Setting up security policies

Types of security policies

If you often apply the same security settings to multiple PDFs, you can save your settings as a policy that you can reuse. Security policies save time while ensuring a consistently secure workflow. Creating policies for password and certificate security lets you reuse the same security settings for any number of PDFs. Two kinds of security policies are available:

  • Organizational policies are especially useful if you want others to have access to PDFs for a limited time. Adobe LiveCycle Rights Management ES policies are stored on a server. Users must have access to the server to use these policies. Creating these policies requires specifying the document recipients from a list on Adobe LiveCycle Rights Management ES. Adobe LiveCycle Rights Management ES controls access to PDFs and auditing events as defined by the security policy. You can use Adobe LiveCycle Rights Management ES if your company has licensed the software and made it available to you.

  • User policies are created and applied by individuals. If you apply the same security settings to numerous documents, you can save time by creating a user policy. Then, apply the user policy to documents. User policies for passwords and public key certificates are stored on your local computer. With access to Adobe LiveCycle Rights Management ES, you can create a user policy that’s stored on Adobe LiveCycle Rights Management ES. That policy is available only to you.

How organizational policies are authenticated

In addition to reusing security settings, policies stored on Adobe LiveCycle Rights Management ES enable you to expire and revoke documents. You can also maintain accountability by auditing users who open protected documents.

Security policies
A.
Policies are stored on server.

B.
Policies are applied to a PDF.

C.
Users can open, edit, and print a document only if permitted by policy.

Setting up server-based security policies involves four main stages:

Configure the Adobe LiveCycle Rights Management ES
The system administrator of your company or group usually configures Adobe LiveCycle Rights Management ES, manages accounts, and sets up organizational policies. For more information on configuring Adobe LiveCycle Rights Management ES, see the Adobe website.

Publish a document with a security policy
An author creates a PDF and applies a policy stored on Adobe LiveCycle Rights Management ES to the PDF. The server generates a license and unique encryption key for the PDF. Acrobat embeds the license in the PDF and encrypts it using the encryption key. The author or administrator can use this license to track and audit the PDF.

View a document with a policy applied
When users try to open the secure PDF in Acrobat 9 (or Reader 9), they must authenticate their identities. If the user is granted access to the PDF, the PDF is decrypted and opens with the permissions specified in the policy.

Administer events and modify access
By logging in to an Adobe LiveCycle Rights Management ES account, the author or administrator can track events and change access to policy-secured PDFs. Administrators can view all PDF and system events, modify configuration settings, and change access to policy-secured PDFs.

Create a user security policy

User policies can use passwords, certificates, or Adobe LiveCycle Rights Management ES to authenticate documents.

The policies for password and certificate security can be stored on a local computer. Security policies created using Adobe LiveCycle Rights Management ES are stored on a server. You can audit actions and change security settings dynamically. You can use Adobe LiveCycle Rights Management ES if your company has licensed the software and made it available to you.

Create a password policy

  1. In Acrobat, choose Tools > Protection > Encrypt > Manage. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  2. Click New.
  3. Select Use Passwords, and then click Next.
  4. Type a name and description for the policy, do one of the following, and then click Next:
    • To specify passwords and restrictions whenever you apply this policy to a document, clear the Save Passwords With The Policy option.

    • To save passwords and restriction settings with the policy, select Save Passwords With The Policy.

  5. Specify a compatibility setting and password options. If you selected Save Passwords With The Policy, specify the password and restrictions. Click OK.
  6. Review the policy details, click Finish, and then click Close.

Create a certificate policy

  1. In Acrobat, choose Tools > Protection > Encrypt > Manage. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  2. Click New.
  3. Select Use Public Key Certificates, and then click Next.
  4. Type a name and description for the policy, and specify the document components to encrypt.

    Certificates must be current and have key usage that allows for encryption.

  5. Determine how to enforce the policy:
    • To create a policy that is associated with individual recipients, do not select Ask For Recipients When Applying This Policy.

    • To create a policy that is associated with individual documents, select Ask For Recipients When Applying This Policy.

  6. Select an encryption algorithm from the menu that is compatible with the recipients’ version of Acrobat, and click Next.
  7. Do one of the following:
    • If you selected Ask For Recipients When Applying This Policy, review the policy settings and then click Finish.

    • If you did not select Ask For Recipients When Applying This Policy, specify recipients by selecting digital IDs (including your digital ID). Then click Next.

  8. Click Finish.

Creating policies for secure file attachments

You can add security to one or more documents by embedding them in a security envelope and sending it as an e-mail attachment. This method is useful if you want to send a secure file attachment without encrypting the files. You can embed the documents as file attachments in a security envelope, and encrypt and send the envelope to the recipients. When the recipients open the envelope, they can extract the file attachments and save them. The saved files are identical to the original file attachments and are no longer encrypted when saved.

For example, when you send confidential documents, including non-PDF files, you only want the recipient to view the documents. You can embed these documents as attachments in a security envelope, encrypt the envelope, and send it by e-mail. Anyone can open the envelope, view its cover page, and even view a list of the contents. However, only the recipient can view the embedded attachments and extract them.

Embed file attachments in security envelopes for secure transit.
  1. Choose Tools > Protection > More Protection > Create Security Envelopes. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  2. Click Add File To Send, select the documents you want to attach, and then click Open. Click Next.
  3. Select an envelope template, and click Next.
  4. Select a delivery method, and click Next.
  5. If an envelope policy has been created, select it or select New Policy. Then, follow the steps to create a policy.
  6. Review the information and click Finish.
  7. For some policies, you are asked to type the information you want displayed on the envelope. Enter enough information to allow recipients to identify the sender of the envelope.
  8. Complete the security information (password, certificate, or policy).
  9. When the envelope is displayed, type the names of the recipients. Then, either click the Save or Mail icon in the toolbar.

    If you click the Mail icon, your default e-mail program opens with the security envelope as an attachment. Type the e-mail addresses of the recipients, and send the e-mail message.

Create a user security policy with Adobe LiveCycle Rights Management ES

If you have access to Adobe LiveCycle Rights Management ES, you can restrict document access and rights of individuals registered with the server. When you create a user policy using Adobe LiveCycle Rights Management ES, you’re redirected to the Adobe LiveCycle Rights Management ES web page.

  1. Do one of the following:
    • For a single PDF or a component PDF in a PDF Portfolio, open the PDF.

    • For a PDF Portfolio, open the PDF Portfolio and choose View > Portfolio > Cover Sheet.

  2. Choose Tools > Protection > Encrypt > Manage. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  3. Click New.
  4. Select Use The Adobe LiveCycle Rights Management, and click Next.
  5. On the Adobe LiveCycle Rights Management web page, click Policies, and then click New.
  6. Type a name and description, set the validity period, and any other options.
  7. Select the users or groups, set permissions for them, and click OK.
  8. Specify the document components you want to encrypt, and whether you want a watermark.
  9. When you’re done, click Save at the top of the page.

Apply security policies to PDFs

You can apply either an organization policy or a user policy to a PDF. To apply a server policy to a document, connect to Adobe LiveCycle Rights Management ES. Adobe LiveCycle Rights Management security policies must be stored on a server, but PDFs to which the policies are applied need not. You can apply policies to PDFs using Acrobat, server-side batch sequences, or other applications, such as Microsoft Outlook.

Only the policy administrator can edit or remove organizational policies. For details on editing security policies, choose Tools > Protection > More Protection > Rights Management > Manage Account. Then click Help in the upper-right corner.

Apply a security policy to a PDF

  1. Do one of the following:
    • For a single PDF or a component PDF in a PDF Portfolio, open the PDF.

    • For a PDF Portfolio, open the PDF Portfolio and choose View > Portfolio > Cover Sheet.

  2. If you are using a server policy, choose Tools > Protection > Encrypt > Manage. Select a policy. Choose an Adobe LiveCycle Rights Management policy from the list and then click Refresh.

    Refreshing security policies ensures that you get the most up-to-date server policies.

  3. Choose Tools > Protection > Encrypt > Manage. Select a policy, and then click Apply To Document. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.

Apply a policy to attachments in Outlook

You can send different types of files as secure PDF attachments in Microsoft Outlook. This option is available only if Adobe LiveCycle Rights Management ES is set up and available in Acrobat.

  1. In Outlook, choose File > New > Mail Message.
  2. In the toolbar, click the Attach As Secured Adobe PDF button .
  3. Select the file you want to attach by typing the file path or by clicking Browse.
  4. Specify how you want to secure the document, and click OK.

    The file is converted to PDF and encrypted using the security method you choose.

  5. Complete the e-mail message, and then click Send.

Remove a user security policy from a PDF

You can remove a security policy from a PDF if you have appropriate permissions. In general, a document owner can remove a security policy from a PDF.

  1. Do one of the following:
    • For a single PDF or a component PDF in a PDF Portfolio, open the PDF.

    • For a PDF Portfolio, open the PDF Portfolio and choose View > Portfolio > Cover Sheet.

  2. Select Tools > Protection > Encrypt > Remove. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.

Export security settings

  1. Choose Tools > Protection > More Protection > Export Security Settings. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  2. Choose which groups of settings you want to share and click OK.
  3. Review and modify the security settings as needed, and then click Export.
  4. Select the method to use to encrypt the security settings (if desired), and then click OK.
  5. Certify the file.

Copy, edit, or delete a policy

  1. Choose Tools > Protection > Encrypt > Manage. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  2. From the Show menu, choose whether you want to display all policies that you have access to, user policies that you’ve created, or organizational policies.
  3. Select a policy, and then use the options you want:
    Note: Options to edit or delete organizational policies aren’t available unless you have administrator rights to Adobe LiveCycle Rights Management ES. Changes to these policies can be made only on Adobe LiveCycle Rights Management ES, which opens automatically when you select an option.
    Copy
    Use to create a policy that’s based on the settings of an existing policy.

    Edit
    Editing a user policy that is stored on a local computer affects only documents to which the policy is applied after the policy is edited. For user policies stored on a server, you can edit the permission settings and other options. This option isn’t available for organizational policies.

    Delete
    This option is not available usually for organizational policies.

    Favorite
    If this option is selected, a star appears next to the policy. To remove a policy from the favorites, click Favorite again. You can apply the Favorite option to multiple policies. Use this option to make a policy easier to retrieve.

Revoke a policy-protected PDF

To restrict access to a policy-protected PDF that you made available to a group of users, you can revoke the document.

  1. Do one of the following:
    • For a single PDF or a component PDF in a PDF Portfolio, open the PDF and log in to Adobe LiveCycle Rights Management ES.

    • For a PDF Portfolio, open the PDF Portfolio, log in to Adobe LiveCycle Rights Management, and choose View > Portfolio > Cover Sheet.

  2. Choose Tools > Protection > More Protection > Rights Management > Revoke. If you don’t see the Protection panel, see the instructions for adding panels at Task panes.
  3. From the menu on the web page, choose an option that explains why you’re revoking the document, or type a message. If you’re replacing the revoked document, type the URL location of the new document.
  4. Click OK to save your changes.