+ Post New Thread
Results 1 to 9 of 9
Windows 7 Thread, Trying to prevent JAR files from being run...using software restiction policy in Technical; I've got a software restriction policy which blocks for example EXE's from running: Setup is windows 7, 32 & 64 ...
  1. #1
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,347
    Thank Post
    85
    Thanked 47 Times in 33 Posts
    Rep Power
    31

    Trying to prevent JAR files from being run...using software restiction policy

    I've got a software restriction policy which blocks for example EXE's from running:

    Setup is windows 7, 32 & 64 bit clients and server is 2008 R2.

    Policy details are:

    Apply software restriction policies to the following : All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users : All users
    When applying software restriction policies : Ignore certificate rules

    Designated File Types
    ADE Microsoft Access Project Extension
    ADP Microsoft Access Project
    BAS BAS File
    BAT Windows Batch File
    CHM Compiled HTML Help file
    CMD Windows Command Script
    COM MS-DOS Application
    CPL Control panel item
    CRT Security Certificate
    EXE Application
    HLP Help file
    HTA HTML Application
    INF Setup Information
    INS INS File
    ISP ISP File
    JAR Executable Jar File
    LNK Shortcut
    MDB Microsoft Access Database
    MDE Microsoft Access MDE Database
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST MST File
    OCX ActiveX control
    PCD PCD File
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen saver
    SHS SHS File
    URL Internet Shortcut
    VB Visual Basic Source file
    WSC Windows Script Component

    Trusted publisher management : Allow all administrators and users to manage user's own Trusted Publishers
    Certificate verification : None

    Default Security Level : Disallowed

    I then have some Software Restriction Policies/Additional Rules to allow software to run from "allowed locations".

    If I disable the policy then users can run test executables from say the D:\
    If I enable the policy then users cannot run test executables from the D:\


    However, I cannot seem to stop JAR files from being run.

    I must be missing something obvious but cannot work this one out

  2. #2


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,701
    Thank Post
    352
    Thanked 805 Times in 720 Posts
    Rep Power
    348
    I suspect the jars are being launched from javaws.exe as a process which will be falling outside of your D:\ block.

  3. #3
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,347
    Thank Post
    85
    Thanked 47 Times in 33 Posts
    Rep Power
    31
    I am logging in as a test user and double clicking directly a *.jar file....

    Just to say this is obviously a user based policy not computers based...

  4. #4


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,701
    Thank Post
    352
    Thanked 805 Times in 720 Posts
    Rep Power
    348
    I appreciate what you're saying but this is like saying double clicking a docx file doesn't actually open word.

    Have a look in task manager before and after you open the jar, I suspect it will be javaws.exe you see.

  5. #5
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,347
    Thank Post
    85
    Thanked 47 Times in 33 Posts
    Rep Power
    31
    Quote Originally Posted by kmount View Post
    I appreciate what you're saying but this is like saying double clicking a docx file doesn't actually open word.

    Have a look in task manager before and after you open the jar, I suspect it will be javaws.exe you see.
    Thanks but won't blocking javaws.exe disable legitimate use of java? Or is that the only way?

  6. #6


    Join Date
    Feb 2007
    Location
    Northamptonshire
    Posts
    4,701
    Thank Post
    352
    Thanked 805 Times in 720 Posts
    Rep Power
    348
    Yeah, if you confirm it is javaws that is running you'll find it tougher to block them without risking other stuff.

    Are you looking to prohibit all jar's from D from executing? If so, you could consider using FSRM to stop them being stored there in the first place (and then search through and delete them). Not as 'clean' a solution as an outright block on *.jar that you'd be looking for but if you do need javaws then yeah I think things will be a bit tougher without some third party software like Impero which could possibly do it.

  7. #7
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,347
    Thank Post
    85
    Thanked 47 Times in 33 Posts
    Rep Power
    31
    I am trying now to see if a computer policy can restrict JAR files!

    I've created a simple software restriction policy:

    Apply software restriction policies to the following All software files except libraries (such as DLLs)
    Apply software restriction policies to the following users All users except local administrators
    When applying software restriction policies Ignore certificate rules


    Default Security Level Disallowed

    I've added some extra path rules to allow software to run from our "SAFE" network locations:

    Path Ruleshide
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    Security Level Unrestricted
    Description
    Date last modified 04/11/2013 12:39:15

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Cur rentVersion\ProgramFilesDir%
    Security Level Unrestricted
    Description
    Date last modified 04/11/2013 12:39:15

    \\fp4\SHApps
    Security Level Unrestricted
    Description
    Date last modified 04/11/2013 12:53:51

    N:\
    Security Level Unrestricted
    Description
    Date last modified 04/11/2013 13:06:03

    However when I apply this policy ONLY local applications can run, anything from the N:\ drive is blocked

    Not sure why?

    It's the same way I've setup the USER policy...

  8. #8
    free780's Avatar
    Join Date
    Sep 2012
    Posts
    1,078
    Thank Post
    46
    Thanked 87 Times in 82 Posts
    Rep Power
    23
    You may need to configure deployment rulesets for java. To basically block all java or dont install java unless its needed for certain domains which you can allow in drs.

  9. #9
    kennysarmy's Avatar
    Join Date
    Oct 2005
    Location
    UK
    Posts
    1,347
    Thank Post
    85
    Thanked 47 Times in 33 Posts
    Rep Power
    31
    I think the reason I thought nothing from the N:\ drive was working was that I did nt put the desktop location in the path rules:

    I could navigate to N:\ and run software fine, but when I ran shortcuts from the desktop they did nt work - it looked like it was the N:\ drive that was blocked!

    I've now been able to create a computer based policy that blocks JAR files from running from memory sticks and the like and yet keep JAR files from running from our controlled network location - this is because the Head of IT is running a custom Minecraft server.

    Just need to do a bit more testing in the morning - but looks like it's working a charm - and it keeps JAVA working for other websites etc too.

    Hopefully!



SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 43
    Last Post: 8th September 2013, 03:43 AM
  2. Replies: 4
    Last Post: 7th March 2013, 12:13 PM
  3. Replies: 1
    Last Post: 22nd February 2012, 01:10 PM
  4. Prevent certain named files from being saved
    By bondbill2k2 in forum Windows
    Replies: 13
    Last Post: 30th January 2012, 12:20 PM
  5. Replies: 0
    Last Post: 18th February 2011, 11:38 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •