Adobe Reader DC must block access to Unknown Websites.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64929	ARDC-CN-000030	SV-79419r2_rule		Medium

Description
Because Internet access is a potential security risk, clicking any unknown website link to the Internet poses a potential security risk. Malicious websites can transfer harmful content or silently gather data. Satisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210

STIG	Date
Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide	2018-06-12

Details

Check Text ( C-65587r3_chk )
Verify the following registry configuration: Utilizing the Registry Editor, navigate to the following: HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms Value Name: iUnknownURLPerms Type: REG_DWORD Value: 3 If the value for iUnknownURLPerms is not set to “3” and Type configured to REG_DWORD or does not exist, then this is a finding. GUI path: Edit > Preferences > Trust Manager > In the 'Internet Access from PDF Files outside the web browser' section > Select 'Change Settings' option > In the 'PDF Files may connect to web sites to share or get information' section, if 'Block PDF files access to all web sites' is selected and greyed out (locked), then this is not a finding. If 'Custom setting' is checked, then in the 'Default behavior for web sites that are not in the above list' section, verify the radio button 'Block access' is checked and greyed out (locked) . If the box is not checked nor greyed out, this is a finding. Admin Template path: Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > Trust Manager > 'Access to unknown websites' must be set to 'Enabled' and 'Block access' selected in the drop down box. This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Check Text ( C-65587r3_chk )

Verify the following registry configuration:

Utilizing the Registry Editor, navigate to the following: HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms

Value Name: iUnknownURLPerms
Type: REG_DWORD
Value: 3

If the value for iUnknownURLPerms is not set to “3” and Type configured to REG_DWORD or does not exist, then this is a finding.

GUI path: Edit > Preferences > Trust Manager > In the 'Internet Access from PDF Files outside the web browser' section > Select 'Change Settings' option > In the 'PDF Files may connect to web sites to share or get information' section, if 'Block PDF files access to all web sites' is selected and greyed out (locked), then this is not a finding. If 'Custom setting' is checked, then in the 'Default behavior for web sites that are not in the above list' section, verify the radio button 'Block access' is checked and greyed out (locked) . If the box is not checked nor greyed out, this is a finding.

Admin Template path: Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > Trust Manager > 'Access to unknown websites' must be set to 'Enabled' and 'Block access' selected in the drop down box.

This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Fix Text (F-70869r3_fix)
Configure the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms Value Name: iUnknownURLPerms Type: REG_DWORD Value: 3 Configure the policy value for Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > Trust Manager > 'Access to unknown websites' to 'Enabled' and select 'Block access' in the drop down box. This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Fix Text (F-70869r3_fix)

Configure the following registry value:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms

Value Name: iUnknownURLPerms
Type: REG_DWORD
Value: 3

Configure the policy value for Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > Trust Manager > 'Access to unknown websites' to 'Enabled' and select 'Block access' in the drop down box.

This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.