Folders c:\Program Files\Common Files\Adobe\AdobeGCData and c:\Program Files (x86)\Common Files\Adobe\AdobeGCData are created at point of deployment of Adobe Pro DC. They are given full control to the Everyone group. I am pretty sure this is not something we are doing as part of our deployment, but if it is, please let us know and how we could change this.
If this is standard, what will break if we amend these permissions?
This to us is a massive security hole and we need to remove these permissions. I am looking for some advice / reassurance as to whether this will break anything in terms of functionality of the main application?
Thanks in advance,
Ed
Why do you consider it a security hole? It looks as if it contains databases, which the end user will naturally need to update. Or not?
This seems, in fact, to be the Microsoft approved place to store things that are application specific, not read-only from the original install, and not user-specific. It replaced C:\Documents and Settings\All Users\Application Data. What Is the ProgramData Folder in Windows?
Sorry, my mistake, that's ProgramData. You have c:\Program Files\Common Files which is unusual as a place to be writeable, but only a security issue if there is anything in there you don't want overwritten.
We get assessed against some quite stringent security scopes and this will not pass anymore, i.e. it will be picked up by the scanning tools.
Having a writable area in Program Files would allow anyone or any malicious third party (viral payload) to write in an exe or script and have it run without any restrictions. Couple that with the creation of a scheduled task and you potentially have an exe that will run every time the machine is booted / user logs in to it.
"Having a writable area in Program Files would allow anyone or any malicious third party (viral payload) to write in an exe or script and have it run without any restrictions. "
I do not follow this, since Program Files has no inherent privileges, compared to any other folder.
It does in our environment. We run AppLocker and anything in prog files is allowed to run without its own rule. This should be a protected area, i.e. admin rights are required to write / add content, e.g. executables, into these areas (as is standard in a Windows environment). Therefore this is the tacit permission for those applications to run: an admin has allowed it to be written into these folders, therefore it is OK. With the rule set on a specific folder to Everyone FullControl, all this control is lost.
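
An audit of the condition discussed in this thread, as an added example that is not part of any post or of Adobe's tooling: it lists allow ACEs that give Everyone, Authenticated Users or BUILTIN\Users write access under the two AdobeGCData folders. The function name `Get-BroadWriteAce` and the choice of principals are assumptions; the script only reads ACLs and changes nothing.

```powershell
# Added example: report directories that low-privileged principals can write to.
# The two roots are the folders named in the thread.
$roots = @(
    "$env:ProgramFiles\Common Files\Adobe\AdobeGCData",
    "${env:ProgramFiles(x86)}\Common Files\Adobe\AdobeGCData"
)

# Well-known SIDs, so the check does not depend on the OS display language.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal create or replace a file in a directory.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData)
# Some ACEs store raw generic rights instead of file-specific ones.
$genericMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-BroadWriteAce {   # hypothetical helper name
    param([string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        # Skip roots that do not exist (e.g. no x86 folder on a 32-bit OS).
        if (-not (Test-Path -LiteralPath $p -PathType Container)) { continue }
        $dirs = @(Get-Item -LiteralPath $p) +
                @(Get-ChildItem -LiteralPath $p -Directory -Recurse -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            $acl = Get-Acl -LiteralPath $d.FullName
            # Explicit and inherited ACEs, with identities returned as SIDs.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $sid = $ace.IdentityReference.Value
                if (-not $broadSids.ContainsKey($sid)) { continue }
                $rights = [int]$ace.FileSystemRights
                if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
                    [pscustomobject]@{
                        Path      = $d.FullName
                        Principal = $broadSids[$sid]
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

Get-BroadWriteAce -Path $roots | Format-Table -AutoSize
```

Deny ACEs are not evaluated, so a reported entry means an allow rule exists, not that effective access has been computed.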