Something remarkable happened late last Thursday night: the Department of Homeland Security’s CERT announced their support for the open web. Wait, no, the plug-in free web? Not quite, but close enough: they’ve officially recommended removing Java from all web browsers. This is tremendous news for web developers, and I’m glad at least one department of the United States has decided to put their weight behind a modern web built on open standards. In their alert, here’s where they make their support clear:
This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, disable Java in web browsers.
What the DHS give to web developers, they taketh away from sysadmins. The first question that will come to mind is, how does one “remove Java” from just web browsers? Internet Explorer is still the most widely deployed browser, and dominates business environments by many metrics. In order to block Java there, I had to follow the rabbit hole down through CERT articles and vulnerabilities to find reliable ways to disable it in IE. It started with finding the CERT.org vulnerability note VU#636312 dating from August of 2012. A widespread vulnerability was discovered that escaped the security manager, prompting a substantial response by tech sites, and this led to a response by Microsoft in the form of KB2751647, which details the registry changes necessary to disable the entry points for Java content in Internet Explorer.
This alone wasn’t useful for me, as this meant deploying a registry key for every user account on every machine for the businesses I work with and the clients I work for. They don’t have the infrastructure to deploy a .reg easily and efficiently – though perhaps I was looking at the problem incorrectly. I settled on a tool Microsoft added a few years back, and possibly the most useful addition to group policy in a decade: Group Policy Preferences. For those not aware, some years ago Microsoft absorbed a smaller company, of course, and their product extended Group Policy to handle basic tasks such as adding printers, copying or updating files and registry keys and… wait a second, there we go.
Group Policy Preferences uses an XML data format which allows copy-pasting registry keys, so here’s how I implemented the recommendation to block Java.
I will assume some basic familiarity with creating group policy objects and linking them. More information on that can be found at Microsoft’s excellent Group Policy portal.
We will need to open up the Computer Configuration > Preferences > Registry:
And there simply copy and paste in this XML code from this Pastebin. The content looks something like:
<?xml version="1.0"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Disable Java in IE">
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Disable Java ActiveX CLSIDs" status="Values generated by the Registry Wizard" changed="2013-01-11 20:48:43" uid="{A198612C-A7E5-4D4F-B8A8-AD3BA07D4855}">
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Kill ActiveX Control CLSID 5852F5ED-8BF4-11D4-A245-0080C6F74284" descr="Wizard Generated Registry Item" image="12"><Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5852F5ED-8BF4-11D4-A245-0080C6F74284}" name="Compatibility Flags" default="0" type="REG_DWORD" displayDecimal="0" value="00000400"/></Registry>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Kill ActiveX Control CLSID 8AD9C840-044E-11D1-B3E9-00805F499D93" descr="Wizard Generated Registry Item" image="12"><Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8AD9C840-044E-11D1-B3E9-00805F499D93}" name="Compatibility Flags" default="0" type="REG_DWORD" displayDecimal="0" value="00000400"/></Registry>
<Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Kill ActiveX Control CLSID CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA" descr="Wizard Generated Registry Item" image="12"><Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}" name="Compatibility Flags" default="0" type="REG_DWORD" displayDecimal="0" value="00000400"/></Registry>
</Collection>
</Collection>
Finally, we also need to open up User Configuration > Preferences > Registry in the same manner as above and paste in this XML:
<?xml version="1.0"?>
<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Disable Java in IE"><Registry clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}" name="Disable Java APPLET in Internet Zone" descr="Wizard Generated Registry Item" image="12"><Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" name="1C00" default="0" type="REG_DWORD" displayDecimal="0" value="00000000"/></Registry>
</Collection>
The user configuration snippet is also available on Pastebin.
Apply the policies, and pat yourself on the back for taking your business one step closer to an open web.
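As an added check that is not part of the original post: once the policy has applied on a workstation, this PowerShell function (the function name is my own, not a Microsoft cmdlet) reads back the three kill-bit keys and the Internet-zone Java permission value and reports whether each matches what the XML above sets. It also reports the Security_HKLM_only policy flag, because when that is enabled IE ignores per-user zone values and the User Configuration half of the policy would not take effect.

```powershell
# Verification script added to this post; the CLSIDs, key paths and values
# are the ones from the GPP XML above. Run it in the context of a logged-on
# user after a gpupdate, since the zone setting lives under HKCU.
function Test-JavaDisabledInIE {
    # "Compatibility Flags" bit 0x400 is the ActiveX kill bit.
    $clsids = @(
        '{5852F5ED-8BF4-11D4-A245-0080C6F74284}',
        '{8AD9C840-044E-11D1-B3E9-00805F499D93}',
        '{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}'
    )
    $compatBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $results = @(foreach ($clsid in $clsids) {
        $key   = Join-Path $compatBase $clsid
        $flags = 0
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $item.'Compatibility Flags') { $flags = [int]$item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Check  = "Kill bit set for $clsid"
            Value  = ('0x{0:X}' -f $flags)
            Passed = (($flags -band 0x400) -ne 0)
        }
    })

    # Internet zone is zone 3; value 1C00 is "Java permissions", 0 = Disable Java.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $java = (Get-ItemProperty -Path $zoneKey -Name '1C00' -ErrorAction SilentlyContinue).'1C00'
    $javaShown = if ($null -eq $java) { 'not set' } else { $java }
    $results += [pscustomobject]@{
        Check  = 'Internet zone Java permissions (1C00) is Disable Java'
        Value  = $javaShown
        Passed = ($java -eq 0)
    }

    # Caveat: with Security_HKLM_only = 1, IE reads zone settings from HKLM only,
    # so a per-user preference like the one above is silently ignored.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hklmOnly = (Get-ItemProperty -Path $polKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue).'Security_HKLM_only'
    $hklmShown = if ($null -eq $hklmOnly) { 'not set' } else { $hklmOnly }
    $results += [pscustomobject]@{
        Check  = 'Security_HKLM_only not overriding per-user zones'
        Value  = $hklmShown
        Passed = ($hklmOnly -ne 1)
    }
    return $results
}

Test-JavaDisabledInIE | Format-Table -AutoSize
```

Any row with Passed = False means the corresponding preference has not reached this machine or user yet, so check gpresult before assuming Java is blocked.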
