Cannot prevent JAR file execution using group policy
To increase security I'm trying to prevent restricted accounts from executing Java applications which are not in specific, unwritable folders on a Windows XP Professional desktop machine. Unfortunately since a JAR file is essentially an archive which is opened using the Java virtual machine, the normal software restriction policy does not catch it.

Java does include a security manager which can be used to 'sandbox' code which is not in specified locations, but I have been unable to find a way to make this run by default (Sun only make this run with applets and apparently assume any jar file which has found its way onto your hard drive is completely trusted).

I have found that it's possible to make the security manager load during the default action as the user double clicks the jar file, but it is still very easy to simply use 'open with' or the command line to launch the application without the security manager.

Any policy specifically aimed at .jar files would also be easily circumvented by changing the file extension and using 'open with' or the command line to launch it.

I would really prefer not to have to remove the JRE since this would disable a lot of web content and some of the applications I need to use. In addition, various programs include their own JRE when they install so this would be a fairly difficult task anyway.

Thanks.
July 15th, 2010 12:14pm

I guess these jar files in the web browser will have the .jar extension. One way is to apply a policy in the domain that blocks all content that ends with .jar, e.g. *.jar. I guess your question would be answered on the Java website; try asking Java support.
July 15th, 2010 4:21pm

Well I don't have a problem with applets running - they automatically get a sandbox which I can customise. It's downloaded jar files which can apparently execute without restriction. Unfortunately Sun support seem to be quite difficult to get hold of. Normal group policy restrictions which block exe files don't seem to block jar files since they're just archives - it would be the same as trying to block a .doc file. To make it even more difficult, it's also possible to change the name of a jar file to something like .txt and still run it using the JRE. I suppose I need some way of defining where the JRE is allowed to run files from, but if this is even possible it's not obvious how. The java.policy file can include this sort of thing but it doesn't seem to be possible to make it apply to all java applications.
July 15th, 2010 7:07pm
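
Added example (not part of the original thread): because a renamed JAR is still a ZIP archive with a manifest or class files inside, an administrator can audit user-writable folders by content instead of by extension. The function names and the sample files below are constructed for illustration.

```python
import io
import os
import zipfile


def is_java_archive(path):
    """True if the file is a ZIP archive holding a JAR manifest or .class files."""
    try:
        if not zipfile.is_zipfile(path):
            return False
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except (OSError, zipfile.BadZipFile):
        return False  # unreadable or corrupt: not treated as a JAR here
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class")
               for n in names)


def find_java_archives(root):
    """Walk a directory tree and return every file that is a JAR by content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_java_archive(full):
                hits.append(full)
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files: a JAR, the same JAR renamed, a plain ZIP, text."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Demo\n")
        zf.writestr("Demo.class", b"\xca\xfe\xba\xbe")  # class-file magic only
    plain = io.BytesIO()
    with zipfile.ZipFile(plain, "w") as zf:
        zf.writestr("readme.txt", "just documents")
    samples = {"tool.jar": jar.getvalue(), "notes.txt": jar.getvalue(),
               "docs.zip": plain.getvalue(), "real.txt": b"plain text\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_java_archives(tmp):
            print(hit)
```

This only reports files; it does not stop the JRE from opening them, so it complements rather than replaces an execution policy.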

It seems to be more of a Java problem and, as you said, they don't have enough policy objects. In Windows 7 there is a feature called AppLocker that might resolve this problem by creating customized policies for which applications run or not, but it is a feature in Windows 7. About Windows XP, I guess one way is to block jar files from downloading in the first place. I guess it would be a better idea to discuss it with the Java team, as they are the creators of Java. Or post it in their forum.
July 16th, 2010 9:06am

It's surprising that you find Websites needing Java. These days, they are few and far between. I don't normally install Java, and if it's been preinstalled I remove it.

A while back we had one of our (fortunately fairly rare) security issues on a desktop, and it turned out to be due to an exploit which involved an interaction between Adobe Reader and Java. Following that experience (and since we couldn't very well do without a PDF reader!) I decided we'd have a purge on Java. Not one user complained.

If you must have Java for certain apps, you might be able to do something more restricted with the portableapps.com version.

Another option is to use Firefox for browsing, in which case you can turn off Java. In fact, by modifying the {Firefox folder}\greprefs\all.js file you can stop the plugin loading altogether.
July 16th, 2010 10:53pm

In Internet Explorer you can still disable Java from Manage Add-ons if the user wants to; it is not necessary to use Firefox to do that.
July 17th, 2010 11:59am

This topic is archived. No further replies will be accepted.
