Adobe Reader DC must disable all service access to Document Cloud Services.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-64939	ARDC-CN-000060	SV-79429r2_rule		Medium

Description
By default, Adobe online services are tightly integrated in Adobe Reader DC. With the integration of Adobe Document Cloud, disabling this feature prevents the risk of additional attack vectors. Within Adobe Reader DC, the Adobe Cloud resources require a paid subscription for each service.

STIG	Date
Adobe Acrobat Reader DC Continuous Track Security Technical Implementation Guide	2018-06-12

Details

Check Text ( C-65597r6_chk )
Verify the following registry configuration: Note: The Key Name "cServices" is not created by default in the Adobe Reader DC install and must be created. Utilizing the Registry Editor, navigate to the following: HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices Value Name: bToggleAdobeDocumentServices Type: REG_DWORD Value: 1 If the value for bToggleAdobeDocumentServices is not set to “1” and Type configured to REG_DWORD or does not exist, then this is a finding. Admin Template path: Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > 'Service access to Document Cloud Services' must be set to 'Disabled'. This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Check Text ( C-65597r6_chk )

Verify the following registry configuration:

Note: The Key Name "cServices" is not created by default in the Adobe Reader DC install and must be created.

Utilizing the Registry Editor, navigate to the following: HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices

Value Name: bToggleAdobeDocumentServices
Type: REG_DWORD
Value: 1

If the value for bToggleAdobeDocumentServices is not set to “1” and Type configured to REG_DWORD or does not exist, then this is a finding.

Admin Template path: Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > 'Service access to Document Cloud Services' must be set to 'Disabled'.

This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Fix Text (F-70879r3_fix)
Configure the following registry value: Note: The Key Name "cServices" is not created by default in the Adobe Reader DC install and must be created. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices Value Name: bToggleAdobeDocumentServices Type: REG_DWORD Value: 1 Configure the policy value for Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > 'Service access to Document Cloud Services' to 'Disabled'. This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.

Fix Text (F-70879r3_fix)

Configure the following registry value:

Note: The Key Name "cServices" is not created by default in the Adobe Reader DC install and must be created.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cServices

Value Name: bToggleAdobeDocumentServices
Type: REG_DWORD
Value: 1

Configure the policy value for Computer Configuration > Administrative Templates > Adobe Reader DC Continuous > Preferences > 'Service access to Document Cloud Services' to 'Disabled'.

This policy setting requires the installation of the AcrobatDCContinuous custom templates included with the STIG package. "AcrobatDCContinuous.admx" and "AcrobatDCContinuous.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.