Securing the Java Runtime Environment

This forms part of a Java series including:

Java Deployment Rule Set and Active Directory Certificates

Java Deployment Rule Set and Self Signed Certificates

Java Runtime Environment (JRE) is used extensively in the enterprise for Rich Internet Applications (RIA) launched from the browser, and local Java-based desktop applications.

It’s difficult to support Java if every user has a different configuration, and coupled with this it’s not advisable to let users configure Java themselves due to the security implications.

Luckily it’s easy enough to lock down JRE settings with a few configuration files.

Create the deployment.config file

First, create the file C:\Windows\Sun\Java\Deployment\deployment.config.  The file MUST exist in this location.  Then paste and save the following inside the file:

The first setting points to the location of the deployment.properties file – this file will ultimately configure and lock down the Java settings.  We can store this file on a network but it’s advisable to keep it locally (see below), and due to it being a system-wide setting it should be in a per-machine location.  Hence for simplicity we keep it in the same location as the deployment.config file.

The second setting enforces that the deployment.properties file is used.  If the file cannot be located when mandatory is set to true (perhaps the file is stored on a network and the network location isn’t available) then Java will not load the application.

Create the deployment.properties file

Now we can start configuring and locking down the settings.  For JRE 7 (which is what we are locking down) we can see which Java settings are configurable.  Unfortunately not all settings are documented, but it’s a decent guide for most.

Create the file: C:\Windows\Sun\Java\Deployment\deployment.properties, then paste and save the following inside the file:

Create the exception.sites file

Now create the file: C:\Windows\Sun\Java\Deployment\exception.sites.  This file can remain blank for now.  But adding application URLs to this list allows users to run RIAs that would normally be blocked by security checks.  An example of an entry in this file might be:

A limitation of this file is that it cannot accept wildcards.  I recently encountered an issue where a website would use a dynamic port range of around 20,000 ports!  So rather than add 20,000 rows to exception.sites (not advisable!) I created a Java deployment ruleset with an Active Directory code signing certificate.  You can also create a Java deployment ruleset with a self signed certificate.  With the ruleset.xml file you can specify wildcards for the port in a single rule.

Disable updates via the registry

Finally there are a few registry values that we can set to prevent Java from automatically updating.  Bear in mind that this is for a 32-bit install of Java on a 64-bit platform, and hence the ‘Wow6432Node’ location:

And finally, we’re done!
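To confirm on a machine that the lock-down above is in effect, this added example (not from the original post) reads the contents of the two files and reports a deployment.system.config that is non-local or not mandatory, plus any property that is set without its .locked companion line. The sample file contents and the list of keys to enforce are constructed for illustration, and the parser does not handle line continuations.

```python
import re
from urllib.parse import urlparse

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash escapes such as 'C\\:'. Line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Key runs up to the first separator that is not backslash-escaped.
        match = re.match(r"((?:\\.|[^=:\\])*)(?:[=:](.*))?$", line)
        if not match:
            continue
        key = re.sub(r"\\(.)", r"\1", match.group(1)).strip()
        props[key] = re.sub(r"\\(.)", r"\1", (match.group(2) or "").strip())
    return props

def audit(config_text, properties_text, must_lock):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    cfg = parse_properties(config_text)
    target = cfg.get("deployment.system.config")
    if not target:
        findings.append("deployment.system.config is not set")
    else:
        url = urlparse(target)
        # A host part or a leading '//' path means a network (UNC) location.
        if url.scheme != "file" or url.netloc or url.path.startswith("//"):
            findings.append("deployment.system.config is not a local file: " + target)
    if cfg.get("deployment.system.config.mandatory", "").lower() != "true":
        findings.append("deployment.system.config.mandatory is not true")
    props = parse_properties(properties_text)
    for key in must_lock:
        if key not in props:
            findings.append(key + " is not set")
        elif key + ".locked" not in props:
            findings.append(key + " is set but not locked")
    return findings

# Constructed sample contents, not the files from the post.
GOOD_CONFIG = """\
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
"""
WEAK_CONFIG = """\
deployment.system.config=file://fileserver/java/deployment.properties
deployment.system.config.mandatory=false
"""
SAMPLE_PROPERTIES = """\
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.user.security.exception.sites=C\\:/Windows/Sun/Java/Deployment/exception.sites
"""
# Keys chosen for this example; replace with the settings you enforce.
MUST_LOCK = ["deployment.security.level", "deployment.user.security.exception.sites"]

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG, SAMPLE_PROPERTIES, MUST_LOCK):
        print(finding)
```

A property that is set but not locked can still be changed by the user in the Java control panel, which is why the exception.sites entry in the sample is reported.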

 

Java Deployment Rule Set and Self Signed Certificates

This forms part of a Java series including:

Securing Java Runtime Environment

Java Deployment Rule Set and Active Directory Certificates

Creating a Java Deployment Ruleset is actually a trivial process – it’s signing it that can be a pain in the backside.

In this post we are signing our Java Deployment Rule Set with a self-signed certificate.  I am using jdk1.7.0_80 (yes, you need to download the Java Development Kit) to create my Java Deployment Rule Set.

Do NOT use a version of the JDK that has a major version that is greater than the JRE in your environment (for example if you are running Java 7 in your environment, use the Java 7 JDK and not the Java 8 JDK!).  If you do, it will appear to sign successfully but when you view the Java deployment rule set in the Java control panel you will see something like this (timestamp not available):

[Screenshot: timestamp not available]

instead of this:

[Screenshot: timestamp java deployment ruleset]

Create ruleset.xml

Create a file called ruleset.xml.  It MUST be called ruleset.xml since this is what Java specifically searches for inside the compiled JAR file.  The beauty of the ruleset.xml is that you can use wildcards for the URL and for the port.  With the exception.sites file you can’t do this.  Here is a basic example:

You obviously need to add your own URLs to this, and give them permission to “run”.  Interestingly if you have multiple versions of JRE installed, in the <action> tag you can provide a specific JRE version for that URL to use.  For example:

When we set permission to “run”, the following types of RIAs are allowed to run without prompts:

  • Signed with a valid certificate from a trusted certificate authority
  • Signed with an expired certificate
  • Self-signed
  • Unsigned
  • Missing required JAR file manifest attributes

So Java deployment rule set is great for hiding some of these warnings.  A Rich Internet Application (RIA) is blocked if it is signed with a certificate that is blacklisted or known to be revoked, even though the action is set to “run”.

Also (untested), you should pay close attention to the process flow of Java Rich Internet Applications.  In the above example, if a URL match cannot be found the RIA will be blocked.  However if we wanted default processing to continue (so that the Java exception.sites file gets processed, for example) we could either delete the rule with the “block” permission or replace it with:

Compile DeploymentRuleset.jar

Compile ruleset.xml into a JAR file.  This MUST be called DeploymentRuleset.jar because again, this is what Java specifically looks for.  When we compile the JAR file, we should NOT specify a full path name to the ruleset.xml because Java cannot locate it within the JAR file.  So you should first ‘CD’ to c:\Alkane and then run the following command line:

Create a Java Keystore

Here we generate a new Java keystore.  The keystore will include a key pair (a public key and associated private key), and will wrap the public key into an X.509 v3 self-signed certificate.

I would recommend keeping the alias name in lower case.  I’ve noticed that if you give it a mixed case alias name and attempt to verify it later (jarsigner.exe -verify) with the mixed case alias name, you’ll see a message:

This jar contains signed entries which are not signed by the specified alias(es)

Even though the jarsigner.exe -verify command will work when the alias name is specified in lower case, I’d recommend keeping the alias name lower case throughout for consistency.

You can grab the distinguished name (dname) parameter for your environment by running this line of PowerShell:

Sign the JAR file

Now we sign the JAR file.

Because I am signing behind a proxy, I needed to specify a proxy host and port so I could timestamp my signature.  Timestamping is an important part of the process and ensures the signed JAR will remain valid indefinitely – even after the certificate expires.

Verify The Signature Of DeploymentRuleset.jar

We can verify the signature with the following command:

DeploymentRuleset.jar Testing

Now that everything is signed and verified successfully, we need to test it.

Our Java is locked down by a deployment.config file and a deployment.properties file located in C:\Windows\SUN\Java\Deployment.

As such to test the DeploymentRuleSet.jar file it’s as easy as placing it into this same location.  Then launch the Java control panel applet and head over to the security tab (this may differ for later versions of Java).

There should be a blue link towards the bottom called ‘View the active Deployment Ruleset’.  Click it and you should see the contents of your ruleset.xml file and a verification that it is valid and timestamped.  Click ‘View Certificate Details’ to verify the certificate.

Of course if you were testing browser redirection specifically (assuming you have JRE 1.7.0_51 and JRE 1.6.0_31 installed locally), you could add a rule like this:

By default Java in the browser should use the latest version installed (1.7.0_51 in our case) but the rule above forces it to load any applets on java.com with version 1.6.0_31.  Once this rule is in place, head over to the Java verify page and ensure it shows the ‘older’ version of Java!

Java Deployment Rule Set and Active Directory Certificates

This forms part of a Java series including:

Securing Java Runtime Environment

Java Deployment Rule Set and Self Signed Certificates

Creating a Java Deployment Ruleset is actually a trivial process – it’s signing it that can be a pain in the backside.

In this post we are signing our Java Deployment Rule Set with an Active Directory code signing certificate.  I am using jdk1.7.0_80 (yes, you need to download the Java Development Kit) to create my Java Deployment Rule Set.

Do NOT use a version of the JDK that has a major version that is greater than the JRE in your environment (for example if you are running Java 7 in your environment, use the Java 7 JDK and not the Java 8 JDK!).  If you do, it will appear to sign successfully but when you view the Java deployment rule set in the Java control panel you will see something like this (timestamp not available):

[Screenshot: timestamp not available]

instead of this:

[Screenshot: timestamp java deployment ruleset]

Create ruleset.xml

Create a file called ruleset.xml.  It MUST be called ruleset.xml since this is what Java specifically searches for inside the compiled JAR file.  The beauty of the ruleset.xml is that you can use wildcards for the URL and for the port.  With exception.sites you can’t do this.  Here is a basic example:

You obviously need to add your own URLs to this, and give them permission to “run”.  Interestingly if you have multiple versions of JRE installed, in the <action> tag you can provide a specific JRE version for that URL to use.  For example:

When we set permission to “run”, the following types of RIAs are allowed to run without prompts:

  • Signed with a valid certificate from a trusted certificate authority
  • Signed with an expired certificate
  • Self-signed
  • Unsigned
  • Missing required JAR file manifest attributes

So Java deployment rule set is great for hiding some of these warnings.  A Rich Internet Application (RIA) is blocked if it is signed with a certificate that is blacklisted or known to be revoked, even though the action is set to “run”.
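Because “run” lets unsigned and self-signed RIAs through without prompts, it is worth linting ruleset.xml before it is compiled and signed; this applies equally to the ruleset in the self-signed post above. The following is an added example, not code from the original posts: the sample ruleset and the example.com hosts are constructed, and the checks (HTTPS-only “run” locations, no “run” for every host, catch-all rule last) are this example’s own policy choices.

```python
import xml.etree.ElementTree as ET

def split_location(location):
    """Split a rule location into (scheme, host); '*' wildcards stay as text."""
    scheme, sep, rest = location.partition("://")
    if not sep:                       # the rule gave no scheme
        scheme, rest = None, location
    netloc = rest.split("/", 1)[0]
    host, colon, _port = netloc.rpartition(":")
    return scheme, (host if colon else netloc)

def lint_ruleset(xml_text):
    """Return (findings, permission applied to RIAs that match no located rule)."""
    rules = ET.fromstring(xml_text).findall("rule")
    findings, unmatched = [], "default"
    for number, rule in enumerate(rules, 1):
        rule_id, action = rule.find("id"), rule.find("action")
        if rule_id is None or action is None:
            findings.append(f"rule {number}: missing <id> or <action>")
            continue
        permission = action.get("permission")
        location = rule_id.get("location")
        # An <id> with no attributes and no children matches every RIA.
        catch_all = not rule_id.attrib and len(rule_id) == 0
        if catch_all:
            if number == len(rules):
                unmatched = permission
            else:
                # Rules are evaluated in order and the first match is used.
                findings.append(f"rule {number}: catch-all is not last, later rules are never reached")
        if permission != "run":
            continue
        if catch_all:
            findings.append(f"rule {number}: 'run' with no location covers every RIA, signed or not")
        elif location:
            scheme, host = split_location(location)
            if scheme != "https":
                findings.append(f"rule {number}: 'run' for non-HTTPS location {location}")
            if host == "*":
                findings.append(f"rule {number}: 'run' for any host")
    return findings, unmatched

# Constructed sample ruleset (hosts are placeholders).
SAMPLE_RULESET = """\
<ruleset version="1.0+">
  <rule>
    <id location="https://*.example.com:*" />
    <action permission="run" />
  </rule>
  <rule>
    <id location="http://intranet.example.com" />
    <action permission="run" version="1.6.0_31" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate ruleset</message>
    </action>
  </rule>
</ruleset>
"""

if __name__ == "__main__":
    findings, unmatched = lint_ruleset(SAMPLE_RULESET)
    print("unmatched RIAs:", unmatched)
    for finding in findings:
        print(finding)
```

An unmatched result of “default” means RIAs that match no rule continue to normal processing, including exception.sites and the usual security prompts.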

Also (untested), you should pay close attention to the process flow of Java Rich Internet Applications.  In the above example, if a URL match cannot be found the RIA will be blocked.  However if we wanted default processing to continue (so that the Java exception.sites file gets processed, for example) we could either delete the rule with the “block” permission or replace it with:

Compile DeploymentRuleset.jar

Compile ruleset.xml into a JAR file.  This MUST be called DeploymentRuleset.jar because again, this is what Java specifically looks for.  When we compile the JAR file, we should NOT specify a full path name to the ruleset.xml because Java cannot locate it within the JAR file.  So you should first ‘CD’ to c:\Alkane and then run the following command line:

Obtain a Code Signing Certificate

Follow this article on obtaining a code signing certificate from Active Directory Certificate Services.  Essentially you enable the code signing template in Certificate Services Manager, you then grant permissions to allow a user (yourself!) to request a Code Signing certificate, and you then request a new certificate.

Export a Code Signing Certificate in PFX format

So now we can assume you’ve followed the steps above and you have a code signing certificate.  My code signing certificate forms a chain of:

  • Root certificate
  • Intermediate certificate
  • Code signing certificate

So let’s export them all in PFX format.  A PFX will include all certificates in the chain, as well as the private key.  And we need all this to create our Java keystore.  So:

From the Certificates MMC snap-in, navigate to your Personal certificate store.

Right-click the certificate > All Tasks > Export.

Click Next

Click ‘Yes, export the private key’

You are only given the option to export it as a PFX certificate.  This is fine, but make sure you select ‘Include all certificates in the certification path if possible’ and also ‘Export all extended properties’.  Click next.

Specify a password for the private key – let’s use alkanecertpass for this example.  Click next.

Provide a path to save your certificate in – let’s save it as C:\Alkane\Alkane.pfx.  Click next.  Click finish.

A .pfx file uses the same format as a .p12 or PKCS12 file. They are used to bundle a private key with its X.509 certificate(s) and to bundle all the members of a chain of trust.

Get the Alias Name of the PFX

Run the following command to get the alias name for your PFX.  We need this later on:

My PFX alias name is: alkanealias

Just a note – if you decide to change the alias name by using a command line similar to:

I would recommend keeping the alias name in lower case.  I’ve noticed that if you give it a mixed case alias name and attempt to verify it later (jarsigner.exe -verify) with the mixed case alias name, you’ll see a message:

This jar contains signed entries which are not signed by the specified alias(es)

Even though the jarsigner.exe -verify command will work when the alias name is specified in lower case, I’d recommend keeping the alias name lower case throughout for consistency.

Create a JKS Java Keystore

Now we can create our Java keystore from our PFX file.  There are a few formats we can create the keystore in (JKS, PKCS12, JCEKS for example) but we will create it in JKS format.  Be mindful that:

  • If you create your keystore in PKCS12 format, -deststorepass and -destkeypass should be the same
  • Change -deststoretype to PKCS12 if you require a keystore in PKCS12 format
  • Be careful if you change the -destalias from the -srcalias since when I verified my signed JAR file I got the following message:
    This jar contains signed entries which are not signed by the specified alias(es).

I keep the Java keystore alias name the same like so:

This will create: C:\Alkane\trusted.certs

Add Trusted Root Certificate

By default when we sign the JAR file it looks in the cacerts file (which is a form of keystore called a ‘truststore’ – see the difference between a keystore and a truststore) of the signing JDK (in my example, C:\Program Files (x86)\Java\jdk1.7.0_80\jre\lib\security\cacerts) to see if the root certificate is trusted. Because it isn’t in there it deems the root certificate as being untrusted and you will see errors when you verify such as:

  • The signer’s certificate chain is not validated.
  • CertPath not validated: Path does not chain with any of the trust anchors

So we add the root certificate as a trusted certificate in our own keystore like so:

Sign DeploymentRuleset.jar With Java Keystore

Now we can sign the DeploymentRuleset.jar file with our Java keystore:

Because I am signing behind a proxy, I needed to specify a proxy host and port so I could timestamp my signature.  Timestamping is an important part of the process and ensures the signed JAR will remain valid indefinitely – even after the certificate expires.

Verify The Signature Of DeploymentRuleset.jar

Now we need to verify the signature of the JAR file against our keystore.  Change the storetype parameter to PKCS12 for PKCS12 store types:

DeploymentRuleset.jar Testing

Now that everything is signed and verified successfully, we need to test it.

I’m not entirely sure this step is necessary for Active Directory certificates (since the root and intermediate certificates are already in the relevant trusted stores) but it’s probably relevant for externally purchased certificates.  In any event, at the moment our Java environment is fairly locked down, and we have deployment.config, deployment.properties and exception.sites located in C:\Windows\SUN\Java\Deployment.

I needed to add a reference to our keystore, so I added an entry to deployment.properties like so:

and then I lumped our new trusted.certs file into the same folder.  We use the ‘system’ context trusted.certs (deployment.system) instead of the ‘user’ context (deployment.user) because users may have already trusted their own specific sites and we don’t want to overwrite these.

To test the DeploymentRuleSet.jar file it’s as easy as placing it into this same location (C:\WINDOWS\Sun\Java\Deployment).  Then launch the Java control panel applet and head over to the security tab (this may differ for later versions of Java).

There should be a blue link towards the bottom called ‘View the active Deployment Ruleset’.  Click it and you should see the contents of your ruleset.xml file and a verification that it is valid and timestamped.  Click ‘View Certificate Details’ to verify the certificate.

Of course if you were testing browser redirection specifically (assuming you have JRE 1.7.0_51 and JRE 1.6.0_31 installed locally), you could add a rule like this:

By default Java in the browser should use the latest version installed (1.7.0_51 in our case) but the rule above forces it to load any applets on java.com with version 1.6.0_31.  Once this rule is in place, head over to the Java verify page and ensure it shows the ‘older’ version of Java!

 

 

Error 16389 for .Net Framework 4.6.2 as SCCM Application

In brief, when configuring .Net 4.6.2 as an SCCM 2012 application we get an error 16389.  Even when I checked the ‘Run installation and uninstall program as 32-bit process on 64-bit clients’ I still had the issue.  So I followed the aforementioned guide and fixed a couple of bugs.

So, first download the offline installer from here.

Now, using 7-Zip, extract the contents of NDP462-KB3151800-x86-x64-AllOS-ENU.exe to a folder of your choice.

Now select all of the extracted content (hold down shift or ctrl to select multiple), right-click, 7-Zip and Add to Archive.

Then use settings similar to the following – ensure you check ‘Create SFX archive’ and name the archive as an executable:

[Screenshot: Add To Archive]

Click OK and it will create a self extracting executable.  By default the extraction method isn’t silent – it shows a progress bar in a GUI.  But we can make it run silently by using the following VBScript file to perform the extraction and installation:

The default .Net executable is heavily compressed.  When extracted it extracts to over 1gb!  So I would suggest it’s worthwhile compressing it like above using 7-Zip (which doesn’t compress it quite as well, admittedly.)

Finally, the detection method:

[Screenshot: .Net Detection Method]

You can find the relevant release number for your version of .Net from here.

Suppress Opt-In and First Run dialogs when launching Office 2013

So a bit of background first.  I’d been given an Office 2013 App-V application to fix.  Each time it was launched the user was prompted with ‘First Run’, ‘Opt-In’ and licensing dialogs.  I needed to suppress these prompts.  This could probably be done via GPO or initially when the application was configured and captured, via the Office Customization Tool.  But since I didn’t want to start all over again I detected the registry settings.  Some I Googled, and some I found myself.  Here they are:

 

Google Chrome 49.0.2623.112

I’ve been configuring an old version of Google Chrome recently (googlechromestandaloneenterprise.msi), for a legacy Windows XP environment! (gasp).

Anyway, here’s my recipe.

We have manually created a master.preferences file:

Most of the entries are self-explanatory.  However Google Chrome doesn’t open on the homepage when you launch the browser – instead it opens on the Startup URL, so we configured this to point to the ‘homepage’ too.

A guide for preferences can be found here:

http://www.chromium.org/administrators/configuring-other-preferences

The content of this file is in JSON format. Once you have finished editing and tweaking, ensure the JSON validates successfully – you can do this here: http://jsonlint.com/

Now we will add these ‘master preferences’ to our installer.  To do this we URL Encode the content of master.preferences file. You can do this in any URL Encoding/Decoding website such as here: http://meyerweb.com/eric/tools/dencoder/

Create a transform (MST)

Create a Property called MASTER_PREFERENCES. Paste the URL encoded master_preferences into the value field.

Find the Custom Action called BuildInstallCommand.   Look in the Target column and set: installerdata=[MASTER_PREFERENCES]

This will generate your master.preferences file at install time so that any new user profile created when Google Chrome is launched will use these settings (existing profiles will not use this preferences file). When Google Chrome is launched for the first time, user data is created here:

[LocalAppDataFolder]\Google\Chrome\User Data

I’ve also added a VBScript custom action to run towards the end of the InstallExecuteSequence (Deferred, just before InstallFinalize) to delete C:\Program Files\Google\Update and delete the services gupdate and gupdatem. This will suppress Chrome from updating.  The condition for this custom action is NOT REMOVE~="ALL".

Note that to sleep from within a custom action, we use one of the approaches mentioned here.

I’ve also added a clean up script after uninstall since it sometimes leaves a folder called CrashReports behind: