January 2022 DISA STIG GPO Package 0114

ADMX Templates/Adobe/en-us/AcrobatProDCClassic.adml → ADMX Templates/Adobe/en-us/AcrobatDCContinuous.adml

@@ -1,12 +1,12 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <policyDefinitionResources xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xsi:schemaLocation="" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions" >
 
 
-	<displayName >Adobe Acrobat Pro DC Classic ADMX File</displayName>
-	<description >ADMX File for Adobe Acrobat Pro DC Classic</description>
+	<displayName >Adobe Reader DC Continuous ADMX File</displayName>
+	<description >ADMX File for Adobe Reader DC Continuous</description>
 	<resources >
 		<stringTable >
-			<string id="Cat_Adobe_Pro_DC" >Adobe Acrobat Pro DC Classic</string>
+			<string id="Cat_Adobe_DC_Continuous" >Adobe Reader DC Continuous</string>
 			<string id="Cat_Preferences" >Preferences</string>
 			<string id="Cat_General" >General</string>
 			<string id="Cat_Security" >Security (Enhanced)</string>
@@ -18,6 +18,7 @@
 			<string id="Explain_Disable_PDF_handler" >Disables the ability to change the specified default handler (PDF viewer).
 
 The UI configuration does not set any key in HKCU. Instead, changing the setting via the UI invokes the installer which sets the key in HKLM. The default application behavior varies depending on what is installed. A value of 1 disables the user's ability to change the default handler.
+
 Possible values include:
 Disabled (0): Allow the user to change the default viewer. 
 Enabled  (1): Don't allow the user to change the default viewer. 
@@ -94,28 +95,30 @@ GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Privileged loc
 Disabled (1): Disables Send and Track plugin
 Enabled  (0): Enables Send and Track plugin. 
 </string>
-<string id="Enable_FIPS" >Enable FIPS</string>
+	<string id="Enable_FIPS" >Enable FIPS</string>
 	<string id="Explain_Enable_FIPS" >Use of weak or untrusted encryption algorithms undermines the purpose of using encryption to protect data. 
 
 Enabled  (1): Enables FIPS
 Disabled (0): Disables FIPS 
 </string>	
-		<string id="European_certificates" >Load trusted certificates from an Adobe EUTL server</string>
+	<string id="European_certificates" >Load trusted certificates from an Adobe EUTL server</string>
 	<string id="Explain_European_certificates" >The user can update Adobe European certificates from an Adobe server through the GUI.  
 
 Enabled  (1): Allows download and installation of European certificates
 Disabled (0): Prevents download and installation of European certificates 
 
 GUI mapping - Edit &gt; Preferences &gt; Trust Manager &gt; Automatic European Union Trust Lists
 </string>
-<string id="Protected_Mode" >Protected Mode</string>
+	<string id="Protected_Mode" >Enable Protected Mode at startup</string>
 	<string id="Explain_Protected_Mode" >Protected Mode is a sandbox that is essentially read-only mode.  
 
 Enabled  (1): Turns on Protected Mode
 Disabled (0): Turns off Protected Mode 
+
+GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Sandbox Protections
 </string>
-<string id="Protected_View" >Protected View</string>
-			<string id="Explain_Protected_View" > Protected View is a super-sandbox that is essentially a read-only mode.
+	<string id="Protected_View" >Protected View</string>
+	<string id="Explain_Protected_View" > Protected View is a super-sandbox that is essentially a read-only mode.
 
 Possible values include: 
 0: Off 
@@ -124,28 +127,28 @@ Possible values include:
 
 GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Protected View
 </string>
-<string id="Store_files" >Store files on Adobe.com</string>
-	<string id="Explain_Store_files" >Acrobat provides the ability to store PDF files on Adobe.com servers.  
+	<string id="Document_cloud" >Service access to Document Cloud Services</string>
+	<string id="Explain_Document_cloud" >Disables all service access except those features controlled by the other preferences.  
 
-Enabled  (0): Turns on the ability to store files on Adobe.com
-Disabled (1): Turns off the ability to store files on Adobe.com
+Enabled  (0): Enables Document Cloud services
+Disabled (1): Disables Document Cloud services
 </string>
-<string id="Cloud_Synchronization" >Cloud Synchronization</string>
+	<string id="Cloud_Synchronization" >Cloud Synchronization</string>
 	<string id="Explain_Cloud_Synchronization" >Acrobat online services are tightly integrated in Adobe content.  
 
 Enabled  (0): Synchronization of desktop preferences across devices is allowed
 Disabled (1): Prevents synchronization of desktop preferences across devices
 </string>
-<string id="Repair_installation_32" >Repair Installation on 32 bit</string>
-	<string id="Explain_Repair_installation_32" >User has the option or ability to repair an Adobe Acrobat Pro DC Classic install.   
+	<string id="Repair_installation_32" >Repair Installation on 32 bit</string>
+	<string id="Explain_Repair_installation_32" >User has the option or ability to repair an Adobe Acrobat DC Continuous install.   
 
 Enabled  (0): Allows user the ability to repair Adobe install
 Disabled (1): Prevents user from repairing Adobe install
 
 GUI mapping - Help &gt; Repair Installation
 </string>
-<string id="Repair_installation_64" >Repair Installation on 64 bit</string>
-	<string id="Explain_Repair_installation_64" >User has the option or ability to repair an Adobe Acrobat Pro DC Classic install.   
+	<string id="Repair_installation_64" >Repair Installation on 64 bit</string>
+	<string id="Explain_Repair_installation_64" >User has the option or ability to repair an Adobe Acrobat DC Continuous install.   
 
 Enabled  (0): Allows user the ability to repair Adobe install
 Disabled (1): Prevents user from repairing Adobe install
@@ -158,56 +161,74 @@ GUI mapping - Help &gt; Repair Installation
 Enabled  (0): Allows access to third-party services 
 Disabled (1): Prevents access to third-party services
 </string>
-<string id="WebMail" >WebMail</string>
+	<string id="WebMail" >WebMail</string>
 	<string id="Explain_WebMail" >WebMail allows users to send PDFs as email attachments using any mail account. 
 
 Enabled  (0): Allows users to send PDFs to any mail account 
 Disabled (1): Prevents users from sending PDFs to any mail account
 </string>
-<string id="WelcomeScreen" >Welcome Screen</string>
+	<string id="WelcomeScreen" >Welcome Screen</string>
 	<string id="Explain_WelcomeScreen" >Welcome screen provides marketing material and online links.
 
 Enabled  (1): Shows welcome screen
 Disabled (0): Disables welcome screen
 </string>
-<string id="Cloud_features" >SharePoint and Office 365 access</string>
+	<string id="Cloud_features" >SharePoint and Office 365 access</string>
 	<string id="Explain_Cloud_features" >Users have the ability to use both SharePoint and Office 365 cloud features.
 
 Enabled  (0): Enables users ability to access SharePoint and Office 365 cloud features
 Disabled (1): Disables users ability to access SharePoint and Office 365 cloud features
 </string>
-<string id="Adobe_certificates" >Load trusted certificates from an Adobe AATL server</string>
+	<string id="Adobe_certificates" >Load trusted certificates from an Adobe AATL server</string>
 	<string id="Explain_Adobe_certificates" >The user can update Adobe certificates from an Adobe server through the GUI.  
 
 Enabled  (1): Allows download and installation of Adobe certificates
 Disabled (0): Prevents download and installation of Adobe certificates
 
 GUI mapping - Edit &gt; Preferences &gt; Trust Manager &gt; Automatic Adobe Approved Trust List
 </string>
-<string id="Trusted_Host" >Privileged host locations</string>
+	<string id="Trusted_Host" >Privileged host locations</string>
 	<string id="Explain_Trusted_Host" >Privileged host locations are the primary method Acrobat uses to allow users and admins to specify trusted content that should be exempt from security restrictions.  
 
 Enabled  (0): Enables trusted host locations
 Disabled (1): Disables trusted host locations 
 
 GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Privileged locations
 </string>
-<string id="Trusted_sites" >Automatically trust sites from my Win OS security zones</string>
+	<string id="Trusted_sites" >Automatically trust sites with my Win OS security zones</string>
 	<string id="Explain_Trusted_sites" >Privileged site locations are the primary method Acrobat uses to allow users and admins to specify trusted content that should be exempt from security restrictions.  
 
 Enabled  (0): Enables trusted sites locations
 Disabled (1): Disables trusted sites locations
 
 GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Privileged locations
 </string>
-<string id="Certificate_trust" >Automatically trust documents with valid certification</string>
+	<string id="Certificate_trust" >Automatically trust documents with valid certification</string>
 	<string id="Explain_Certificate_trust" >Certified document trust elevates signed PDF files to a privileged location and bypasses privileged view security protections.
 
 Enabled  (1): Enables certified documents
 Disabled (0): Disables certified documents
 
 GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Privileged locations
 </string>
+	<string id="Send_for_Signature" >Adobe Send for Signature</string>
+	<string id="Explain_Send_for_Signature" >Disables Adobe Send for Signature.
+
+Enabled  (0): Enables the ability to Send for Signature 
+Disabled (1): Disables the ability to Send for Signature
+</string>
+	<string id="Service_Upgrades" >Service Upgrades</string>
+	<string id="Explain_Service_Upgrades" >Disables both updates to the product's web-plugin components as well as all services.
+
+Enabled  (1): Enables Service Upgrades 
+Disabled (0): Disables Service Upgrades
+</string>
+	<string id="Acrobat_Upsell" >Acrobat Upsell</string>
+	<string id="Explain_Acrobat_Upsell" >Disables messages which encourage the user to upgrade the product.
+
+Enabled  (0): Enables Acrobat Upsell messages 
+Disabled (1): Disables Acrobat Upsell messages 
+</string>	
 		</stringTable>
 		<presentationTable>
 		<presentation id="Access_to_unknown_websites">
@@ -216,7 +237,7 @@ GUI mapping - Edit &gt; Preferences &gt; Security (Enhanced) &gt; Privileged loc
 		<presentation id="Access_to_websites">
 	 <dropdownList refId="Access_to_websitesDropID" noSort="true" defaultItem="2">PDF files may connect to webs sites to share or get information</dropdownList>
 	 </presentation>
-	 <presentation id="Protected_View">
+	 	<presentation id="Protected_View">
 	 <dropdownList refId="Protected_ViewDropID" noSort="true" defaultItem="2">Protected View</dropdownList>
 	 </presentation>
 	 </presentationTable>

ADMX Templates/Microsoft/SecGuide.admx

@@ -25,8 +25,26 @@
 
     <policies>
 
+        <!-- Configure Print Driver Restriction-->
+        <policy name="Pol_SecGuide_0721_Print_Driver"
+                class="Machine"
+                displayName="$(string.Pol_SecGuide_PrintDriver)"
+                explainText="$(string.Pol_SecGuide_PrintDriver_Help)"
+                key="Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
+                valueName="RestrictDriverInstallationToAdministrators"
+                >
+            <parentCategory ref="Cat_SecGuide" />
+            <supportedOn ref="windows:SUPPORTED_Windows7" />
+            <enabledValue>
+                <decimal value="1" />
+            </enabledValue>
+            <disabledValue>
+                <decimal value="0" />
+            </disabledValue>
+        </policy>
+
+
         <!-- Configure SMBv1 -->
-
         <policy name="Pol_SecGuide_0001_SMBv1_Server"
                 class="Machine"
                 displayName="$(string.Pol_SecGuide_SMBv1Server)"
@@ -196,7 +214,6 @@
         </policy>
 
         <!-- Credential theft protections -->
-
         <policy name="Pol_SecGuide_0201_LATFP"
                 class="Machine"
                 displayName="$(string.Pol_SecGuide_LATFP)"
@@ -503,5 +520,28 @@
             </elements>
         </policy>
 
-    </policies>
+        <!-- Legacy JScript Block for Internet Explorer -->
+        <policy name="Pol_SecGuide_Legacy_JScript"
+            class="Machine"
+            displayName="$(string.Pol_SecGuide_Legacy_JScript)"
+            explainText="$(string.Pol_SecGuide_Legacy_JScript_Help)"
+            key="software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE"
+            presentation="$(presentation.Pol_SecGuide_Legacy_JScript)"
+                >
+            <parentCategory ref="Cat_SecGuide" />
+            <supportedOn ref="windows:SUPPORTED_Windows_10_0_RS4" />
+                  <elements>
+					<decimal id="POL_SG_excel" valueName="excel.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_mspub" valueName="mspub.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_powerpnt" valueName="powerpnt.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_onenote" valueName="onenote.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_visio" valueName="visio.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_winproj" valueName="winproj.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_winword" valueName="winword.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_outlook" valueName="outlook.exe" maxValue="99999" storeAsText="false" />
+					<decimal id="POL_SG_msaccess" valueName="msaccess.exe" maxValue="99999" storeAsText="false" />
+				 </elements>
+        </policy>
+
+	</policies>
 </policyDefinitions>

ADMX Templates/Microsoft/en-US/SecGuide.adml

@@ -56,6 +56,18 @@ Computer Configuration\Administrative Templates\Windows Components\Windows Defen
 
 If this setting is disabled or not configured, SEHOP is not enforced for 32-bit processes.
 </string>
+      <string id="Pol_SecGuide_PrintDriver">Limits print driver installation to Administrators</string>
+      <string id="Pol_SecGuide_PrintDriver_Help">
+Determines whether users that aren't Administrator can install print drivers on this computer.
+
+By default, users that aren't Administrators can't install print drivers on this computer.
+
+If you enable this setting or do not configure it, the system will limit installation of print drivers to Administrators of this computer.
+
+If you disable this setting, the system will not limit installation of print drivers to this computer.
+
+Additional Information: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 for additional information.
+      </string>
       <string id="Pol_SecGuide_SMBv1Server">Configure SMB v1 server</string>
       <string id="Pol_SecGuide_SMBv1Server_Help">Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)
 
@@ -153,6 +165,18 @@ Because this setting is not a true Group Policy setting and "tattoos" the regist
       <string id="BlockFlash_BlockActivation">Block all activation</string>
       <string id="BlockFlash_BlockEmbedded">Block embedding/linking, allow other activation</string>
       <string id="BlockFlash_AllowAll">Allow all activation</string>
+	  <string id="Pol_SecGuide_Legacy_JScript">Restrict legacy JScript execution for Office</string>
+      <string id="Pol_SecGuide_Legacy_JScript_Help">This policy setting controls JScript execution per Security Zone within Internet Explorer and WebBrowser Control (WebOC) for Office applications.
+
+It's important to determine whether legacy JScript is being used to provide business-critical functionality before you enable this setting.
+
+If Enabled, Office applications will not execute legacy JScript for the Internet or Restricted Sites zones and users aren’t notified by the application that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.
+
+If Disabled or Not Configured JScript will function without any restrictions.
+
+The values are set in hexadecimal and should be converted prior to changing the setting value. To learn more about Internet Explorer Feature Control Key and the Restrict JScript process-level policy for Windows, please refer to: https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330734(v=vs.85)#restrict-jscript-at-a-process-level </string>
+
+
     </stringTable>
 
       <presentationTable>
@@ -171,6 +195,17 @@ Because this setting is not a true Group Policy setting and "tattoos" the regist
           <presentation id="Pol_SecGuide_Block_Flash">
               <dropdownList refId="Pol_SecGuide_Block_Flash" noSort="true" defaultItem="0">Block Flash player in Office</dropdownList>
           </presentation>
+		  	  <presentation id="Pol_SecGuide_Legacy_JScript">
+				<decimalTextBox refId="POL_SG_excel" defaultValue="69632"> Excel: </decimalTextBox>
+				<decimalTextBox refId="POL_SG_mspub" defaultValue="69632"> Publisher: </decimalTextBox>
+                <decimalTextBox refId="POL_SG_powerpnt" defaultValue="69632"> PowerPoint: </decimalTextBox>
+				<decimalTextBox refId="POL_SG_onenote" defaultValue="69632"> OneNote: </decimalTextBox>
+                <decimalTextBox refId="POL_SG_visio" defaultValue="69632"> Visio: </decimalTextBox>
+                <decimalTextBox refId="POL_SG_winproj" defaultValue="69632"> Project: </decimalTextBox>
+                <decimalTextBox refId="POL_SG_winword" defaultValue="69632"> Word: </decimalTextBox>
+                <decimalTextBox refId="POL_SG_outlook" defaultValue="69632"> Outlook: </decimalTextBox>
+                <decimalTextBox refId="POL_SG_msaccess" defaultValue="69632"> Access: </decimalTextBox>
+			  </presentation>
       </presentationTable>
 
   </resources>