PolicyPak: Manage FoxIT Reader Using Group Policy

FoxIT Reader is an excellent alternative to Adobe Acrobat Reader. But it still need a little help to make sure it stays secure. In this video learn how to manage FoxIT Reader using Group Policy and PolicyPak. Don’t be “that guy” who could have done something, but .. oops.. didn’t protect his network.

Manage FoxIT with Group Policy and PolicyPak Video Transcript

Hello, everybody. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software.In this video, we’re going to learn how to configure FoxIT Reader using Group Policy and PolicyPak.

Let’s start off with taking a look at FoxIT Reader. I’m just logged on as a standard user. I’m not an administrator. I’m just a standard user. I’m a big fan of FoxIT Reader, but if you go to “Tools/Preferences…” there are a lot of things that a regular user – someone without admin rights –can do to unfortunately make your machine less secure. If you’re going to be deploying FoxIT Reader to all of your client machines, you’re going to want to make sure that the application itself is locked down and secure.

Let’s actually go from the bottom up. Let’s talk about “Updater.” A lot of organizations have their own schedule for setting updates. You probably don’t want the default to “Every 7 days automatically check for security updates, and update ads bar and start page.” What you probably want to do is to “Do not update automatically.”So we’re not going to click it here. We’re going to use Group Policy to do it. I just want to show you that this is the default.

Let’s go over to the “Trust Manager.” Here we go. See, there’s this thing called “Enable Safe Reading Mode,” which is very important to make sure that documents can’t do bad things and will help you avoid attacks from malicious documents. If a user wants to, they can uncheck that checkbox. That’s not good. We don’t want to do that, but if they do that and click “OK” there’s absolutely nothing preventing them from doing that.

Let’s go to another setting here. Let’s go to “JavaScript,” yet another one you probably want them to have this guy unchecked. You want to uncheck “Enable JavaScript Actions.” The idea is that, again, the bad guys can use JavaScript as an attack vector against FoxIT Reader.

So what we’re going to do is, gosh, we’ve got three things we want to do. We want to check some things and uncheck some things and also lock it down so users can’t work around your settings. Let’s go ahead and close FoxIT Reader.

Now we’ll go over to our Group Policy station, the one that creates Group Policy for us. You can see we’ve got the “PreConfigured PolicyPaks”here on the right. On the left here, I’ve got a folder that we’re going to copy our extensions to.

Let me say that again. On the right here, we’ve got our “PreConfigured PolicyPaks.” We’re going to pick the “FoxIT Reader 5.” You can see we’ve got others as well for “Acrobat 10.” We’ve got others for things like “Flash” and “Firefox” and “Lync” and “Java” and a lot of other great applications that you want to manage using Group Policy.

But today, we’re going to use “FoxIT Reader 5.” We’re going to take our preconfigured dll, “pp-FoxIT Reader 5.dl,l” and “Copy here” into the “PolicyPak Extensions” folder on our machine, the one that we’re going to create Group Policy from. That’s it. You’re done. You’re ready to go, and you’re ready to manage FoxIT Reader using Group Policy.

We’re going to create a “New GPO” against our “East Sales Users.” We’ll go ahead and “Manage FoxIT Reader using Group Policy and Firefox.”We’ll right click, click “Edit…” and now we will dive down under user side “PolicyPak/Applications/New/Application.”There it is, “PolicyPak for FoxIT Reader.” We’ll double click that, and here we go.

The first thing we want to do, we started off with “Updater.” Let’s go ahead and force it to “Do not update automatically.” We also want to go the extra mile here. Because this is a thing a user can configure on their own, we can prevent that behavior by right clicking over and selecting “Disable corresponding control in target application.”We’re going to lock it down so a user can’t possibly mess it up. You can see the checkmark is checked for “Disable corresponding control in target application.”

If we go over to the “Trust Manager,” we want to guarantee that “Enable Safe Reading Mode” is turned on. We’re going to check it, and an underline in PolicyPak means we’re going to deliver the setting. But again, it’s probably not enough to just check the checkbox. Again, we’re going to right click and “Disable corresponding control in target application,”make sure the user can’t possibly work around it.

Let’s go over to “JavaScript.” We want to uncheck this checkbox to “Enable JavaScript Actions.” We want to reduce the amount of stuff the bad guys can do. While we’re here, again we can “Disable corresponding control in target application.”

Now that we’ve made those three settings changes, let’s go back over to our client machine here. Now I could if I want to log off and log back on. I could get a totally new work station. If I’m using a terminal server or a VDI session, the very next time I log on I’m going to get this setting.

Because again, PolicyPak is part of the operating system. We act as part of the operating system. As soon as you log on, you get the latest, greatest Group Policy settings. I just happen to be accelerating things a little bit by using “gpupdate,” but I could have just as easily logged off and logged back on.

Let’s go ahead and now let’s run “FoxIT Reader 5.0” here. Let’s go to “Tools/Preferences…” here, and we’ll go from the bottom up. There’s “Updater.” Cool. We’ve set it to “Do not automatically update.” As you can see, it’s grayed out so the user can’t possibly mess around and thwart your setting.

We can also see “Trust Manager.” They cannot, prevent unchecking “Enable Safe Reading Mode.” You saw me as a regular user uncheck that and click “OK.” Now I’ve guaranteed it on as the IT administrator using Group Policy and PolicyPak.

Then if we go over to “JavaScript,” here we go. We’ve unchecked “Enable JavaScript Actions.” All the settings here are available for you to use in FoxIT Reader. If there’s something special that I didn’t cover that you want to have done using PolicyPak and FoxIT Reader, you have a preconfigured Pak ready to go.

That’s it. I hope you’ve enjoyed how to use PolicyPak with the preconfigured FoxIT ReaderPak to lock your machines down and change things like the “Updater,” “Trust Manager” and the “JavaScript” control.

Thanks very much. Remember, with PolicyPak, what you set is what they get.

Thanks so much. Take care.

Back