V-213121

Discussion

PDF files can contain URLs that initiate connections to websites in order to share or get information. Any Internet access introduces a security risk as malicious websites can transfer harmful content or silently gather data.

Check Content

Verify the following registry configuration:

Utilizing the Registry Editor, navigate to the following:
HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cDefaultLaunchURLPerms\

Value Name: iURLPerms
Type: REG_DWORD
Value: 1

If the value for iURLPerms is not set to “1” and Type is not configured to REG_DWORD or does not exist, this is a finding.

Setting the value for iURLPerms to "0" means that a custom settings has been selected.  Custom setting allows for specific websites to be used for PDF workflows.  These websites must be approved by the ISSO/AO otherwise the setting must be "1" which blocks access to all websites.  If the iURLPerms setting is "0" and a documented risk acceptance approving the websites is provided, this is not a finding.

GUI path: Edit > Preferences > Trust Manager > In the 'Internet Access from PDF Files outside the web browser' section > Select 'Change Settings' option > In the 'PDF Files may connect to web sites to share or get information' section > Verify the radio button 'Block PDF files access to all web sites' is selected and greyed out (locked).    If 'Custom setting' is checked, a documented risk acceptance approved by the ISSO/AO approving the websites must be provided and then this is not a finding. 

Admin Template path: Computer Configuration > Administrative Templates > Adobe Acrobat Pro DC Continuous > Preferences > Trust Manager > 'Access to websites' must be set to 'Enabled' and 'Block PDF files access to all web sites' selected in the drop down box. If 'Custom setting' is selected, a documented risk acceptance approved by the ISSO/AO approving the websites must be provided and then this is not a finding.