Participant
April 24, 2019
Question

AdobeGCdata folder is created at deployment with the Everyone group having FullControl (in prog files,\common files\adobe)

  • April 24, 2019
  • 4 replies
  • 8366 views

Folders

c:\Program Files\Common Files\Adobe\AdobeGCData

and

c:\Program Files(x86)\Common Files\Adobe\AdobeGCData

are created at point of deployment of Adobe Pro DC. They are given full control to the Everyone group. I am pretty sure this is not something we are doing as part of our deployment, but if it is, please let us know and how we could change this.

If this is standard, what will break if we amend these permissions?

This to us is a massive security hole and we need to remove these permissions.  I am looking for some advice / reassurance as to whether this will break anything in terms of functionality of the main application?

Thanks in advance,

Ed

This topic has been closed for replies.

4 replies

Legend
April 26, 2019

"Having a writable area in Program Files would allow anyone or any malicious third party (viral payload) to write in an exe or script and have it run without any restrictions."

I do not follow this, since Program Files has no inherent privileges, compared to any other folder.

Participant
April 26, 2019

It does in our environment. We run AppLocker and anything in prog files is allowed to run without its own rule. This should be a protected area, i.e. admin rights are required to write / add content, e.g. executables, into these areas (as is standard in a Windows environment). Therefore this is the tacit permission for those applications to run: an admin has allowed it to be written into these folders, therefore it is OK. With the rule set on a specific folder to Everyone FullControl, all this control is lost.

Legend
April 24, 2019

This seems, in fact, to be the Microsoft approved place to store things that are application specific, not read-only from the original install, and not user-specific. It replaced C:\Documents and Settings\All Users\Application Data. What Is the ProgramData Folder in Windows?

Legend
April 24, 2019

Sorry, my mistake, that's ProgramData. You have c:\Program Files\Common Files which is unusual as a place to be writeable, but only a security issue if there is anything in there you don't want overwritten.

Participant
April 26, 2019

We get assessed against some quite stringent security scopes and this will not pass anymore, i.e. it will be picked up by the scanning tools.

Having a writable area in Program Files would allow anyone or any malicious third party (viral payload) to write in an exe or script and have it run without any restrictions. Couple that with the creation of a scheduled task and you potentially have an exe that will run every time the machine is booted / user logs in to it.
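An added example, not part of the thread and not Adobe or Microsoft tooling: a read-only PowerShell audit that reports allow entries giving broad groups write access to the two AdobeGCData folders named in the question, which is the condition that undermines a path-based AppLocker allowance. The function name `Get-BroadWriteAce` and the choice of principals and rights to flag are assumptions made for this illustration.

```powershell
# Added example: list allow-ACEs that let broad groups write into a folder.
# Well-known SIDs are matched instead of names so the check works on localized Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that allow creating, replacing or re-permissioning content (assumed set).
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Inherit-only ACEs can carry raw generic bits: GENERIC_ALL and GENERIC_WRITE.
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }   # folder not present on this host
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited rules, with identities translated to SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if (-not $BroadSids.ContainsKey($sid)) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The two folders from the question, built from the Program Files roots.
$targets = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Common Files\Adobe\AdobeGCData' }

Get-BroadWriteAce -Path $targets | Format-Table -AutoSize
```

The script only reads ACLs and changes nothing; an empty result means no flagged entry was found on the folders that exist on that machine.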

Legend
April 24, 2019

Why do you consider it a security hole? It looks as if it contains databases, which the end user will naturally need to update. Or not?

kglad
Community Expert
April 24, 2019