Adobe 12001196 - Acrobat - Mac Скачать руководство пользователя | Manualshive

Страница: 96 / 96

background image

10 Content security

Application security is all about hardening the application against malicious attacks. Content security is
designed to protect workflows and content within the application's secured environment. The product's
application security options as well as its content security features such as digital signatures, encryption,
and permissions provide unparallelled control over PDF-based workflows. These two are not always
functionally distinct, and both are critical components of information assurance. For example, signing
certificates in certified documents can be used to assign trust for operations that would otherwise be
restricted by enhanced security.

This guide focuses solely on application security--configuring the application to enable, disable, or restrict
features and PDF functionality that may pose a security risk. In all cases, configuration may occur before
or after deploying clients. For details about content security features, refer to the digital signatures and
document security documentation.

Information assurance components

Section 10 Content security

Application Security Guide

Page 92

Section 10 Content security

«
...
94
95
96

Содержание 12001196 - Acrobat - Mac

Страница 1: ...Acrobat Family of Products Acrobat Application Security Guide all versions...

Страница 2: ...nd the Adobe logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and or other countries Windows Windows 7 and Windows XP are registered trademarks of...

Страница 3: ...ons 15 3 6 FAQs 16 4 Enhanced Security 20 4 1 Feature interaction 20 4 2 Changes across releases 20 4 3 Configuration 21 4 4 Trust overrides 24 4 4 1 Privileged locations 25 4 4 2 Internet Access 25 4...

Страница 4: ...Certificate based permissions 60 7 4 Server configuration 63 7 5 Calling policies via JavaScript 67 7 6 Troubleshooting 67 8 External Content Access 76 8 1 Internet access 76 8 1 1 Changes across rel...

Страница 5: ...to propagate settings across your organization is to configure an installed application and then use the Customization Wizard s registry feature to copy the settings to the application installer Best...

Страница 6: ...robat Describes the security model when Flash runs inside a PDF document Cross Domain Policy File Specification A specification and guide for creating server based cross domain policy files with examp...

Страница 7: ...e potentially malicious based on user preferences and confines processing to a restricted sandbox Note For links to all documentation about Reader s sandbox see http learn adobe com wiki display secur...

Страница 8: ...at is all of Reader s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users These features include signing existing...

Страница 9: ...I for the file folder or host Create a privileged location via the registry plist by placing a tID at HKCU Software Adobe product name version TrustManager cTrustedSites or TrustedFolders All of the c...

Страница 10: ...ms actions based on those policies and when an admin provides a properly configured policy file the broker can bypass the application s default restrictions The broker first reads and applies all cust...

Страница 11: ...configuration dialog 2 4 FAQs Design principles Some of the high level design criteria for Protected View include the following PDFs in a browser are more functional than PDFs in a Reader s sandbox Fo...

Страница 12: ...casual users who interact with PDFs in unsecure environments There are a limited number of cases where you might want to disable Protected View In enterprise settings where PDF workflows are entirely...

Страница 13: ...vileges Thus processes that could be subject to an attacker s control run with limited capabilities and must perform actions such as reading and writing through a separate trusted process This design...

Страница 14: ...y on XP In enterprise settings where PDF workflows are entirely confined to trusted environments under an administrator s control If you have third party or custom plugins that cause issues when runni...

Страница 15: ...lick and choose New REG_SZ Value 3 Create tBrokerLogfilePath 4 Right click on tBrokerLogfilePath and choose Modify 5 Set the value For example C DOCUME 1 username LOCALS 1 Temp BrL4FBA tmp Policy logg...

Страница 16: ...y must reside in the Reader install directory adjacent to AcroRd32 exe in the install folder for example D Program Files x86 Adobe Reader 10 0 Reader The name of the policy file must be ProtectedModeW...

Страница 17: ...rocesses PROCESS_ALL_EXEC SystemRoot system32 calc exe Registry REG_ALLOW_ANY HKEY_CURRENT_USER Software SomeProgram Mutants MUTANT_ALLOW_ANY imejp Sections SECTION_ALLOW_ANY imejp 3 4 Read policy cha...

Страница 18: ...at a read restricted location on the user s disk or a network share When an FDF or XFDF is opened and it tries to reference a PDF file kept at a read restricted location on the user s disk or a netwo...

Страница 19: ...rted until 10 1 and later Note When a screen reader like JAWS or Window Eyes is already running when Reader is started for the first time on XP systems a warning is shown instructing the user to turn...

Страница 20: ...t configuration are not supported For a current list of issues see http helpx adobe com acrobat kb protected mode troubleshooting reader html Does the fact that Protected Mode invoke two Reader proces...

Страница 21: ...effect on viewing LC Reader Extended PDFs It should work fine out of the box Is there any special status for certified documents so that one can disable Protected Mode only with certified documents No...

Страница 22: ...sion has a limitation with Microsoft Desktop Search and is not installed with Reader X Does the Reader X need to go through the broker if we are saving a Reader extended document Yes Are the policies...

Страница 23: ...r own broker No we do not currently provide the option for developers to write their own brokers but we may do so for future releases Do the Broker and the Sandbox processes share both the WindowStati...

Страница 24: ...ssign trust When content is trusted as a result of a cross domain policy file for example that content is not subject to enhanced security restrictions It is important to understand the various ways t...

Страница 25: ...Acrobat or Acrobat Reader and version 9 0 or 8 0 For 8 x only one key bEnhancedSecurityStandalone controls behavior for both standalone and browser modes Preferences are usually boolean True 1 enables...

Страница 26: ...lue 3 Create bEnhancedSecurityStandalone and or bEnhancedSecurityInBrowser 4 Right click on the key and choose Modify 5 Set the value as follows 0 Disables enhanced security and locks the feature 1 En...

Страница 27: ...Reader_ppc_9 0 plist 2 Go to TrustManager 3 Set EnhancedSecurityInBrowser Boolean YES NO 4 Set EnhancedSecurityStandalone Boolean YES NO 5 Exit the editor Note Do not configure Number For 8 x only on...

Страница 28: ...of cross domain access Users can trust documents on the fly when the PDF opens When the Yellow Message Bar appears choose the Options button and then trust the document once or always Create a privile...

Страница 29: ...ification signature The certification signature is valid The document recipient has specifically trusted the signer s certificate for privileged network operations Configure certificate trust as descr...

Страница 30: ...s untrusted content in the workflow is significantly different than when enhanced security is disabled The feature is specifically designed so that users and admins can preconfigure trust or assign it...

Страница 31: ...ased on the cross domain policy If the PDF opens in the Acrobat Reader standalone application and the FDF data comes back in the https response to a POST GET initiated by the PDF then the FDF data may...

Страница 32: ...ature users can choose to trust a document once or always for the particular action A choice of always adds the document or host to the privileged locations list The message and the options button cho...

Страница 33: ...e settings with the features locked This results in the following All enhanced security protections will be in place Only administrators can configure privileged locations End users cannot change any...

Страница 34: ...obe Adobe Acrobat or Acrobat Reader 9 0 or 10 0 TrustManager bEnhancedSecurityStandalone dword 00000000 bEnhancedSecurityInBrowser dword 00000000 bTrustOSTrustedSites dword 00000001 4 7 Troubleshootin...

Страница 35: ...aScript Allow JavaScript globally by API or by trusting specific document for it Configuration is possible either through the user interface the registry or both as follows User interface Application...

Страница 36: ...eCertificateBasedTrust provides a way to make certified documents trusted as a privileged location 5 4 Disabling JavaScript Global JS configuration may occur via the user interface or the registry pli...

Страница 37: ...an API and the other does not the API is blocked 5 5 1 Blacklist locations Macintosh Policy deployment is specific to Windows so Macintosh has only one update path blacklist at Contents MacOS Prefere...

Страница 38: ...Key 4 Create tBlackList right click in the right hand panel and choose New String value 5 Enter tBlackList 6 Right click on tBlackList and choose Modify 7 Add the APIs to block as a pipe separated li...

Страница 39: ...is the JavaScript Blacklist Framework Tool for Acrobat and Adobe Reader The tool offers protections against an entire class of vulnerabilities that target JavaScript APIs 5 5 4 1 Installation To insta...

Страница 40: ...a current list of APIs from an Adobe server but presents a default list if an Internet connection is unavailable To use the tool 1 Choose Start Programs JS Blacklist Framework for Adobe Reader or Acr...

Страница 41: ...p trustFunction Executing non privileged JS calls via menu items is not blocked whether this box has been checked or not 5 6 1 Trusted override There are several ways to assign trust so that this feat...

Страница 42: ...ith security restrictions These are marked by an S in the third column of the quick bar in the JavaScript for Acrobat API Reference These methods can be executed only in a privileged context which inc...

Страница 43: ...5 8 1 1 Certificate trust You can control script behavior on a per certificate basis or by using trust anchors If a signer s certifying certificate chains up to another certificate a trust anchor that...

Страница 44: ...on the YMB An untrusted document that tries to invoke an URL via JS displays the YMB by default The user is given the option to trust the document for such actions via the Options button on the YMB 5...

Страница 45: ...effort to provide granular control over document behavior The behavior across versions is as follows 5 12 1 9 1 and 8 1 6 and earlier If the application has JavaScript enabled Non high privileged Jav...

Страница 46: ...message bar JS off warning 9 2 and 8 1 7 and later High privileged JavaScript will not execute unless the user has established a prior trust relationship with the document via a trusted certificate or...

Страница 47: ...ly sandboxed processes are specifically prohibited from writing to that folder Thus the most secure operation involves enabling Protected View in Acrobat and Protected Mode in Reader thereby sandboxin...

Страница 48: ...is will export the stored global variables to the new Acrobat session Or Copy glob js and glob setting js from the old JavaScripts folder to the Program Files Adobe Reader JavaScript folder and then d...

Страница 49: ...ed if the file extension is associated with the requisite program File types on the black list These can be attached but a warning dialog appears stating that they cannot be saved or opened from the a...

Страница 50: ...e type version 1 ade 3 adp 3 app 3 arc 3 arj 3 asp 3 bas 3 bat 3 bz 3 bz2 3 cab 3 chm 3 class 3 cmd 3 com 3 command 3 cpl 3 crt 3 csh 3 desktop 3 dll 3 exe 3 fxp 3 gz 3 hex 3 hlp 3 hqx 3 hta 3 inf 3 i...

Страница 51: ...user interface resetting the list to its original state may result in the highest level of security To reset the black and white lists 1 Choose Preferences Trust Manager 2 In the PDF File Attachments...

Страница 52: ...to the white list and prevents future warnings Never allow opening files of this type Adds the file type to the black list and does not open it 4 Choose OK Launch Attachment dialog 6 3 Blacklisted ext...

Страница 53: ...t Microsoft mas Access Stored Procedures Microsoft mat Access Table Shortcut Microsoft mau Media Attachment Unit mav Access View Shortcut Microsoft maw Access Data Access Page Microsoft mda Access Add...

Страница 54: ...Folder url Internet Location vb VBScript file or Any VisualBasic Source vbe VBScript Encoded Script file vbs VBScript Script file Visual Basic for Applications Script vsmacros Visual Studio NET Binary...

Страница 55: ...wed via the user interface cross domain policy files support all the mime types specified in the Cross Domain Policy File Specification 7 1 Cross domain basics 7 1 1 Same origin policies As the Acroba...

Страница 56: ...b com hosts a policy and requires credentials for access then any documents served from the domains listed in b com s policy file gain the right to use those credentials on the user s behalf Now that...

Страница 57: ...by the enhanced security preference Acrobat s cross domain support becomes important when Enhanced security is enabled because uncontrolled cross domain access should not be permitted You require sele...

Страница 58: ...le deployment pattern allows developers to employ the Web Service Proxy pattern In this design pattern new Web services are authored using LiveCycle at the same origin as the hosted document which the...

Страница 59: ...policy file containing a wild card or the local file must be in a privileged location Local files A PDF can be opened directly from a local disk or referenced by a file URL Files have no domain when t...

Страница 60: ...aders in cross domain requests The cross domain feature introduced with 9 0 allows administrators to Create a cross domain policy based on a specification Configure access to a broad range of location...

Страница 61: ...le com crossdomain xml the default location that clients check when a policy file is required Policy files hosted this way are known as master policy files allow access from Allowing access to root do...

Страница 62: ...ccess to this target domain it does define a meta policy that allows other policy files within this domain to determine how access is handled In this case the client is instructed to look for a policy...

Страница 63: ...1 0 DOCTYPE cross domain policy SYSTEM http www adobe com xml dtds cross domain policy dtd cross domain policy allow access from domain example com to ports 507 516 523 cross domain policy 7 2 8 Crede...

Страница 64: ...der 9 1 introduces an extension to cross domain policies that enables cross domain access on a per document basis You do so by identifying a certified document signed with a specific certificate that...

Страница 65: ...ow Signature Properties 3 Choose the Details tab in the Certificate Viewer to see the list of all data for the selected certificate 4 In the Certificate Data pane select the SHA1 digest field 5 In the...

Страница 66: ...e 9 In the Certificate Data pane select the SHA1 digest field 10 In the bottom pane highlight and copy the hex data fingerprint Note You should now remove the ID from the machine so that it doesn t ex...

Страница 67: ...er configuration Policy files function only on servers that communicate over HTTP HTTPS or FTP 7 4 1 Policy file host basics When creating and using a policy file the following rules apply It s name m...

Страница 68: ...t grant permissions for socket based connections For a socket connection a policy file can be used for both same domain connections as well as connections made across domains 7 4 3 Server setup exampl...

Страница 69: ...ee cluster apps sap com com sap eng crossdomain xml 2 Specify the MIME type for the policy file For Netweaver 7 0 Netweaver 7 0 EhP1 and Netweaver 2004 1 Open the Visual Administrator 2 Choose the Pro...

Страница 70: ...You must specify the file extension first and then the MIME type and separate them by a comma For example xml text x cross domain policy 5 Choose Save Changes 7 4 3 4 Windows Cross domain configurati...

Страница 71: ...as app loadPolicyFile url will affect other PDFs opened during that client s session For details refer to the JavaScript for Acrobat API Reference SWFs can load policies from other locations via the...

Страница 72: ...updates and later allow configuration via the user interface To do so 1 Choose Edit Preferences Windows only 2 Select Security Enhanced in the Categories panel 3 Check Create log file Enhanced securi...

Страница 73: ...found The URLs indicate The resource requested Where the PDF was loaded from The policy file granting the permission Note It is possible that multiple policy files would have permitted the operation...

Страница 74: ...and can t be found Verify the files are correctly pointed to A policy file exists but is invalid for some reason In this case this message should be preceded by a more specific message that shows the...

Страница 75: ...Moselle Firefox 2 0 0 3 and earlier 2 0 0 4 and later Safari Macintosh 2 x and earlier 3 x and later strict Policy file requested from s redirected to s will use final URL in determining scope An HTTP...

Страница 76: ...er policy file The site control tag is only legal in master policy files crossdomain xml on an HTTP HTTPS FTP server or a socket policy file from port 843 The meta policy has been ignored but the poli...

Страница 77: ...server should explicitly declare a meta policy rather than relying on this implicit mechanism This can be done using a site control tag in the master policy file or using the HTTP response header X P...

Страница 78: ...Acrobat clients should not receive these messages However since Acrobat leverages the Flash model these are provided for informational purposes Root level SWF loaded s Only pertinent to Flash Found se...

Страница 79: ...ent to Flash and socket policy files strict Local socket connection forbidden to host s without a socket policy file Only pertinent to Flash and socket policy files Application Security Guide Section...

Страница 80: ...ver Trust Manager internet access settings 8 1 2 Configuration For 9 2 and earlier this feature overrides enhanced security settings for files and folders With 9 3 enhanced security settings take prec...

Страница 81: ...hether or not URL access is allowed on a global or per URL basis Manage Internet Access dialog For URLs that aren t explicitly trusted or blocked they are not on the white or black list a warning appe...

Страница 82: ...he Authplay dll for playing content is defined as non legacy multimedia Files like flv and h 264 encoded files play by default The Yellow Message Bar doesn t appear in the presence of these media type...

Страница 83: ...buttons choose Trusted documents or Non trusted documents The Trust Manager displays the selected trust preferences Note Beginning with 9 5 and 10 1 2 trust for legacy multimedia formats is stored in...

Страница 84: ...or the file folder or host With 9 5 10 1 2 and later create a privileged location via the registry plist by placing a tID at HKCU Software Adobe product name version TrustManager cTrustedSites or Trus...

Страница 85: ...e For versions 8 2 9 3 to 9 4 7 10 1 1 this feature does not interact with enhanced security and the Trusted Documents list is not the same as the privileged locations list Trust is stored in a file c...

Страница 86: ...ct by flags which are defined in the PDF Reference For example an URL might point to an image external to the document Only PDF developers create PDF files with streams so you may not need to enable a...

Страница 87: ...nt Trust files folders and hosts as privileged locations via Preferences Security Enhanced Privileged Locations panel so that when a PDF with 3D content opens If it is trusted the 3D content renders I...

Страница 88: ...ontent in a PDF Enterprise IT can control how Flash plays within PDFs by setting the bEnableFlash registry entry Win or EnableFlash plist entry Mac When set to 0 Flash only plays if the PDF is a trust...

Страница 89: ...trust is assigned Permissions granted by other features often overlap For example cross domain policies internet access settings in Trust Manager and certificate trust settings for certified documents...

Страница 90: ...iction The Win OS Security Zone setting in the Privileged Locations panel now includes Local Intranet zones in addition to the current Trusted Sites zone The product should assign trust as Internet Ex...

Страница 91: ...edFolders cTrustedSites The container cab determines which restriction the document can bypass For example a tID under cCrossDomain allows cross domain access For a complete list of available preferen...

Страница 92: ...e recursive modify the name by appending _recursive to it Registry Configuration Recursive trust HKEY_CURRENT_USER Software Adobe product name version TrustManager cTrustedFolders cScriptInjection t5_...

Страница 93: ...setting via the UI as follows by setting bDisableOSTrustedSites as follows 0 Disables trusting sites from IE and locks the feature 1 Enables trusting sites from IE and locks the feature HKEY_LOCAL_MAC...

Страница 94: ...s List 9 x Choose Security Manage Trusted Identities and from the Display drop down list choose Certificates 10 x Choose Tools Sign and Certify More Sign and Certify Manage Trusted Identities and From...

Страница 95: ...ternal content access 1 Choose Edit Preferences Page Display Windows or Acrobat Preferences Page Display Macintosh 2 Configure the Reference XObjects View Mode panel by setting Show reference XObject...

Страница 96: ...cal components of information assurance For example signing certificates in certified documents can be used to assign trust for operations that would otherwise be restricted by enhanced security This...

Отзывы:

Нет отзывов

Похожие инструкции для 12001196 - Acrobat - Mac

Бренд: Samsung Страницы: 11

Persona Persona M30e

Бренд: Fargo Страницы: 31

Бренд: MACROMEDIA Страницы: 232

Unity Express 8.0 Voice-Mail System

Бренд: Cisco Страницы: 50

TELEPRESENCE MANAGEMENT SUITE PROVISIONING

Бренд: Cisco Страницы: 16

Unified MeetingPlace H.323/SIP

Бренд: Cisco Страницы: 54

PVDM2 24DM - Digital Modem Module

Бренд: Cisco Страницы: 48

TELEPRESENCE MANAGEMENT SUITE SECURE SERVER

Бренд: Cisco Страницы: 34

Бренд: Cisco Страницы: 8

Unified Videoconferencing Manager

Бренд: Cisco Страницы: 22

SMART BUSINESS COMMUNICATIONS SYSTEM

Бренд: Cisco Страницы: 27

MDS 9222i - Multiservice Modular Fabric Switch

Бренд: Cisco Страницы: 40

MCS 7825 Series

Бренд: Cisco Страницы: 20

Surveillance Media Server

Бренд: Cisco Страницы: 14

Бренд: Cisco Страницы: 92

TelePresence Movi 4.1

Бренд: Cisco Страницы: 29

MeetingPlace Video Integration

Бренд: Cisco Страницы: 84

Бренд: Cisco Страницы: 48

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды