I have had mixed luck with the ADM template. If the user manually enables JavaScript it seems to stay enabled. I ended up using the instructions found here:
http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secure-using-group-policy/ along with the registry values contained in the ADM template below to create a GPO. In testing it seems to be working quite well. It also disables JavaScript each time the employee logs in.

________________________________________
From: [email protected] [[email protected]] on behalf of Bugbear [[email protected]]
Sent: Tuesday, June 08, 2010 9:04 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript

I use custom GPO or mgmt system that can edit HKCU
a logon script for the user is another option
Also check out the blacklist framework post

my ranting I have compiled some info here (hey it was the holidays and I was annoyed)
http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html

and also VRT has done some good research here
http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-framework.html

here's an ADM template for GPO, hope this helps

CLASS USER
CATEGORY "Adobe Acrobat/Reader 7.x - 9.x"

    POLICY "JavaScript Reader 9.x"
        KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs"
        EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x"
        VALUENAME "bEnableJS"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "JavaScript Acrobat 9.x"
        KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs"
        EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x"
        VALUENAME "bEnableJS"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "JavaScript Reader 8.x"
        KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs"
        EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x"
        VALUENAME "bEnableJS"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "JavaScript Acrobat 8.x"
        KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs"
        EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x"
        VALUENAME "bEnableJS"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "JavaScript Reader 7.x"
        KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs"
        EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x"
        VALUENAME "bEnableJS"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    POLICY "JavaScript Acrobat 7.x"
        KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs"
        EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x"
        VALUENAME "bEnableJS"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

END CATEGORY

On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <[email protected]> wrote:
> What have some of you done to disable JavaScript in Acrobat Standard/Pro as
> well as Acrobat Reader from a corporate perspective? I am referring to
> installations that are already in place. Custom GPO?
> I've found a few articles describing the registry setting:
> [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
> "bEnableJS"=dword:00000000
> This will work for XP clients but this key isn't in this place on my Windows
> 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe.......
> If this is the case, I'll have to write a script that grabs the user's
> SID before running the registry file on login. Any other options people
> have used?
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
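
The logon-script option mentioned in this thread, sketched in PowerShell as an added example (not code from any poster or from the linked articles). The key paths and the bEnableJS value name are the ones in the ADM template above; the function name and the report columns are assumptions made for illustration.

```powershell
# Added example: per-user logon script that forces bEnableJS = 0 on every logon.
# It runs in the logged-on user's context, so HKCU: already resolves to that
# user's hive (HKEY_USERS\<SID>); no SID lookup is needed.

# Product and version key names taken from the ADM template in the thread
$products = 'Acrobat Reader', 'Adobe Acrobat'
$versions = '7.0', '8.0', '9.0'

# Hypothetical helper name; returns one record per key it touched
function Disable-AcrobatJavaScript {
    foreach ($product in $products) {
        foreach ($version in $versions) {
            $key = "HKCU:\Software\Adobe\$product\$version\JSPrefs"

            # Create the key even if the product has never been launched by this
            # user, so the setting is already in place on first run.
            if (-not (Test-Path $key)) {
                New-Item -Path $key -Force | Out-Null
            }

            # Capture the previous value so a user who re-enabled JavaScript
            # shows up in the output (Before = 1) instead of being silently reset.
            $old = Get-ItemProperty -Path $key -Name 'bEnableJS' -ErrorAction SilentlyContinue
            $before = if ($old) { $old.bEnableJS } else { $null }

            # Same value the ADM template writes for VALUEOFF: DWORD 0
            New-ItemProperty -Path $key -Name 'bEnableJS' -Value 0 `
                -PropertyType DWord -Force | Out-Null

            # New-Object keeps this compatible with PowerShell 2.0 on Windows 7
            New-Object PSObject -Property @{
                Key    = $key
                Before = $before
                After  = 0
            }
        }
    }
}

# Print what changed; redirect to a log share if drift should be tracked centrally
Disable-AcrobatJavaScript | Format-Table Key, Before, After -AutoSize
```

Assigned as a user logon script, this resets the value at each logon, which matches the behaviour described in the first message; it does not stop a user from re-enabling JavaScript during a session.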
