Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-79367 | AADC-CN-000285 | SV-94073r1_rule | Low |
Description |
---|
PDF files can contain URLs that initiate connections to websites in order to share or get information. Any Internet access introduces a security risk as malicious websites can transfer harmful content or silently gather data. |
STIG | Date |
---|---|
Adobe Acrobat Professional DC Continuous Security Technical Implementation Guide | 2019-07-01 |
Check Text ( C-78981r6_chk ) |
---|
Verify the following registry configuration: Utilizing the Registry Editor, navigate to the following: HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cDefaultLaunchURLPerms\ Value Name: iURLPerms Type: REG_DWORD Value: 1 If the value for iURLPerms is not set to “1” and Type is not configured to REG_DWORD or does not exist, this is a finding. Setting the value for iURLPerms to "0" means that a custom settings has been selected. Custom setting allows for specific websites to be used for PDF workflows. These websites must be approved by the ISSO/AO otherwise the setting must be "1" which blocks access to all websites. If the iURLPerms setting is "0" and a documented risk acceptance approving the websites is provided, this is not a finding. GUI path: Edit > Preferences > Trust Manager > In the 'Internet Access from PDF Files outside the web browser' section > Select 'Change Settings' option > In the 'PDF Files may connect to web sites to share or get information' section > Verify the radio button 'Block PDF files access to all web sites' is selected and greyed out (locked). If 'Custom setting' is checked, a documented risk acceptance approved by the ISSO/AO approving the websites must be provided and then this is not a finding. Admin Template path: Computer Configuration > Administrative Templates > Adobe Acrobat Pro DC Continuous > Preferences > Trust Manager > 'Access to websites' must be set to 'Enabled' and 'Block PDF files access to all web sites' selected in the drop down box. If 'Custom setting' is selected, a documented risk acceptance approved by the ISSO/AO approving the websites must be provided and then this is not a finding. This policy setting requires the installation of the AcrobatProDCContinuous custom templates included with the STIG package. "AcrobatProDCContinuous.admx" and "AcrobatProDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. |
Fix Text (F-86139r4_fix) |
---|
Configure the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cDefaultLaunchURLPerms\ Value Name: iURLPerms Type: REG_DWORD Value: 1 The setting may be set to "0" if a documented risk acceptance approving the websites is approved by the ISSO/AO. Configure the policy value for Computer Configuration > Administrative Templates > Adobe Acrobat Pro DC Continuous > Preferences > Trust Manager > 'Access to websites' to 'Enabled' and select 'Block PDF files access to all web sites' in the drop down box. Select 'Custom setting' if needed and provide a documented risk acceptance approved by the ISSO/AO approving the websites. This policy setting requires the installation of the AcrobatProDCContinuous custom templates included with the STIG package. "AcrobatProDCContinuous.admx" and "AcrobatProDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively. |