TickYouOff
Sign in
Back
🔒

Adobe Acrobat Reader DC Continuous Track STIG (Ver 2, Rel 1)

Medium 19 items · 1 hour
testuser's avatar
testuser Published 2 months ago
Security

This checklist captures key security configuration and verification steps from the DISA STIG for Adobe Acrobat Reader DC Continuous Track. It’s for administrators and security teams who must harden Reader, deploy DISA GPO/Intune resources, and verify compliance in managed Windows environments.

Source: https://ncp.nist.gov/checklist/666

Progress
0 / 19
  1. Verify Adobe Acrobat Reader DC product track — Confirm Continuous vs Classic before applying STIG settings.
  2. Check installation path for Continuous track (C:Program Files (x86)AdobeAcrobat Reader DC) — Continuous track defaults to this folder.
  3. Check Programs and Features entry to confirm 'Adobe Acrobat Reader DC' (Continuous) or 'Adobe Acrobat Reader MUI' (Classic) — Use Programs and Features if path is ambiguous.
  4. Install or update to the approved Continuous track version — Apply the organization's approved Reader build before policy changes.
  5. Download DISA SCAP, XCCDF, GPO, Intune and SCC resources — Obtain the latest STIG content, GPO and Intune packages from DISA.
  6. Apply DISA-provided GPO files to Active Directory — Import and link the GPO to target OUs.
  7. Import Intune policies into Microsoft Intune and assign to device groups — Upload and assign Intune policy packs for Reader DC.
  8. Configure silent automatic updates for the Continuous track — Set updates to silent so security fixes apply promptly.
  9. Disable Adobe Document Cloud and online services features — Block cloud integrations if not authorized by policy.
  10. Disable JavaScript execution in Acrobat Reader — Turn off JavaScript to reduce attack surface.
  11. Enable Protected View/Protected Mode and configure enhanced security — Ensure sandboxing and enhanced protection are enforced.
  12. Restrict or remove unnecessary plugins and browser extensions — Disable third-party plug-ins not required by users.
  13. Enforce browser PDF handling to use managed system viewer settings — Prevent unmanaged or legacy viewers from handling PDFs.
  14. Verify policy deployment and compliance on target hosts — Confirm settings applied and report noncompliance.
  15. Run gpresult /h or use GPO reporting to confirm GPO settings on a test host — Generate a report showing applied GPO settings.
  16. Check Intune device configuration status and compliance in the Intune portal — Review assignment and deployment success/failures.
  17. Enable auditing of Acrobat Reader installations and updates — Log installs/updates for incident response and tracking.
  18. Document exceptions, test impacts, and a phased roll-out plan — Test in representative environments before wide deployment.
  19. Subscribe to DISA STIG updates, SHA changes and resource feeds — Stay current with DISA resource and checksum updates.
Sign in to save
📝 My Notes