
Sharing Security Policy Settings across multiple users?

New Here, Aug 06, 2018

Hi there,

This is a question about Security Policies.

I was under the impression that, given Acrobat DC (2015) saved the details of its Security Policy settings in the 'security-policy.acrodata' file, that I would be able to place this file in a network location such that other users would instantly have the ability to use the same Security Policy on their installation.

However, while the Policy does show up correctly on another installation (by replacing the security-policy.acrodata and associated .DAT files on their machine), it cannot successfully apply security and when trying to edit presents an error message about file corruption.

My hypothesis is that the accompanying 'lb.dat', 'lbi.dat' and 'lbk.dat' files within the /Security folder tie the decryption of the fields /OwnerPWId and/or /SP_Id within the security-policy.acrodata to a specific installation. Upon opening or editing the security policy, the aforementioned .DAT files are instantly over-written, and setting them to 'Read Only' causes Acrobat to crash.

As such - is there no way to share settings in this manner (any more)?

I am aware there is a 'LiveCycle' system which can distribute network policies.

I am aware that Pro installations can generate and then subsequently read a custom set of Actions to achieve the same thing, but in a couple more clicks for the end user.

Many thanks in advance,

Craig

TOPICS
Security digital signatures and esignatures

New Here, Aug 06, 2018

Hoping Steven.Madwin will reply to this?

I would cite Re: Data encryption policies and personal passwords lost with the upgrade from Acrobat Pro to Acroba... as the last (three years ago!) instance of this problem which was left un-resolved.

Adobe Employee, Aug 15, 2018

Hi Craig,

I'm not on the Acrobat team any longer, thus I don't normally monitor this forum, hence the delay in answering.

First, a couple of caveats.

  1. This can only be done from Acrobat Standard or Pro. You cannot do this if you're using Acrobat Reader.
  2. If you've configured Security Policies in the Adobe Experience Manager (née Rights Management Server) they are not exportable. Those policies are locked to a specific e-mail and won't work for anyone else.

Please try this:

  • Select the Edit > Preferences (Windows) or Acrobat > Preferences (Mac) menu item
  • Select Security from the Categories list box on the Preferences dialog
  • Click the Export button in the Security Settings group box
  • Click the Deselect All button, and then select the Security Policies checkbox
  • Click the Export button on the dialog
    [Screenshot: Click Export.png]
  • Select the None radio button on the Export Security Settings dialog, and then click the OK button
  • Click the OK button on the no encryption confirmation dialog
  • Click the OK button on the Save as Certified Document dialog
  • Select a digital ID to sign the Security Settings file with and then click the Continue button
    • Note: this works much better if you are using a digital ID that chains up to a trusted certificate that is in the Acrobat list of Trusted Identities by default. Otherwise, each individual importing the file will have to manually set trust in order for the signature to be valid.
  • Provide a name (e.g. Policies.acrobatsecuritysettings) and then save the Security Settings file
  • Click the OK button on the success information dialog

The users looking to import the file will use the same steps to get to the Security panel on the Preferences dialog, but click the Import button to start the process. You can Import using Acrobat Reader; only Export is not available.

Steve

New Here, Aug 16, 2018

Hi Steven.Madwin, many thanks for your response! I had got as far as exploring the 'export' function but, not knowing anything about digitally signing documents, didn't take it any further.

Your proposed approach works well in principle; the issue now is that each (Standard) User now has to:

  • click Edit
  • click Preferences
  • click Security
  • click Import
  • navigate to the file location (could be several clicks)
  • click Import
  • click OK
  • click OK

This is almost as many actions as setting up a security policy from scratch!

If everyone was on Pro I could create a custom Tool, leverage the Action wizard and apply security in a couple of clicks. Unfortunately this is not the case.

What we are really looking for is a batch-able process such that all users can have our security settings within their installation and ready to go - do you know of any way to automate the process outlined in bullets above, that will work for Standard and Pro Users alike?

Many thanks in advance,

Craig

Adobe Employee, Aug 16, 2018 (Correct answer)

Hi Craig,

First, the Export Security Settings feature is the equivalent of a batch export process. Each checkbox in the screenshot below used to have to be exported (and consequently imported) individually.

[Screenshot: Export Security Settings.png]

The feature was added in order to allow a user to export all of these settings en masse.

Second, the reason that the resulting security settings file needs to be digitally signed is because a digital signature provides two things: it ensures that the signed file has not been tampered with (document integrity check), and it ensures that the signer is who they say they are and was authorized to sign (signer integrity check). Because we opened the door to allow a (relatively) easy way to make a lot of changes to someone's computer, it was incumbent upon us to ensure that the data about to be imported provided enough security to make sure the recipient's computer was not being hijacked by an unreliable source (read, the bad guy).

Finally, there is a method to allow users to import the settings without having to do anything. It was designed to work in an enterprise environment, not the individual-by-individual world (it can work that way, but as you mentioned each person has to apply the settings). You can create a custom installer that will set the registry setting to cause the Custom Import feature to be enabled. It would look something akin to this:

[Screenshot: Custom Import.png]

It's from here where you can control the frequency of checking for updates and require that the security settings file is signed by a specific digital ID. I know you mentioned that you're not familiar with digital IDs, but one of the foundations of Public-key Infrastructure (PKI) is that digital IDs are only issued to entities who can prove their identity. You may want to (you don't have to) require that the settings file is signed with your company's corporate digital ID as an extra layer of security.

Steve

New Here, Aug 13, 2018

Anyone?
