Check: ARDC-CN-000025
Adobe Acrobat Reader DC Continuous Track STIG:
ARDC-CN-000025
(in versions v2 r1 through v1 r4)
Title
Adobe Reader DC must Block Websites. (Cat II impact)
Discussion
Clicking any link to the Internet poses a potential security risk. Malicious websites can transfer harmful content or silently gather data. Acrobat Reader documents can connect to websites which can pose a potential threat to DoD systems and that functionality must be blocked. However, PDF document workflows that are trusted (e.g., DoD-created) can benefit from leveraging legitimate website access with minimal risk. Therefore, the ISSO may approve of website access and accept the risk if the access provides benefit and is a trusted site or the risk associated with accessing the site has been mitigated. Adobe Reader must block access to all websites that are not specifically allowed by ISSO risk acceptance. Satisfies: SRG-APP-000112, SRG-APP-000206, SRG-APP-000207, SRG-APP-000209, SRG-APP-000210
Check Content
Verify the following registry configuration:
Utilizing the Registry Editor, navigate to the following:
HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms
Value Name: iURLPerms
Type: REG_DWORD
Value: 1
Value: 0 - only with a documented ISSO risk acceptance
If the value for “iURLPerms” is set to “0” and a documented ISSO risk acceptance approving access to websites is provided, this is not a finding.
If the value for “iURLPerms” is not set to “1” with “Type” configured as “REG_DWORD”, or the value does not exist, this is a finding.
Fix Text
Configure the following registry value:
Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms
Value Name: iURLPerms
Type: REG_DWORD
Value: 1
If configuring the system to allow access to websites, obtain documented ISSO approvals and risk acceptance and set “iURLPerms” to “0”.
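The check and fix above can be scripted for a compliance scan. The following PowerShell function is an added example, not part of the STIG or Adobe's tooling: it reads the registry value named in the check, applies the same finding logic (including the REG_DWORD type requirement and the value 0 exception), and optionally applies the Fix Text value. The -IssoRiskAccepted switch is an assumption standing in for the documented ISSO risk acceptance, which the script cannot verify on its own.

```powershell
# Added example, not part of the STIG text: audits ARDC-CN-000025 on the local host.
# Key path and value name come from the STIG; -IssoRiskAccepted is an assumed
# stand-in for the documented ISSO risk acceptance (it must be supplied by the auditor).
function Test-ArdcCn000025 {
    [CmdletBinding()]
    param(
        [switch]$IssoRiskAccepted,   # pass only when a documented ISSO risk acceptance exists
        [switch]$Remediate           # apply the Fix Text value (1) when a finding is detected
    )

    $keyPath   = 'HKLM:\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms'
    $valueName = 'iURLPerms'

    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $status = 'Finding (value does not exist)'
    } else {
        $value = $item.$valueName
        # REG_DWORD comes back as [int]; a REG_SZ "1" or a REG_QWORD is the wrong type and a finding.
        $isDword = $value -is [int]
        if ($isDword -and $value -eq 1) {
            $status = 'Not a finding'
        } elseif ($isDword -and $value -eq 0 -and $IssoRiskAccepted) {
            $status = 'Not a finding (0 with documented ISSO risk acceptance)'
        } else {
            $status = "Finding (value=$value, type=$($value.GetType().Name))"
        }
    }

    if ($Remediate -and $status -like 'Finding*') {
        # Fix Text: create the key if needed and set iURLPerms to REG_DWORD 1 (block all websites).
        if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        $status = 'Remediated (iURLPerms set to REG_DWORD 1)'
    }

    [pscustomobject]@{ Check = 'ARDC-CN-000025'; Key = $keyPath; Value = $valueName; Status = $status }
}

# Audit only; add -Remediate (from an elevated prompt) to apply the fix.
Test-ArdcCn000025
```

Writing under HKLM\Software\Policies requires an elevated session; the audit branch runs as a standard user.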
Additional Identifiers
Rule ID: SV-213172r395811_rule
Vulnerability ID: V-213172
Group Title: SRG-APP-000112
CCIs
Number | Definition
---|---
CCI-001166 | The information system identifies organization-defined unacceptable mobile code.
CCI-001169 | The information system prevents the download of organization-defined unacceptable mobile code.
CCI-001170 | The information system prevents the automatic execution of mobile code in organization-defined software applications.
CCI-001662 | The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified.
CCI-001695 | The information system prevents the execution of organization-defined unacceptable mobile code.