Check: AADC-CL-001335
Adobe Acrobat Professional DC Classic Track STIG:
AADC-CL-001335
(in versions v1 r2 through v1 r1)
Title
Adobe Acrobat Pro DC Classic certified document trust must be disabled. (Cat II impact)
Discussion
Certified document trust elevates signed PDF files to a privileged location and bypasses privileged view security protections. Disabling certified documents disables and locks the end user's ability to elevate certified documents as a privileged location.
Check Content
Verify the following registry configuration: Using the Registry Editor, navigate to the following: HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockDown Value Name: bEnableCertificateBasedTrust Type: REG_DWORD Value: 0 If the value for bEnableCertificateBasedTrust is not set to "0" and Type is not configured to REG_DWORD or does not exist, this is a finding. GUI path: Edit > Preferences > Security (Enhanced) > In the 'Privileged Location' section, verify 'Automatically trust documents with valid certification' option is unchecked and greyed out (locked). If this box is checked and not greyed out, this is a finding. Admin Template path: Computer Configuration > Administrative Templates > Adobe Acrobat Pro DC Classic > Preferences > Security (Enhanced) > 'Automatically trust documents with valid certification' must be set to 'Disabled'. This policy setting requires the installation of the AcrobatProDCClassic custom templates included with the STIG package. "AcrobatProDCClassic.admx" and "AcrobatProDCClassic.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
Fix Text
Configure the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Policies\Adobe\Adobe Acrobat\2015\FeatureLockDown Value Name: bEnableCertificateBasedTrust Type: REG_DWORD Value: 0 Configure the policy value for Computer Configuration > Administrative Templates > Adobe Acrobat Pro DC Classic > Preferences > Security (Enhanced) > 'Automatically trust documents with valid certification' to 'Disabled'. This policy setting requires the installation of the AcrobatProDCClassic custom templates included with the STIG package. "AcrobatProDCClassic.admx" and "AcrobatProDCClassic.adml" must be copied to the \Windows\PolicyDefinitions and \Windows\PolicyDefinitions\en-US directories respectively.
Additional Identifiers
Rule ID: SV-94863r1_rule
Vulnerability ID: V-80159
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001813 |
The information system enforces access restrictions. |
Controls
Number | Title |
---|---|
CM-5 (1) |
Automated Access Enforcement / Auditing |