STIG/CIS/Best Practices stops Acrobat loading PDFs from over the network

Active Directory, STIG/CIS/BP, Windows 2 Minutes

We’ve been running STIG configuration with Adobe Acrobat DC Classic & Continuous versions for a while with no issues until early 2019 when users started not being able to load PDFs from over the network anymore.  Acrobat would say it was blocking loading PDFs from the internet and then give the address it was blocking of SMB://FileServerName.Domain.Org/Path/EvilPDF.pdf which is clearly not on the internet.  It seems sometime in Feb 2019 an update to Acrobat altered this behavior.  The confusing part of this was that some users could continue to load PDFs from the same location while others could not.

  1. Firstly the reason for some being able to load them and others not being able to is because Acrobat is like Office in that it stores in the user’s registry trusted locations.  If a user added a document or location to their trusted locations prior to STIG/CIS/BP configuration being implemented on their system those allowances will continue to exist and be respected by Acrobat and Office in that user’s profile even though the usage of trust lists is disabled.
  2. Secondly the change in Acrobat that started this issue seems to only happen when the FQDN of a share server is used.  If you use \\ShortName\Path\EvilPDF.pdf or even \\IPAddress\Path\EvilPDF.pdf then Acrobat lets the file through without problem.  Once you use the FQDN Acrobat thinks you’re connecting to the internet.
The GPO is located at both of these locations depending on what version of Acrobat your support.
Computer Configuration -> Administrative Templates -> Adobe Acrobat Pro DC Classic -> Preferences -> Trust Manager
Computer Configuration -> Administrative Templates -> Adobe Acrobat Pro DC Continuous -> Preferences -> Trust Manager
The setting that causes the issue is this one;
Access to websites = Block PDF files access to all web sites
The problem is that now that this thinks FQDN shares are on the internet how do you allow them without allowing everything on the internet because there’s no GPO setting to designate between either.  Buried in the Adobe documentation is the registry configuration you can set to allow a white list of URLs in a REG_SZ called tHostPerms which has no corresponding GPO value.
The first step is to set the GPO value above Access to websites = Custom setting which tells Acrobat to then use the trust list we’re about to define.  The trust list lets you define allowed and blocked websites but when in Custom mode it will block everything except for what you place in the allow portion.  Then create a Computer Configuration -> Preferences -> Windows Settings -> Registry GPO entry for the following.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockdown\cDefaultLaunchURLPerms
    • REG_SZ = tHostPerms
    • Value = version:2|URL:#|URL:#|URL:#
      • # = behavior
      • 2 = allow
      • 3 = block
    • Example = version:2|FileServerName.Domain.Org:2|http://www.tacobell.com:2|http://www.yahoo.com:3

Note 1: You have to leave the http(s):// off the front of the FQDN for it to work for SMB shares.  I tried using the smb:// notation but never got it to work in testing.

Note 2: the Adobe documentation states 1 is block but I found through actually creating block entries that 3 is what the latest Acrobat DC puts in the registry for that.

Once this populates out to your users they can once again open PDFs from the network shares when using FQDNs.

Published by brentil

Published

Comments or questions?

This site uses Akismet to reduce spam. Learn how your comment data is processed.