When the Department of Homeland security suggests that we temporarily disable Java until the dust settles (http://www.us-cert.gov/current/#us_cert_releases_oracle_java) , it’s nice to know that all PolicyPak customers have the fire extinguisher ready to rock at any time.
Here’s exactly how to use PolicyPak to put out the Java fire:
How to Manage the security slider in Java 7:
It’s great when you can use your own tools like Group Policy (or SCCM, etc) with PolicyPak to manage Java, remediate the problems and deal with the problems with the Java sandbox now, diabling Java entirely, until they’re fixed and you have time to roll out the new version of Java 7.
These “0 Day” exploits and vulnerabilities aren’t only seen by Java and Oracle. It’s a modern fact that many products (for which PolicyPak has preconfigured Paks for) could be affected at any time.
So, having PolicyPak ready to go in these emergency situations is paramount.
It’s not “enough” to know about the problem.
You need the tools in place to FIX and remediate the problem !
PolicyPak: Turn off Java immediately on all machines video transcript
Hi, everyone. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how to very quickly disable Java on all of your machines if there’s an outbreak or something you need to correct for.
As of right now, there’s an exploit out there. This can happen for any number of applications. In this particular example, I’m going to deal with Java. There have been exploits like this for Acrobat and other types of applications. If you are a PolicyPak customer, you have the fire extinguisher for when the next problem occurs. This video is going to show you exactly how you would fix that if you were a PolicyPak customer.
With that in mind, let’s make sure I actually have Java running. What I’m going to do is go to the “Control Panel” on this example machine and go to “java” here. Let’s go ahead and go to the “Java” tab and click “View….” You’ll see here I’ve actually gone the extra mile. I’ve actually got Java “1.6” and “1.7” installed, and you can see that right here. What happens if you’ve got two versions of Java installed? What are you going to do then? Let’s correct all these problems all in one shot by delivering the setting that will un-“Enable” Java here.
Let’s really make sure it’s really working and I’m not pulling a fast one on you. What I’m going to do is I’m going to go to “Internet Explorer” first and I’m going to run “java test.” Let’s just see if Java is functioning properly in the two main browsers here. Here’s “java test.” “How do I test whether Java is working on my computer?” This is the kind of prompt a user would get. They would click run, and sure enough, Java is working.
Let’s go to “Firefox,” and we will also do “java test.” Let’s see. Is it working here? Yes. You can see, Java is in fact registering and working. You can see it’s listing the Java version right there, and it’s listing the Java version right there.
If you are a PolicyPak customer, it’s very simple. Let’s go over to our management station. Here on my management station, I’ve got all my “PreConfigured PolicyPaks.” PolicyPak ships with over 50 preconfigured Paks for popular applications like Flash, Firefox, Acrobat Reader, FileZilla, Office, Lync – all sorts of applications that if a vulnerability occurs and a manufacturer makes a suggestion for what to flip on or off, you can deliver and enforce and remediate that setting using PolicyPak.
I’ve already gone through the motions and copied in the right file to the right place here. What I’m going to do is I’m going to do this for my entire domain. For my entire domain, I’m going to “Stop Java Everywhere.” I’m going to right click over and click “Edit…” here. Under computer side “PolicyPak/Applications/New/Application,” here are just some of the Paks that I’ve slid in in advance. I’ve got “Adobe Reader,” “Flash,” “Chrome,” “Firefox” and here’s “Java.” These are some of the applications that you could control.
Here’s “Java,” and we’ll go ahead and pick the latest, greatest version here. Now that we’re here, this looks exactly like the Java application itself, the knobs and the switches and such. What you’re going to want to do here is go to the “Miscellaneous” tab here.
The way that this happens to work is that based on the order that you installed each of your Javas in – for instance, if you did Java 6 first and Java 7 second – you’d be able to enable or disable each of these guys. What we want to do here is deliver uncheck, and therefore we’re going to disable both “Java 0” and “Java 1,” which is both of those Java versions.
Now while we’re here, let’s go into some other settings here. I want to, for instance, also while I’m here disable “Shortcut Creation” and also “Lockdown this setting using the system-wide config file” so users can’t work around it. I’ll also do the same thing for the “Java Console.” I will make sure that users can’t start the Java Console. I’m just doing those extra settings for fun.
All we’re going to do next is wait for Group Policy to update. We’ll use “gpupdate” in order to do that here. Now that we’re done, let’s first go over to “java” here and let’s see what occurred. Let’s go over to “Advanced,” and you can see here those settings that I specifically set to “Never allow” and “Do not start console,” plus I locked down those features so users can’t work around it.
Let’s also go over to the “Java” tab and go to “View…,” and you can see here that both of those checkmarks are now disabled. If we were to try to rerun Internet Explorer and we were to go to “java test” – we’ll run it here – you’ll get nothing, which is exactly what you need during this emergency situation. If we go over to “Firefox” and we do the same thing and we run “java test,” you can see once again Java is disabled during this emergency situation. How would you re-enable it? You’ve got PolicyPak.
Just to put a fine point on it, like I said, PolicyPak ships with tons of preconfigured Paks for all sorts of situations. This is not the first time, and certainly not the last time, a vendor will suggest – or in this case, the Department of Homeland Security suggests – that you disable an application or a particular checkbox which would involve some kind of threat vector.
With that in mind, I hope this gives you some insight on how you can immediately fix your problem as the problem is being addressed by the vendor, which can sometimes take days, weeks or sometimes months.
Thank you very much for watching. If you’re looking to get a demo of PolicyPak, come on over and we’ll show you what it’s all about. Click on the Webinar/Download button on the right in the PolicyPak.com website.
Thanks so much, and we’ll talk to you soon.
How to Manage the security slider in Java 7 video transcript
Hi, everyone. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. We’ve been getting some questions about how to manipulate and manage Java with all the nonsense that came out in January 2013. One of the things that we got asked about is, how do we manage this “Security” slider and also lock it down so users can’t work around it?
As you can see, I’m logged on here as a guy called “westsalesuser4.”Of course, what you don’t want to do is let your users reduce their own security. That would not be good, so don’t let them do that. You may also want to update or change this checkmark here. In fact, if you were to do this with admin rights and you click “Apply,” you would see that the user is prompted for admin credentials – not good.
What you’re looking for is a way to manipulate and manage this setting without the use of admin rights, and PolicyPak can deliver the setting regardless of the status of the user. If I do give some admin rights here, you can see what happens. It will gray this out. That’s all well and good, but then again a user would need admin rights in order to deal with this. That’s very cumbersome and not very popular.
Instead, what we’re going to do is we’re going to use PolicyPak to manage these settings and ensure that this stuff is delivered the way you want – maybe “Very High” security – and also locked down so users can’t work around it. Let’s go ahead and do that now.
I’ve already got the preconfigured Pak for Java ready to rock on my management station. I’m going to “Manage Java using PolicyPak.” We’ve got some other videos on the website for you to check out to do some other tricks with Java and PolicyPak, but this is an update video here.
You can do this either on the “User” side or the “Computer” side. We’ll go to “New/Application” and we’ll just go ahead and pick “PolicyPak for Java Control Panel (Windows 7)” here. Now you can see I’ve got some other cool Paks here like “Adobe Reader” and “Firefox” and “WinZip.” There are over 50 other preconfigured Paks, but we’re dealing with Java right now.
When we click it, what I want to help you go to is this “Security Main.” I have a tab here called “Security Main.” We don’t have a slider for that, but what we do have is a drop down. You can see that we’ve set “High,” “Medium,” “Low” and “Very High.” When you click on something in PolicyPak when it underlines, underline means we’re going to deliver that setting. Let’s just do nothing else. Let’s just deliver that setting just like that.
Just to prove we’re not pulling a fast one on you here, if I show you here, you can see it’s currently set to “Medium” as regular user. What I’m going to do is run “gpupdate” here, get the latest, greatest Group Policy settings. Now I happen to be using Group Policy for this. You don’t have to. You can, if you want to, use SCCM or LANDesk or KACE or Intune or any other technology to deploy your settings using PolicyPak. I just happen to be using Group Policy.
When I click on “Java” here and I go back to “Security,” it’s set to “Very High.” That’s fantastic, but still a user could work around the setting and just click “Apply.” That’s not something you want your users to be able to do. However, one of PolicyPak superpowers is that just by default even if they’re offline PolicyPak will continuously reiterate those settings. Even if the computer is offline or in a basement or a submarine or something, those settings are always remediated and ensured.
But actually, we’re going to go the extra mile. We’re going to lock this puppy down and make sure that users can’t work around it. I’ll leave it at “Very High” just to prove a point here. What the heck? I’ll go to “Medium” and we’ll do two birds with one stone. I’ll go ahead and click “OK” here.
I’ll go back. Let’s go back to the “Group Policy Management Editor” here and go back to that “Security Main” tab. What we want to do here is we want to right click and “Lockdown this setting using the system-wide config file.” By doing this setting, what I’m doing is I’m delivering another change to Java which will lock that whole slider down so users can’t work around it.
Now that that’s done, let’s click back on “Java” here, go back to “Security” and there you go. It’s set to “Very High,” and users can’t work around it. You may also come up with a situation where you want to uncheck this checkbox, the “Enable Java Content in the browser.” But if you tell you users to do it, they’re going to get prompted with “User Account Control” credentials – not what you want to do. Instead here, it says “Only disabled for this user.” You want to disable it for everybody.
To be on the super clear side to make sure everybody gets this, we’re going to use Group Policy and PolicyPak to do it. Just to prove a point here, it’s now currently set. Let’s uncheck it and also lock this setting out so the user cannot work around it to enable it or disable it and don’t get the UAC prompt. Let’s go ahead and do that together.
We’ll go back here to PolicyPak. We’ll go click on the “Security Main.” We’ll uncheck this checkbox to “Enable Java Content in the browser.” What we’ll also do, we’ll right click this guy and “Lockdown this setting using the system-wide config file.” By doing that, the next time we run “gpupdate” on the client system, we’re getting the latest, greatest settings using Group Policy to deliver this, which will react for all users on the system, not just this one particular user.
We’ll wait until this is finished, go ahead and rerun “Java,” and when we do this – click on “Security – you can see that it’s disabled. It says “Only disabled for this user,” but it’s not. It’s actually disabled for every user, and I can prove that by logging off and logging on as, say, a new user, a guy that’s never logged on before. Let’s go ahead and do that now.
I’m logged on as a guy called “westsalesuser4.” Let me go ahead and “Log off” here, and I’m going to log on as a new guy called “westsalesuser3.” Give it a second to log on. Okay, now that we’re all logged on, we’re now “westsalesuser3.” Let’s go over to “Control Panel.” We’ll type in “java” here. We’ll go over to “Java,” take a look at “Security” and you can see that it is in fact set to uncheckable for that user and also the security is maintained at “Very High.”
I hope this helps you out. We have tons of preconfigured Paks for lots of applications. The next time a big security fire hits if you are a PolicyPak customer, you’ve got this enormous arsenal to help remediate and deliver and enforce settings just like you saw it here in the “Java Control Panel” applet.
Thanks so much. Talk to you soon.