Sequencing Java – The Definitive Guide Part 3
(Restricting access to insecure Java versions)

Back in Part 1, we established the reasons for virtualising Java along with best practices for doing so, and in Part 2, we went over how the new features of App-V 5.0 SP2 can cause problems with this solution.

The next step is to create either a DSC link or Connection Group between your application and the Java package. Typically the ‘application’ will be just an Internet Explorer shortcut pointing to a specific URL.

There is a problem with this approach, however. The user will typically not be aware of what is going on under the hood; they just know that for this website to work, they need to use this special Start Menu shortcut, as it won’t work by just typing the URL into their browser. Once the browser has been launched in the virtual environment with an insecure Java version (aren’t they all?), there is nothing preventing the user from continuing to use the session for their day-to-day browsing, where they might be unlucky enough to suffer at the hands of one of the many exploits in the wild. You can’t rely on the basic isolation that App-V provides as a security blanket either, as there are plenty of ways to break out of the sandbox.

This post describes a solution to lock down the virtualised instance of Java so that it can only be loaded by specific sites. There are a few different ways to pull this off, but the simplest solution I came up with was to configure the internet settings to put every site into Restricted Sites by default, then configure a domain whitelist to allow specific URLs to be assigned an alternate zone, such as Internet, Intranet, or Trusted Sites.

There are four locations in the registry that can store these settings, and they have a hierarchy as follows:

  1. HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  2. HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  3. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  4. HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Since HKLM\Software\Policies overrides all of the other locations, this is where we should place our configuration settings. All of these locations are ignored by default in App-V 5, so the registry settings on the client need to be reconfigured for this to work. Also, in App-V these settings are ignored if placed in any DSC link child packages, so they must be placed in the main package. See my previous post Overriding Group Policy Settings With App-V for further information about this.

There are four default zones configured in Internet Explorer and each is assigned a number:

  • 0 – My Computer
  • 1 – Local Intranet
  • 2 – Trusted Sites
  • 3 – Internet
  • 4 – Restricted Sites

To configure all URLs to default to Restricted Sites, the following registry keys can be set:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000004
"https"=dword:00000004
"ftp"=dword:00000004
"file"=dword:00000004
"shell"=dword:00000004

There may be other protocols you wish to lock down, but these are all the defaults.

This however does not seem to apply when HTML files are loaded from the local machine, so to optionally harden the My Computer zone to block the Java plugin, the following key can be set (see this page for further information):

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003 (disables all ActiveX controls loaded via the object tag)
"1C00"=dword:00000000 (disables loading of Java via the applet tag)

Then, to place the domain javatester.org in the Internet zone, where it will be able to load Java, the following registry key can be set:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\javatester.org]
"*"=dword:00000003

The asterisk denotes all protocols, and the number 3 equates to the Internet zone as described previously.

All of these Internet Settings registry keys should be marked as merge, except for the Domains key listed above, which should be set to override. This is because we don’t want to override the entire Internet Settings key, since it might contain vital settings such as proxy configuration. We do, however, want full control of the contents of the Domains key, since the domain policy applied to clients might already contain entries directing certain URLs to Trusted Sites, for example.
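As an added example (not from the original post or its download), the same policy expressed in PowerShell rather than a .reg file, followed by a lookup that reads the keys back to show which zone a host resolves to; the sample whitelist and the simplified parent-domain matching are assumptions, and it must run elevated.

```powershell
# Added example, not from the original post: applies the zone policy described above
# via PowerShell (run elevated) and reads it back to show where a host would land.
$base = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Set-RestrictedByDefaultPolicy {
    # AllowedDomains maps host -> zone number; everything else falls back to Restricted Sites (4).
    param([hashtable]$AllowedDomains = @{ 'javatester.org' = 3 })   # assumption: sample whitelist
    $protocols = "$base\ZoneMap\ProtocolDefaults"
    New-Item -Path $protocols -Force | Out-Null
    foreach ($proto in 'http', 'https', 'ftp', 'file', 'shell') {
        New-ItemProperty -Path $protocols -Name $proto -PropertyType DWord -Value 4 -Force | Out-Null
    }
    # Zone 0 workaround for local HTML files: 1200 = ActiveX via <object>, 1C00 = Java via <applet>
    $zone0 = "$base\Zones\0"
    New-Item -Path $zone0 -Force | Out-Null
    New-ItemProperty -Path $zone0 -Name '1200' -PropertyType DWord -Value 3 -Force | Out-Null
    New-ItemProperty -Path $zone0 -Name '1C00' -PropertyType DWord -Value 0 -Force | Out-Null
    # Whitelist entries: "*" assigns the zone for all protocols on that domain
    foreach ($domain in $AllowedDomains.Keys) {
        $key = "$base\ZoneMap\Domains\$domain"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $AllowedDomains[$domain] -Force | Out-Null
    }
}

function Get-EffectiveZone {
    param([string]$HostName, [string]$Protocol = 'http')
    # A Domains entry beats ProtocolDefaults; try the host, then each parent domain (simplified model, assumption)
    $labels = $HostName.Split('.')
    for ($i = 0; $i -lt $labels.Length - 1; $i++) {
        $domainKey = "$base\ZoneMap\Domains\" + ($labels[$i..($labels.Length - 1)] -join '.')
        if (-not (Test-Path $domainKey)) { continue }
        $props = Get-ItemProperty -Path $domainKey
        foreach ($name in @($Protocol, '*')) {
            if ($null -ne $props.$name) { return [int]$props.$name }
        }
    }
    $defaults = Get-ItemProperty -Path "$base\ZoneMap\ProtocolDefaults" -ErrorAction SilentlyContinue
    if ($null -ne $defaults.$Protocol) { return [int]$defaults.$Protocol }
    return 3   # no policy found: IE treats web content as Internet zone by default
}

Set-RestrictedByDefaultPolicy
foreach ($site in 'javatester.org', 'www.javatester.org', 'www.example.com') {
    $zone = Get-EffectiveZone -HostName $site
    '{0,-22} -> zone {1} ({2})' -f $site, $zone, $zoneNames[$zone]
}
```

Only the whitelisted host (and its subdomains) reports zone 3; anything else reports zone 4, which is the behaviour the Demonstration section below shows in the browser.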

Sequencing Recipe For IE Shortcuts

It is recommended to create these sequences on a 32-bit machine if possible to increase their portability. Although I recommend steering clear of App-V 5.0 SP2 for now for creating the Java packages, it is fine to use it for generating these shortcut packages.

Pre-Sequencing Steps

If sequencing on a clean machine, many of the registry keys under HKLM\Software\Policies will not exist, so creating them prior to sequencing will help ensure that they get marked as merge by default rather than override. Set the following registry keys:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]

Monitoring Steps

Create The Shortcut

Create a shortcut to Internet Explorer. Unless the site has a specific requirement to use the 64-bit Java plugin with the 64-bit version of Internet Explorer, make sure to use the 32-bit version of Internet Explorer from Program Files (x86) on a 64-bit Windows machine.

Edit the shortcut target to add the -noframemerging parameter followed by your URL. This switch forces Internet Explorer to create a new process, rather than pass the request to an instance of the browser that could already be running outside of the bubble. For example, on 64-bit Windows:

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -noframemerging http://javatester.org

Or on 32-bit Windows:

"C:\Program Files\Internet Explorer\iexplore.exe" -noframemerging http://javatester.org

Change the default icon if desired. You can either change it to the IE page icon as shown below:

IE icons

Or, if your desired web site uses a favicon, e.g:

favicon

You can find this in %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files:

temporary internet files

However, you cannot browse to this location from the Change Icon dialog box so just copy it to the %TEMP% folder first (so that it does not get picked up as a file during monitoring).
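An added example, not part of the original post, that builds this shortcut with the WScript.Shell COM object, selecting the 32-bit iexplore.exe on 64-bit Windows and passing -noframemerging before the URL; the output path and the optional icon path are assumptions.

```powershell
# Added example, not from the original post: creates the Internet Explorer shortcut
# described above with the WScript.Shell COM object. Paths below are assumptions.
function New-VirtualJavaShortcut {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$ShortcutPath,
        [string]$IconPath,        # optional .ico copied to %TEMP% first, as the text advises
        [switch]$Use64BitIE       # only if the site needs the 64-bit Java plugin
    )
    # 32-bit IE lives under Program Files (x86) on 64-bit Windows; ProgramFiles(x86) is
    # unset on 32-bit Windows, and ProgramW6432 covers a 32-bit PowerShell host on 64-bit.
    if (-not $Use64BitIE -and ${env:ProgramFiles(x86)}) { $programFiles = ${env:ProgramFiles(x86)} }
    elseif ($env:ProgramW6432) { $programFiles = $env:ProgramW6432 }
    else { $programFiles = $env:ProgramFiles }
    $iexplore = Join-Path $programFiles 'Internet Explorer\iexplore.exe'
    if (-not (Test-Path $iexplore)) { throw "Internet Explorer not found at $iexplore" }

    $shell = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($ShortcutPath)
    $shortcut.TargetPath = $iexplore
    # -noframemerging forces a new iexplore.exe rather than handing the URL to an
    # instance that may already be running outside the virtual environment
    $shortcut.Arguments = "-noframemerging $Url"
    $shortcut.WorkingDirectory = Split-Path -Parent $iexplore
    if ($IconPath) { $shortcut.IconLocation = "$IconPath,0" }
    $shortcut.Save()

    # Read the .lnk back so the caller can confirm target and arguments
    $shell.CreateShortcut($ShortcutPath) | Select-Object TargetPath, Arguments, IconLocation
}

# Constructed usage matching the javatester.org example in the text
New-VirtualJavaShortcut -Url 'http://javatester.org' -ShortcutPath "$env:TEMP\Java Tester.lnk"
```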

Do not launch Internet Explorer during the sequencing process. It is not necessary to create feature blocks to optimise streaming as the package will be tiny in size, and launching will only capture unnecessary registry settings.

Applying The Policy Settings

Apply the following registry keys, adjusting the domain name and the required zone number as necessary:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\javatester.org]
"*"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000004
"https"=dword:00000004
"ftp"=dword:00000004
"file"=dword:00000004
"shell"=dword:00000004

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1200"=dword:00000003
"1C00"=dword:00000000

Post-Monitoring Steps

Again, do not launch Internet Explorer during the customise / streaming phases.

Create a mandatory DSC link to the required Java package if using App-V 4.6.

Check the override/merge status of the HKLM\Software\Policies keys. These should be correct if the pre-sequencing step was followed and the application was sequenced on a clean machine with no group policies applied. In general, it is recommended that all the policy keys are set to merge except for the Domains subkey.


You can download all of the required reg files and some pre-configured Internet Explorer shortcuts here.


Demonstration

To give these packages a spin, I created them with App-V 5, and created a connection group using Tim Mangan’s excellent App-V Manage tool:

App-V Manage Connection Group

Then by launching my specially crafted shortcut, Internet Explorer opens, loading my virtualised version of Java. Notice the site is in the Internet Zone:

IE - Internet Zone example

If I then try to use the same browser instance to navigate to a different website, notice that it automatically gets put into Restricted Sites and the Java plugin is unable to load:

IE - Restricted Sites example

19 responses on “Sequencing Java – The Definitive Guide Part 3 (Restricting access to insecure Java versions)”

  1. Chris

    This series has been very helpful. Thank you.

    I am not seeing the desired behavior with blocking Java (6u45 in my case) from launching on non-allowed sites.

    Looking at the MS documentation, I see that Zone 0 is My Computer. Is this being used as a catch-all zone? Do I need to set the settings for Zone 0 in the other zones as well?

    Thanks again.

    1. Zone 0 is for web pages stored locally on the machine rather than delivered from a web server.

      1. Chris

        Thanks for the reply Dan.

        Still no luck. I am importing the following during sequencing –

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\omacmlprd01v]
        "*"=dword:00000003

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
        @=""
        "http"=dword:00000004
        "https"=dword:00000004
        "ftp"=dword:00000004
        "file"=dword:00000004
        "shell"=dword:00000004

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
        "1200"=dword:00000003
        "1C00"=dword:00000000

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
        "1200"=dword:00000003
        "1C00"=dword:00000000

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
        "1200"=dword:00000003
        "1C00"=dword:00000000

        [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
        "1200"=dword:00000003
        "1C00"=dword:00000000

        I still have the ActiveX being loaded in sites in the Internet Zone. The site I want to access is showing up as Intranet Zone.

        Any ideas?

        1. A few things:

          – Set your ZoneMap\Domains\servername key to 1 for Intranet or 2 for Trusted Sites rather than forcing it into Internet zone 3.

          – Don’t set those 1200 and 1C00 keys for all those zones, they were intended just for zone 0 as a workaround to disable Java for files opened from the local machine.

          – Make sure the keys are in the package and not part of the exclusion list, and make sure you have followed the steps to allow group policy keys in App-V packages to work as they are ignored by default in App-V 5 (I assume you’re using 5?)

          http://packageology.com/2014/02/overriding-group-policy-settings-app-v/

          1. Chris

            Thank you Dan. The problem was exactly what you wrote about in the group policy post.

            I really do appreciate this series of posts and your assistance.

            Cheers!

  2. Jim Nguyen

    Is there a Firefox command line equivalent to -noframemerging that’s not “-new-window”?

    Don’t think they produce the same result…

    PS Great articles by the way!

    1. Sorry, I’ve only tested this with IE so far!

  3. rmusick

    Hi Dan, just a quick question. I don’t know if I am doing this wrong or not but I have applied all of the settings from your script:
    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\javatester.org]
    "*"=dword:00000003

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    "http"=dword:00000004
    "https"=dword:00000004
    "ftp"=dword:00000004
    "file"=dword:00000004
    "shell"=dword:00000004

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
    "1200"=dword:00000003
    "1C00"=dword:00000000

    The problem is, if I did this right, then only javatester.org should be loadable. I am still able to go to other sites, Google, CNN, etc.
    Am I missing something?
    Thanks

    1. I’ll ask the same as for the first comment – have you modified the registry key on the client so that policy keys in the virtual package can take effect?

      http://packageology.com/2014/02/overriding-group-policy-settings-app-v/

      Also that last reg key is missing the /0 at the end (Zones/0) but that would only affect files loaded from the local disk rather than the web.

      1. rmusick

        It worked, not as I expected. Users can still go to sites, but at least they can’t do anything on them. I can live with that! Thanks

  4. rmusick

    Hi Dan, I was wondering if you found a way to sequence Microsoft’s infamous Java blocker patch? Since this update came out, the users get a red banner with “Java(TM) was blocked because it is out of date and needs to be updated” Update Run this time..
    Just wondering if you know how I can make it not pop up.
    Thanks.

    1. I haven’t updated the guide yet, but someone in the comments has provided a solution!

  5. Cody Lambert

    Amazing. Great work.

  6. Stefan

    Hi Dan, I got a problem with isolated or virtualised Java 1.6+ Web Start applications. After I see the Web Start "has started" splash screen with Java 6, the process shows it accesses the locally installed javaws.exe and javaw.exe, so the app fails to start.

    The only simple solution I found is to set the environment in the App-V application or in a batch file..
    Environment example..
    CLASSPATH="%java_home%\lib\javaws.jar;%java_home%\lib\deploy.jar"
    Batch example..
    SET java_home=C:\LocalData\jre
    SET PATH=%java_home%\bin\;%PATH%
    SET CLASSPATH="%java_home%\lib\javaws.jar;%java_home%\lib\deploy.jar"
    "%java_home%\bin\javaws.exe" -Xnosplash "http://server/start.jnlp"

    Possibly a nice addition to your top Java guide

    1. .jnlp files are opened via the file association mechanism, so I’d double check that they are associated to the correct version of Java. Otherwise create a custom shortcut to javaws.exe passing the jnlp file as a parameter?

    2. Stefan

      I tried it with another JRE 1.6 app, it does not work again.. sorry..

  7. Stefan

    Hi Dan, I normally make a direct link with the correct javaws.exe & URL for all Java Web Start apps, but since Java 1.7_u25 and 1.8 the old javaws 1.6 apps stop working and do not start. I see the started launcher was correct, but in the Task Manager the locally installed newer javaw.exe is used and the app fails to start. This also shows in the verbose log. Looks like an Oracle-made problem (feature)

  8. Davi Cruz

    Excellent post series!

    There is only one reg value incorrect in your post. The value 1C00, from HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, is binary, so creating it as dword will not work.

    It should be like this:

    [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
    "1C00"=hex:00,00,00,00

  9. Robert

    Hi Dan, I was wondering if you have had any luck with this and Windows 10 1607? I attempted to run my previously working package on 1607 and I get errors:
    PackageId : 941785d4-2aa8-4bc3-95b1-06b361cbc325
    VersionId : 287eaade-5bea-4677-bcbf-f884959d140e
    Name : Java6U41x32Ax64
    Version : 0.0.0.1
    Path : \Java6U41x32Ax64.appv
    IsPublishedToUser : False
    UserPending : False
    IsPublishedGlobally : False
    GlobalPending : False
    InUse : False
    InUseByCurrentUser : False
    PackageSize : 93636688
    PercentLoaded : 1
    IsLoading : False
    HasAssetIntelligence : False

    Publish-AppvClientpackage : Application Virtualization Service failed to complete requested operation.

    Operation attempted: Publish AppV Package.

    Windows Error: 0x80070003 – The system cannot find the path specified

    Error module: Integration Manager. Internal error detail: 5C00162180070003.

    Please consult AppV Client Event Log for more details.
    At line:1 char:1
    + Publish-AppvClientpackage Java6U41x32Ax64 -global
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidResult: (:) [Publish-AppvClientPackage], ClientException
    + FullyQualifiedErrorId : PublishPackageError,Microsoft.AppV.AppvClientPowerShell.PublishAppvPackage

    Just wonder if you have seen or know how to fix this.
    Thanks
