Mobile codes hardening & management guideline : more for Flash, Java applet/runtime, MS Office macros

Ok further to an earlier post, I don't have the option to move out of IE & Adobe products (namely
Adobe Flash player, Acrobat/Reader,  Shockwave).

So I'll need specific hardenings & settings to make them more secure: attached is a draft I've got
but I'll need more such specific settings for Adobe Flash player, Java applets & Java Runtime
(I got a fair bit of Javascripts) & MS Office hardenings (& management of macros).

Much appreciated if anyone can add in some inputs on hardening/securing of these mobile codes.

Too much are intertwined that I can replace these Adobe products

David Johnson, CD, MVP (Retired) Commented:
Adobe Flash Player will soon be extinct.
Java Runtime is normally not needed in the browser. Java was introduced by Sun and Oracle has found to its dismay that security people used to refer to the Java 0-day exploit of the day. Basically Java needs a rewrite from scratch to be used securely in this internet age. Oracle is removing browser support, already deprecated in JRE 9 and to be entirely removed in the future.
Adobe Acrobat/Reader: disable scripting!
dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) Commented:
For Flash check the settings in the Control Panel.

You've got a whole bunch there.  See for an explanation.  I'm not sure which ones you'd want to choose in your organization.  Look at the privacy settings especially.

Also see and note the clearing out of the Flash folder as well.  You may wish to clear that folder out on startup.

As David Johnson says, Flash will become extinct, and unless your organization has a specific need for it, as in internal use, I would try and look at phasing it out. In five years' time Flash might be just a memory.

Java.  If you're stuck with supporting it ... then again in the Control Panel look at the settings there.

For Java you can have trusted sites and for some users you may not want Java to run in the browser.  If you've only got Java apps that last might be enough.
sunhux (Author) Commented:

Refer to above;  as many of our users access,  what's the most secure settings
for privacy, security  etc which will enable them to work ?
dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) Commented:
Storage - This one is tricky.  I'd normally say Block all sites from storing information on this browser.  This folder can be used for various purposes - see .

Data such as viewing history, game progress, preferences, or information about your computer.  (Taken from link above).  However it can also be used to track the user as well, much like cookies.  Because it is possible that you may need to use this folder leave it Allow sites to save information on this computer.

These instructions  show you how to clear that folder out to ensure privacy.

Camera and mic -- unless you've got a need for it Block all sites from using camera and mic.  Most Flash is just used for observing and not interaction.

Peer-assisted networking - Block all sites from using Peer-assisted networking.

Updates - Allow Adobe to install updates (recommended).  This may be grayed out on your system, it is on mine.  I believe but can't confirm that Windows is ensuring it is updated.

sunhux (Author) Commented:
Is Adobe Flash player = Adobe Shockwave player?  We have Shockwave installed on our 3500 PCs.

My take is rather close to DbRunton's ie:
Storage : to prompt (as I'm not certain if video streamed into our PCs is under this category, so it will prompt users)
Camera, Mic  &  Peer-assisted : I set it to "Block All sites"
Updates --> Allow Adobe to install updates (recommended)
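
The settings agreed above (camera/mic and peer-assisted networking blocked, updates allowed), checked against a Flash Player `mms.cfg` administrator file. This is an added example, not part of any post in the thread; using `mms.cfg` and the keys `AVHardwareDisable`, `RTMFPP2PDisable` and `AutoUpdateDisable` is this example's assumption, and the sample file is constructed.

```python
# Added example: audit a Flash Player mms.cfg against the thread's choices.
# mms.cfg is not mentioned in the thread; auditing it is an assumption here.

# What the thread settled on -> (mms.cfg key, value that enforces it)
BASELINE = {
    "camera and mic blocked": ("AVHardwareDisable", "1"),
    "peer-assisted networking blocked": ("RTMFPP2PDisable", "1"),
    "updates allowed": ("AutoUpdateDisable", "0"),
}


def parse_mms_cfg(text):
    """Return {key: value} from 'Key = Value' lines; a later line overrides."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(text):
    """Return (setting, key, value_found) for each baseline item not enforced.

    A missing key is reported with None: the file then does not pin the
    setting, so it is left to the per-user Control Panel choice.
    """
    found = parse_mms_cfg(text)
    findings = []
    for label, (key, want) in BASELINE.items():
        have = found.get(key)
        if have != want:
            findings.append((label, key, have))
    return findings


# Constructed sample file: P2P left enabled, update key never set.
SAMPLE = """\
# constructed sample mms.cfg
AVHardwareDisable = 1
RTMFPP2PDisable=0
SilentAutoUpdateEnable = 1
"""

if __name__ == "__main__":
    for label, key, have in audit(SAMPLE):
        print(f"NOT ENFORCED  {label}: {key} is {have!r}")
```
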
sunhux (Author) Commented:
After the "Updates" tab, there's this "Advanced" tab: possible to comment?

Adobe Flash player (I think this is = Adobe Macromedia player) is standalone while
Shockwave is to play content of destination using Adobe Redirector
dbrunton (Quid, Me Anxius Sum? Illegitimi non carborundum.) Commented:
In the Advanced tab you can remove all Flash content from all browsers on the computer.  I think you only have Internet Explorer and you probably won't need to use that.

Also the Deauthorize button probably won't be needed.  I can't see people putting purchased content on the device and leaving it there.  And if these are business machines they'd be wiped before being resold.

Flash and Shockwave are different products.

I haven't used Shockwave player for a long time so I can't comment on the settings for that.  It's another technology whose time is passing or has passed.