We’ve been running the STIG configuration with Adobe Acrobat DC Classic and Continuous for a while with no issues until early 2019, when users could no longer open PDFs from across the network. Acrobat would report that it was blocking a PDF from the internet and show the address it was blocking, SMB://FileServerName.Domain.Org/Path/EvilPDF.pdf, which is clearly not on the internet. Sometime in February 2019 an Acrobat update appears to have altered this behavior. The confusing part was that some users could continue to open PDFs from the same location while others could not.
- First, some users could still open the files because Acrobat, like Office, stores trusted locations in the user’s registry hive. If a user added a document or location to their trusted locations before the STIG/CIS/BP configuration was applied to their system, those entries persist in that user’s profile and are still honored by Acrobat and Office even though the use of trust lists has been disabled.
- Second, the change in Acrobat that triggers this issue only occurs when the FQDN of the share server is used. \\ShortName\Path\EvilPDF.pdf or even \\IPAddress\Path\EvilPDF.pdf opens without a problem; once you use the FQDN, Acrobat treats the connection as an internet connection.
The policy setting that controls this is:
Computer Configuration -> Administrative Templates -> Adobe Acrobat Pro DC Classic -> Preferences -> Trust Manager
Computer Configuration -> Administrative Templates -> Adobe Acrobat Pro DC Continuous -> Preferences -> Trust Manager
Access to websites = Block PDF files access to all web sites
- Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cDefaultLaunchURLPerms
- Value name: tHostPerms (REG_SZ)
- Value data: version:2|URL:#|URL:#|URL:#
  - # = behavior
    - 2 = allow
    - 3 = block
- Example: version:2|FileServerName.Domain.Org:2|http://www.tacobell.com:2|http://www.yahoo.com:3
  - Allows SMB and http/https to FileServerName.Domain.Org
  - Allows http://www.tacobell.com
  - Denies http://www.yahoo.com
Note 1: Leave the http(s):// off the front of the FQDN for the entry to apply to SMB shares. I tried the smb:// notation but never got it to work in testing.
Note 2: The Adobe documentation states that 1 is block, but by actually creating block entries I found that 3 is what the latest Acrobat DC writes to the registry for that.
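As an added example (not from the original post or from Adobe), the following Python builds and parses a tHostPerms string in the version:2|host:code format described above, and checks which entry a UNC path or URL would hit. The entry syntax and the codes 2 = allow, 3 = block are taken from the page; the lookup order (scheme-qualified entry first, then the bare host) and case-insensitive matching are assumptions for illustration, not Acrobat’s documented matching rules.

```python
from urllib.parse import urlparse

# Codes as observed in the registry by the post (the Adobe docs say 1 = block).
ALLOW, BLOCK = 2, 3


def parse_host_perms(value: str) -> dict:
    """Parse 'version:2|host:code|...' into {host: code}; rejects unknown codes."""
    fields = value.split("|")
    if fields[0] != "version:2":
        raise ValueError(f"unexpected version field: {fields[0]!r}")
    perms = {}
    for entry in fields[1:]:
        if not entry:
            continue
        # rpartition: an entry such as http://host:2 contains ':' in the scheme too
        host, sep, code = entry.rpartition(":")
        if not sep or not code.isdigit() or int(code) not in (ALLOW, BLOCK):
            raise ValueError(f"bad entry: {entry!r}")
        perms[host.lower()] = int(code)
    return perms


def build_host_perms(allow, block) -> str:
    """Assemble a tHostPerms string from lists of allowed and blocked hosts."""
    parts = ["version:2"]
    parts += [f"{h}:{ALLOW}" for h in allow]
    parts += [f"{h}:{BLOCK}" for h in block]
    return "|".join(parts)


def host_of(location: str):
    """Return (scheme, host) for a URL or a UNC path such as \\\\server\\share\\f.pdf."""
    if location.startswith("\\\\"):
        return "smb", location[2:].split("\\", 1)[0].lower()
    u = urlparse(location)
    return u.scheme.lower(), (u.hostname or "").lower()


def decision(perms: dict, location: str) -> str:
    """Assumed lookup: scheme-qualified entry first, then bare host; else 'unlisted'.
    A bare FQDN entry (no http(s)://) is what the post found necessary for SMB."""
    scheme, host = host_of(location)
    for key in (f"{scheme}://{host}", host):
        if key in perms:
            return "allow" if perms[key] == ALLOW else "block"
    return "unlisted"
```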
Once this policy reaches your users, they can once again open PDFs from network shares when using FQDNs.