I want to secure our centrally managed computers better and it is very difficult to automatically deploy the java runtime, but how to do that is another question.
I find the security of Java catastrophic, even if it is fully patched: It looks like if the user says yes to the innocent question "Do you trust this certificate", java can do whatever it wants. Java webstart also seems to be a universal entry point for malware authors.
In general, I don't care for my users playing browser games, etc. Java applets seem to be extinct anyway.
But there is one page left (Ingramm Micro shopping system) which relies on Java.
Does anybody know an easy way to configure IE or java via group policy to only ever allow java plugins on certain preconfigured sites?
Thanks!
Excellent question. Ironically, this very functionality was exposed in the older Microsoft JVM (10 years ago).
Controlling Java in Internet Explorer
https://blogs.msdn.com/b/ieinternals/archive/2011/05/15/controlling-java-in-internet-explorer.aspx
Recently, there’s been some interest in how to control the use of Java within Internet Explorer. Java is a unique form of extensibility because it can be invoked in two ways:
These two invocation methods are subject to different security controls, which I’ll describe in today’s post.
Controlling Applet Tags
When Internet Explorer encounters an APPLET tag, it checks the URLACTION_JAVA_PERMISSIONS value to determine whether the APPLET should be loaded. If the value is URL_POLICY_JAVA_PROHIBIT, then the APPLET tag is prevented from loading the JVM. In earlier versions of Internet Explorer, when a Microsoft JVM was available, this URLAction was exposed on the Tools > Internet Options > Security > Custom… dialog, but it has since been removed.
You can use the Group Policy Editor to control the URLAction under the node \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\ZoneID:
Alternatively, you can make a small registry tweak to add the JVM Options entry back to the Internet Control Panel:
The registry script takes advantage of the fact that the Internet Control Panel UI is extensible via the registry; it simply creates a new item that adjusts the values of the URLACTION_JAVA_PERMISSIONS URLAction.
If you adjust the Internet Zone settings from “High Security” to Disable (URL_POLICY_JAVA_PROHIBIT) any site attempting to use an APPLET tag will find that the applet does not load and a notification is shown:
Controlling Object Tags
Unfortunately, when a site uses an OBJECT tag to load Java, an entirely different codepath is executed. In the OBJECT tag case, the JAVA_PERMISSIONS URLAction isn’t consulted, because as far as Internet Explorer is concerned, this might be any type of OBJECT. Instead, the traditional ActiveX-controlling features are consulted (e.g. ActiveX Filtering, Per-Site ActiveX, Manage Add-ons, etc). You can use IE’s Tools > Manage Add-ons feature to examine or adjust the state of the Java Plug-in object:
Note: I’m told that the Java Plug-In SSV Helper Browser Helper object should not be disabled, as it ensures that websites may not attempt to load older (insecure) versions of the JVM you may have installed. However, you’ll notice that you pay a performance penalty on tab startup to load this BHO—this is one of the many reasons I don’t install Java on my PCs.
If you select the Java Plug-in, you can click the Disable button to prevent Java from being loaded by an OBJECT tag. Alternatively, if you click the More Information link, you can clear the * from the list of sites on which the Java Plug-in may run:
If you subsequently visit a site that attempts to invoke Java as an OBJECT tag, you will see a notification bar prompting you for permission to run Java on the current site.
So, if you want to permit Java to run only in the Intranet and Trusted Sites zones:
Step #1 will ensure that only Intranet Zone and Trusted Zone sites may load Java for APPLET Tags. Step #2 will ensure that the Java Plug-in will not load as an OBJECT on Internet Zone sites; a notification will be shown instead. Because Intranet and Trusted Sites ignore the Per-Site ActiveX list, you won’t see any additional warnings on those sites.
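As an added example (not from the original post, the MSDN article, or Microsoft), the following PowerShell script applies both steps from the answer on one machine and reads the result back. Step 1 writes URLACTION_JAVA_PERMISSIONS (registry value name `1C00`) per zone: URL_POLICY_JAVA_HIGH for Intranet (1) and Trusted Sites (2), URL_POLICY_JAVA_PROHIBIT for Internet (3) and Restricted Sites (4). Step 2 replaces the `*` wildcard in the Java Plug-in's Per-Site ActiveX list with explicit hosts. The Policies-hive zone key, the Java Plug-in CLSID, the `AllowedDomains` location and the host `shop.example.com` are assumptions made for this example; confirm the CLSID under Tools > Manage Add-ons > Java Plug-in > More Information on a reference machine before deploying.

```powershell
# Added example (not from the original post or from Microsoft): apply both
# steps from the answer above on one machine, then read the result back.
#   Step 1 - URLACTION_JAVA_PERMISSIONS (registry value name "1C00") per zone,
#            written to the Policies hive used by the Security Page policies.
#   Step 2 - replace the "*" wildcard in the Java Plug-in's Per-Site ActiveX
#            list with an explicit list of hosts.
# Run from an elevated PowerShell session in the context of the user to lock down.

$UrlActionJava  = '1C00'        # URLACTION_JAVA_PERMISSIONS = 0x1C00
$PolicyProhibit = 0x00000000    # URL_POLICY_JAVA_PROHIBIT  ("Disable")
$PolicyHigh     = 0x00010000    # URL_POLICY_JAVA_HIGH      ("High safety")

# Assumption: this is the machine-wide key the Internet Control Panel
# Security Page policies write to; zone IDs are 1=Intranet, 2=Trusted,
# 3=Internet, 4=Restricted.
$ZonesPolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Set-JavaZonePermissions {
    param([hashtable]$ZoneToPolicy)   # e.g. @{ 3 = $PolicyProhibit }
    foreach ($zone in $ZoneToPolicy.Keys) {
        $key = Join-Path $ZonesPolicyKey $zone
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -LiteralPath $key -Name $UrlActionJava -PropertyType DWord `
            -Value $ZoneToPolicy[$zone] -Force | Out-Null
    }
}

function Get-JavaZonePermissions {
    # One object per zone, so the state can be logged or diffed against a baseline.
    foreach ($zone in 1..4) {
        $key = Join-Path $ZonesPolicyKey $zone
        $val = (Get-ItemProperty -LiteralPath $key -Name $UrlActionJava `
                    -ErrorAction SilentlyContinue).$UrlActionJava
        if ($null -eq $val)               { $label = 'Not set (zone default)' }
        elseif ($val -eq $PolicyProhibit) { $label = 'Prohibit' }
        elseif ($val -eq $PolicyHigh)     { $label = 'High' }
        else                              { $label = '0x{0:X8}' -f $val }
        [pscustomobject]@{ Zone = $zone; JavaPolicy = $label }
    }
}

# Assumptions for step 2: the CLSID below is the one Manage Add-ons shows for
# the Java Plug-in, and AllowedDomains is where IE keeps its Per-Site ActiveX
# list. This key is per user (HKCU), so it must be written in the user's context.
$JavaPluginClsid   = '{8AD9C840-044E-11D1-B3E9-00805F499D93}'
$AllowedDomainsKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$JavaPluginClsid\iexplore\AllowedDomains"

function Set-JavaPluginAllowedSites {
    param([string[]]$Hosts)
    # Drop the "*" entry (Java allowed as an OBJECT on every site)...
    # -LiteralPath is essential here: a plain -Path would treat "*" as a wildcard.
    $wildcard = Join-Path $AllowedDomainsKey '*'
    if (Test-Path -LiteralPath $wildcard) {
        Remove-Item -LiteralPath $wildcard -Recurse -Force
    }
    # ...and create one subkey per permitted host instead.
    foreach ($h in $Hosts) {
        $key = Join-Path $AllowedDomainsKey $h
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
    }
}

# Step 1: APPLET tags may load Java only in Intranet and Trusted Sites.
Set-JavaZonePermissions @{ 1 = $PolicyHigh; 2 = $PolicyHigh; 3 = $PolicyProhibit; 4 = $PolicyProhibit }

# Step 2: OBJECT tags may load the Java Plug-in only on the listed hosts
# (constructed sample host; put the shop's real host name here).
Set-JavaPluginAllowedSites -Hosts @('shop.example.com')

# Read back the zone state for verification or for a compliance log.
Get-JavaZonePermissions | Format-Table -AutoSize
```

Because the answer notes that Intranet and Trusted Sites ignore the Per-Site ActiveX list, the shop site should also be placed in the Trusted Sites zone (the "Site to Zone Assignment List" policy does this centrally); otherwise it sits in the Internet zone, where step 1 prohibits APPLET tags regardless of step 2. For fleet-wide deployment, step 1 belongs in the Security Page GPO rather than a script, and step 2, being per user, is best delivered as a logon script or a user-side Group Policy Preference.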