Back
🔒
Adobe Acrobat Reader DC STIG Hardening Checklist
Hard
25 items
·
2 hours
testuser
Published 4 months ago
This checklist walks through hardening Adobe Acrobat Reader DC (Continuous track) to meet DISA STIG guidance. It’s for system administrators and desktop/security teams managing Windows environments who need to apply STIG resources, enforce policies, and verify compliance.
Progress
0 / 25
- Identify installed Acrobat Reader DC product track — Check install path or Programs and Features to confirm Continuous vs Classic track.
- Check installed version and CPE against STIG target — Record version (e.g., cpe:/a:adobe:acrobat_reader:10.1.1) and note discrepancies.
- Backup current Acrobat Reader settings and policy files — Export GPOs, Intune configs, and local settings before changes.
- Download STIG resources — Gather SCAP, XCCDF, GPOs, Intune policies, and SCC automated content.
- Download SCAP 1.3 content (Adobe Acrobat Reader DC STIG) — Get SCAP 1.3 Benchmark (Ver 2, Rel 4) from DISA resources.
- Download standalone XCCDF content — Obtain the XCCDF 1.1.4 benchmark for automated scanning.
- Download Group Policy Objects (GPOs) package — Retrieve the latest GPO package referenced by the STIG.
- Download Intune policies package — Download Intune policy files (e.g., January 2026/updated packages).
- Download SCC automated content — Get the SCC automated content and SCC tool for bulk remediation.
- Import GPO templates into Group Policy Management — Load and link GPOs to an OU containing test systems first.
- Import Intune policies into Microsoft Intune and assign to a test group — Import, assign to a pilot group, and validate policy deployment.
- Run SCAP/XCCDF compliance scan and review the report — Scan targets and prioritize high-severity findings for remediation.
- Apply SCC automated content via SCC tool — Use SCC to automate remediation where available; test before deploy.
- Configure update channel to Continuous track and enable silent updates — Ensure Continuous track is selected and silent auto-updates are on.
- Enable Protected Mode and Enhanced Security settings — Turn on sandboxing and enhanced security to limit exploit risk.
- Disable JavaScript in Acrobat Reader — Turn off JavaScript execution to reduce attack surface.
- Disable Adobe Document Cloud and online services integration — Turn off cloud features if not required by users or workflow.
- Disable browser integration and plugins for Acrobat Reader — Prevent PDF handling in browsers if policy requires local viewing only.
- Block external content and automatic launching of embedded files — Disallow external links, multimedia auto-play, and launching of attachments.
- Remove older Acrobat Reader versions and leftover installers — Uninstall legacy installs and delete offline installers from endpoints.
- Verify downloaded resource SHA hashes and file integrity — Compare SHAs to vendor/DISA values before applying packages.
- Test all changes in a representative test environment — Validate functionality and compatibility before wide deployment.
- Document applied settings, versions, and test results — Record policy versions, GPO/Intune imports, test notes, and rollbacks.
- Schedule periodic STIG updates and re-scans — Plan monthly or quarterly reviews and re-scan cadence.
- Send comments or change requests to DISA if needed — Email DISA FSO with proposed revisions or issues (per STIG guidance).
Your Stats
🏆
0
Completed
📅
—
Last Done
⏱️
—
Last Time
Completion Rate
Items checked per run
⚡
—
Fastest Run
🔥
0
Streak
🚫
—
Most Skipped Step
🔄
0
Resets
📝 My Notes