Posted on June 20, 2014 · Posted in Active Directory

Java Settings Management with Group Policies

Today we’ll deal with the peculiarities of centrally configuring Java SE security settings on corporate computers using Windows group policies (GPO). These policies should prevent untrusted Java applets and ActiveX objects from being downloaded and run on corporate computers.

The main requirements for the group policies that manage Java security settings:

  • A policy should apply only to machines with Java 6 or Java 7 installed
  • Users should still be able to view the current settings in Java Control Panel
  • The current Java config files should be stored on the domain controllers and replicated between them
  • At least 2 policies should be created: the first should completely block Java in the browsers, and the second — prevent the launch of unsigned applets.

Tip. The security level setting for unsigned Java applets, Java Web Start apps and embedded JavaFX apps (those that run in a browser) appeared in Java SE Development Kit 7 Update 10 (JDK 7u10). Since this update, a user can forbid the launch of any Java application in a browser from Java Control Panel.

WMI Filter to Select Computers with Java

To apply a Java management group policy only to computers with a Java environment installed, create a special WMI filter (More on WMI filtering in group policies).

To do it, open the Group Policy Management Console and create a new WMI filter with the name Java SE 7 Computers in WMI filters section. In the description field, write something like «For Policies that will only apply for hosts running Java SE 7» and use the following WMI WQL query:

SELECT * FROM win32_Directory WHERE (name="c:\\Program Files\\Java\\jre7" OR name="c:\\Program Files (x86)\\Java\\jre7")

This filter looks for the Java\jre7 folder in Program Files (x86 and x64) with a WMI query; if the folder is found, the policy is applied to that computer.

The same WMI filter should be created for Java 6 (looking for the jre6 directory).

Creating Java Configuration Files

Our task is to create two Java security policies. One of them will completely block Java in all browsers, and the other enforces specific Java security settings.

To store the Java configuration files in the sysvol folder on the domain controller (e.g., \\\sysvol\\scripts\Java), create two folders:

  1. Java7Restrict – contains configuration files for special Java security settings
  2. Java7Block – is a directory for config files that block Java in browsers

Java7Restrict and Java7Block folders on sysvol

To configure Java SE settings, we need the deployment.config file. In it, the deployment.system.config option specifies the path to the file that defines Java settings for all users of the system. deployment.config itself must be located at %windir%\Sun\Java\Deployment\deployment.config; it is not created during installation by default. The path can be a URL (HTTP or HTTPS) or a UNC file path. To stop the individual Java settings of different users from being loaded instead, set the option deployment.system.config.mandatory=true.

Tip. A config file with custom Java settings is stored in the user profile in the following location: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\ in Windows 7 or %AppData%\Sun\Java\Deployment\ in XP, and this file takes priority over the system file.

The deployment.config file for the Java7Restrict policy can be as follows:


The file can also look like this (assuming that the Java security level should be set to Very High and the other Java security settings are locked so that users cannot change them):

Tip. For more information about the structure of this file and its settings, see Deployment Configuration File and Properties or the Oracle documentation on their website (how to configure Java security settings using a config file is described here).


Create files with the indicated contents in the \\\sysvol\\scripts\Java\Java7Restrict folder.


Create configuration files for the policy that blocks Java in all browsers as well. To do it, add the following strings to
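The two configuration files described above for each policy, written out by an added PowerShell script (this is my example, not the author's own files; the sysvol path is a placeholder, the property names follow Oracle's Java 7u10+ deployment properties, and the file: URL form used for the UNC path is an assumption):

```powershell
# Added example, not the original post's files: generates the deployment.config
# and deployment.properties pair for each of the two policies on sysvol.
# ASSUMPTION: $SysvolRoot is a placeholder; use your domain's real sysvol path.
$SysvolRoot = '\\DOMAIN-PLACEHOLDER\sysvol\DOMAIN-PLACEHOLDER\scripts\Java'

# Settings per policy. These are Oracle deployment property names for Java 7u10+;
# a "<property>.locked" line greys the setting out in Java Control Panel, which is
# what keeps users from lowering the level themselves.
$Policies = @{
    'Java7Restrict' = @(
        'deployment.security.level=VERY_HIGH'
        'deployment.security.level.locked'
    )
    'Java7Block' = @(
        'deployment.webjava.enabled=false'     # no Java in any browser
        'deployment.webjava.enabled.locked'
    )
}

foreach ($Name in $Policies.Keys) {
    $Dir = Join-Path $SysvolRoot $Name
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null

    # deployment.config is the only file copied to clients by the GPP "Files" item;
    # it points back at the properties file on sysvol. ASSUMPTION: the file: URL
    # form below (backslashes turned into forward slashes) is what Java expects
    # for a UNC path; check it against the Oracle deployment docs.
    $PropsUrl = 'file:' + ((Join-Path $Dir 'deployment.properties') -replace '\\', '/')
    $Config = @(
        "deployment.system.config=$PropsUrl"
        'deployment.system.config.mandatory=true'   # per-user files cannot override
    )
    Set-Content -Path (Join-Path $Dir 'deployment.config') -Value $Config -Encoding ASCII
    Set-Content -Path (Join-Path $Dir 'deployment.properties') -Value $Policies[$Name] -Encoding ASCII
}
```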


Creating Group Policies to Manage Java Settings

Let’s go directly to creating group policies that distribute Java security settings to all computers in your company.

Create a new GPO object (a policy) with the name Java7Restrict.

Using GPP (Group Policy Preferences), we have to create a folder to store configuration files with Java settings on user computers. To do it, create a new item in GPO Computer Configuration –> Preferences –> Windows Settings –> Folders with the following settings:

  • Action: Create
  • Path:  %WinDir%\Sun\Java\Deployment

create folder Sun\Java\Deployment with GPO Java7Restrict

Then you have to copy the deployment.config file to the user computer. To do it, create a new entry in GPO Computer Configuration –> Preferences –> Windows Settings –> Files with the following settings:

  • Action: Replace
  • Source file: \\\sysvol\\scripts\Java\Java7Restrict\deployment.config
  • Destination file: %windir%\Sun\Java\Deployment\deployment.config.

java deployment.config replace with gpp

Now you only have to select the Java SE 7 Computers WMI filter we created earlier and link (assign) the policy to the corresponding AD container (OU).

linking java gpo to computers OU

After the policy has been applied on the user computers, open Java Control Panel and make sure that the Java security level is set to Very High and the other options are inactive so that users can’t edit them.
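An added verification script (not part of the original post) that re-runs the WMI filter's WQL from the earlier section on a client and then checks that deployment.config points at a mandatory system properties file with the Very High level locked; the deployment.properties file name and the per-user file path come from the tips above, and the file: URL handling is an assumption:

```powershell
# Added example, not from the original post: run on a client (elevated PowerShell)
# to confirm the Java7Restrict policy was applied and cannot be overridden.

# 1. The exact WQL the "Java SE 7 Computers" WMI filter uses. An empty result means
#    the filter excludes this host, so the policy would never be applied here.
$Wql = 'SELECT * FROM win32_Directory WHERE (name="c:\\Program Files\\Java\\jre7" OR name="c:\\Program Files (x86)\\Java\\jre7")'
$JreDirs = @(Get-WmiObject -Query $Wql)
if ($JreDirs.Count -eq 0) { Write-Warning 'No jre7 directory found; WMI filter would skip this host.'; return }
$JreDirs | ForEach-Object { "JRE 7 directory: $($_.Name)" }

# 2. deployment.config must exist where Java looks for the system configuration.
$ConfigPath = Join-Path $env:WinDir 'Sun\Java\Deployment\deployment.config'
if (-not (Test-Path $ConfigPath)) { Write-Warning "Missing $ConfigPath (GPP Files item not applied?)"; return }
$Config = @{}
foreach ($Line in Get-Content $ConfigPath) {
    if ($Line -match '=') { $Key, $Value = $Line -split '=', 2; $Config[$Key.Trim()] = $Value.Trim() }
}

# 3. Without mandatory=true a per-user deployment.properties (see the Tip above)
#    silently wins over the system file, which defeats the policy.
if ($Config['deployment.system.config.mandatory'] -ne 'true') {
    Write-Warning 'deployment.system.config.mandatory is not true: users can override the policy.'
}

# 4. Resolve the file: URL from deployment.system.config to a path and read it.
#    (HTTP/HTTPS URLs are also valid per the post; they are not resolved here.)
$PropsUrl = $Config['deployment.system.config']
if ($PropsUrl -notmatch '^file:') { "Properties file is at $PropsUrl (not a file: URL, skipped)"; return }
$PropsPath = ($PropsUrl -replace '^file:/*', '') -replace '/', '\'
if ($PropsPath -notmatch '^[A-Za-z]:') { $PropsPath = '\\' + $PropsPath }   # UNC share
if (-not (Test-Path $PropsPath)) { Write-Warning "Cannot read $PropsPath"; return }

$Props = Get-Content $PropsPath
if ($Props -contains 'deployment.security.level=VERY_HIGH') { 'Security level: VERY_HIGH' }
else { Write-Warning 'Security level is not VERY_HIGH' }
# Every setting the policy locks shows up as a "<name>.locked" line.
$Props | Where-Object { $_ -match '\.locked\s*$' } | ForEach-Object { "Locked: $_" }

# 5. A leftover per-user file is worth flagging even when mandatory=true is set.
$UserProps = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
if (Test-Path $UserProps) { Write-Warning "Per-user settings exist at $UserProps" }
```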

java security level: very high

If a user tries to load a self-signed applet, or one whose signature is not in your trusted certificate list, a window with the following warning appears:

The publisher cannot be verified by a trusted source. Code will be treated as unsigned. CertificateException: Your security configuration will not allow granting permission to self signed certificates.

Java error: The publisher cannot be verified by a trusted source

Use the same method to create the second policy, Java7Deny, to completely block Java in browsers. After the policy is applied, the following notification appears when a user tries to run a Java applet in any browser:

Application Blocked by Security Settings
Your security settings have blocked a self-signed application from running.

Java SE: Application Blocked by Security Settings

Today Java applets have many serious security issues, with numerous 0-day Java vulnerabilities and exploits. Network administrators and security teams should therefore pay close attention to Java security. In large networks, it is easiest to enforce it using Windows GPOs.
