Block Adobe Reader from creating child processes
Blocking Adobe Reader from creating child processes is one of the Microsoft Defender attack surface reduction (ASR) rules, and it narrows the attack surface of a system. Here are a few reasons why you might want to enable it:
- Reduce the risk of malware: Adobe Reader is a commonly targeted application. A malicious PDF that exploits a Reader vulnerability, or that tricks the user into clicking through a prompt, usually needs to launch something else (cmd.exe, PowerShell, a dropped executable) to run its payload. By blocking Adobe Reader from creating child processes, you cut off that step, so a successful exploit is contained in the Reader process instead of spreading to the rest of the system.
- Reduce the risk of privilege abuse: Child processes inherit the privileges of the process that launched them. If Adobe Reader runs under an account with elevated privileges, such as an administrator account, anything it launches runs with those same privileges. By blocking Adobe Reader from creating child processes, you limit what an attacker gains from compromising Reader under such an account.
- Enforce system policies: If your organization has specific policies in place regarding the use of applications and their functionality, blocking Adobe Reader from creating child processes can help enforce those policies and limit the potential for non-compliance.
Why would you not want to block Adobe Reader from creating child processes?
It's worth noting that there may be legitimate use cases for Adobe Reader to create child processes, such as certain plug-ins or add-ons. Before enforcing this rule, evaluate whether it will impact the functionality of the application and any necessary workflows; running the rule in Audit mode first and reviewing what it would have blocked is the usual way to find out. Additionally, there may be other security measures that are more appropriate or effective in your specific environment and threat model.
There are a few reasons why you might not want to block Adobe Reader from creating child processes:
- Application functionality: Adobe Reader may require child processes to function properly. For example, if a user is viewing a PDF document that contains embedded multimedia, such as videos or animations, Adobe Reader may need to create child processes to properly render the content.
- Compatibility: If other applications or processes on the system rely on Adobe Reader to create child processes, blocking this functionality could cause compatibility issues or even application crashes.
Block Adobe Reader from creating child processes using Intune
First, you'll need to make sure Microsoft Defender Antivirus is the active (primary) antivirus solution on the devices, with Real-Time Protection enabled. ASR rules do not apply when Defender Antivirus is in passive mode behind a third-party antivirus product. To verify Defender Antivirus is turned on with real-time protection enabled, go to Security recommendations in the Microsoft Defender portal and search for "Turn on real-time protection". From there click "Turn on real-time protection", then click Exposed devices to see which devices still need remediation.
Now that our devices are ready, let's go ahead and block Adobe Reader from creating child processes using Intune.
- Go to Microsoft Intune admin center (Microsoft Endpoint Manager) > Endpoint security > Attack surface reduction.
- Click Create Policy.
- Set Platform to Windows 10, Windows 11, and Windows Server.
- Set Profile to Attack Surface Reduction Rules.
- Click Create.
- Name your policy and click Next.
- Set Block Adobe Reader from creating child processes to Block. If you have not yet tested the rule in your environment, set it to Audit first, review the audit events for a while, and switch to Block once you are confident nothing legitimate is affected. Click Next.
- Add scope tags if you use them, then assign the policy to the device groups you want to include (and any groups to exclude). Click Next > Next > Create.
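Before rolling the Intune policy out broadly, it helps to validate the prerequisites and the rule's effect on a single test device. The following PowerShell is an added example, not part of the original post or any Microsoft documentation: it checks that Defender Antivirus is active with real-time protection, stages the rule locally in Audit mode using Microsoft's published rule ID for "Block Adobe Reader from creating child processes", reports the configured state, and pulls the ASR events that the rule generates. The function names are my own; the rule ID, event IDs and cmdlets are the real ones. Run it in an elevated session; once the Intune policy applies, it overrides these local settings.

```powershell
# Added example for lab validation of the ASR rule discussed above.
# Requires an elevated PowerShell session on a Windows device with Defender Antivirus.

# Microsoft's rule ID for "Block Adobe Reader from creating child processes".
$AdobeReaderRuleId = '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c'

function Test-AsrPrerequisites {
    # ASR rules only fire when Defender AV is the active antivirus (AMRunningMode 'Normal'),
    # not when it is in passive mode or EDR block mode behind another AV product.
    $status = Get-MpComputerStatus
    $ok = $true
    if ($status.AMRunningMode -ne 'Normal') {
        Write-Warning "Defender AV running mode is '$($status.AMRunningMode)'; ASR rules require 'Normal'."
        $ok = $false
    }
    if (-not $status.RealTimeProtectionEnabled) {
        Write-Warning 'Real-time protection is disabled; enable it before relying on ASR rules.'
        $ok = $false
    }
    return $ok
}

function Get-AdobeReaderRuleState {
    # The rule IDs and their actions are two parallel arrays in Get-MpPreference.
    $prefs = Get-MpPreference
    $ids = @($prefs.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AdobeReaderRuleId) { $idx = $i; break }   # GUID case varies
    }
    if ($idx -lt 0) { return 'NotConfigured' }
    # Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    switch ([int]$prefs.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Unknown' }
    }
}

function Set-AdobeReaderRule {
    param([ValidateSet('Disabled', 'Block', 'Audit', 'Warn')][string]$Mode)
    $action = @{ Disabled = 'Disabled'; Block = 'Enabled'; Audit = 'AuditMode'; Warn = 'Warn' }[$Mode]
    # Add-MpPreference merges this rule with rules already configured;
    # Set-MpPreference would replace the whole list, dropping any other ASR rules.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AdobeReaderRuleId `
                     -AttackSurfaceReductionRules_Actions $action
}

function Get-AdobeReaderRuleEvents {
    param([int]$Days = 7)
    # Event 1121 = ASR rule blocked an action; 1122 = rule fired in audit mode.
    # The event message contains the rule ID, so filter on it to isolate this rule.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $AdobeReaderRuleId } |
        Select-Object TimeCreated, Id, Message
}

# Usage: stage the rule in Audit mode and review what it would have blocked.
if (Test-AsrPrerequisites) {
    Set-AdobeReaderRule -Mode Audit
    "Rule state: $(Get-AdobeReaderRuleState)"
    Get-AdobeReaderRuleEvents | Format-List
}
```

Leave the rule in Audit for long enough to cover normal Reader usage (printing, plug-ins, forms that open other applications). Each 1122 event names the process Reader tried to launch; if none of them are legitimate workflows, switch to `-Mode Block` locally or let the Intune policy set Block for the whole assignment group.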