Security Tip: Block Internet Explorer invocation of Java with Group Policy

Given the non-stop barrage of security vulnerabilities being found and exploited in Java, every Systems Administrator should disable Java for Internet Explorer or have a really good reason not to. (Don’t worry, we can still cater for you if you have specific sites that require Java!)

Unfortunately it is notoriously hard to do. Microsoft had a go but US CERT found Microsoft’s method didn’t block it completely. US CERT’s KB article provides a registry file which blocks the invocation of Java Web Start for non-trusted sites.

I’ve converted the registry file into xml files ready for importing into Group Policy registry preferences. You’ll need two, one in a user policy and one in a computer policy.
For your convenience you can download them below.

Please test before using at your own risk!

https://dl.dropbox.com/u/1683671/Group%20Policy/DisableJava_ComputerRegistry.xml

https://dl.dropbox.com/u/1683671/Group%20Policy/DisableJava_UserRegistry.xml

Then just add any business sites that require Java to your trusted sites list. If you want to do it through Group Policy check out Alan Burchill’s article on IE Site Zone mapping but in my experiences only a couple of people have needed sites with Java and I add them on a per-user basis.

This is a low effort, maximum gain security tip for your organisation (just make sure you test that it actually is disabling it as it should!)

This entry was posted in Admin Tips and tagged . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

Leave a Reply