Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Java Security Settings?

Posted on 2014-10-21
Last Modified: 2014-10-28
Hi Experts,
We wanting to deploy Java to my clients Windows 7 fleet,
The ICT security contact at the site is wanting to know what security settings we have in place for the existing version of Java for workstations.  Where can I find out on workstation that currently has the old version of Java installed, what security settings are defined for Java. Hope that makes sense?
Question by:craigleenz
  • 4
  • 3
LVL 15

Expert Comment

by:Haris Djulic
ID: 40393803
Java securtiy setings can be found on the securtity tab or advances on java settings pane. To start java setting pane you go to control panel and there you have the java setting shortcut... Thare yiu can see where are the cache files stored etc. Aldo you need to check the settings inside the browsers which control activity of java applets independently of java control panel....

Hope it helps...

Expert Comment

ID: 40393815
For the version, open a command prompt and use "java  -version"

C:\Windows\System32>java -version
java version "1.7.0_65"
Java(TM) SE Runtime Environment (build 1.7.0_65-b19)
Java HotSpot(TM) 64-Bit Server VM (build 24.65-b04, mixed mode)

You can also check in Start Menu / Settings / Programs / Uninstall,
you will see the list of all installed software and for example
"JAVA 7 Update 45" or "JAVA 6 Update xx"

Author Comment

ID: 40396330
thanks for you Reponses guys, however I'm still in the dark slightly here,
I’m not entirely clear what customisations are available but a quick search revealed the following options: (see below) where are these settings managed? via GPO?
(If these are the wrong options, please advise the correct ones)

19.2.3 Security Access And Control Settings
Table 19-5 Configuration Properties Related to Security Access and Control
Property Key      Type      Default Value      Description
deployment.security.level      String      HIGH      Security level setting. The following values are valid:
•      HIGH: Applications that are signed with a valid certificate and include the Permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. Applications are also allowed to run with security prompts when the revocation status of the certificate cannot be checked. All other applications are blocked.
•      VERY_HIGH: Applications that are signed with a valid certificate and include the Permissions attribute in the manifest for the main JAR file are allowed to run with security prompts. All other applications are blocked.
deployment.webjava.enabled      Boolean      True?      Set to true to run applets or Java Web Start (JWS) applications. Set to false to block applets and JWS applications from running.
deployment.insecure.jres      String      PROMPT      Setting for insecure JRE prompt. The following values are valid:
•      NEVER: Untrusted content always runs with the default JRE.
•      PROMPT: Users are prompted before using insecure JRE versions, and are shown warning dialogs
deployment.expiration.check.enabled      Boolean      True false      Set to true to prompt users to update the JRE when an out-of-date JRE is found on their system. Set to false to suppress the prompt.
Note: To ensure that the expiration check is disabled, use the -userConfig deployment.expiration.check.enabled false option with the javaws command. If this property is changed in the deployment.properties file, open the Java Control Panel before starting an application to ensure that the native cache is synchronized with the file. Otherwise, the change might be ignored the first time an application is started.
deployment.security.askgrantdialog.show      Boolean      True?      Set to true to allow users to grant permissions to applets and JWS applications. Set to false to block users from granting permissions.
deployment.security.askgrantdialog.notinca      Boolean      True false      Set to true to allow users to grant permissions to certificates that are not issued by a CA in the Root/JSSE CA certificate store. Set to false to block users from granting permissions.
deployment.security.jsse.hostmismatch.warning      Boolean      true      Set to true to enable JSSE HTTPS certificate verification to show host-mismatch warnings. Set to false to suppress the warnings.
deployment.security.trusted.policy      String      ""      Policy file that contains the ceiling policy of permissions granted to trusted applications and applets. The default is all permissions. Use this property to configure a lesser set of permissions.
deployment.security.mixcode      String      ENABLE HIDE_CANCEL      Setting for mixed mode. The following values are valid:
•      ENABLE: Enables the software to test for mixing trusted and untrusted code and, when potentially unsafe components are detected, raises a warning dialog.
•      HIDE_RUN: Suppresses the warning dialog and, if potentially unsafe components are detected, behaves as if the user had clicked Run in the warning dialog - the applet or application continues running with some added protections.
•      HIDE_CANCEL: Suppresses the warning dialog and behaves as if the user had clicked Cancel in the warning dialog - potentially unsafe components are blocked from running and the program may terminate.
•      DISABLE (not recommended): Disables the software from checking for mixing trusted and untrusted code, leaving the user to run potentially unsafe code with no warning and without the additional protections.
deployment.security.sandbox.awtwarningwindow      Boolean      true      true if the sandbox has awtShowWindowWithoutWarning.
deployment.security.sandbox.jnlp.enhanced      Boolean      true      Set to true to prompt the user to accept the JNLP API security dialogs.
deployment.security.sandbox.selfsigned      String      PROMPT NEVER      Setting for the prompt to run self-signed code in the sandbox. The following values are valid:
•      PROMPT: Prompt user to allow the self-signed app to run in the sandbox.
•      NEVER: Block all self-signed content.
deployment.security.sandbox.casigned      String      PROMPT NEVER      Setting to enable users to turn off future prompts for a signed app running in the sandbox. The following values are valid:
•      PROMPT: Prompt user to allow the app to run and provide information on the certificate used to sign the app. The user can choose to turn off future prompting for this application.
•      NEVER: Block any content from running unless it asks for and is granted all permissions.
deployment.security.blacklist.check      Boolean      true      Support for blacklisting signed JAR files that contain serious security vulnerabilities. This property is used to toggle this behavior. For more information see Blacklist Feature.

deployment.security.revocation.check      String      ALL_CERTIFICATES      Setting for revocation checks. The following values are valid:
•      PUBLISHER_ONLY: Checks only the certificate that the publisher used to sign the application.
•      ALL_CERTIFICATES: Checks all certificates in the certificate chain.
•      NO_CHECK (not recommended): Suppresses the check for certificates that have been revoked.
deployment.security.validation.ocsp      Boolean      true      Specifies whether Online Certificate Status Protocol is enabled.
deployment.security.validation.ocsp.url      String      null      Specifies a URL string pointing to an OCSP response server.
deployment.security.validation.ocsp.signer      String      null      Points to a OCSP response signer certificate subject name.
deployment.security.validation.crl      Boolean      true      Specifies whether to use certificate revocation list.
deployment.security.validation.crl.url      String      null      Specifies a URL in the Certificate Revocation List to perform a certificate validation.
deployment.security.validation.clockskew      int      900      Acceptable time difference, in seconds, between the system clock and the clock on the server used for revocation checks. If the property is not set, or the value is negative, the default of 900 seconds (15 minutes) is used.
deployment.security.validation.timeout      int      15      Maximum time, in seconds, that the system attempts to connect to the server for revocation checks before timing out. If the property is not set, or the value is negative, the default of 15 seconds is used. To never time out, set the property to 0.
deployment.security.authenticator      Boolean      true      Normally Plug-in and Web Start install an Authenticator to handle communication with Authenticating web pages or Authenticating proxies. This is the default behavior (true). This option can be used to turn the normal behavior off if, for example, an application communicates directly with an authenticating web page and needs to install its own Authenticator.
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  


Author Comment

ID: 40396334
LVL 15

Accepted Solution

Haris Djulic earned 500 total points
ID: 40397130

Author Comment

ID: 40397812
thanks samo4fun, these are very good links, much appreciated,
a follow on questions to this, can JRE security settings be managed centrally? Just scouring through these articles, I get the impression you need to capture the configuration on one specific machine, copy the files and deploy those config files to the target machines, my question comes if we need to make a change, we would need to repeat the steps again?
This is doable, but I just need to understand if there are anything we can go using native GPO to manage all the settings centrally?
LVL 15

Expert Comment

by:Haris Djulic
ID: 40398345
Since you are creating GPO and then applying it to desired OU if you need to change something you will need to change/update the GPO and it will automatically been distributed to the OU i.e. PC in the OU..

And , yes you can manage the JRE using the GPO centrally since you (or someone else ) do that central domain server and it is distributed by GPO to all peers...

Author Closing Comment

ID: 40410042

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question