Windows Thread, Setting Java Control Panel Security by GPO in Technical; Afternoon, We're running Java v7 update 45 across our school and we're wanting the default Security level set in the ...
  1. #1


    Setting Java Control Panel Security by GPO

    Afternoon,

    We're running Java v7 update 45 across our school and we're wanting the default Security level set in the Java Control Panel to be 'Medium'.

    Is there any way to force this out via GPO? I've had a look but can't seem to find the relevant path.

    Any help would be much appreciated

  2. #2
    free780's Avatar
    Set the setting on a PC, then copy the deployment.properties from the user's profile (AppData\LocalLow\Sun\Java\Deployment). Push that file out via GPP to c:\windows\sun\java, I think.

  3. #3

    fiza's Avatar
    Can anyone shed any light on this? How do you set the security level to Medium for all users using GPO?

  4. #4


    Quote Originally Posted by fiza View Post
    How do you set the security level to Medium for all users using GPO?
    Add the highlighted line to your deployment.properties file to set the security at the system level. I use Group Policy Preferences (Computer Configuration » Preferences » Windows Settings » Files) to copy the file to C:\Windows\Sun\Java\Deployment.

    Code:
    deployment.expiration.check.enabled=false
    deployment.expiration.decision.suppression=true
    deployment.expiration.decision=NEVER
    deployment.insecure.jres=ALWAYS
    deployment.security.level.locked
    deployment.security.level=MEDIUM
    deployment.security.mixcode.locked
    deployment.security.mixcode=HIDE_RUN
    deployment.webjava.enabled.locked
    deployment.webjava.enabled=true

    You will also need to copy a file called deployment.config to the same folder. This contains the two lines below.

    Code:
    deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
    deployment.system.config.mandatory=false
    Last edited by Arthur; 20th January 2014 at 04:16 PM.

  5. Thanks to Arthur from:

    DarrenShan (21st January 2014)
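
The two files from the post above, checked with an added PowerShell example (not code from the thread's authors): it parses both files and reports, per key, whether a `.locked` entry accompanies it and whether its value is on a watchlist of settings that relax a prompt or check. The function names and the watchlist are assumptions of this example.

```powershell
# Added example, not from the thread. The here-strings reproduce the two posted files.
$configText = @'
deployment.system.config=file\:C\:/WINDOWS/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=false
'@
$propertiesText = @'
deployment.expiration.check.enabled=false
deployment.expiration.decision.suppression=true
deployment.expiration.decision=NEVER
deployment.insecure.jres=ALWAYS
deployment.security.level.locked
deployment.security.level=MEDIUM
deployment.security.mixcode.locked
deployment.security.mixcode=HIDE_RUN
deployment.webjava.enabled.locked
deployment.webjava.enabled=true
'@
# Watchlist (an assumption of this example): values from the thread that relax a prompt or check.
$watch = @{ 'deployment.security.level' = 'MEDIUM'; 'deployment.insecure.jres' = 'ALWAYS'
            'deployment.expiration.check.enabled' = 'false'; 'deployment.security.mixcode' = 'HIDE_RUN'
            'deployment.system.config.mandatory' = 'false' }

function ConvertFrom-JavaProperties([string]$Text) {
    # Minimal reader: "key=value", "key:value" or a bare key; '#' and '!' start comments.
    $map = [ordered]@{}
    foreach ($line in ($Text -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -eq '' -or $line -match '^[#!]') { continue }
        if ($line -match '^((?:\\.|[^=:\\\s])+)\s*[=:]?\s*(.*)$') {
            $key, $value = $Matches[1], $Matches[2]
            # Drop escaping backslashes, so "file\:C\:/..." reads "file:C:/...".
            $map[($key -replace '\\(.)', '$1')] = $value -replace '\\(.)', '$1'
        }
    }
    $map
}

function Get-DeploymentAudit([string]$Text, [string]$Source) {
    $p = ConvertFrom-JavaProperties $Text
    foreach ($key in @($p.Keys | Where-Object { $_ -notlike '*.locked' })) {
        [pscustomobject]@{
            Source  = $Source; Key = $key; Value = $p[$key]
            Locked  = $p.Contains("$key.locked")   # a locked key cannot be changed by the user
            Relaxed = ($watch[$key] -eq $p[$key])  # value matches the watchlist entry
        }
    }
}

@(Get-DeploymentAudit $configText 'deployment.config') +
    @(Get-DeploymentAudit $propertiesText 'deployment.properties') | Format-Table -AutoSize
```

On a managed PC, pass `Get-Content -Raw` of each file under C:\Windows\Sun\Java\Deployment instead of the here-strings. Rows that are Relaxed but not Locked are settings a user can still override from their own profile.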

  6. #5

    fiza's Avatar
    Quote Originally Posted by Arthur View Post
    Add the highlighted line to your deployment.properties file to set the security at the system level.

    Code:
    deployment.expiration.check.enabled=false
    deployment.expiration.decision.suppression=true
    deployment.expiration.decision=NEVER
    deployment.insecure.jres=ALWAYS
    deployment.security.level.locked
    deployment.security.level=MEDIUM
    deployment.security.mixcode.locked
    deployment.security.mixcode=HIDE_RUN
    deployment.webjava.enabled.locked
    deployment.webjava.enabled=true

    @Arthur - I read that somewhere but can I find my deployment.config file anywhere? Nope!!! Looked in windows\sun\java\Deployment - it's empty!
    Looked in App Data - no mention of Sun or Java.

    Does this only work if you deploy Java via Group Policy in the first place?

  7. #6

    fiza's Avatar
    @Arthur - Scratch that last post. I found it.
    How would I add the line for every user?

  8. #7


    Quote Originally Posted by fiza View Post
    How would I add the line for every user?
    If you copy deployment.config and deployment.properties to C:\Windows\Sun\Java\Deployment on every PC with Java installed, the settings contained within deployment.properties will be applied to all users that log onto the computer.

  9. 2 Thanks to Arthur:

    DarrenShan (21st January 2014), fiza (21st January 2014)

  10. #8

    So we are venturing down the same path with the new Java security. We are having an issue with sites being blocked and needing to manually whitelist them. Has anyone managed to make the DeploymentRuleSet.jar file yet?

    I've created the .jar file and used the guides to combine the .xml file with the site exceptions. I'm running into issues though once I've signed the .jar with our wildcard .p12 and apply it to the sun\java\deployment folder.

    When I open up the Java configure panel and go to security, the blue hyperlink shows up, and it shows the contents of my .xml. But when I go to the site defined as "run" in the XML it says cannot verify self signed Deployment Rule Set jar...

    Is this an issue with the signing cert or my method?

  11. #9
    ADMaster's Avatar
    My guess would be your computer doesn’t trust the signing cert. However, I didn’t create a deployment rule set; I avoided all that by creating an exception.sites list.
    Add the path to your exception list in the deployment properties, copy it out with the same method. In my case I use SCCM, but GPP or a startup script works too.

    See my post in the other java thread for examples of my config file.
    Java Runtime Environment 7 Update 51 released. 36 vulnerabilities fixed!

  12. #10

    Oh wow, I will have to look into your exception.sites... I'm pushing to release SCCM site-wide and so far everything we have needed to change has been pushing for this.

  13. #11

    Could you post a copy of what your exceptions.sites looks like?

  14. #12
    free780's Avatar
    From my instructions when I did it.

    Create the jar file

    jar -cvf DeploymentRuleSet.jar ruleset.xml

    Then you need to generate a keystore.

    keytool -genkey -keyalg RSA -alias selfsigned -keystore java-keystore.jks -storepass password -validity 360 -keysize 2048

    The keystore will be valid for 1 year. The password will be password. The filename is java-keystore.jks. Store the file in a secure location when finished.

    Then you need to export a certificate.
    Copy the lcb-keystore.jks to c:\program files (x86)\java\jre7\bin

    keytool -exportcert -keystore java-keystore.jks -alias selfsigned -file Cert.cer

    Then you need to insert the cert into cacerts store in java 7.

    keytool -importcert -alias selfsigned -file Cert.cer -keystore "c:\program files (x86)\java\jre7\lib\security\cacerts"

    Copy the cacerts file so it can be deployed through GPP.

    You then need to sign the DeploymentRuleSet.jar file. You will need to download the JDK. The keystore will need to be copied to the same directory as jarsigner.exe.

    jarsigner -verbose -keystore java-keystore.jks -signedjar DeploymentRuleSet.jar DeploymentRuleSet.jar selfsigned

    I've only tested it, not got it out in production.

  15. #13

    Is this a txt file or jar file?

    deployment.properties
    deployment.config
    Last edited by LS-NetTech; 28th February 2014 at 07:42 PM.

  16. #14


    Quote Originally Posted by LS-NetTech View Post
    Is this a txt file or jar file?
    They are text files.
