Securing the Java Runtime Environment

When many business applications require multiple versions of Java, securing the Java Runtime Environment is of paramount importance. This blog post forms part of a Java series including:

Java Deployment Rule Set and Active Directory Certificates

Java Deployment Rule Set and Self Signed Certificates

Java Runtime Environment (JRE) is used extensively in the enterprise for Rich Internet Applications (RIA) launched from the browser, and local Java-based desktop applications.

It’s difficult to support Java if every user has a different configuration, and coupled with this it’s not advisable to let users configure Java themselves due to the security implications.

Luckily its easy enough to lock down JRE settings with a few configuration files.

Securing the Java Runtime Environment

First start by creating the file: C:\Windows\Sun\Java\Deployment\deployment.config. The file MUST exist in this location. And paste and save the following inside the file:

deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

The first setting points to the location of the deployment.properties file – this file will ultimately configure and lock down the Java settings. We can store this file on a network but it’s advisable to keep it locally (see below), and due to it being a system-wide setting it should be in a per-machine location. Hence for simplicity we keep it in the same location as the deployment.config file.

The second setting enforces that the deployment.properties file is used. If the file cannot be located when mandatory is set to true (perhaps the file is stored on a network and the network location isn’t available) then Java will not load the application.

Create the deployment.properties file

Now we can start configuring and locking down the settings. For JRE 7 (which is what we are locking down) we can see which Java settings are configurable. Unfortunately not all settings are documented, but it’s a decent guide for most.

Create the file: C:\Windows\Sun\Java\Deployment\deployment.properties, then paste and save the following inside the file:

#*************************************
#************GENERAL TAB*************
#*************************************
deployment.proxy.type=PROX_TYPE_BROWSER
deployment.proxy.type.locked
deployment.javapi.cache.enabled=true
deployment.javapi.cache.enabled.locked
#*************************************
#************UPDATE TAB*************
#*************************************
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.expiration.decision=NEVER
deployment.expiration.decision.locked
deployment.expiration.decision.suppression=true
deployment.expiration.decision.suppression.locked
deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
#*************************************
#************SECURITY TAB*************
#*************************************
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.webjava.enabled=true
deployment.webjava.enabled.locked
deployment.user.security.exception.sites=C\:/WINDOWS/Sun/Java/Deployment/exception.sites
deployment.user.security.exception.sites.locked
#*************************************
#************ADVANCED TAB*************
#*************************************
#Start Debugging
deployment.trace=false
deployment.trace.locked
deployment.log=false
deployment.log.locked
deployment.javapi.lifecycle.exception=false
deployment.javapi.lifecycle.exception.locked
#End Debugging
#Start Java console
deployment.console.startup.mode=HIDE
deployment.console.startup.mode.locked
#End Java console
#Start Shortcut creation
deployment.javaws.shortcut=ASK_IF_HINTED
deployment.javaws.shortcut.locked
#End Shortcut creation
#Start JNLP File/MIME association
deployment.javaws.associations=ASSOCIATION_ASK_USER
deployment.javaws.associations.locked
#End JNLP File/MIME association
#Start Application installation
deployment.javaws.install=IF_HINT
deployment.javaws.install.locked
#End Application installation
#Start Secure environment execution
deployment.security.askgrantdialog.show=true
deployment.security.askgrantdialog.show.locked
deployment.security.sandbox.awtwarningwindow=true
deployment.security.sandbox.awtwarningwindow.locked
deployment.security.sandbox.jnlp.enhanced=true
deployment.security.sandbox.jnlp.enhanced.locked
deployment.security.clientauth.keystore.auto=true
deployment.security.clientauth.keystore.auto.locked
deployment.security.jsse.hostmismatch.warning=true
deployment.security.jsse.hostmismatch.warning.locked
deployment.security.https.warning.show=false
deployment.security.https.warning.show.locked
#End Secure environment execution
#Start Mixed code
deployment.security.mixcode=ENABLE
deployment.security.mixcode.locked
#End Mixed code
#Start Perform certificate revocation checks
deployment.security.revocation.check=ALL_CERTIFICATES
deployment.security.revocation.check.locked
#End Perform certificate revocation checks
#Start Check for certificate revocation - *bug* only locks if deployment.security.revocation.check=NO_CHECK
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
#End Check for certificate revocation
#Start Advanced security settings
deployment.security.browser.keystore.use=true
deployment.security.browser.keystore.use.locked
deployment.security.blacklist.check=true
deployment.security.blacklist.check.locked
deployment.security.password.cache=true
deployment.security.password.cache.locked
deployment.security.SSLv2Hello=false
deployment.security.SSLv2Hello.locked
deployment.security.SSLv3=true
deployment.security.SSLv3.locked
deployment.security.TLSv1=true
deployment.security.TLSv1.locked
deployment.security.TLSv1.1=false
deployment.security.TLSv1.1.locked
deployment.security.TLSv1.2=false
deployment.security.TLSv1.2.locked
#End Advanced security settings
#Start Miscellaneous
deployment.system.tray.icon=false
deployment.system.tray.icon.locked
#End Miscellaneous

Create the exception.sites file

Now create the file: C:\Windows\Sun\Java\Deployment\exception.sites. This file can remain blank for now. But adding application URLs to this list allows users to run RIAs that would normally be blocked by security checks. An example of an entry in this file might be:

https://www.whatever.com:8443/

A limitation of this file is that it cannot accept wildcards. I recently encountered an issue where a website would use a dynamic port range of around 20,000 ports! So rather than add 20,000 rows to site.exceptions (not advisable!) I created a Java deployment ruleset with an Active Directory code signing certificate. You can also create a Java deployment ruleset with a self signed certificate. With the ruleset.xml file you can specify wildcards for the port in a single rule.

Disable updates via the registry

Finally there are a few registry values that we can, to prevent Java from automatically updating. Bear in mind that this is for a 32-bit install of Java on a 64-bit platform, and hence the ‘Wow6432Node’ location:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy]
"EnableJavaUpdate"=dword:00000000
"EnableAutoUpdateCheck"=dword:00000000
"NotifyDownload"=dword:00000000
"NotifyInstall"=dword:00000000

And finally, we’re done!