Adobe 22002484 Manual

Security guide

Document Security User Guide
for Acrobat 9.0 and Adobe Reader 9.0
PDF Creation Date:
August 4, 2008
Acrobat® and Adobe® Reader®
Version 9.0


Summary of Contents for Adobe 22002484

  • Page 1 PDF Creation Date: August 4, 2008 Document Security User Guide for Acrobat 9.0 and Adobe Reader 9.0 Acrobat® and Adobe® Reader® Version 9.0...
  • Page 2 Adobe Systems Incorporated. Please note that the content in this guide is protected under copyright law even if it is not distributed with software that includes an end user license agreement.
  • Page 3: Table Of Contents

    Contents
    Getting Started (p. 7)
    1.1 What’s in this Guide? (p. 7)
    1.2 Who Should Read This Guide? (p. 7)
    1.3 How Should You Use This Guide? (p. 8)
    1.4 Roadmap to Security Documentation (p. 8)
    Getting and Using Your Digital ID (p. 10)
    2.1 Digital ID Basics (p. 10)
    2.1.1 What is a Digital ID? (p. 10)
    2.1.2 Digital ID Storage Mechanisms (p. 11)
    2.1.3 Registering a Digital ID for Use in Acrobat (p. 12)...
  • Page 4 Acrobat 8 Family of Products Security Feature User Guide
    3.2.4 Searching for Digital ID Certificates (p. 34)
    3.3 Certificate Trust Settings (p. 36)
    3.3.1 Setting Certificate Trust (p. 37)
    3.3.2 Setting Certificate Policy Restrictions (p. 39)
    3.3.3 Using Certificates for Certificate Security (Encryption) (p. 40)
    3.4 Using Directory Servers to Add Trusted Identities (p. 40)
    3.4.1 Manually Configuring a Directory Server (p. 41)
    3.4.2 Editing Directory Servers Details (p. 42)
    3.4.3 Deleting a Directory Server (p. 42)...
  • Page 5
    8.3 Setting JavaScript Options (p. 101)
    8.3.1 High Privilege JavaScript Defined (p. 101)
    8.3.2 JavaScript and Certified Documents (p. 102)
    8.4 Adobe Trusted Identity Updates (p. 103)
    8.5 Working with Attachments (p. 103)
    8.5.1 Default Behavior: Black and White Lists (p. 103)...
  • Page 6
    9.2.3.4 Importing Timestamp Server Settings (p. 132)
    9.2.3.5 Importing Directory Server Settings (p. 134)
    9.2.3.6 Importing Adobe LiveCycle Rights Management Server Settings (p. 135)
    9.2.3.7 Importing Roaming ID Account Settings (p. 136)
    9.2.3.8 Importing a Trust Anchor and Setting Trust (p. 138)
    10 Glossary of Security Terms ...
  • Page 7: Getting Started

    Administrators: This document describes how to configure and use the application user interface. Because system administrators may be responsible for deploying and supporting the Adobe Acrobat family of products (including Adobe Reader) in document security workflows, leverage this guide to help your clients use the product correctly and effectively.
  • Page 8: How Should You Use This Guide

    Many of the application’s registry settings can be accessed and manipulated via JavaScript. Note: The most recent document versions may be found online at http://www.adobe.com/devnet/acrobat/.
  • Page 9 A guide to the documentation in the Adobe Acrobat SDK. Roadmap Acrobat and PDF Library API Reference Developers A description of the APIs for Acrobat and Adobe Reader® plug-ins, as well as for PDF Library applications. JavaScript for Acrobat API Reference Developers A listing of the Acrobat JavaScript APIs.
  • Page 10: Getting And Using Your Digital Id

    Getting and Using Your Digital ID A digital ID is like a driver’s license or passport or other “certified by some entity” paper identification. It proves your identity to people and institutions that you communicate with electronically. These IDs are a critical component of digital signatures and certificate security.
  • Page 11: Digital Id Storage Mechanisms

    Network sharing: Certificates can be stored on a central server. The Trusted Identity Manager can be used to search for certificates on LDAP directory servers. Adobe applications provide tools for configuring and managing directory servers. For details, see “Using Directory Servers to Add Trusted Identities”...
  • Page 12: Registering A Digital Id For Use In Acrobat

    Windows Certificate Store. Import Import Import Import Contains: Certificate and public key only .apf Adobe Profile Files (Legacy): Not used after Acrobat 5. Files can be Import Import Import Import upgraded by double clicking them. Export Contains: Digital ID (public and private keys) 2.1.3 Registering a Digital ID for Use in Acrobat...
  • Page 13: Digital Id Management And The Security Settings Console

    Acrobat Family of Products Getting and Using Your Digital ID Security Feature User Guide Digital ID Management and the Security Settings Console Figure 3 Add Digital ID dialog .apf Digital IDs no longer supported Older application versions use a deprecated digital ID format with an .apf extension. .apf is not supported in 9.0.
  • Page 14: Generic Id Operations

    Adobe Reader (Windows): Edit > Preferences > Identity; Adobe Reader (Macintosh): Adobe Reader > Preferences > Identity. 2. Configure the identity details. These details will appear in your signature appearance when you sign with a self-signed digital ID.
  • Page 15: Sharing (Exporting) A Digital Id Certificate

    1. Choose Advanced (Acrobat) or Document (Reader) > Security Settings. 2. Select Digital IDs in the left-hand tree (Figure 2.2.1). 3.
  • Page 16: Customizing A Digital Id Name

    Windows Digital IDs; PKCS#11 Modules and Tokens. 2.2.4 Customizing a Digital ID Name You can personalize a digital ID by providing a user-friendly name. This name appears in the ID drop-down list in workflows where you are asked to select an ID.
  • Page 17: Managing Pkcs#12 Digital Id Files

    Left hand panel: The certificate chain. Bottom area: A description of the certificate, path validity statement, path validation time, and ...
  • Page 18: Logging In To A Digital Id File

    Note: In enterprise settings, you may be instructed by your administrator to get a digital ID from a specific location or to customize Acrobat or Adobe Reader to work with software supplied by your organization. To find a digital ID file: 1.
  • Page 19: Adding And Removing Digital Id Files From The File List

    9. Review the digital ID list and choose Finish. 2.3.3 Adding and Removing Digital ID Files from the File List Adobe Acrobat and Adobe Reader only allow deletion of user-created self-signed digital IDs created with those applications. A file can have one or more IDs.
  • Page 20: Changing A Pkcs#12 File's Password Timeout

    Figure 10 Digital ID files: Password configuration 2.3.5 Changing a PKCS#12 File’s Password Timeout Passwords and password time-outs can only be set for PKCS#12 IDs. Since a file can contain multiple IDs, passwords and time-outs are configured at the file level rather than for individual IDs.
  • Page 21: Logging In To Pkcs#12 Files

    Figure 11 Digital ID files: Timeout settings 2.3.6 Logging in to PKCS#12 Files The digital ID Login feature provides access to the IDs in a particular file. Login behavior is dependent on the user-specified password timeout feature.
  • Page 22 These files should always be backed up. On Windows XP, the default location is C:\Documents and Settings\<username>\Application Data\Adobe\<application name>\<version>\Security\ Windows Certificate Store: (Windows only) Stores the ID in the Windows Certificate Store where it ...
  • Page 23 Creating a Self-Signed Digital ID Figure 13 Digital ID: Configuration 6. Configure the digital ID. The dialog is prepopulated if the Identity preferences have been previously configured: Tip: If you use non-Roman characters, choose Enable Unicode Support before continuing.
  • Page 24: Deleting A Pkcs#12 Digital Id

    Figure 14 Digital ID: PKCS#12 location and password 2.3.8 Deleting a PKCS#12 Digital ID Adobe Acrobat and Adobe Reader only allow deletion of user-created, self-signed digital IDs created by them. The methodology for deleting other types of IDs varies with the type of ID.
  • Page 25: Managing Windows Digital Ids

    The Windows store makes these IDs available to other Windows applications such as Acrobat and Adobe Reader. When an ID in the Windows store is registered with the application, it appears in the Security Settings Console.
  • Page 26: Adding A Roaming Id Account To Get A Roaming Id

    server rather than being distributed to each individual. Deployment and management therefore occur in one location rather than on numerous client machines. Depending on how the system is configured, users identify themselves (authenticate) to the server either with a username and password, Windows single sign-on, or by some 3rd party method such as ArcotID.
  • Page 27: Managing Ids Accessible Via Pkcs#11 Devices

    Digital IDs can reside on hardware such as a smart card or token with a USB interface. In these cases, the card is inserted into a smart card reader or the token is inserted directly into a USB port. Adobe products can be configured to look for and use IDs on these devices by adding the device’s module (software driver)
  • Page 28: Changing Passwords

    3. Highlight PKCS#11 Modules and Tokens. Figure 18 PKCS#11 Security Settings menu items 4. Choose Add Module. 5. Browse to the device driver. On Windows, this could likely be C:\Windows\system32\<some .
  • Page 29: Logging In To A Device

    PKCS#11 workflows vary by the device supplier. For example, additional passwords or PINs may or may not be required. The login interface may be provided by the Adobe application or by the device supplier. To log in to a device: 1.
  • Page 30: Managing Certificate Trust And Trusted Identities

    Managing Certificate Trust and Trusted Identities As described in “What is a Digital ID?” on page 10, a digital ID consists of two main parts: a certificate with a public key and a private key. Participants in signing and certificate security workflows need to exchange the public part (the certificate) of their digital ID.
  • Page 31 What is a Trusted Identity? The Acrobat family of products provides tools for selecting and interacting with the certificates of document recipients you trust. For example, Acrobat’s user interface prompts authors to select one or more recipients when applying certificate security.
  • Page 32: Adding Someone To Your Trusted Identity List

    each other. It is also possible to create a group from any number of contacts so that security can be applied to all group members with a single action.
  • Page 33: Requesting A Digital Id Via Email

    124. 3.2.3 Importing a Certificate From a File Acrobat and Adobe Reader can export certificates to a file so that they can be shared as needed. To import certificates, follow the instructions described in “Migrating and Sharing Security Settings” on page 112.
  • Page 34: Searching For Digital Id Certificates

    Search button will NOT appear. The list of search servers in the Directories drop-down list is populated through three mechanisms: The default server settings that ship with Adobe Acrobat and Adobe Reader. The Windows Certificate Store if the user has turned on this option.
  • Page 35 Searching for Digital ID Certificates Figure 26 Digital IDs: Searching for certificates To search for a certificate so that you can add one or more people to your trusted identities list: 1.
  • Page 36: Certificate Trust Settings

    Figure 27 Searching for document recipients 3.3 Certificate Trust Settings Contacts in the trusted identities list should be associated with one or more certificates. Those certificates’ trust settings may be individually configured.
  • Page 37: Setting Certificate Trust

    1. Do one of the following: If you already have the certificate: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Certificates in the Display drop down list. 3. Select the certificate. 4. Choose Edit Trust.
  • Page 38 Setting Certificate Trust 2. On the Trust tab, select the trust options. In enterprise settings, an administrator should tell you which trust settings to use. Note: During an import action, recipients of the distributed trust anchor may be able to inherit its trust settings.
  • Page 39: Setting Certificate Policy Restrictions

    Embedded high privilege JavaScript: Trusts embedded scripts. Certificate settings do not override application-level settings, so even if JavaScript is enabled for a particular certificate, it may not execute unless the application’s preferences allow it.
  • Page 40: Using Certificates For Certificate Security (Encryption)

    Businesses often use a centrally managed certificate repository such as an LDAP directory server. Directory servers are capable of returning X.509 public key certificates. These servers are searchable so that you can easily expand your list of trusted identities. Both Adobe Acrobat and Adobe Reader for Windows ship with default servers: Versions 7.x:...
  • Page 41: Manually Configuring A Directory Server

    Figure 32 Digital ID Directory servers: Server list 3.4.1 Manually Configuring a Directory Server Some companies store employee digital ID certificates on a networked LDAP server. To access those certificates, add the server to the list of directories used to locate those IDs.
  • Page 42: Editing Directory Servers Details

    Figure 33 Digital ID Directory servers: Setting server details 3.4.2 Editing Directory Servers Details Directory server details can be changed at any time. To edit directory server information: 1.
  • Page 43: Specifying A Default Directory Server

    3.4.4 Specifying a Default Directory Server A default server may be specified so that it is always used when searching for digital IDs. To set a default directory server: 1.
  • Page 44: Emailing Certificate Or Contact Data

    Figure 35 Contacts: Viewing details 3. Choose Details. Figure 36 Edit Contact dialog 4. Edit the details. 5. Choose OK. 3.5.2 Emailing Certificate or Contact Data You can export certificate and contact data via email directly from the Trusted Identity Manager.
  • Page 45: Associating A Certificate With A Contact

    3.5.4 Associating a Certificate with a Contact A certificate is usually already associated with a contact. However, in certain cases the two may need to be reassociated: Someone has provided you with new contact information.
  • Page 46: Deleting Contacts And Certificates

    Note: The certificate list is populated with the currently associated certificate and any unassociated certificates for the current contact. In other words, the list does not display all of a contact’s certificates; it displays only those that have no contact association.
  • Page 47 Deleting Contacts and Certificates Figure 39 Contacts: Deleting Deleting a Certificate To delete a certificate: 1. Choose Advanced (Acrobat) or Document (Reader) > Manage Trusted Identities. 2.
  • Page 48: Document Security Basics

    Security is often added to documents to limit viewing, editing, printing, and other features to only those users that have the required password, a digital ID, or access to an Adobe LiveCycle Rights Management Server. Acrobat’s default security methods not only protect document content from unauthorized access, but also allow users to specify encryption levels and permission settings.
  • Page 49: Choosing A Security Method Type

    Supported by Acrobat 6.0 and later. Adobe LiveCycle Rights Management Server security: These policies are stored on a server, and ...
  • Page 50: Security Policies

    Table 5 Security method pros and cons Method Pros Cons Password Backward-compatible to Acrobat 3.0 for certain encryption levels. Protection depends on password strength. Simple and easily understood. Anyone who knows the password Share documents by sharing the password.
  • Page 51: Choosing What To Encrypt

    Note: Password security is unavailable if your administrator has configured your application to operate in FIPS mode. Certificate security: The user selects what document components to encrypt and then chooses the ...
  • Page 52: Security Methods And Permissions

    128-bit RC4 is compatible with Acrobat 6.0 and later as well as other non-Adobe and Adobe PDF clients such as Ghostscript® and Apple Preview® that have not implemented AES. RC4 has a smaller file size by about 32 bytes per stream.
  • Page 53: Permissions Workflow

    Adobe products enforce permissions restrictions. However, not all third-party products fully support and respect these permissions. Encryption and therefore document access would likely not be impaired, but Adobe cannot guarantee that individual permissions settings will remain functional. Recipients using such third-party products might be able to bypass some of your restrictions.
  • Page 54: Associating Batch Processing With A Security Method

    2. Changes Allowed: Limits page-level editing, commenting, and form field interaction. None: Prevents users from changing the document, including filling in signature and form fields. ...
  • Page 55: Changing And Viewing Security Settings

    Figure 44 Security methods for batch processing 4.2 Changing and Viewing Security Settings While anyone who can open a document can view its security methods, only those with permission can change those methods.
  • Page 56: Viewing Document Restrictions

    Figure 46 Document security settings: Certificate security Figure 47 Document security settings: ALCRMS security 4.2.2 Viewing Document Restrictions In addition to the encryption and permissions settings enforced by the document’s security method, a document may be subject to additional restrictions if it is signed or certified.
  • Page 57: Viewing Security Settings In A Browser

    Figure 48 Document Property dialog 4.2.3 Viewing Security Settings in a Browser To view document security settings in a Web browser: 1. Click on the lock icon in the left-hand pane. 2.
  • Page 58: Editing Security Method Settings

    Note: New settings do not appear in the user interface until the document is closed and reopened. 3. If the document is password protected, enter the document password. 4.
  • Page 59: Security Policies: Reusable Security Settings

    User policies: User policies are created and applied by anyone. User password and certificate policies are stored locally while Adobe LiveCycle Rights Management Server policies are stored on the server. Policy authors can edit and delete the policies they create.
  • Page 60: Creating Security Policies With Policy Manager

    4.3.1 Creating Security Policies with Policy Manager Policies can be created ahead of time or during the course of creating new security settings. When the Security Settings Console appears, simply choose Save these settings as a policy and enter a policy name and optional description (Figure...
  • Page 61: Viewing A Security Policy

    1. Choose Advanced > Security > Secure this Document. 2. Highlight a policy. 3. Choose Apply to Document. 4. Save the document. Tip: If a policy has been designated as a “favorite,” a star appears next to the selected policy. All favorites appear in the security menu (Figure 53).
  • Page 62: Making A Security Policy Favorite

    4. Change the policy’s settings as described in one of the following sections: Chapter 5, “Password Security”; Chapter 6, “Certificate Security”; Chapter 7, “LiveCycle Rights Management Server Security” ...
  • Page 63: Envelopes

    To delete a security policy: 1. Choose Advanced > Security > Manage Security Policies (Figure 50). 2. Choose a security policy. 3. Choose Delete. 4. Choose Yes at the confirmation dialog. 5.
  • Page 64 Envelopes Embed file attachments in security envelopes for secure transit. 1. Choose Advanced > Security > Create Security Envelope. 2. Choose Add File To Send. 3. Browse to the documents you want to attach and choose Open. Select any PDFs in the list that you don’t want to include and choose Remove Selected Files.
  • Page 65: Password Security

    Password Security Acrobat users can perform any task in this section. Adobe Reader users can only view encrypted documents and cannot encrypt them for others. Password security provides a simple method for sharing encrypted documents by sharing passwords. Like all security methods, password security can enforce document restrictions on operations such as opening, printing, and editing.
  • Page 66: Creating Password Security Settings

    Tip: If the document has both types of passwords, it can be opened with either password. The document open password and permissions password cannot be identical. At a high level, adding password security includes specifying encryption settings, creating a Document Open password (if needed), creating a Permissions password (if needed), specifying permissions settings, and saving the document...
  • Page 67 Creating a Reusable Password Security Policy 1. Compatibility: The compatibility options determine what encryption options will be available. Compatibility with earlier versions of Acrobat may mean all document contents will have to be encrypted.
  • Page 68 Creating a Reusable Password Security Policy Tip: Adobe recommends that permission passwords and document open password always be used together. The permissions password is used to change permissions and is NOT needed to gain access to the features the author is permitting. Thus, holders of the permissions password are essentially “owners”...
  • Page 69: Creating Password Security For One-Time Use

    11. Choose OK. 12. Reenter the Document Open and/or Permissions passwords (if any) when asked to confirm it and choose OK. 13. Choose Finish. 5.1.2 Creating Password Security for One-Time Use Use this method if you: Need to make the document backward-compatible to Acrobat 3.0.
  • Page 70 Adobe products enforce permissions restrictions. However, not all third-party products fully support and respect these permissions. Encryption and therefore document access would likely not be impaired, but Adobe cannot guarantee that individual permissions settings will remain functional. Recipients using such third-party products might be able to bypass some of your restrictions.
  • Page 71 Creating Password Security for One-Time Use 2. Changes Allowed: Limits page-level editing, commenting, and form field interaction. None: Prevents users from changing the document, including filling in signature and form fields. ...
  • Page 72: Opening A Password-Protected Document

    5.2 Opening a Password-Protected Document You must know the Document Open or Permissions password to open the document. To open a password protected document: 1. Open the document. 2.
  • Page 73: Password Recovery

    5.5 Password Recovery Caution: There is no way to recover a lost password from a document. Keep a backup copy that is not password-protected.
  • Page 74: Certificate Security

    Certificate Security Acrobat users can perform any task in this section. Adobe Reader users can only view encrypted documents and not encrypt them for others. If you share documents that require high security, you may need certificate security. Businesses use certificate security because a public key infrastructure (PKI) enables central management by an administrator.
  • Page 75: Setting Up The Certificate Security Environment

    6.1 Setting up the Certificate Security Environment If you’re going to use certificate security, consider doing the following: Configuring Acrobat to use certificates in the Windows Certificate store as well as those in the Acrobat ...
  • Page 76: Selecting A Certificate To Use For Encryption

    Figure 62 Windows integration The Windows Certificate Store will now appear in the Search for Recipients dialog’s directory list. The dialog can be invoked from two locations: From a certificate security workflow: Set the encryption settings, choose Next, and then choose ...
  • Page 77: Working With Groups Of Contacts

    Figure 63 Choosing a certificate for encryption 6.2 Working with Groups of Contacts Contacts can be added to a group so that all group members can easily share a predefined set of permissions and restrictions.
  • Page 78: Deleting A Group

    3. Add or remove a contact: Adding a contact: Choose Add, select a contact from the contact list, and choose OK twice. Removing a contact: Select a contact, choose Remove, and choose OK. ...
  • Page 79 Creating a Reusable Certificate Security Policy 1. Choose Advanced > Security > Manage Security Policies. 2. Choose New. 3. Select Use public key certificates. 4. Choose Next. 5. Enter a policy name and optional description. Figure 66 Security policy: General settings 6.
  • Page 80 Creating a Reusable Certificate Security Policy 128-bit RC4: Compatible with Acrobat 6.0 and later as well as other non-Adobe and Adobe PDF clients such as Ghostscript and Apple Preview that have not implemented AES. RC4 has a smaller file size by about 32 bytes per stream.
  • Page 81 Control or Shift keys. 2. Choose Permissions. 3. When an alert appears stating that non-Adobe products may not respect these settings, choose OK. 4. Check Restrict printing and editing of the document and security settings.
  • Page 82: Creating Certificate Security For The Current Document

    1. Printing Allowed: None: Prohibits printing. Low Resolution: Limits printing to 150-dpi resolution. Printing may be slower because each page is printed as a bitmapped image. This option is only available if a high encryption level (Acrobat 5 or Acrobat 6) is selected.
  • Page 83 Adobe products enforce permissions restrictions. However, not all third-party products fully support and respect these permissions. Encryption and therefore document access would likely not be impaired, but Adobe cannot guarantee that individual permissions settings will remain functional. Recipients using such third-party products might be able to bypass some of your restrictions.
  • Page 84 5. Choose the encryption algorithm: 128-bit RC4: Compatible with Acrobat 6.0 and later as well as other non-Adobe and Adobe PDF clients such as Ghostscript and Apple Preview that have not implemented AES. RC4 has a smaller file size by about 32 bytes per stream.
  • Page 85 Acrobat Family of Products Certificate Security Security Feature User Guide Creating Certificate Security for the Current Document Figure 70 Choosing a digital ID for certificate security 8. If you have more than one digital ID, choose the digital ID persistence level. Ask me which digital ID to use next time ...
  • Page 86 Control or Shift keys. 2. Choose Permissions. 3. When an alert appears stating that non-Adobe products may not respect these settings, choose OK. 4. Check Restrict printing and editing of the document and security settings.
  • Page 87: Applying A Certificate Security Policy

    2. Changes Allowed: Limits page-level editing, commenting, and form field interaction. None: Prevents users from changing the document, including filling in signature and form fields. ...
  • Page 88: Opening A Certificate-Protected Document

    1. Configure certificate security as described in “Creating Certificate Security Settings” on page 78. When you are prompted to add document recipients to the recipient list, choose Search. 2.
  • Page 89 Opening a Certificate-Protected Document Figure 73 Opening an encrypted document: With certificate security...
  • Page 90: Livecycle Rights Management Server Security

    LiveCycle Rights Management Server Security Adobe LiveCycle Rights Management Server (ALCRMS) security is only available to users with access to an Adobe LiveCycle Rights Management Server. Tip: This document provides a cursory overview of the ALCRMS features. For information on configuring your application to use an Adobe LiveCycle Rights Management Server, log in to the server and use the help system.
  • Page 91: Importing Alcrms Settings From An Fdf File

     7.1.1 Importing ALCRMS Settings from an FDF file Adobe LiveCycle Rights Management Server settings can be distributed via FDF files. Both users and administrators can import and export server settings in the same way as timestamp and directory server information is imported and exported.
  • Page 92: Managing Your Alcrms Account

    7.1.4 Managing your ALCRMS Account To manage your ALCRMS Account: 1. Choose Advanced > Security > Adobe LiveCycle Rights Management > Manage My Account. 2. If prompted, enter a username and password and choose OK. 3. Manage your account as described in the Adobe LiveCycle Rights Management Help documentation.
  • Page 93: Applying Alcrms Security

    1. Choose Advanced > Security > Manage Security Policies. 2. Highlight a policy. 3. Choose Apply to Document. 7.2.3 Refreshing the Security Policy List To refresh the list of available ALCRMS policies: 1. Choose Advanced > Security > Adobe LiveCycle Rights Management > Refresh Security Policies.
  • Page 94: Synchronizing A Document For Offline Use

    Synchronizing a document for offline use allows you to get the latest version so that you can access it when you are not connected to the network. To synchronize a document: 1. Choose Advanced > Security > Adobe LiveCycle Rights Management > Synchronize for Offline. 2. If prompted, enter a username and password and choose OK.
  • Page 95: External Content And Document Security

    External Content and Document Security Document access to internal and external content such as the Internet, attachments, and embedded multimedia represents a security risk. Users should configure their application so that it operates at an acceptable risk level. In enterprise settings, administrators should either preconfigure client installations or distribute instructions for setting up the application correctly.
  • Page 96: Enabling Enhanced Security

    Add Folder Path: If you have a large number of files that you trust, specify an entire directory. Add Host: Enter the name of the root URL only. For example, enter www.adobe.com but not www.adobe.com/products. To only allow higher privileges for files accessed from secure connections, select the option for Secure Connections Only (https:).
  • Page 97: Changes In Fdf Behavior

    8.1.2 Changes in FDF Behavior FDF files are data exchange files. Like acrobatsecurity files, they help you move certificate, server, and other data from one machine to another. This data transfer usually involves some mechanism such as data injection into a PDF form field, installing files, executing a script, and so on.
  • Page 98: Interaction With Trust Manager

    8.1.4 Make Privileged Folder Locations Recursive You can extend privileged locations to be recursive by configuring a registry setting. For details, refer to the Security Administration Guide for Acrobat 9.0 and Adobe Reader 9.0. 8.2 Controlling Multimedia The Acrobat family of products has a notion of trusted documents and other documents (documents that have not been trusted).
  • Page 99: Configuring Multimedia Trust Preferences

    If your multimedia trust preferences result in a prompt asking whether you want to play multimedia, the Manage Trust for Multimedia Content dialog will offer various options that may allow you to trust the document.
  • Page 100: Controlling Multimedia In Certified Documents

    1. Open the Multimedia Trust Manager: Acrobat and Adobe Reader (Windows): Edit > Preferences > Multimedia Trust; Acrobat and Adobe Reader (Macintosh): (Application) > Preferences > Multimedia Trust...
  • Page 101: Setting Javascript Options

    your system. Participants in certification workflows should consider the source of the document and the security of the workflow before enabling dynamic content. Whether dynamic content executes in certified documents based on the Trusted Document or Other Document settings depends on two items under your control: You can configure a certified document to use the trusted document settings on a per-certificate basis...
  • Page 102: Javascript And Certified Documents

    To block or allow execution of all JavaScript from the tool bar: 1. Choose one of the following: Acrobat and Adobe Reader (Windows): Edit > Preferences > JavaScript; Acrobat and Adobe Reader (Macintosh): (Application) > Preferences > JavaScript...
  • Page 103: Adobe Trusted Identity Updates

    8.4 Adobe Trusted Identity Updates In order to facilitate workflows that use certificates, Adobe occasionally sends new certificates configured as trust anchors to application users. These certificates allow you to validate signatures that are signed with certificates that chain up to those trusted certificates. In other words, you can validate those signatures without the extra steps of trusting each signer’s certificate or manually configuring another...
  • Page 104 Default Behavior: Black and White Lists Be aware of dangerous file types and how the application manages those types. Adobe applications maintain Black Lists and White Lists which control application behavior.
  • Page 105 Default Behavior: Black and White Lists Table 4 Default prohibited file types (Extension: Description): .ade: Access Project Extension (Microsoft); .adp: Access Project (Microsoft); .app: Executable Application; .asp: Active Server Page; .bas: BASIC Source Code...
  • Page 106 Default Behavior: Black and White Lists Table 4 Default prohibited file types (Extension: Description): .mad: Access Module Shortcut (Microsoft); .maf: Access (Microsoft); .mag: Access Diagram Shortcut (Microsoft); .mam: Access Macro Shortcut (Microsoft); .maq...
  • Page 107: Adding Files To The Black And White Lists

    Table 4 Default prohibited file types (Extension: Description): .sit: Compressed archive of Mac files (Stuffit); .tar: Tape Archive file; .tgz: UNIX Tar file Gzipped; .tmp...
  • Page 108: Resetting The Black And White Lists

    Figure 85 Launch Attachment dialog 8.5.3 Resetting the Black and White Lists Because the registry list could grow over time and users do not have direct access to the lists through the user interface, resetting the list to its original state may result in the highest level of security.
  • Page 109: Controlling Access To Referenced Files And Xobjects

    8.6 Controlling Access to Referenced Files and XObjects Your application can inform you when a PDF file is attempting to access external content identified as a stream object by flags as specified in the PDF Reference.
  • Page 110: Turning Internet Access Off And On

    8.7.1 Turning Internet Access Off and On To block or allow all Web sites: 1. Choose Edit > Preferences (Windows) or Acrobat > Preferences (Macintosh). 2.
  • Page 111: Allowing And Blocking Specific Web Sites

    To configure Internet resource access on a per-URL basis, add specific Web sites to the black and white lists: 1. Choose Edit > Preferences (Windows) or Acrobat (or Adobe Reader) > Preferences (Macintosh). 2. Select Trust Manager in the Categories panel.
  • Page 112: Migrating And Sharing Security Settings

    ID data, trust, server details, signing preferences, and so on. Settings can only be exported from Acrobat but settings can be imported by both Acrobat and Adobe Reader. 9.1.1 Exporting Security Settings to a File Settings can only be exported from Acrobat.
  • Page 113: Importing Security Settings From A File

    10. Sign and save the file. If you don’t know how to certify a file, refer to the Digital Signatures User Guide. 9.1.2 Importing Security Settings from a File Settings can be imported by both Acrobat and Adobe Reader. To import security settings:...
  • Page 114 Importing Security Settings from a File 1. Choose Advanced > Security > Import Security Settings. 2. Browse to an .acrobatsecuritysettings file. 3. Choose Open. 4. acrobatsecuritysettings files must be certified and are therefore signed. You can verify the signer’s identity by choosing the Signature Properties in the Document Message Bar and reviewing the signer’s details.
  • Page 115: Importing Security Settings From A Server

    9.2 Sharing Settings & Certificates with FDF Acrobat and Adobe Reader support the use of FDF files to exchange data between the Acrobat family of client and server products. FDF files use a .fdf extension, and like .pdf, it is registered by Adobe so that the...
  • Page 116 FDF features: Import and export of digital ID certificates. Import and export of server settings for an Adobe LiveCycle Rights Management Server, LDAP directory servers, roaming credential servers, and timestamp servers. Creation by a user (through the application) or by a server programmatically.
  • Page 117: Fdf Files And Security

    “Exporting Your Certificate” on page 121; “Emailing Your Certificate” on page 122; “Saving Your Digital ID Certificate to a File” on page 123...
  • Page 118: Exporting Application Settings With Fdf Files

    Table 5 Rules for opening a PDF via FDF Action location location 8.x behavior 9.x behavior Data injection server Application Allowed Allowed if: PDF makes EFS POST/GET and FDF sends...
  • Page 119: Exporting A Trust Anchor

    When Acrobat exports a certificate, it automatically exports other selected certificates in that certificate’s chain and includes them in the FDF file. 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Certificates in the Display drop-down list.
  • Page 120 Figure 99 Selecting a certificate chain for export 6. Choose Export. 7. Choose one of the following: Email the data to someone: Emailing the data automatically creates an FDF file that other Adobe product users can easily import. Save the exported data to a file: Acrobat FDF Data Exchange. FDF is a format recognized by the...
  • Page 121: Setting The Certificate Trust Level

    When distributing a trusted root in a signed file that the FDF recipient can validate, set the certificate trust level: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Certificates in the Display drop-down list.
  • Page 122: Emailing Your Certificate

    To email a digital ID certificate: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Security Settings. 2. Select Digital IDs in the left-hand tree. 3. Highlight an ID in the list on the right. If you have more than one, choose the one that is appropriate for the usage context.
  • Page 123: Saving Your Digital Id Certificate To A File

    Certificate Message Syntax - PKCS#7: Save the file as a PKCS7 file. Use this format when the data will be imported into a non-Adobe store such as the Macintosh key store or Windows Certificate Store. 7. Choose Next.
  • Page 124: Requesting A Certificate Via Email

    When you request digital ID information from someone, the application automatically attaches to the email an FDF file containing your contact information and certificate. To request a certificate from someone: 1. Choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities. 2. Choose Request Contact. Figure 103 Emailing a certificate request 3.
  • Page 125: Emailing Server Details

    Save, and then choose OK. Tell the intended recipient(s) where to find the file. 9.2.2.7 Emailing Server Details Adobe LiveCycle Rights Management Server, directory server, roaming credential server, and timestamp server details can be exported to an FDF file for distribution to one or more people. Server information sent via an email resides in an attached FDF file.
  • Page 126: Exporting Server Details

    12. Choose Finish. 9.2.2.8 Exporting Server Details Adobe LiveCycle Rights Management Server, directory server, roaming ID, and timestamp server details can be exported to an FDF file for distribution to one or more people. Server information can be written to a file and saved to any location.
  • Page 127: Importing Application Settings With Fdf Files

    ID so that it can be added to their trusted identities list. One way someone can get your ID is to request it in an email. To request your certificate, a user will simply choose Advanced (Acrobat) or Document (Adobe Reader) > Manage Trusted Identities and then choose Request Contact. Acrobat automatically attaches an FDF file with their public certificate to an email that requests your digital ID.
  • Page 128 Importing Application Settings with FDF Files To respond to an email digital ID request: 1. Double click the attached FDF file. 2. Choose Email your Certificate. Figure 109 Emailing your certificate 3.
  • Page 129: Importing Someone's Certificate

    To add someone’s certificate to your list of trusted identities: 1. Click on the FDF file or from Acrobat or Adobe Reader choose File > Open. The digital ID certificate may be sent directly from Acrobat as an email attachment or may reside in a networked directory.
  • Page 130: Importing Multiple Certificates

    To add multiple certificates to the trusted identities list all at once: 1. Click on the FDF file or from Acrobat or Adobe Reader choose File > Open. The digital ID certificate may be sent directly from Acrobat as an email attachment or may reside in a networked directory.
  • Page 131 Importing Application Settings with FDF Files Figure 113 Importing multiple certificates 2. If the FDF file is signed, the signature can be validated, AND a trust level has been specified by the sender, check or uncheck Accept the level of Trust specified by the signer for all Contacts in this file.
  • Page 132: Importing Timestamp Server Settings

    1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Time Stamp Servers in the left-hand list, and choosing Import.
  • Page 133 If No is selected, a default timestamp server must be set before timestamps can be used. To set a default timestamp server, choose Advanced (Acrobat) or Document (Adobe Reader) > Security Settings > Time Stamp Servers, select a server, and choose Set Default.
  • Page 134: Importing Directory Server Settings

    1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Directory Servers in the left-hand list, and choosing Import.
  • Page 135: Importing Adobe Livecycle Rights Management Server Settings

    1. Locate the FDF file: find the file in an email or on the local file system and double click on it. The FDF can also be imported through the Security Settings Console by choosing Advanced (Acrobat) or Document (Adobe Reader) > Security Settings, selecting Adobe LiveCycle Rights Management Servers in the left-hand list, and choosing Import.
  • Page 136: Importing Roaming Id Account Settings

    4. Choose OK. 5. Choose Import. 6. If you do not already have a default Adobe LiveCycle Rights Management Server, a dialog appears asking whether or not you want to make this your default server. Choose Yes or No. 7. Choose OK.
  • Page 137 Importing Application Settings with FDF Files Figure 120 Importing roaming ID server settings 3. Choose Import. 4. Verify the roaming ID account name and server URL. Figure 121 Roaming ID server name and URL 5.
  • Page 138: Importing A Trust Anchor And Setting Trust

    Click on the FDF file. It may be an email attachment or a file on a network or your local system. In Acrobat or Adobe Reader choose File > Open, browse to the FDF file, and choose Open. ...
  • Page 139 Importing Application Settings with FDF Files Note: During an import action, recipients of the distributed trust anchor may be able to inherit its trust settings. Once you’ve verified the sender, you usually want to accept these settings so you can use the certificate the way the sender intended.
  • Page 140 Importing Application Settings with FDF Files application environment be configured correctly. For details, see “Setting JavaScript Options” on page 101. Privileged system operations (networking, printing, file access, etc.): Some operations...
  • Page 141: Glossary Of Security Terms

    See PKCS#7. .pfx See PKCS#12. Adobe Profile Files Adobe's legacy certificate format not used after Acrobat 5. The certificates are stored in .apf files. This format is not supported as of version 9.0. ALCRMS Adobe LiveCycle Rights Management Server. approval signature A signature used to indicate approval of, or consent on, the document terms.
  • Page 142 An Adobe security partner that has joined the Adobe CDS program to provide CDS digital IDs to end users and organizations. As of Acrobat 6, Adobe Reader and Acrobat trust CDS digital IDs and are able to validate signatures that use GeoTrust digital IDs, without requiring any special application configuration.
  • Page 143 If you double click on a .p7c file it will be viewed by a Windows application. Policy Server As of Acrobat 9, Adobe Policy Server is renamed to Adobe LiveCycle Rights Management Server. privileged context A context in which you have the right to do something that’s normally restricted. Such a right (or privilege) could be granted by executing a method in a specific way (through the console or batch process), by some PDF property, or because the document was signed by someone you trust.

This manual is also suitable for:

Acrobat 9.0, Reader 9.0