches though. The process gets kind of ugly considering we are dealing with HKCU too. I can have the users run a script to lock themselves out of the reg key, but undoing it is a nightmare of finding the all the correct ids on the computer for all the users and changing the perms in the HKU tree. Much easier to give away than to take back it seems. Somehow, I think its best to persue another strategy. -Bill On Fri, Apr 16, 2010 at 3:59 PM, Peter van Houten <[email protected]> wrote: Would be interested in the results. As Brian pointed out, the Reader might not enjoy having its "private parts" locked ;-) -- Peter van Houten Bill Songstad wrote the following: Shamefully, I never thought of locking down the perms on the reg key. I'll monkey with that and post back with my results. -Bill On Fri, Apr 16, 2010 at 3:39 PM, Peter van Houten <[email protected] <mailto:[email protected]>> wrote: Have you tried changing the permissions of the reg key? -- Peter van Houten Bill Songstad wrote the following: Okay, I've figured out how to disable the /launch feature in Acrobat Reader, and make it so users can't easily undo it. But I can't for the life of me turn of jscript and make it sticky. [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs] "bEnableJS"=dword:00000000 will turn off javascript within Acrobat Reader, but the user can just turn it back on, In fact if a java enabled document is opened, the user is prompted to enable it. Does anybody have a good strategy for keeping javascript disabled in Acrobat Reader? Thanks, -Bill ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
