I ended up using BugBear's suggestion. It's working great. On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage < [email protected]> wrote:
> Have you tried using Group Policy Preferences? I have had better luck > managing registry settings using them. They were first included with > Windows 2008 and are included in 7 but can be downloaded and installed on > XP > and Vista too. > > Jody > > -----Original Message----- > From: [email protected] > [mailto:[email protected]] On Behalf Of Gibson, > Samuel > Sent: Thursday, June 10, 2010 8:43 AM > To: PaulDotCom Security Weekly Mailing List > Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript > > I have had mixed luck with the ADM template. If the user manually enables > javascript it seems to stay enabled. I ended up using the instructions > found here: > > > http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-secure-usin > g-group-policy/ > > along with the registry values contained in the ADM template below to > create > a GPO. In testing it seems to be working quite well. It also disables > javascript each time the employee logs in. > > > ________________________________________ > From: [email protected] > [[email protected]] on behalf of Bugbear > [[email protected]] > Sent: Tuesday, June 08, 2010 9:04 PM > To: PaulDotCom Security Weekly Mailing List > Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript > > I use custom GPO or mgmt system that can edit HKCU > > a logon script for the user is another option > > Also check out the blacklist framework > > post my ranting I have compiled some info here (hey it was the holidays and > I was annoyed) > > http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html > > and also VRT has done some good research here > > > http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blacklist-fram > ework.html > > here's an ADM template for GPO, hope this helps > > CLASS USER > > CATEGORY "Adobe Acrobat/Reader 7.x - 9.x" > > POLICY "JavaScript Reader 9.x" > KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" > EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" > VALUENAME "bEnableJS" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > > POLICY "JavaScript Acrobat 9.x" > KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs" > EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x" > VALUENAME "bEnableJS" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > > > POLICY "JavaScript Reader 8.x" > KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" > EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" > VALUENAME "bEnableJS" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > > POLICY "JavaScript Acrobat 8.x" > KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" > EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" > VALUENAME "bEnableJS" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > > POLICY "JavaScript Reader 7.x" > KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" > EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" > VALUENAME "bEnableJS" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > > POLICY "JavaScript Acrobat 7.x" > KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" > EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" > VALUENAME "bEnableJS" > VALUEON NUMERIC 1 > VALUEOFF NUMERIC 0 > END POLICY > > END CATEGORY > > > > On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <[email protected]> > wrote: > > What have some of you done to disable JavaScript in Acrobat > > Standard/Pro as well as Acrobat Reader from a corporate perspective? > > I am referring to installations that are already in place. Custom GPO? > > I've found a few articles describing the registry setting: > > [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs] > > "bEnableJS"=dword:00000000 > > This will work for XP clients but this key isn't in this place on my > > Windows > > 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe....... > > If this is the case, if I'll have to write a script that grabs the > > user's SID before running the registry file on login. Any other > > options people have used? > > > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com >
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
