Copy link to clipboard
Copied
Hi there,
This is a question about Security Policies.
I was under the impression that, given Acrobat DC (2015) saved the details of its Security Policy settings in the 'security-policy.acrodata' file, that I would be able to place this file in a network location such that other users would instantly have the ability to use the same Security Policy on their installation.
However, while the Policy does show up correctly on another installation (by replacing the security-policy.acrodata and associated .DAT files on their machine), it cannot successfully apply security and when trying to edit presents an error message about file corruption.
My hypothesis is that the accompanying 'lb.dat', 'lbi.dat' and 'lbk.dat' files within the /Security folder tie the decryption of the fields /OwnerPWId and/or /SP_Id within the security-policy.acrodata to a specific installation. Upon opening or editing the security policy, the aforementioned .DAT files are instantly over-written, and setting them to 'Read Only' causes Acrobat to crash.
As such - is there no way to share settings in this manner (any more)?
I am aware there is a 'LiveCycle' system which can distribute network policies.
I am aware that Pro installations can generate and then subsequently read a custom set of Actions to achieve the same thing, but in a couple more clicks for the end user.
Many thanks in advance,
Craig
Hi Craig,
First, the Export Security Settings feature is the equivalent of a batch export process. Each checkbox in the screen shot below used to have to be exported (and consequently import) individually.
The feature was added in order to allow a user to export all of the these settings en masse.
Second, the reason that the resulting security settings file needs to be digitally signed is because a digital signature provides two things; it insures that the signed file has not been tampered with (d
...Copy link to clipboard
Copied
Hoping Steven.Madwin​ will reply to this?
I would cite Re: Data encryption policies and personal passwords lost with the upgrade from Acrobat Pro to Acroba... as the last (three years ago!) instance of this problem which was left un-resolved.
Copy link to clipboard
Copied
Hi Craig,
I'm not on the Acrobat team any longer, thus I don't normally monitor this forum, hence the delay in answering.
First, a couple of caveats.
Please try this:
The users looking to import the file will use the same steps to get to the Security panel on the Preferences dialog, but click the Import button to start the process. You can Import using Acrobat Reader, only Export is not available.
Steve
Copy link to clipboard
Copied
Hi Steven.Madwin​, many thanks for your response! I had got as far as exploring the 'export' function but, not knowing anything about digitally signing documents, didn't take it any further.
Your proposed approach works well in principle, the issue now is that each (Standard) User now has to:
This is almost as many actions as setting up a security policy from scratch!
If everyone was on Pro I could create a custom Tool, leverage the Action wizard and apply security in a couple of clicks. Unfortunately this is not the case.
What we are really looking for is a batch-able process such that all users can have our security settings within there installation and ready to go - do you know of any way to automate the process outlined in bullets above, that will work for Standard and Pro Users alike?
Many thanks in advance,
Craig
Copy link to clipboard
Copied
Hi Craig,
First, the Export Security Settings feature is the equivalent of a batch export process. Each checkbox in the screen shot below used to have to be exported (and consequently import) individually.
The feature was added in order to allow a user to export all of the these settings en masse.
Second, the reason that the resulting security settings file needs to be digitally signed is because a digital signature provides two things; it insures that the signed file has not been tampered with (document integrity check), and, it insures that the signer is who they say they are and was authorized to sign (signer integrity check). Because we opened the door to allow a (relatively) easy way to make a lot of changes to someone's computer, it was incumbent upon us to insure that the data about to be imported provided enough security to make sure the recipient's computer was not being hijacked by an unreliable source (read, the bad guy).
Finally, there is a method to allow users to import the settings without having to do anything. It was designed to work in an enterprise environment, not the individual-by-individual world (it can work that way, but as you mentioned each person has to apply the settings). You can create a custom installer that will set the registry setting to cause the Custom Import feature to be enabled. It would look something akin to this:
It's from here where you can control the frequency of checking for updates and require that the security settings file is signed by a specific digital ID. I know you mentioned that you're not familiar with digital IDs, but one of the foundations of Public-key Infrastructure (PKI) is that digital IDs are only issued to entities who can prove their identity. You may want (you don't have to) require that the settings file is signed with your company's corporate digital ID as an extra layer of security.
Steve
Copy link to clipboard
Copied
Anyone?