[Screenshot: Java applet blocked]
I have come up with an ingenious solution to prevent this from ever happening again.
You won't get blocked, but you will be prompted if the applet is not signed.
I wrote a program that, at every log in, verifies and/or sets the security setting to medium.
Now, some people say that will allow unwanted applets to run. That is possible IF they are signed. If they are not signed you will still get a prompt to allow them to run. Some corporate environments simply won't spend the extra monetary resources to hire a developer to update their applets, as the one I work at does not like to do. Below is a list of security settings:
As of Java 7 update 51.
- Very High: Most secure setting - Only Java applications identified by a non-expired certificate from a trusted authority will be allowed to run.
- High (minimum recommended): Java applications identified by a certificate from a trusted authority will be allowed to run.
- Medium: All Java applications will be allowed to run after presenting a security prompt.
[Screenshot: Java Security Slider]
You can of course add them to the Java trusted sites, which are totally different from Windows trusted sites. In my opinion this is kind of a pain, since you now have to enter them into a different location all over again. If you scroll to the bottom there is a script for this that will pull them from Internet Explorer Trusted sites and add them to the Java sites.
I am going to explain how this script works so everyone understands what it does. First off, I am only writing code for 64 bit architecture, as 32 bit is pretty much on the way out fast.
The Java security settings are located in a file called:
" deployment.properties "
This file is located in the following location:
" C:\Users\%username%\localLow\Sun\Java\Deployment\ "
The screenshot below shows the default settings in this file when you initially install Java or when a new user logs onto a machine for the first time.
[Screenshot: java deployment.properties]
The setting for the security settings is called:
" deployment.security.level=MEDIUM "
The setting will show MEDIUM if you adjust your java slider all the way down, or if you write to line 6 of this file, with that setting as shown below.
What my script does is the following:
1) A Windows task is created to run the file at log on. More on that in a moment.
2) The script waits and verifies the existence of the " deployment.properties " file. It will then wait 9 additional seconds and continue on. NOTE: If the file exists then it does not wait.
3) It reads this file line by line to check for the existence of:
" deployment.security.level=VERY HIGH " or whether such a deployment security level line even exists.
4) IF either of those conditions is true then the following line will be written into the file at line position 6 ' " deployment.security.level=MEDIUM " ' as seen below.
[Screenshot: Line 6 security settings default location]
This then forces the slider to medium even if grayed out, thus setting the security to MEDIUM.
5) If the line:
" deployment.security.level=MEDIUM "
already exists, then the script terminates.
OK, so that's all this script does. What makes it work is another script that imports a Windows task to run the script at each log on, creates the necessary folder structure, and places the actual exe that does the re-writing of the file in said locations.
The Windows task is set to run for:
" Users "
No high level privileges are needed as the data being written is in the user profile.
The file that does this is located in:
"C:\ProgramData\Scripts\java\" called " JavaSettings.exe ".
It will run at every log on, and does what is stated in the above description to alter the Java file. This is particularly good in a domain environment where it is acceptable to run the Java security setting at medium and new users could be logging onto machines and facing the blocked site error message, thus generating a call to the local Help Desk for assistance in setting the slider to medium to overcome this. One could just run this as a one time shot for single log on machines. I will post a link to that as well as the one that creates the task.
The script runs silently for the most part, except upon initial install of the task and associated files, during which a brief cmd window appears for a split second, and you will see an icon in the system tray briefly as well.
Also, upon first log in as a new user after the script has been installed on the machine, I have noticed that it could take a few minutes for the script to completely run and change the file contents, as the network I am working with is antiquated and there is a bit of GP bloat being pushed to machines. This might not be the case with most modern networks with lean and efficient GP.
Below are the links to the 64 bit version of this:
Installer that creates the task and creates the necessary configurations is called JavaTask.exe
Stand alone one time fix to be run on demand on a per logged on user basis to set the setting to MEDIUM called JavaSettings.exe
I also created a stand alone import script that will import IE trusted sites to java trusted sites without any duplicates called ImportTrusted.exe
You can feel free to click on the right pane and look at some of my other work as well.
October 26 2014 - IMPORTANT UPDATE:
THIS WILL NOT WORK IF YOU HAVE JAVA 8 AND A DEPLOYMENT SOLUTION IN PLACE. ALSO, JAVA 8 DOES NOT SUPPORT MEDIUM SECURITY SETTINGS ANYMORE. YOU MUST ADD EACH SITE INDIVIDUALLY TO THE SITE EXCEPTION LIST
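For administrators who need to find profiles where the level has been set below the recommended minimum, the following is an added audit example, not the author's JavaSettings.exe or any code from this page. It parses deployment.properties and reports the effective deployment.security.level; it assumes the standard per-user location under AppData\LocalLow, accepts the top level spelled either VERY_HIGH (as the file stores it) or "VERY HIGH" (as written above), and uses a constructed sample file.

```python
import re
from pathlib import Path

# Slider values described on this page, weakest first; HIGH is the stated minimum.
LEVELS = {"MEDIUM": 0, "HIGH": 1, "VERY_HIGH": 2}
MINIMUM = "HIGH"
KEY = "deployment.security.level"

def read_level(text):
    """Return the effective value of KEY in .properties text, or None if unset."""
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        # Java .properties allows '=', ':' or whitespace between key and value.
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m and m.group(1) == KEY:
            level = m.group(2).strip()       # last occurrence wins, as in java.util.Properties
    return level

def assess(text):
    """Classify one profile's deployment.properties content as (status, detail)."""
    level = read_level(text)
    if level is None:
        return ("unset", "no explicit level; the installed JRE's default applies")
    norm = level.upper().replace(" ", "_")
    if norm not in LEVELS:
        return ("unknown", f"unrecognised value {level!r}")
    if LEVELS[norm] < LEVELS[MINIMUM]:
        return ("weak", f"{norm} is below the recommended minimum {MINIMUM}")
    return ("ok", norm)

def audit_profiles(users_root):
    """Yield (path, status, detail) for every user profile under users_root."""
    pattern = "*/AppData/LocalLow/Sun/Java/Deployment/deployment.properties"
    for path in sorted(Path(users_root).glob(pattern)):
        yield (str(path), *assess(path.read_text(encoding="latin-1")))

# Constructed sample: a file in which a later line overrides an earlier HIGH.
SAMPLE = """#deployment.properties
deployment.security.level=HIGH
deployment.security.level=MEDIUM
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
    for row in audit_profiles(r"C:\Users"):
        print(row)
```

Reading other users' profiles requires an account with access to them; run per user, only that user's own file is visible.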