Java Security Configuration On Windows Systems

Java has received a lot of (bad) press in the past year or two due to a variety of serious security problems. The most recent versions of Java correct the majority of these problems, but have introduced some features that can be complicated to configure and can be a problem for some web sites, or web-based tools -- especially those that are old and may not reflect the current thinking needed to solve these problems.

In very broad terms, Java provides the ability to download and run code of various types from other computers over the network. This includes computers on the internet, and so provides a great vehicle for "bad guys" to introduce exploit code onto your system. A key tool to thwart such attempts is to require that this kind of remote code be digitally signed by its author. This allows users to confirm hat the code has not been altered since it was signed, and allows you to decide whether or not to trust the code depending on the trustworthiness of its signer.

Note: Unless it is required, browser-based java should be disabled entirely. If it is needed, it can be enabled, but should be configured as follows.

Note that many web sites don't use Java at all, and in many cases, the ability to run Java from within your web browser can be disabled entirely. If you don't need it, this is definitely the safest mode of operation. Within the Java control panel on windows, the "Security" tab provides controls for this purpose. Simply launch the Windows Control panel, select "Programs and Features' and click on "Java" to bring up the java control panel. Alternatively, you can simply run the control panel directly by invoking:

  • C:\Program Files\Java\Jre7\bin\javacpl.exe           (on 32-bit windows systems)
  • C:\Program Files (x86)\Java\Jre7\bin\javacpl.exe   (on 64-bit windows systems)

Once the Java control panel is running, select the "Security" tab at the top. This produces a display that should look like the following (note: this shows browser Java enabled... This should be true only if it is needed.

 The security tab of the Java Control Panel on Windows, showing java enabled in the browser with High Security selected.

 

Note that the "High" security setting indicated on the slider requires that java applications can be run if they have a valid, trusted signature. Attempting to run such an application will produce a warning to the user and ask him or her to confirm the action after reviewing the signature. There will also be a checkbox allowing your to tell the system to trust other similarly signed applications in the future.

Selecting "Very High"  requires a valid, unexpired signature from an already trusted author.

The "Exception Site List" box contains a list of web sites or network locations from which applications will be allowed to run (after an appropriate warning/prompt). The "Edit Site List" button allows you to add sites to this list. For web sites, "https" sites are preferred. Locations on file shares can also be specified, but the text cautions that such locations are considered a security risk. In our environment, enabling the use of central fileservers, or other trusted systems on site is a relatively low risk and is a reasonable approach to enable critical applications.  It is reasonable to add JLab sites and other, well known and trusted sites. The "Add a site" box looks like:

 Dialog box for adding trusted sites tot eh Java security configruation on Windows.

You can click "Add" and add sites that are trusted to provide code to download and execute. If possible, all sites added to the trusted list should use https (SSL-enabled).