TickYouOff
Back
🔒

Adobe Acrobat Reader DC STIG Hardening Checklist

Hard 25 items · 2 hours
testuser's avatar
testuser Published 4 months ago

This checklist walks through hardening Adobe Acrobat Reader DC (Continuous track) to meet DISA STIG guidance. It’s for system administrators and desktop/security teams managing Windows environments who need to apply STIG resources, enforce policies, and verify compliance.

Source: https://ncp.nist.gov/checklist/666

Progress
0 / 25
  1. Identify installed Acrobat Reader DC product track — Check install path or Programs and Features to confirm Continuous vs Classic track.
  2. Check installed version and CPE against STIG target — Record version (e.g., cpe:/a:adobe:acrobat_reader:10.1.1) and note discrepancies.
  3. Backup current Acrobat Reader settings and policy files — Export GPOs, Intune configs, and local settings before changes.
  4. Download STIG resources — Gather SCAP, XCCDF, GPOs, Intune policies, and SCC automated content.
  5. Download SCAP 1.3 content (Adobe Acrobat Reader DC STIG) — Get SCAP 1.3 Benchmark (Ver 2, Rel 4) from DISA resources.
  6. Download standalone XCCDF content — Obtain the XCCDF 1.1.4 benchmark for automated scanning.
  7. Download Group Policy Objects (GPOs) package — Retrieve the latest GPO package referenced by the STIG.
  8. Download Intune policies package — Download Intune policy files (e.g., January 2026/updated packages).
  9. Download SCC automated content — Get the SCC automated content and SCC tool for bulk remediation.
  10. Import GPO templates into Group Policy Management — Load and link GPOs to an OU containing test systems first.
  11. Import Intune policies into Microsoft Intune and assign to a test group — Import, assign to a pilot group, and validate policy deployment.
  12. Run SCAP/XCCDF compliance scan and review the report — Scan targets and prioritize high-severity findings for remediation.
  13. Apply SCC automated content via SCC tool — Use SCC to automate remediation where available; test before deploy.
  14. Configure update channel to Continuous track and enable silent updates — Ensure Continuous track is selected and silent auto-updates are on.
  15. Enable Protected Mode and Enhanced Security settings — Turn on sandboxing and enhanced security to limit exploit risk.
  16. Disable JavaScript in Acrobat Reader — Turn off JavaScript execution to reduce attack surface.
  17. Disable Adobe Document Cloud and online services integration — Turn off cloud features if not required by users or workflow.
  18. Disable browser integration and plugins for Acrobat Reader — Prevent PDF handling in browsers if policy requires local viewing only.
  19. Block external content and automatic launching of embedded files — Disallow external links, multimedia auto-play, and launching of attachments.
  20. Remove older Acrobat Reader versions and leftover installers — Uninstall legacy installs and delete offline installers from endpoints.
  21. Verify downloaded resource SHA hashes and file integrity — Compare SHAs to vendor/DISA values before applying packages.
  22. Test all changes in a representative test environment — Validate functionality and compatibility before wide deployment.
  23. Document applied settings, versions, and test results — Record policy versions, GPO/Intune imports, test notes, and rollbacks.
  24. Schedule periodic STIG updates and re-scans — Plan monthly or quarterly reviews and re-scan cadence.
  25. Send comments or change requests to DISA if needed — Email DISA FSO with proposed revisions or issues (per STIG guidance).
Sign in to save
📝 My Notes