Application Security in the Acrobat Family of Products. A ...

butterbeanspipe | Software & Software Development

Jul 14, 2012 (5 years and 4 months ago)


Acrobat® Family of Products
Modification date: 4/17/12
Application Security
for the Acrobat Family of Products
© 2012 Adobe Systems Incorporated. All rights reserved.
Application Security for the Adobe® Acrobat Family of Products.
If this guide is distributed with software that includes an end user agreement, this guide, as well as the software
described in it, is furnished under license and may be used or copied only in accordance with the terms of such license.
Except as permitted by any such license, no part of this guide may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, recording, or otherwise, without the prior written
permission of Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law
even if it is not distributed with software that includes an end user license agreement.
The content of this guide is furnished for informational use only, is subject to change without notice, and should not be
construed as a commitment by Adobe Systems Incorporated. Adobe Systems Incorporated assumes no responsibility or
liability for any errors or inaccuracies that may appear in the informational content contained in this guide.
Please remember that existing artwork or images that you may want to include in your project may be protected under
copyright law. The unauthorized incorporation of such material into your new work could be a violation of the rights of
the copyright owner. Please be sure to obtain any permission required from the copyright owner.
Any references to company names in sample templates are for demonstration purposes only and are not intended to
refer to any actual organization.
Adobe, Acrobat®, Reader®, and the Adobe logo are either registered trademarks or trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Windows®, Windows NT®, and Windows XP® are registered trademarks of Microsoft® Corporation registered in the United
States and/or other countries. Mac® and Macintosh® are registered trademarks of Apple Computer®, Inc. in the United
States and other countries. All other trademarks are the property of their respective owners.
Adobe Systems Incorporated, 345 Park Avenue, San Jose, California 95110, USA. Notice to U.S. Government End Users.
The Software and Documentation are “Commercial Items,” as that term is defined at 48 C.F.R. §2.101, consisting of
“Commercial Computer Software” and “Commercial Computer Software Documentation,” as such terms are used in 48
C.F.R. §12.212 or 48 C.F.R. §227.7202, as applicable. Consistent with 48 C.F.R. §12.212 or 48 C.F.R. §§227.7202-1 through
227.7202-4, as applicable, the Commercial Computer Software and Commercial Computer Software Documentation are
being licensed to U.S. Government end users (a) only as Commercial Items and (b) with only those rights as are granted to
all other end users pursuant to the terms and conditions herein. Unpublished-rights reserved under the copyright laws of
the United States. Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA. For U.S. Government
End Users, Adobe agrees to comply with all applicable equal opportunity laws including, if appropriate, the provisions of
Executive Order 11246, as amended, Section 402 of the Vietnam Era Veterans Readjustment Assistance Act of 1974 (38
USC 4212), and Section 503 of the Rehabilitation Act of 1973, as amended, and the regulations at 41 CFR Parts 60-1
through 60-60, 60-250, and 60-741. The affirmative action clause and regulations contained in the preceding sentence
shall be incorporated by reference.
Contents
1 Application Security Overview
1.1 Information assurance
1.2 Configuration overview
1.2.1 General rules
1.2.2 Quick key
2 Enhanced Security and Trusted Locations
2.1 What is enhanced security?
2.1.1 Best practices
2.1.2 Changes across releases
2.2 User experience
2.2.1 FDF, XFDF, and XDP workflows
2.2.2 Dialogs and warnings
2.2.2.1 9.2, 8.1.7, and earlier
2.2.2.2 9.3, 8.2, and later
2.3 User interface configuration (end users)
2.3.1 Standalone settings
2.3.2 Application running in a browser settings
2.3.3 Wildcard usage for privileged locations
2.4 Registry-level configuration (administrators)
2.4.1 Configuration rules common to all platforms
2.4.2 Default settings for 10.x
2.4.3 Default settings for 9.3 and 8.2
2.4.4 Most restrictive settings
2.4.5 Least restrictive settings
2.4.6 Enabling and disabling enhanced security
2.4.7 Specifying privileged locations (granting trust)
2.4.8 Trusting sites you already trust for Internet Explorer
2.4.9 Recursive trust for directories
2.4.10 Locking enhanced security on or off
2.4.11 Locking privileged locations off
2.4.12 Locking trust for IE trusted sites on or off
2.4.13 XObject access
2.4.14 Macintosh configuration
2.4.15 UNIX configuration
2.5 Bypassing enhanced security restrictions
2.5.1 Client controls
2.5.1.1 Specifying privileged locations
2.5.1.2 Trusting sites that Internet Explorer trusts
2.5.1.3 Specifying trusted URLs via Trust Manager
2.5.1.4 Trusting certificates for privileged network operations
2.5.2 Server controls
2.6 Enhanced security quick key
3 Protected Mode in Adobe Reader (Windows)
Application Security for the Acrobat Family of Products. © 2012 Adobe Systems Inc.
Acrobat Security Administration Guide 4
3.1 Overview
3.2 Configuration
3.2.1 Enabling Protected Mode via the UI
3.2.2 Verifying the current mode
3.2.3 Enabling Protected Mode via the registry
3.2.4 Locking Protected Mode
3.2.5 Enabling logging via the registry
3.2.6 Policy configuration
3.2.6.1 Enabling custom policies
3.2.6.2 Creating policies
3.3 Unsupported configurations
4 Protected View in Acrobat (Windows)
4.1 Overview
4.1.1 Protected View in standalone Acrobat
4.1.2 Protected View in a browser
4.1.3 Integration with enhanced security
4.2 Configuration
4.2.1 User interface configuration
4.2.2 Registry configuration
4.2.3 Locking the Protected View feature
4.2.4 Enabling logging
4.2.5 Policy configuration
4.2.5.1 Enabling custom policies
4.2.6 Verifying the current mode in a browser
4.3 Unsupported configurations
4.4 FAQs
5 Cross Domain Configuration
5.1 Cross domain basics
5.1.1 same-origin policies: A brief history
5.1.2 Cross domain workflow
5.1.3 When you need cross domain access
5.1.4 When you don’t need cross domain support
5.1.5 PDFs in a standalone application vs. the browser
5.1.6 User experience
5.2 Policy file setup and configuration
5.2.1 Policy file syntax
5.2.2 Policy file best practices
5.2.3 Typical policy
5.2.4 Permissive vs. restrictive policies
5.2.5 Meta vs. master policies
5.2.6 HTTP-HTTPS communications
5.2.7 Socket permissions
5.2.8 Credential-based permissions
5.2.9 Friendly names and alias use
5.2.10 IP address
5.2.11 Header-based permissions
5.3 Using certificates for cross domain access
5.3.1 Certified documents
5.3.2 Reader enabled documents
5.3.3 Adding a certificate hash to a policy file
5.3.4 Fingerprint usage rules
5.4 Server configuration
5.4.1 Policy file host basics
5.4.2 Differences between Acrobat and Flash
5.4.3 Server setup examples
5.4.3.1 JBoss
5.4.3.2 WebSphere
5.4.3.3 SAP Netweaver 7 and 7.1
5.4.3.4 Windows
5.4.3.5 WebLogic
5.5 Calling policies via JavaScript
5.6 Troubleshooting
5.6.1 Enabling logging
5.6.2 General log messages
5.6.3 Meta policy messages
5.6.4 Policy file parsing/syntax errors
5.6.5 Flash only messages
5.7 Additional resources
6 Managing JavaScript Execution
6.1 JavaScript permissions basics
6.1.1 Workflow diagrams
6.1.2 Changes across releases
6.1.3 Additional resources
6.2 Restricting JavaScript
6.2.1 Disabling JavaScript
6.2.1.1 Disabling via the user interface
6.2.1.2 Disabling via the registry
6.2.2 Blacklisting JS by API
6.2.2.1 Disabling APIs via the registry
6.2.2.2 Managing APIs with JS blacklist tool
6.2.3 Preventing menu-invoked JS execution
6.2.3.1 Disabling menu-invoked JS via the user interface
6.2.3.2 Disabling menu-invoked JS via the registry
6.2.4 Restricting JS object access
6.2.4.1 Disabling via the user interface
6.2.4.2 Disabling via the registry
6.2.5 High privileged JavaScript
6.2.6 JavaScript invoked URLs
6.3 Trusting JavaScript
6.3.1 Enabling JavaScript
6.3.1.1 Enabling via the user interface
6.3.1.2 Enabling via the registry
6.3.2 Overriding disabled JS for trusted documents
6.3.2.1 Enabling via the user interface
6.3.2.2 Enabling via the registry
6.3.3 Allowing blacklisted APIs in trusted documents
6.3.3.1 Enabling via the registry
6.3.4 Bypassing high privileged (HP) JavaScript restrictions
6.3.4.1 Enabling via the registry
6.3.4.2 Enabling via the user interface
6.3.5 Allowing JS execution through a menu event
6.3.5.1 Enabling via the user interface
6.3.5.2 Enabling via the registry
6.3.5.3 Enabling via a trusted function
6.3.6 Allowing JS-invoked URLs
6.3.6.1 Enabling via the user interface
6.3.6.2 Enabling via the registry
6.4 User experience
6.5 JavaScript controls quick key
6.6 User JavaScript changes for 10.1.1 and later
6.6.1 Affected users
6.6.2 Overview
6.6.3 Changes for 10.1.1
6.6.4 What you should do
6.6.4.1 Global variable issues (Windows and Macintosh)
6.6.4.2 User JavaScript issues (Windows only)
7 Attachments
7.1 Black lists and white lists
7.2 Attachment workflows
7.3 Modifying attachment permissions
7.4 Resetting attachment permissions
7.5 Allowing attachments to launch applications
7.6 Registry modification
7.7 Blacklisted files
8 External Content Access
8.1 Internet URL access
8.1.1 Blocking and allowing web sites
8.1.2 Specifying behavior by URL
8.2 Multimedia
8.2.1 Multimedia behavior: 9.3-8.2 and later
8.2.2 Multimedia behavior: 9.2-8.1.7 and earlier
8.2.3 Configuring multimedia trust
8.2.4 Controlling multimedia in certified documents
8.3 XObjects
8.4 3D content (9.5.1 and later)
8.5 Flash integration (9.5.1 and later)
8.5.1 Enterprise configuration
9 Index
1 Application Security Overview
This Application Security Guide describes configuration details for the Acrobat family of products,
including sandboxing, enhanced security, scripting controls, attachments, and other features. The
primary goal here is to encourage enterprise stakeholders who configure and deploy clients to manage
them in a secure way. While this content is primarily aimed at administrators, other potential audiences
include:
• Workflow owners and IT folks who are responsible for the integrity of their networked environment.
• Technically savvy end users that need to customize their application’s security capabilities.
To mitigate security attacks, Adobe provides a security model designed to help you protect your
environment. Administrators in particular should explore the options for tuning applications for the
desired security level. Some of the security-related features that are configurable by end users and
admins include:
• Protected Mode in Adobe Reader (Windows): Sandboxes processes to limit what malicious code can
  accomplish on an affected machine.
• Protected View in Acrobat (Windows): Sandboxes processes to limit what malicious code can
  accomplish on an affected machine.
• Enhanced Security and Trusted Locations: Limits cross domain access, JS and data injection, silent
  printing, stream access to external objects.
• Cross Domain Configuration: Cross domain access can be configured on the client or managed on a
  server via a cross domain file. Clients have logging capability.
• Managing JavaScript Execution: JavaScript can be entirely disabled or allowed on a per document
  or basis. A blacklist enables restricting particular APIs.
• Attachments: The application ships with a default list of allowed and disallowed file types that can
  be launched from attachments. The list is customizable.
• Internet URL access: The Trust Manager provides tools for specifying URL permissions.
• Multimedia: Multimedia can be controlled on a per document basis. Legacy multimedia types (non
  Flash) are turned off by default.
• XObjects: Enhanced security and UI settings interact to enable such access.
• 3D content (9.5.1 and later): 3D is disabled by default in 9.x products.
• Flash integration (9.5.1 and later): Flash plays with the system player by default with 9.5.1.
• Misc settings: Other settings are provided for controlling the viewing mode, providing alerts when
  the viewer requests full screen, and so on.
Use case
Security features such as enhanced security allow you to restrict potentially dangerous actions while
selectively permitting them for locations you trust. When you enable enhanced security, your
application hardens itself against risky actions by doing the following:
• Prohibits script and data injection via an FDF NOT returned as the result of a post from the PDF.
• Blocks stream access to XObjects such as external images.
• Forces requests for new content to adhere to a “same-origin” policy; that is, access to web pages
  and other resources originating from a domain other than your calling document is prohibited.
[Figure: New security model. Labels: script injection, external stream access, web access, data
injection, cross domain access, silent printing.]
Since these security features invoke restrictions that affect PDF workflows, you can selectively
bypass those restrictions for trusted files, folders, and hosts by specifying a privileged location. In
other words, trusted domains can be defined as exempt from enhanced security rules and other
settings configured elsewhere in the application. There are several other methods for establishing
trust, and just as you tune your browser, so should you tune your application so that it operates at a
risk level appropriate for your environment.
[Figure: Trust check. Labels: Requested content, Untrusted, Trusted, Tuned security, Privileged
location?, Trusted certificate?, Trust Manager OK?, xdomain policy?, Same Origin?]
1.1 Information assurance
Where concern about data integrity is a prime mover, you should be concerned with the client’s
application security options as well as its packaged security features such as digital signatures,
encryption, and permissions. These two are not always functionally distinct, and both are critical
components of information assurance. For example, signing certificates in certified documents can be
used to assign trust for operations that would otherwise be restricted by enhanced security.
This guide focuses solely on application security--configuring the application to enable, disable, or
restrict features and PDF functionality that may pose a security risk. In all cases, configuration may
occur before or after deploying clients. For details about content security features, refer to the
documents at http://www.adobe.com/go/learn_acr_appsecurity_en.
Figure 1 Information assurance components
1.2 Configuration overview
The big picture is relatively simple: Acrobat products are highly configurable and allow you to:
• Disable features and restrict content types.
• Selectively assign trust to files, folders, hosts, protocols, APIs, and other critical workflow
  components.
1.2.1 General rules
• The end user can assign trust by:
  ◦ Enabling features globally
  ◦ Assigning trust via privileged locations, multimedia settings, and trust manager settings
  ◦ Via the Edit Certificate Trust dialog for certified signature workflows
• The end user can restrict content types and application behavior by:
  ◦ Disabling features globally
  ◦ Enabling sandboxing via Protected Mode (Reader) and Protected View (Acrobat)
  ◦ Enabling enhanced security and not trusting documents from unknown origins
  ◦ Via the Edit Certificate Trust dialog for signature workflows
• Many HKCU settings have an HKLM mirror so that IT can disable, lock, and control permissions
1.2.2 Quick key
Refer to the attached quick key for a separate document.
[Figure 1 labels: Encryption, Permissions, Rights Management, Digital Signatures, Enhanced security,
Trust Manager, Black/White lists, User assigned trust; Content Security, Application Security,
Information Assurance]
2 Enhanced Security and Trusted Locations
Enhanced security is part of a security model introduced in version 9.0. As a best practice, enable
enhanced security to prevent unrestricted cross domain access and other potentially risky behavior.
Workflows and content should be designed to operate in the context of enhanced security.
Note: Enhanced security is enabled by default for the 9.3 and 8.2 updates. Its configuration
and behavior are identical across platforms and for viewing a PDF within a browser or a
standalone application. See the Enhanced security quick key for a one page overview.
2.1 What is enhanced security?
Enhanced security consists of two components: a set of default restrictions and a method to define
trusted locations that should not be subject to those restrictions. In other words, you can either block
dangerous actions altogether or else selectively permit them for locations and files you trust.
When you enable enhanced security, your application “hardens” itself against risky actions by doing the
following for any document not specifically trusted:
• Prevents cross domain access. It forces requests for new content to adhere to a “same-origin” policy.
• Prohibits script and data injection via an FDF, XFDF, and XDP NOT returned as the result of a post
  from the PDF.
• Blocks stream access to XObjects such as external images.
• Stops silent printing to a file or hardware printer.
These restrictions protect users against web attacks such as cross site scripting, cross site request
forgeries, and others. The feature is designed to let you decide what content to trust and help you
selectively bypass those restrictions for trusted files, folders, and hosts.
These trusted domains--called privileged locations--are exempt from enhanced security rules. There are
several other methods for establishing trust, and just as you tune your browser, so should you tune your
application so that it operates at a risk level appropriate for your environment.
Figure 2 Enhanced security: effect on workflows
[Figure 2 labels: New security model; script injection, external stream access, web access, data
injection, cross domain access, silent printing]
Enhanced security configuration can occur via the user interface (UI) by end users but IT can tune the
registry prior to deployment and even lock the preferences so that end users cannot change them.
When properly configured for your workflows, malicious attacks such as cross site scripting are
prevented, and a rich user experience is provided in the context of a safe and trusted environment.
This feature interacts with other features that also assign trust. When content is trusted as a result of a
cross domain policy file, for example, that content is not subject to enhanced security restrictions. It is
important to understand the various ways that trust can be assigned prior to configuring applications
and setting up workflows. Workflows should be designed for compatibility with enhanced security
enabled, so keep in mind that the following features interact with enhanced security:
• Internet access permissions: While enhanced security prevents access to different origin locations
  that try to return data, scripts, or content to the calling PDF, internet access can be set on a per
  site basis via the Trust Manager. Trust Manager settings may or may not override enhanced security
  settings depending on your application version and particular workflow.
• Import and export of FDF, XFDF (form), and XDP data: Data file behavior is fundamentally
  altered when this feature is on.
• Certified document workflows: Access to a certified document may or may not be allowed
  depending on whether:
  ◦ The signing certificate’s fingerprint is in a cross domain policy file, or
  ◦ The signing certificate is trusted or chains up to a trust anchor that is trusted for privileged
    networked operations.
2.1.1 Best practices
To maintain workflow security, the following is recommended:
• Enable enhanced security.
• All trusted workflow files, folders, and hosts should be specified as privileged locations.
• When applicable, manage trust via a server-based cross domain policy file.
2.1.2 Changes across releases
Table 1 Changes across releases: Enhanced security
| Version | Change |
|---|---|
| 9.0 | Enhanced security introduced. |
| 9.1 | Support added for bypassing enhanced security restrictions by assigning trust to certified documents when the SHA1 hash of the public key is specified in a cross domain policy file. Certificates can be trusted for privileged networked operations such as cross domain access. |
| 8.1.7 & 9.2 | Enhanced security added for 8.1.7. |
| 8.2 & 9.3 | • Enhanced security turned on by default. • Enhanced security settings may take precedence over Trust Manager internet access settings. • A non-intrusive Yellow Message Bar (YMB) that doesn’t block workflows replaces many of the modal dialogs. Depending on how the client is configured, the YMB appears at the top of the document and offers the user to trust the document “once” or “always.” The YMB does not appear for silent printing or xobject access. • Cross domain logging can be enabled and the log viewed via the user interface. • Cross domain policy files support all the mime types specified in the Cross Domain Policy File Specification. |
| 9.3.4 | These are not changes in enhanced security but rather changes to privileged location trust: • cJavaScriptURL was introduced thereby adding a way to restrict JavaScript invoked URLs via enhanced security. Trust can be assigned through privileged locations. • Trusting a location as a privileged location also trusts that location for high privileged JavaScript. cJavaScript is populated. • Trusting a location as a privileged location also trusts that location for blacklisted JavaScript APIs. cUnsafeJavaScript is populated. |
| 10.0 | • Wildcards are supported when specifying hosts as privileged locations. • A sandbox for Reader is introduced called Protected Mode (PM). PM restrictions can be overridden via privileged locations. |
| 10.1 | • Folder trust is recursive by default. • bDisableDefaultRecursiveFolderTrust was introduced to disable the default recursive trust. • A sandbox for Acrobat is introduced called Protected View (PV). PV restrictions can be overridden via privileged locations. |
| 9.5 & 10.1.2 | Wild cards and privileged locations: • Wild card handling for trusted hosts now conforms to the Cross Domain Specification. • The error dialog for invalid trusted host names that use wildcards is improved. • A new preference (cTrustedSitesPrivate) allows IT to permit less restrictive wildcard usage when specifying trusted hosts. Privileged location settings in HKLM: • bDisableTrustedFolders now removes Options button from YMB when disabled and locked. • bDisableJavaScript in HKLM allows locking the JS engine off. An admin’s privileged location list in HKLM can bypass this restriction. Windows trust zones: • The Win OS Security Zone setting in the Privileged locations panel now includes Local Intranet zones in addition to the current Trusted Sites zone. The product should assign trust as Internet Explorer does. • LC Workspace XFA in Flex forms will now honor Win OS trust zone override. |
2.2 User experience
The user experience with enhanced security enabled AND trust not assigned to the content in the
workflow is significantly different than when enhanced security is disabled. The key words here are “and
trust not assigned.” The feature is specifically designed so that users and admins can preconfigure trust
or assign it on the fly so that workflows remain operational even with the extra security and restrictions
that enhanced security provides.
2.2.1 FDF, XFDF, and XDP workflows
XFDF, FDF, and XDP files are data files which simplify moving form, certificate, server, and other data
from one machine to another. This data transfer usually involves some mechanism such as data
injection into a PDF form field, installing files, executing a script, and so on. Because these actions
represent a potential security risk, enhanced security restricts this functionality unless the data
containing file has been assigned trust in some way. Trust assignment can occur via privileged locations,
a trusted certificate, or by cross domain policy files.
Table 2 lists the high level rules defining the behavior.
Tip: If you distribute forms that request data from a server, the user may find that filled form
fields become blank after being asked to trust a document from the Yellow Message
Bar. If you find that your workflow is impaired, Adobe recommends that you leave
enhanced security enabled and assign trust as needed via one of the available methods
prior to sending such a form.
Exceptions
XFDF and XDP files use the same rules as FDF with the following exceptions:
• XFDF does not support script injection.
• XDP is only affected by these rules if the PDF is externally referenced (not embedded).
Table 2 Rules for opening a PDF via FDF
| Action | Data file location | PDF location | 8.x behavior | 9.x behavior |
|---|---|---|---|---|
| Opening a target PDF | local | local | PDF opens. No authentication required. | No change. |
| Opening a target PDF | local | server | PDF opens | Allow via dialog or enable enhanced security and set privileged location. |
| Opening a target PDF | server | server | PDF opens. No authentication required. | No change. |
| Opening a target PDF | https server | local | Blocked | Http hosted FDFs cannot open local files. |
| Data injection | n/a | n/a | Allowed | Allowed if: • Data returned via a form submit with url#FDF. • FDF has no /F or /UF key. • cross-domain policy permits it. |
| Data injection | server | browser | Allowed | Allowed if: • Link to PDF contains #FDF=url. • FDF has no /F or /UF key. • cross domain policy permits it. |
| Data injection | server | Acrobat/Reader | Allowed | Allowed if: • PDF makes EFS POST/GET and FDF sends data in https response to same PDF. • cross domain policy permits it. |
| Data injection | Varied | Varied | Allowed | Allow via dialog or enable enhanced security and set privileged location. |
| Script injection | Any | Any | Allowed | Blocked if enhanced security is on and FDF is not in a privileged location. |
FDF restriction examples
The following are examples of disallowed actions when enhanced security is on:
• If the PDF opens in the browser, and the URL to the PDF contains a #FDF=url, then the FDF data
  specified by that url may be injected into the open PDF if the FDF has no /F key and if the PDF may
  receive data from the FDF based on the cross domain policy.
• If the PDF opens in the Acrobat/Reader standalone application and the FDF data comes back in the
  https response to a POST/GET initiated by the PDF, then the FDF data may be injected into the open
  PDF if the PDF specified in the FDF is the PDF that made the POST/GET and if the PDF may receive
  data from the FDF based on the cross domain policy (i.e. * in crossdomain.xml).
FDF permissions examples
The following are examples of scenarios where FDF data injection does need a user-authorization dialog
when enhanced security is on:
• You submit data from a PDF in the browser and the URL has #FDF at the end. The returned FDF has
  an /F key pointing to a different PDF which needs to get loaded (everything is happening in the
  browser). The FDF data gets injected into the second PDF.
• Same as above, except it all happens in Acrobat rather than in the browser. In this case, the #FDF at
  the end of the URL is not needed.
• The “spontaneous FDF” case: In the browser, an unsolicited FDF arrives (via a link from an HTML
  page before, and Acrobat is not running yet), and the FDF has an /F key for a PDF that it needs to
  open and populate.
• Opening a link of the form http://A.com/file.pdf#FDF=http://B.com/getFDF.
2.2.2 Dialogs and warnings
Beginning with the 9.3 and 8.2 updates, a non-intrusive Yellow Message Bar (YMB) that doesn’t block
workflows replaces many of the modal dialogs. Depending on how the client is configured, the YMB
appears at the top of the document and offers the user to trust the document “once” or “always.”
2.2.2.1 9.2, 8.1.7, and earlier
Pre 9.3 and 8.2, the application displayed modal dialogs whenever a risky behavior was invoked
(Figure 3). The user had to click through the dialog to continue.
Figure 3 Enhanced Security: Data access dialog (pre 9.3 and 8.2)
2.2.2.2 9.3, 8.2, and later
With 9.3 and 8.2, most warning messages were moved to an unobtrusive Yellow Message Bar at the top
of the document. If the administrator has not disabled the feature, users can choose to trust a document
once or always for the particular action. A choice of “always” adds the document or host to the
privileged locations list.
Tip: Workflows where end users or administrators assign trust to files, folders, and hosts
avoid the appearance of the YMB and most other modal dialogs.
Figure 4 Yellow Message Bar: Cross domain access w/ end user trust disabled
Figure 5 Yellow Message Bar: Cross domain access
Figure 6 Yellow Message Bar: Data injection
Figure 7 Yellow Message Bar: Data injection w/ end user trust disabled
Figure 8 Yellow Message Bar: JavaScript injection
2.3 User interface configuration (end users)
For versions 9.x and 8.2, enhanced security settings are managed separately for the application
running as a standalone application versus in a browser. Thus, you can configure these settings
through the application user interface and/or by right clicking on a PDF loaded in a browser.
2.3.1 Standalone settings
To turn on enhanced security and specify privileged locations, do the following:
1. Choose Edit > Preferences (Windows) or Acrobat > Preferences (Macintosh).
2. Select Security (Enhanced) in the Categories panel.
3. Check the Enable Enhanced Security checkbox.
4. Windows only: If your workflows involve cross domain access enabled by accessing a server-based
   cross domain policy file, check Create log file.
   Note: This step is typically only needed when troubleshooting. Logging is not available on
   Macintosh.
5. Windows only: If you would like to trust as privileged locations any sites you already trust in
   Internet Explorer, check Automatically trust sites from my Win OS security zones.
6. Specify privileged locations for content and domains you trust as described in Specifying privileged
   locations.
7. Choose OK.
Figure 9 Enhanced security panel: Windows
Figure 10 Enhanced security panel: Macintosh
2.3.2 Application running in a browser settings
When viewing a PDF in a browser, users do not have direct access to the application’s Preferences panel.
To configure enhanced security while browsing on the fly, do the following:
1. Right click on the PDF displayed in the browser.
2. Choose Page Display Preferences.
3. Choose Security (Enhanced) in the left hand tree.
4. Configure the Preferences panel as described above in “Standalone settings”.
Figure 11 Preferences configuration in a browser
2.3.3 Wildcard usage for privileged locations
10.x products support the use of wildcard matching of subdomain components for trusted host URLs.
For example, for a basic URL of a.b.c.adobe.com, you can wildcard on all of “a”, “b”, and/or “c.” Wildcard
support adheres to the Cross Domain Specification beginning with 10.1.2.
Note: It is required that at least the first subdomain is specified (adobe in this case). So
*.corp.adobe.com or lcforms.*.adobe.com works, but *forms.corp.adobe.com or
lcforms.corp.*.com will not.
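The wildcard rule in the Note above can be applied as a pre-deployment check on trusted-host entries. This Python code is an added example, not part of Adobe's guide: the function names are hypothetical, and it assumes the final two labels of a host name are the top-level domain and the "first subdomain" the Note refers to.

```python
def check_trusted_host(pattern):
    """Return (ok, reason) for one trusted-host wildcard pattern."""
    labels = pattern.strip().lower().split(".")
    if len(labels) < 2 or any(label == "" for label in labels):
        return False, "not a dotted host name"

    # A wildcard has to stand for a whole subdomain component:
    # "*.corp.adobe.com" is accepted, "*forms.corp.adobe.com" is not.
    for label in labels:
        if "*" in label and label != "*":
            return False, "'%s': a wildcard must replace a whole component" % label

    # Assumption of this example: the last label is the top-level domain and
    # the one before it is the "first subdomain" ("adobe" in adobe.com).
    # Neither may be a wildcard, which rejects "lcforms.corp.*.com".
    if labels[-1] == "*" or labels[-2] == "*":
        return False, "top-level domain and first subdomain must be spelled out"
    return True, "ok"


def lint_trusted_hosts(patterns):
    """Return {pattern: reason} for every entry that breaks the rule."""
    rejected = {}
    for pattern in patterns:
        ok, reason = check_trusted_host(pattern)
        if not ok:
            rejected[pattern] = reason
    return rejected


# The four patterns quoted in the Note, in the same order.
PAGE_EXAMPLES = [
    "*.corp.adobe.com",
    "lcforms.*.adobe.com",
    "*forms.corp.adobe.com",
    "lcforms.corp.*.com",
]

if __name__ == "__main__":
    for pattern in PAGE_EXAMPLES:
        ok, reason = check_trusted_host(pattern)
        print("%-24s %s" % (pattern, "accepted" if ok else "rejected: " + reason))
```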
2.4 Registry-level configuration (administrators)
Note: A detailed Preference Reference for Acrobat and Adobe Reader is available as part of the
Administrator’s Information Manager (AIM), an AIR application containing many
admin-centric resources. For other related guides and quick keys, see the Application
Security Library.
Registry level preferences (Table 3) allow administrators to configure clients pre- and post-deployment.
Settings are available for:
• Windows, Macintosh, and UNIX.
• Turning enhanced security on and off.
• Turning privileged locations on and off.
• Specifying predefined privileged locations.
• Locking the feature so that end users can’t change the settings.
Table 3 Registry Configuration: Enhanced security
| Key | Description |
|---|---|
| bEnhancedSecurityInBrowser | Turns on and off enhanced security when the application is running in the browser. |
| bEnhancedSecurityStandalone | Turns on and off enhanced security for the standalone application. |
| bDisableTrustedFolders | Disables trusted folders and prevents users from specifying a privileged location for directories. |
| bDisableTrustedSites | Disables trusted sites and prevents users from specifying a privileged location for hosts. |
| bTrustOSTrustedSites | Elevates the trusted sites list in Internet Explorer to privileged locations so that they may bypass enhanced security restrictions. |
| bDisableOSTrustedSites | Locks the ability to treat IE trusted sites as privileged locations either on or off so the users can't change the bTrustOSTrustedSites value via the user interface. |
Table 4 Registry Configuration: Privileged location trust cabs
| Key | Description |
|---|---|
| cTrustedFolders | A list of folders AND files that identify privileged locations that host trusted content. |
| cTrustedSites | A list of sites (or hosts) that identify privileged locations that host trusted content. |
| t(folder ID) | Lists directories and host names (http or https) which are known to be trustworthy. With 10.1, folder trust is recursive by default. |
| t(folder ID)_recursive | The _recursive suffix on t(folder ID) makes the trust recursive. With 10.1, folder trust is recursive by default. |
| t(trusted file ID) | Lists files which reside in a privileged location and are therefore exempt from enhanced security limitations. |
Table 5 Registry Configuration: Privileged location trust that bypasses ES restrictions
| Key | Description |
|---|---|
| cCrossdomain | Allows cross domain access for the trusted content specified by t(ID). |
| cDataInjection | Allows data injection from the trusted content specified by t(ID). |
| cExternalStream | Allows access to external streams (XObjects) such as external images for the trusted content specified by t(ID). |
| cScriptInjection | Allows script injection from the trusted content specified by t(ID). |
| cSilentPrint | Allows silent printing to a file or a hardware printer to be initiated by the trusted content specified by t(ID). |
| cWeblink | Allows connection to the targets of embedded URLs by the trusted content specified by t(ID). |
2.4.1 Configuration rules common to all platforms
The following rules apply irrespective of the user’s platform:
• Windows, Macintosh, and UNIX platforms use similarly named keys.
• When configuring paths, use your product (Adobe Acrobat or Acrobat Reader) and version (9.0 or
  8.0).
• For 8.x, only one key (bEnhancedSecurityStandalone) controls behavior for both standalone and
  browser modes.
• Preferences are usually boolean. True (1) enables the feature. False (0) disables the feature.
• Both cTrustedFolders and bDisableTrustedFolders control the behavior for folders AND files.
• Preferences may or may not be visible in the registry by default when the value has been set by the
  application. It is often the case that the UI must be exercised to actually write the value to the
  preference file or registry. When configuring preferences, it is usually expedient to toggle all the
  values and restart the application. Doing so writes the values to the registry and lets you change the
  preference setting without needing to create the key from scratch.
2.4.2 Default settings for 10.x
The default settings are similar to 9.3.4. See Changes across releases.
2.4.3 Default settings for 9.3 and 8.2
The default settings for 9.3 and 8.2 are as follows:
• Enhanced security is enabled.
• Privileged locations are enabled. The locations list is empty.
End users have the option to disable the feature or to leave it enabled and add privileged locations for
trusted files, folders, and hosts. Adobe recommends that enhanced security is enabled and care
exercised when assigning trust.
Administrators can of course configure all the options as well as lock down the user interface so that
users can’t change the settings. In many enterprise settings, admins will enable enhanced security,
preconfigure trust, and lock all settings. See the examples below.
Note: Preferences may or may not be visible in the registry by default when the value has
been set by the application. While the setting’s value is respected, it is often the case
that the UI must be exercised to actually write the value to the preference file or
registry. When configuring preferences, it is usually expedient to toggle all the values
and restart the application. Doing so writes the values to the registry and lets you
change the preference setting without needing to create the key from scratch.
Example 2.1: Default enhanced security settings (Windows 9.3 and 8.2)
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager]
"bTrustOSTrustedSites"=dword:00000001
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
Example 2.2: Default enhanced security settings (Windows 9.3 and 8.2)
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
2.4.4 Most restrictive settings
The following examples show the most restrictive settings with the features locked. This results in the
following:
• All enhanced security protections will be in place.
• Only administrators can configure privileged locations.
• End users cannot change any of the settings.
• Documents and workflows that are subject to these protections will need to have trust assigned by
  some mechanism that the security model recognizes as a trustworthy way to bypass these
  restrictions. Possibilities include those listed in “Bypassing enhanced security restrictions”.
Note: 10.x products use the same settings.
Example 2.3: Most restrictive enhanced security settings: 9.x and 10.x
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\<9.0 or 10.0>\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\<9.0 or 10.0>\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\<9.0 or 10.0>\FeatureLockDown]
"bDisableOSTrustedSites"=dword:00000001
Example 2.4: Most restrictive enhanced security settings: 8.x
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\8.0\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\8.0\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<Adobe Acrobat OR Acrobat Reader>\8.0\FeatureLockDown]
"bDisableOSTrustedSites"=dword:00000001
2.4.5 Least restrictive settings
“Secure by default” is Adobe’s recommended best practice. However, you can disable all the features if
you are already operating within a secured environment. The following examples show the least
restrictive settings with the features not locked.
Note: 10.x products use the same settings.
Example 2.5: Least restrictive enhanced security settings: 9.x and 10.x
[HKEY_CURRENT_USER\Software\Adobe\(Adobe Acrobat or Acrobat Reader)\(9.0 or 10.0)\TrustManager]
"bEnhancedSecurityStandalone"=dword:00000000
"bEnhancedSecurityInBrowser"=dword:00000000
"bTrustOSTrustedSites"=dword:00000001
Example 2.6: Least restrictive enhanced security settings: 8.x
[HKEY_CURRENT_USER\Software\Adobe\(Adobe Acrobat or Acrobat Reader)\8.0\TrustManager]
"bEnhancedSecurityStandalone"=dword:00000000
"bTrustOSTrustedSites"=dword:00000001
2.4.6 Enabling and disabling enhanced security
The following example shows how to enable enhanced security. These settings are individually
configurable, and both may be locked so that the end user cannot change the preference via the user
interface. Note that UI configuration sets both keys; however, they can be configured with different
values via the registry.
To disable enhanced security, set the value to 00000000.
Example 2.7: Registry Configuration: Enhanced security enabled
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\TrustManager]
"bEnhancedSecurityInBrowser"=dword:00000001
"bEnhancedSecurityStandalone"=dword:00000001
Tip: This feature can be locked so that users can’t change the setting via the UI.
2.4.7 Specifying privileged locations (granting trust)
You can specify trusted locations by creating a new key under the cab key associated with the feature
you want to allow. Note the following:
• TrustManager\cTrustedFolders contains cabs for trusted folders AND files.
• TrustManager\cTrustedSites contains cabs for trusted hosts such as http(s).
• Available cabs include (subject to change over time): cCrossdomain, cDataInjection, cExternalStream, cScriptInjection, cSilentPrint, cWeblink.
• Each t(ID) must be unique. In the example below, t3 could reside in each of the cabs, but there could not be more than one t3 in each cab.
Example 2.8: Registry Configuration: Cross domain file trust
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager\cTrustedFolders\cCrossdomain]
"t3"="C:\\Documents and Settings\\brogers\\My Documents\\acrobat_logo16.png"
Tip: This feature can be locked so that users can’t change the setting via the UI.
2.4.8 Trusting sites you already trust for Internet Explorer
It is possible to automatically trust sites trusted by IE. When bTrustOSTrustedSites is enabled,
the trust list is a union of IE's trust list and Acrobat's privileged locations list. The key is lockable via
bDisableOSTrustedSites.
Example 2.9: Registry Configuration: Enabling trust for IE trusted sites
[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\TrustManager]
"bTrustOSTrustedSites"=dword:00000001
Tip: This feature can be locked so that users can’t change the setting via the UI.
2.4.9 Recursive trust for directories
By default, if you make a folder a privileged location its subdirectories are not automatically included. To
make trust recursive, do the following:
1. Go to HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\TrustManager\cTrustedFolders\.
2. For each subkey (e.g. cCrossdomain) where trust should be recursive, go to the subkey.
3. For each folder ID that should be recursive, modify the name by appending _recursive to it.
Example 2.10: Registry Configuration: Recursive trust
[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\TrustManager\cTrustedFolders\cScriptInjection]
"t5_recursive"="C:\\Aardvark"
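The most restrictive baseline of section 2.4.4 and the privileged-location entries of sections 2.4.7 and 2.4.9 can be checked offline against an exported .reg file. The Python below is an added example, not Adobe's code: the function names are hypothetical, the sample export is constructed, and the input is assumed to be the export's text already decoded to a string.

```python
import re

# Baseline values copied from the page's Example 2.3 (9.x and 10.x).
BASELINE = {"bEnhancedSecurityStandalone": 1, "bEnhancedSecurityInBrowser": 1,
            "bDisableTrustedFolders": 1, "bDisableTrustedSites": 1,
            "bDisableOSTrustedSites": 1}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
TRUST_RE = re.compile(r"\\TrustManager\\(cTrustedFolders|cTrustedSites)\\(c\w+)$", re.I)

def parse_reg(text):
    """Parse decoded .reg export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # blank lines, comments, file header, unsupported types
        name, data = m.groups()
        if data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
    return keys

def audit_lockdown(keys, product, version):
    """Compare one product's HKLM FeatureLockDown values with BASELINE."""
    want_path = "\\".join(["HKEY_LOCAL_MACHINE", "SOFTWARE", "Policies", "Adobe",
                           product, version, "FeatureLockDown"]).lower()
    locked = {}
    for path, values in keys.items():
        if path.lower() == want_path:  # registry paths and names ignore case
            locked.update({k.lower(): v for k, v in values.items()})
    findings = []
    for name, want in BASELINE.items():
        if version.startswith("8.") and name == "bEnhancedSecurityInBrowser":
            continue  # per the page, 8.x has only bEnhancedSecurityStandalone
        got = locked.get(name.lower())
        if got is None:
            findings.append(f"{name}: not locked (absent from FeatureLockDown)")
        elif got != want:
            findings.append(f"{name}: locked to {got}, baseline is {want}")
    return findings

def privileged_locations(keys):
    """Inventory trusted entries as (hive, list, cab, id, target, recursive)."""
    found = []
    for path, values in keys.items():
        m = TRUST_RE.search(path)
        if m:
            hive = path.split("\\", 1)[0]
            for name, target in values.items():
                found.append((hive, m.group(1), m.group(2), name, target,
                              name.lower().endswith("_recursive")))
    return found

# Constructed sample export (not from a real machine).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\9.0\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000000
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\TrustManager\cTrustedFolders\cScriptInjection]
"t5_recursive"="C:\\Aardvark"
'''

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(audit_lockdown(parsed, "Adobe Acrobat", "9.0"))
    print(privileged_locations(parsed))
```

A value that exists only under HKEY_CURRENT_USER is reported as not locked, because only the FeatureLockDown copy prevents the end user from changing it.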
2.4.10 Locking enhanced security on or off
Enhanced security can be locked as enabled or disabled. To do so:
1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown.
2. Right click and choose New > DWORD Value.
3. Create bEnhancedSecurityStandalone and/or bEnhancedSecurityInBrowser.
4. Right click on the key and choose Modify.
5. Set the value as follows:
• 0: Disables enhanced security and locks the feature.
• 1: Enables enhanced security and locks the feature.
Example 2.11: Registry Configuration: Enhanced security locked as enabled
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\9.0\FeatureLockDown]
"bEnhancedSecurityStandalone"=dword:00000001
"bEnhancedSecurityInBrowser"=dword:00000001
2.4.11 Locking privileged locations off
You can disable and lock the ability to add privileged locations by setting the keys as shown in the
example below. This feature allows administrators to control what users can trust. Simply lock the
feature and provide your own trust list to user machines.
1. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\<product name>\<version>\FeatureLockDown.
2. Right click and choose New > DWORD Value.
3. Create bEnhancedSecurityStandalone and/or bEnhancedSecurityInBrowser.
4. Right click on the key and choose Modify.
5. Set the value as follows:
• 0: Enables the feature.
• 1: Disables the feature.
Example 2.12: Registry Configuration: Privileged locations disabled
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\9.0\FeatureLockDown]
"bDisableTrustedFolders"=dword:00000001
"bDisableTrustedSites"=dword:00000001
2.4.12 Locking trust for IE trusted sites on or off
The ability to automatically trust sites that IE also trusts can be locked on or off by setting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown as follows:
• 0: Disables trusting sites from IE and locks the feature.
• 1: Enables trusting sites from IE and locks the feature.
Example 2.13: Registry Configuration: Disabling trust for IE trusted sites
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FeatureLockDown]
"bDisableOSTrustedSites"=dword:00000000
2.4.13 XObject access
Preference configuration can be a mystery if you don’t take the time to understand related features and
how they interact. For example, enhanced security settings interact with certificate trust settings and
Trust Manager settings. The following provides just one use case where two settings must be
configured to get one feature to work as expected.
XObject access
Since reference XObjects access external content, security is a concern. Therefore, XObject (external
stream) access requires that such access be granted through the user interface (or registry) and that the
referencing document is specified as trustworthy when cross domain access is involved.
To configure XObject access:
To configure external content access:
1. Choose Edit > Preferences > Page Display (Windows) or Acrobat > Preferences > Page Display (Macintosh).
2. Configure the Reference XObjects View Mode panel by setting Show reference XObject targets.
3. Set the location of referenced files (if any).
4. Choose OK.
Figure 12 Resource access
To configure registry access:
1. Open the registry editor.
2. Go to HKEY_CURRENT_USER\Software\Adobe\<product>\<version>\TrustManager\cTrustedFolders\cExternalStream.
3. Right click and choose New String.
4. Enter a document ID in the form of t(some integer).
5. Right click on the new ID and choose Modify.
6. Enter the path to the trusted document in the Value Data field.
7. Go to HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\9.0\TrustManager\cTrustedFolders\cCrossdomain and repeat the same steps. Use the same ID and value.
Note: Other XObject settings can be configured via the UI or in the registry as described in the Preference Reference for Acrobat and Adobe Reader.
2.4.14 Macintosh configuration
Enhanced security preferences cannot be locked on Macintosh systems.
Before continuing, install some plist editor such as PlistEdit Pro. Change the root path to reflect the
product (Acrobat or Reader) and version number (9.0 or 8.0) you are using.
Note: Preferences may or may not be visible in the registry by default when the value has
been set by the application. While the setting’s value is respected, it is often the case
that the UI must be exercised to actually write the value to the preference file or
registry. When configuring preferences, it is usually expedient to toggle all the values
and restart the application. Doing so writes the values to the registry and lets you
change the preference setting without needing to create the key from scratch.
To configure the settings:
1. Navigate to the .plist file:
• Mactel: User\Library\Preferences\com.adobe.Acrobat.Pro_x86_9.0.plist
• Mactel: User\Library\Preferences\com.adobe.Acrobat.Pro_x86_8.0.plist
• PowerPC machine: User\Library\Preferences\com.adobe.Acrobat.Pro_ppc_8.0.plist
• PowerPC machine: User\Library\Preferences\com.adobe.Acrobat.Pro_ppc_9.0.plist
• PowerPC machine: User\Library\Preferences\com.adobe.Reader_ppc_8.0.plist
• PowerPC machine: User\Library\Preferences\com.adobe.Reader_ppc_9.0.plist
2. Go to TrustManager.
3. Set EnhancedSecurityInBrowser (Boolean YES/NO).
4. Set EnhancedSecurityStandalone (Boolean YES/NO).
Note: Do not configure Number. For 8.x, only one key (bEnhancedSecurityStandalone) controls behavior for both standalone and browser modes. Do not set EnhancedSecurityInBrowser.
5. Exit the editor.
Figure 13 Preferences: Enhanced security settings for UNIX
2.4.15 UNIX configuration
Enhanced security preferences cannot be locked on UNIX systems.
Note: Preferences may or may not be visible in the registry by default when the value has
been set by the application. While the setting’s value is respected, it is often the case
that the UI must be exercised to actually write the value to the preference file or
registry. When configuring preferences, it is usually expedient to toggle all the values
and restart the application. Doing so writes the values to the registry and lets you
change the preference setting without needing to create the key from scratch.
To configure the settings:
1. Navigate to the .preferences file. For example:
• ~/.adobe/Acrobat/9.0/Preferences/reader_prefs
• ~/.adobe/Acrobat/8.0/Preferences/reader_prefs
2. Navigate to /TrustManager.
3. Add and set the keys in the file.
Note: For 8.x, only one key (bEnhancedSecurityStandalone) controls behavior for both standalone and browser modes. Do not set EnhancedSecurityInBrowser.
Example 2.14: Preferences: Enhanced security settings for UNIX
/TrustManager
[/c <<
/EnhancedSecurityInBrowser [/b false]
/EnhancedSecurityStandalone [/b false]
>>]
4. Save and exit.
2.5 Bypassing enhanced security restrictions
Because enhanced security limits functionality and restricts certain operations, you can use one of
several mechanisms to override those restrictions for content you specifically trust, including:
• Client controls:
  ◦ Specifying privileged locations
  ◦ Specifying trusted URLs via Trust Manager
  ◦ Trusting certificates for privileged network operations
• Server controls:
  ◦ Managing cross domain access at the server
  ◦ Enabling cross domain access for specific PDFs
2.5.1 Client controls
2.5.1.1 Specifying privileged locations
Enhanced security provides a method for specifying locations for trusted content. Privileged locations
can be a single file, a directory, or a host. The application maintains two privileged location lists: an
administrator list (in HKLM) and a user list (in HKCU). The user list is for the current user only and can be
edited via the user interface. The default installation does not specify any privileged locations.
The administrator list is created manually or by tuning the installer with the Acrobat Customization
Wizard before deployment. This method of trusting content is beneficial for administrators who control
clients in closed workflows, who don’t own a web service and so can’t manage a cross domain policy, or
who need to grant rights such as silent printing, and who trust the location.
To specify a privileged location through the user interface:
1. Navigate to the enhanced security panel (Figure 9).
2. Check or uncheck Automatically trust sites for my Win OS security zones. Enabling this feature identifies as privileged locations the trusted sites you’ve configured for Internet Explorer.
3. Set a privileged location by selecting one of the following buttons:
• Add File: A file is defined by a path, so its security settings will be invalid if that file is moved.
• Add Folder Path: Prior to 10.1, trust is not recursive. With 10.1 and later, trust is recursive but can be disabled via a registry preference.
• Add Host: Enter the complete name of the root URL only with no wildcards. For example, www.adobe.com but not www.adobe.com/lc. To specify HTTPS, select Secure Connections Only.
4. Choose OK.
Tip: You can make a folder privileged location recursive by configuring the registry as described in “Registry-level configuration (administrators)” on page 18.
2.5.1.2 Trusting sites that Internet Explorer trusts
See Specifying privileged locations.
2.5.1.3 Specifying trusted URLs via Trust Manager
For 9.2 and 8.1.7 and prior, Trust Manager settings override enhanced security settings. The Trust
Manager allows you to permit, block, or be asked about URL access. You may allow or block all URLs, or
you can specify a list of trusted URLs.
For 9.3 and 8.2, enhanced security settings take precedence over any Trust Manager settings.
2.5.1.4 Trusting certificates for privileged network operations
When enhanced security is on, a certified document can bypass some security restrictions even if it is
not in a privileged location. That is, trust can be assigned at the certificate level if:
• The document is certified; that is, the first signature in the document is a certification signature.
• The certification signature is valid.
• The document recipient has specifically trusted the signer’s certificate for privileged operations.
Post-deployment, administrators can use an FDF file or an acrobatsecuritysettings file to configure the
Trusted Identity Manager for multiple clients. Pre-deployment, an administrator would tune the installer
with the Acrobat Customization Wizard. For details about certificates, see Digital Signatures and Rights
Management in Acrobat and Adobe Reader.
To manually set a certificate's trust level on a client-by-client basis:
1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities.
2. Choose Certificates in the Display drop down list.
3. Select the certificate.
4. Choose Edit Trust.
5. Set the options as needed.
Tip: Trusting the certificate for Privileged system options has the same effect as adding a signed document as a privileged location and exempts it from enhanced security restrictions.
6. Choose OK twice and close the dialog.
Figure 14 Setting certificate trust
2.5.2 Server controls
Enhanced security’s cross domain restrictions can also be bypassed and managed at the server.
Managing cross domain access at the server
Clients have the capability of automatically detecting and using crossdomain.xml policy files to access
content from a different origin. Administrators can configure the policy file as needed so that clients can
access trusted content. For more information, see Cross-domain Access and Configuration.
Enabling cross domain access for specific PDFs
For a PDF that comes from a server, the server has a domain and hence the PDF has a domain; however,
a stand-alone PDF residing on a user’s machine has no domain. When such a PDF accesses a server,
Acrobat’s default behavior is to consider that communication as cross domain.
To allow a “domain-less,” local PDF to access a server, it must be signed either with a certification
signature or a “reader enabled” signature (the hidden signature applied during Reader enablement) and
registered in a cross domain policy file. Again, the signature can be one of two types:
• A certification signature in a certified document: Best for certified document workflows and when high privileged JavaScript should be permitted.
• A Reader enabled signature applied by a LiveCycle ES server: PDFs that are granted additional usage rights are signed by the server. Using this fingerprint allows customers with many Reader extended documents to continue accessing the server after enhanced security is enabled without having to change their forms.
The fingerprint for the certificate that was used for the signing is registered in the cross domain file on
the server. In effect, the cross domain file on the server is saying “files signed with this certificate may
access this server.” To register the fingerprint, an administrator extracts the SHA-1 hash of the public key
from the signing certificate and places it in the cross domain policy file.
Note: For details as well as other related guides and quick keys, see the Application Security Library.
2.6 Enhanced security quick key
6HUYHU&RQILJ
5HJLVWU\&RQILJXUDWLRQ
8VHU,QWHUIDFH&RQILJXUDWLRQ
5HJLVWU\OHYHOSUHIHUHQFHVSURYLGH$GPLQVZLWKJUDQXODUFRQWURORYHUWKHIHDWXUH+LJKOHYHOUXOHV
:LQGRZV0DFLQWRVKDQG81,;SODWIRUPVXVHVLPLODUO\QDPHGNH\V
:KHQFRQILJXULQJSDWKVXVH\RXUSURGXFW$GREH$FUREDWRU$FUREDW5HDGHUDQGYHUVLRQRU


)RU[RQO\RQHNH\E(QKDQFHG6HFXULW\6WDQGDORQH FRQWUROVEHKDYLRUIRUERWKVWDQGDORQHDQGEURZVHUPRGHV
3UHIHUHQFHVDUHERROHDQ7UXHHQDEOHVWKHIHDWXUH)DOVHGLVDEOHVWKHIHDWXUH
(
1+$1&('
6
(&85,7<
4
8,&.

.(<
(QKDQFHGVHFXULW\SURYLGHVWZRWRROVDVHWRIUHVWULFWLRQVWKDWEORFNVSRWHQWLDOO\GDQJHURXVDFWLRQVDQGDPHFKDQLVPIRU
DVVLJQLQJWUXVWWRILOHVIROGHUVDQGKRVWVWKDWVKRXOGQRWEHVXEMHFWWRWKRVHUHVWULFWLRQV,WVEHQHILWVWKHUHIRUHLQFOXGH
$³KDUGHQHG´DSSOLFDWLRQWKDWSUHYHQWVFURVVGRPDLQDFFHVVUHTXHVWHGFRQWHQWPXVWDGKHUHWRD³VDPHRULJLQ´SROLF\
VLOHQWSULQWLQJKLJKSULYLOHJH-DYD6FULSWH[HFXWLRQVFULSWDQGGDWDLQMHFWLRQDQGVWUHDPDFFHVVWR;REMHFWV
$WUXVWPRGHOWKDWDOORZVWKHDERYHDFWLRQVEDVHGRQWKHFRQWHQW¶VUHVLGHQFHLQDSULYLOHJHGORFDWLRQ
7RFRQILJXUHHQKDQFHGVHFXULW\:LQDQG0DFRQO\

1DYLJDWHWRWKHSUHIHUHQFHVSDQHO
&KRRVH6HFXULW\(QKDQFHG
&KHFNXQFKHFN(QDEOH(QKDQFHG6HFXULW\
&KHFNHGLV(1$%/('8QFKHFNHGLV',6$%/('
&KHFN&UHDWHORJILOHWRHQDEOHFURVVGRPDLQORJJLQJ
7RE\SDVVHQKDQFHGVHFXULW\UHVWULFWLRQVIRUWUXVWHGFRQWHQW
&KHFNXQFKHFNZKHWKHUWRWUXVWVLWHV\RXDOUHDG\WUXVWLQ,(
1RWDYDLODEOHRQ0DFRU81,;RUYHUVLRQVSULRUWRDQG
&KRRVH$GG)LOH$GG)ROGHU3DWKRU$GG+RVW
6SHFLI\RUVHOHFWDORFDWLRQWKDWFRQWDLQVWUXVWHGFRQWHQW
&URVVGRPDLQDFFHVVFDQEHPDQDJHGE\DVHUYHU¶VFURVVGRPDLQSROLF\

7KHILOHPXVWEHQDPHGFURVVGRPDLQ[PODQGUHVLGHDWWKHVHUYHUURRW


KWWSH[DPSOHFRPFURVVGRPDLQ[POVKRXOGGLVSOD\WKHILOH
7KH0,0(W\SHDQGILOHV\QWD[PXVWFRQIRUPWRWKHVSHFLILFDWLRQ

(QDEOHORJJLQJWR$FUREDW&URVV'RPDLQORJYLDWKH8,RUWKH
UHJLVWU\[DQG$93ULYDWHE&URVV'RPDLQ/RJJLQJ WUXH

DQG'HIDXOWLV21$XWRPDWLFDOO\HQDEOHGIRU:LQ0DFDQG81,;[DQG'HIDXOWLV2))
2WKHUYHUVLRQV1RWDYDLODEOH
0DFLQWRVK
:,QGRZV
5RRWSDWKaDGREH$FUREDW3UHIHUHQFHVUHDGHUBSUHIV
(QKDQFHGVHFXULW\GLVDEOHG
7UXVW0DQDJHU>F(QKDQFHG6HFXULW\,Q%URZVHU>EIDOVH@(QKDQFHG6HFXULW\6WDQGDORQH>EIDOVH@!!@
81,;
7RGLVDEOH(QKDQFHG6HFXULW\
0DFWHOURRW8VHU?/LEUDU\?3UHIHUHQFHV?FRPDGREH$FUREDW3URB[BSOLVW
3RZHU3&URRW8VHU?/LEUDU\?3UHIHUHQFHV?FRPDGREH33&SOLVW
7UXVW0DQDJHU!(QKDQFHG6HFXULW\,Q%URZVHU%RROHDQ12
7UXVW0DQDJHU!(QKDQFHG6HFXULW\6WDQGDORQH%RROHDQ12
7RGLVDEOH(QKDQFHG6HFXULW\([DPSOHXVHV$FUREDWDQGDQ\[YHUVLRQ
3DWKIRUNH\VWLHGWRXVHUWKHLQWHUIDFH>+.(<B&855(17B86(5?6RIWZDUH?$GREH?$GREH$FUREDW??7UXVW0DQDJHU@
E(QKDQFHG6HFXULW\,Q%URZVHU GZRUG
E(QKDQFHG6HFXULW\6WDQGDORQH GZRUG
7RGLVDEOHDQGORFN(QKDQFHG6HFXULW\([DPSOHXVHV5HDGHUDQGDQ\VXSSRUWHG[YHUVLRQ
3DWKIRUORFNDEOHNH\V>+.(<B/2&$/B0$&+,1(?62)7:$5(?3ROLFLHV?$GREH?
$FUREDW
5HDGHU??)HDWXUH/RFN'RZQ@
E(QKDQFHG6HFXULW\6WDQGDORQH GZRUG
7RGLVDEOHDQGORFNSULYLOHJHGORFDWLRQV*LYHVDGPLQFRQWURORYHUZKDWLVWUXVWHGZKHQ(6LVHQDEOHG
E'LVDEOH7UXVWHG)ROGHUV GZRUG
E'LVDEOH7UXVWHG6LWHV GZRUG
:KR"
:KDW"
7,3)RU[YHUVLRQVXVHRQO\
(QKDQFHG6HFXULW\6WDQGDORQH
5
()(5(1&(6

(QKDQFHG6HFXULW\DQG7UXVWHG/RFDWLRQV

&URVV'RPDLQ$FFHVVDQG&RQILJXUDWLRQ

&URVV'RPDLQ3ROLF\)LOH6SHFLILFDWLRQ


3UHIHUHQFH5HIHUHQFHIRU$FUREDW 5HDGHU
Protected Mode in Adobe Reader (Windows)
The release of 10.0 introduces a sandbox for Adobe Reader called “Protected Mode” (PM). PM is another
defense-in-depth mechanism that further increases an attacker’s work factor and further protects the
user.
3.1 Overview
What is a “sandbox” and Protected Mode?
For application developers, sandboxing is a technique for creating a confined execution environment