NIST FDCC Compliance with Adobe Acrobat and Reader


Adobe Acrobat and Adobe Reader have been tested and meet the NIST FDCC compliance guidelines according to the testing process provided in OMB memo m08-22. Compliance was verified by testing the product using the procedures described below.

The Federal Desktop Core Configuration (FDCC) is a list of security settings managed by the National Institute of Standards and Technology (NIST) for US government computers. The Office of Management and Budget (OMB) has instructed agencies to use these settings together with a vendor's self-assertion that its desktop applications work with FDCC settings.

Testing Procedure:

The testing of Adobe Acrobat 9.0 and Adobe Reader 9.0 was completed on both XP and Vista with the following steps:

1. Take a baseline scan of FDCC settings using the SCAP-validated Secutor Prime Pro.
2. Install, as Admin, any software required for functional testing.
3. Take a second baseline scan of FDCC settings before installing the Adobe product.
4. Install the Adobe product as Admin.
5. Scan the system for changes to FDCC settings.
6. Log on to a standard user level account.
7. Perform application testing in all functional areas.
9. Scan the system for changes to FDCC settings.
10. Uninstall the product as Admin, and restart.
11. Scan the system for changes to FDCC settings.

The application performed correctly on a standard user level account in all functional areas on both operating systems, with a few minor exceptions. Two main pieces of functionality are lost in the FDCC configuration:

1. Product update via the Help menu in the application is unavailable to a Standard User (it can be accessed when logged in as Admin). We believe this is due to security mechanisms put in place by the operating system. However, we tested downloading the standalone update from and were able to patch the application successfully as a workaround.
2. The Acrobat toolbar for Internet Explorer is unavailable. There is an explicit FDCC requirement to disable toolbars in IE, so this behaviour is by design.

In addition, two cases do not work as expected because of FDCC policy number CCE 598, which disables the ability of Internet Explorer to launch COM add-ons known as browser helper objects. The two cases are:

1. Using the "Back" button in the browser, when the web server sends any one of FDF/XFDF/XDP to the PDF loaded in the browser as a response to a POST, causes a re-submission to the web server.
2. Using template-based assembly of a new PDF from a received FDF in the browser causes the assembled PDF to open, but the data is not populated.

Some functional areas required the Flash Player; however, installation of ActiveX controls is disabled by default, so we had to download and install the stand-alone Flash installer as Admin.

Issues encountered during testing:

XP:

Firewall Settings: Throughout the testing process, two FDCC settings had to be turned off because of the testing setup, so that we could remotely test the settings using an SCAP scanner. These two settings from the standard profile are:
- Allow file and printer sharing exception
- Do not allow exceptions

Security Updates: The system was set up with XP Service Pack 3, which rolled in the hot fix corresponding to Knowledge Base article number 923191 (MS06-057). However, the SCAP test has an error, acknowledged by NIST, in which it still looks for the registry key corresponding to the hot fix regardless of whether the service pack is installed. This failure can be seen throughout the testing process.

Vista:

Security Updates: As on XP, there is a conflict between Service Pack 1 being installed and a specific hot fix that FDCC looks for (MS07-032, KB931213), which has been rolled into SP1. This issue has also been acknowledged by NIST representatives.

Overall:

For some testing procedures, certain FDCC settings were turned off explicitly so that the testing procedures could succeed. These settings were:

1. Logon options: in order to perform certain automated testing, the logon option for message text to users had to be disabled and automatic logon enabled. These are not necessary for normal use of Acrobat or Reader and were only changed on specific machines used for automated testing.
2. Enable Telnet: in one instance, this setting was changed because of connection issues on the testing machine; however, this was an isolated case that was explicitly changed by the tester and is not necessary for normal use of Acrobat or Reader. These settings were only changed for the purpose of testing.

While testing Internet Explorer, six of the settings are located in the per-user section of the registry and could not be accessed from the remote machine when logged in as the standard user. These settings failed in scans if the standard user was logged in, but this does not reflect the settings' current state; rather, it is a deficiency in FDCC testing abilities.

Additionally, Acrobat and Reader interact with various third-party applications such as Microsoft Office, which require further Microsoft hotfixes to be installed in order to remain compliant with FDCC. 3rd party products and associated hotfixes are necessary post install. Please note that none of these setting changes are caused explicitly by Adobe products and can be easily mitigated through Windows Updates.
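The procedure above is a sequence of FDCC scans taken between phases (baseline, prerequisite install, product install, functional testing, uninstall), with the product held responsible only for drift that first appears after its own phase. The following script, an added illustration rather than anything from Adobe or the scanner vendor, attributes each setting change to the phase in which it appeared and keeps scanner errors that NIST has acknowledged (such as the hotfix check superseded by a service pack) out of the drift report. The setting IDs and scan results are constructed placeholders, not real CCE identifiers or output from Secutor Prime Pro.

```python
from collections import namedtuple

# One row of the attribution report: which phase a setting changed in, and how.
Drift = namedtuple("Drift", "phase setting before after")

def diff_scans(before, after):
    """Settings whose state differs between two scans (a missing ID counts as 'absent')."""
    changed = {}
    for sid in sorted(before.keys() | after.keys()):
        b, a = before.get(sid, "absent"), after.get(sid, "absent")
        if b != a:
            changed[sid] = (b, a)
    return changed

def attribute_drift(scans, known_false_positives=frozenset()):
    """scans: list of (phase_name, {setting_id: 'pass'|'fail'}) in procedure order.
    Returns every state change tagged with the phase in which it first appeared,
    skipping IDs in known_false_positives (scanner checks acknowledged as wrong)."""
    drifts = []
    for (_, prev), (phase, cur) in zip(scans, scans[1:]):
        for sid, (b, a) in diff_scans(prev, cur).items():
            if sid not in known_false_positives:
                drifts.append(Drift(phase, sid, b, a))
    return drifts

def unresolved_regressions(drifts):
    """Settings that went to 'fail' and were not restored to 'pass' by a later phase."""
    state = {}
    for d in drifts:          # drifts are in phase order, so the last change wins
        state[d.setting] = d.after
    return sorted(s for s, v in state.items() if v == "fail")

def preexisting_failures(baseline, known_false_positives=frozenset()):
    """Failures already present before any install, minus acknowledged scanner errors."""
    return sorted(s for s, v in baseline.items()
                  if v == "fail" and s not in known_false_positives)

# Constructed scan results with placeholder IDs; "KB923191-check" stands in for the
# hotfix check that keeps failing on XP SP3 even though the fix is rolled into the SP.
SCANS = [
    ("baseline", {"CCE-FW-1": "pass", "CCE-IE-2": "pass", "KB923191-check": "fail"}),
    ("after prerequisite install", {"CCE-FW-1": "pass", "CCE-IE-2": "pass", "KB923191-check": "fail"}),
    ("after Adobe install", {"CCE-FW-1": "pass", "CCE-IE-2": "fail", "KB923191-check": "fail"}),
    ("after functional testing", {"CCE-FW-1": "fail", "CCE-IE-2": "fail", "KB923191-check": "fail"}),
    ("after uninstall", {"CCE-FW-1": "pass", "CCE-IE-2": "fail", "KB923191-check": "fail"}),
]

if __name__ == "__main__":
    drifts = attribute_drift(SCANS, {"KB923191-check"})
    for d in drifts:
        print(f"{d.phase}: {d.setting} {d.before} -> {d.after}")
    print("pre-existing failures:", preexisting_failures(SCANS[0][1], {"KB923191-check"}))
    print("still failing at end:", unresolved_regressions(drifts))
```

In the constructed run, the one regression introduced at install survives the uninstall and is the only item a reviewer would need to investigate; the change made during functional testing reverts and is reported but not flagged.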


Posted on 03-13-2009