Adobe Acrobat Reader Hardening Guide
Adobe Acrobat Reader DC must be hardened to protect it from security risks such as malware or unauthorized access to sensitive data. One way to improve the security of the software is to disable JavaScript and Flash via registry settings. This stops the execution of potentially harmful scripts or Flash content that could compromise the system or steal sensitive data. Keep in mind, though, that some PDF files that depend on these features may no longer function properly.
Defender 365 Recommendations
In the Microsoft 365 Defender portal, new recommendations from Microsoft are constantly being added. When Defender detects a system on the network that has Adobe Acrobat Reader DC installed, the following two security enhancements are automatically suggested.
To address them, adjust the following registry keys on the device.
bEnableFlash / bDisableJavaScript
Intune Powershell Script Deployment
There are several ways to distribute this via the Microsoft Intune portal. One way is a PowerShell script: Home -> Devices -> Scripts
# FeatureLockDown paths for Acrobat Reader DC and for Acrobat DC
$path1 = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$path2 = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
# -Force creates missing parent keys and overwrites values that already exist, so the script can be re-run
New-Item -Path $path1 -Force | Out-Null
New-ItemProperty -Path $path1 -Name 'bEnableFlash' -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $path1 -Name 'bDisableJavaScript' -Value 1 -PropertyType DWord -Force | Out-Null
New-Item -Path $path2 -Force | Out-Null
New-ItemProperty -Path $path2 -Name 'bDisableJavaScript' -Value 1 -PropertyType DWord -Force | Out-Null
This way is relatively quick to implement, and the security of the application increases within a few minutes.
Intune Proactive Remediation Solution
The second way would be to do it with Proactive Remediations. I think this is the better way because complete error handling can be set up here and the subsequent overview of the deployment is more transparent.
Home -> Reports | Endpoint Analytics -> Endpoint Analytics -> Proactive remediations
Detection script
$path1 = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$path2 = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
# Test-Path returns a [bool], so compare against $true rather than the string 'TRUE'
if (((Test-Path -Path $path1) -eq $true) -and ((Test-Path -Path $path2) -eq $true))
{
    # Read the values only after the keys are known to exist; a missing value then simply compares as $null
    $key1 = Get-ItemProperty -Path $path1 -ErrorAction SilentlyContinue
    $key2 = Get-ItemProperty -Path $path2 -ErrorAction SilentlyContinue
    if (($key1.bEnableFlash -eq 0) -and ($key1.bDisableJavaScript -eq 1) -and ($key2.bDisableJavaScript -eq 1))
    {
        Write-Output "Adobe Security Defaults successful"
        exit 0
    }
    else
    {
        Write-Output "Keys missing"
        exit 1
    }
}
else
{
    Write-Output "Paths missing"
    exit 1
}
Remediation script
$path1 = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$path2 = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown'
try {
    # -ErrorAction Stop turns registry errors into terminating errors so the catch block (and exit 1) is reached
    New-Item -Path $path1 -Force -ErrorAction Stop | Out-Null
    New-ItemProperty -Path $path1 -Name 'bEnableFlash' -Value 0 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    New-ItemProperty -Path $path1 -Name 'bDisableJavaScript' -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    New-Item -Path $path2 -Force -ErrorAction Stop | Out-Null
    New-ItemProperty -Path $path2 -Name 'bDisableJavaScript' -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
    Write-Output "Adobe Security Defaults applied"
    exit 0
}
catch {
    # Write-Output rather than Write-Host, so the message lands in the output Intune records for the remediation
    $errMsg = $_.Exception.Message
    Write-Output $errMsg
    exit 1
}
Assign it to a device group and that’s it; results are visible within a few hours.
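As an added example (not code from the original post): the same detection logic written table-driven, so every expected registry value is listed once and each mismatch (missing key, missing value, wrong value) is reported by name in the Intune output. The function name Test-RegistryValue is my own.

```powershell
# Added example: table-driven detection script for the Adobe Reader DC FeatureLockDown settings.
# Each expected value is declared once; a missing key or value is reported as non-compliant
# instead of producing a PowerShell error in the Proactive Remediation output.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'; Name = 'bEnableFlash';       Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'; Name = 'bDisableJavaScript'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown';  Name = 'bDisableJavaScript'; Value = 1 }
)

# Hypothetical helper: returns $null when the value is compliant, otherwise a one-line finding.
function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) { return "missing key: $Path" }
    # Get-ItemPropertyValue throws if the value does not exist; catch it so the remaining checks still run
    try {
        $actual = Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop
    } catch {
        return "missing value: $Path\$Name"
    }
    if ($actual -ne $Value) { return "wrong value: $Path\$Name is $actual, expected $Value" }
    return $null
}

# Splat each hashtable onto the function's parameters and keep only the non-compliant results
$findings = foreach ($e in $expected) { Test-RegistryValue @e }
$findings = @($findings | Where-Object { $_ })

if ($findings.Count -eq 0) {
    Write-Output "Adobe Security Defaults compliant"
    exit 0
}
# Intune records the detection output in the Proactive Remediation report, so keep it to one line
Write-Output ("Non-compliant: " + ($findings -join '; '))
exit 1
```

The existing remediation script can stay as it is; this detection script only changes what the report shows for a non-compliant device.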
Conclusion
In conclusion, hardening Adobe Acrobat Reader DC by disabling JavaScript and Flash settings via the registry is a crucial step in improving the security of the application in a company environment. In today’s increasingly digital world, it is essential for companies to take proactive measures to secure their applications and protect their data.
There are many more steps to improve security; look here: