Hardening Internet Explorer and Java 6 #infosec

java-icon

As an IT guy you would always like to upgrade to the latest patched version of an OS/Framework/App etc. to be more secure in this Wild Wild West Internet thing. But what if your business still uses the Internet Explorer 8 or 9 and your business apps stuck at Java 6, so Java 6 Update 45 is your highest possible version (insecure, really insecure –> Hackers target Java 6 with Security Exploits)? I made some research and these Registry settings should mitigate the attack surface of the Internet Explorer in combination with Java 6 Update 45 on the Internet while still be able to run Java on INTRANET sites:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

“1C00″=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]

“1C00″=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}\iexplore\AllowedDomains\*]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8AD9C840-044E-11D1-B3E9-00805F499D93}\iexplore\AllowedDomains\*]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]

“iexplore.exe”=dword:00000000

The first two prevents IE from starting up an Internet Zone Java Applet but still keep Intranet Zone Java Applets open.

Internet Zone Java Applet example: http://www.natice.noaa.gov/ims/loop/nhem-1mo-loop.html

The last three ones remove the trusted domains for Internet Java Objects calls and prevent users to add domains to be “Allowed”, but still keep Intranet Zone Java Objects calls open:

Internet Zone Java Object example: http://deletethis.net/dave/qbp/

The first two are easy to be embed into an OS Image process but the last three ones only as a user GPO/Script.

Some sites that helped me out resp. interesting stuff for further reading:

Controlling Java in Internet Explorer, Securing the Java plug-in in Internet Explorer, How to use Java in the Enterprise while Limiting Exposure with IE Trusted Sites

Advertisements
This entry was posted in Computer und Internet and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s