With the release of the 10.1 update, Acrobat X for Windows provides a sandbox called Protected View. Protected View is another defense-in-depth feature that is tightly integrated with the existing Enhanced Security feature. Protected View in Acrobat leverages the successful sandbox implementation already in place for Adobe Reader while providing a user experience that should be familiar to Microsoft Office 2010 users.
Acrobat’s Protected View sandbox is similar to Reader’s Protected Mode sandbox and provides equal protection. Just like Reader, Acrobat strictly confines the execution environment of untrusted PDF files and the processes they invoke. Based on user preferences when Protected View is enabled, Acrobat assumes either all PDF files or just PDF files loading from untrusted locations are potentially malicious and confines processing to a restricted sandbox.
Design Principles
Designing Protected Mode in Adobe Reader was pretty simple: we needed to put Reader in a sandbox and allow only controlled access to the local machine. When we designed Protected View in Acrobat, we had a lot more to think about because there’s a lot more to Acrobat. We didn’t want to break the tasks and workflows that our customers rely on Acrobat to help them with. The following is a list of our design principles for Protected View.
- PDF files viewed in a browser using Acrobat with Protected View on are more functional than PDF files in Reader’s sandbox: For Protected View in a browser, the UI provides access to all of the features provided by Reader as well as the features that are available for any rights enabled document when viewed in Reader.
- As secure as Reader running in Protected Mode: Acrobat leverages the same technology and implementation as Reader and is just as secure.
- Transitioning out of Protected View should be simple: In Protected View, exiting the read-only mode is as simple as choosing “Enable All Features”.
- Disabled features should not be hidden: If a feature is not enabled in the sandbox, the UI still displays the disabled feature in the menu as a grayed out item.
Trust can be assigned to documents so that they bypass Protected View restrictions: Because of its integration with Enhanced Security, users can specify files, folders, and hosts as privileged locations
that are not subject to Protected View trust restrictions. PDF files originating from a privileged location will not open in Protected View.
Protected View is disabled by default to ensure compatibility with existing workflows… but Protected View should be enabled all the time for casual users who interact with PDF files in unsecured environments. Protected View can be enabled for all PDF files or just those that are from potentially unsafe locations. Web browsers and email programs typically mark documents such as downloaded internet files and attachments, including PDF files, with a “potentially unsafe” flag. When you open such a document, Acrobat displays a warning bar at the top of the viewing window. This is the recommended setting. In this state, many of Acrobat’s features that allow you to interact with and change the document or its state are disabled and the associated menu items are grayed out in order to limit your interaction. If “All files” is selected, even PDF files that you just created will open in Protected View.
Acrobat’s behavior with Protected View enabled is slightly more complex than Reader’s. Protected View was designed for two types of scenarios: viewing PDF files with the standalone application and viewing PDF files in a browser. This distinction preserves usability and provides the right level of functionality in each mode.
Protected View in Standalone Acrobat
In the standalone application, behavior is simple and parallels the Protected View provided by Microsoft Office 2010. The view is essentially read-only, and the disabled features prevent any embedded or hidden malicious content from tampering with your system. Once you’ve decided to trust the document, choosing “Enable All Features” exits Protected View, re-enables all commands, depending on the document permissions, and provides permanent trust for the PDF file by adding it to Enhanced Security’s list of privileged locations. The document is now open in a full, unsandboxed Acrobat process.
Protected View in a Browser
When a PDF is opened in a browser, Protected View provides a streamlined experience that doesn’t utilize a warning bar. Instead, browser-based PDF files provide an Adobe Reader-like experience for documents that have been “rights enabled.” That is, all of Reader’s features are available in addition to features that become enabled when a document author uses Acrobat to extend features to Reader users. These features include signing existing form fields, adding new signature fields, saving form data, and other tasks that modify the document if the document permissions allow these.
In this respect, a PDF file in the browser’s Protected View is more capable than a PDF file in the standalone Protected View. On the other hand, the browser-based capabilities are always limited while the standalone application enables users to achieve full functionality with a single click of a button.
Note: Because Windows Explorer leverages the Acrobat browser plug-in to create thumbnails for PDF files, Windows Explorer Preview displays PDF files using Protected View even if the file is already trusted.
Registry Configuration
Registry configuration enables pre and post deployment configuration via the Customization Wizard, scripts, GPO, and other IT-centric methodologies. Additional functionality also provides more granular control than is provided by the user interface alone. Protected View can be enabled or disabled via the registry for the following:
- Unsafe file locations only
- Protected View for all files
- Temporary files in the Temporary Internet Files directory
- Outlook email attachments
To configure Protected View, add the following keys to…
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\TrustManager
or
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\10.0\FeatureLockDown
bProtectedViewForUnsafe – Specifies whether Protected View is invoked for files originating from an untrusted location.
bProtectedViewForAll – Specifies whether Protected View is invoked for all files.
bDisableTemporaryFile – Specifies whether Protected View is turned off for temporary files located within “Temporary Internet Files” directories.
bEnableAlwaysOutlookAttachment – Specifies whether Protected View is turned off for all Microsoft Outlook attachments.
Note: Earlier versions of Outlook (Office 2003 and 2007) do not append origin information to files they download to its temp directory. As a result, there is no way of knowing if the file came from trusted source. Such files do not automatically open in Protected View.
For more information about this and other Application Security features, see the Application Security Library and watch Brad Arkin, Sr. Director of Product Security and Privacy discuss Adobe’s strategy in the security space.
Typo in the reg key above,
HKEY_CURRENT_USER\Software\Adobe\Acrobat Acrobat\10.0\TrustManager
should be
HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\10.0\TrustManager
Good catch – I’ve updated the post
I want someone to be able to open an adobe pdf file which I am sending them?
How do I turn off the locked feature?
Protected view does not prevent users from opening files.
Joel, your comment to Mary is not true. I have to send the person the password to allow them to even open the document. In addition now I can not even change the security settings. This is a real immpediment to doing business.
I am not happy
The document is not editable when in Protected View. You must exit Protected View in order to modify the security settings.
After downloading newest version of Adobe Reader many pdf files will not open – ones emailed, pics downloaded from my camera, etc. Never had problems before this download and have tried all I can find to fix and no solution – please help or direct me to info that may help.
You might try posting this to the Acrobat user-to-user forums, it’s nearly impossible to diagnose these kinds of issues without having access to your specific environment. http://forums.adobe.com/community/acrobat
This is annoying, I have a document that can’t be edited by .pdf readers when I save as a reader extended form. When I save, it says “Security permissions already existing on this document only allow signing existing signature fields” – How can I fix this??
You’d need to remove the security permissions and you’ll need the password to do it. You mat need to contact the document author.
In Adobe Acrobat Pro, when reading documents I am unable to highlight text and are advised the the document is PDF/A format as is therefore read-only and cannot be modified.
I dont want to modify the document I only want to highlight text to make it easy to find.
Is there any way to avoid this ridiculous security overkill or do I need to find a better pdf reader?
PDF/A documents are considered read-only. The author made the choice to create a PDF/A document, it’s not the default. While it may be inconvenient to not allow highlighting for your use case, I think it’s easy to see that highlighting the document with black highlights will significantly change the document. You may need to contact the author to get a non-PDF/A version of the file.