draft
Java Runtime Environment (JRE) 7 STIG for WinXP
The Java Runtime Environment (JRE) is a bundle developed and offered by Oracle Corporation which includes the Java Virtual Machine (JVM), class libraries, and other components necessary to run Java applications and applets. Certain default settings within the JRE pose a security risk, so it is necessary to deploy system-wide properties to ensure a higher degree of security when utilizing the JRE.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 0.1 Benchmark Date: 28 Jul 2012
1
I - Mission Critical Public
I - Mission Critical Sensitive
I - Mission Critical Classified
II - Mission Support Public
II - Mission Support Sensitive
II - Mission Support Classified
III - Administrative Public
III - Administrative Sensitive
III - Administrative Classified

JRE0001 Disable ability to grant permission to untrusted authority
JRE0001-J7XP The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be disabled.
<VulnDiscussion>Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature.
Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
Add or update the key 'deployment.security.askgrantdialog.notinca' to be 'false'.

Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
If the key 'deployment.security.askgrantdialog.notinca=false' is not present, this is a finding.
If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding.

JRE0010 Lock out option to grant permission to untrusted
JRE0010-J7XP The dialog enabling users to grant permissions to execute signed content from an un-trusted authority must be locked.
<VulnDiscussion>Java applets exist both signed and unsigned. Even for signed applets, there can be many sources, some of which may be purveyors of malware. Applet sources considered trusted can have their information populated into the browser, enabling Java to validate applets against trusted sources. Permitting execution of signed Java applets from un-trusted sources may result in acquiring malware, and risks system modification, invasion of privacy, or denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature.
Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
Add the key 'deployment.security.askgrantdialog.notinca.locked'.

Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
If the key 'deployment.security.askgrantdialog.notinca.locked' is not present, this is a finding.

JRE0020 Enable revocation check on publisher certificates
JRE0020-J7XP The dialog to enable users to check publisher certificates for revocation must be enabled.
<VulnDiscussion>A certificate revocation list (CRL) is a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, or failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option.
Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
Add or update the key 'deployment.security.validation.crl' to be 'true'.

Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
If the key 'deployment.security.validation.crl' is not present, this is a finding.
If the key 'deployment.security.validation.crl' is set to 'false', this is a finding.

JRE0030 Lock the option to check certificates for revocation
JRE0030-J7XP The option to enable users to check publisher certificates for revocation must be locked.
<VulnDiscussion>A certificate revocation list (CRL) is a list of certificates that have been revoked for various reasons. Certificates may be revoked due to improper issuance, compromise of the certificate, or failure to adhere to policy. Therefore, any certificate found on a CRL should not be trusted. Permitting execution of an applet published with a revoked certificate may result in spoofing, malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Lock the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option.
Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
Add the key 'deployment.security.validation.crl.locked'.

Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
If the key 'deployment.security.validation.crl.locked' is not present, this is a finding.

JRE0040 Enable online certificate validation
JRE0040-J7XP The option to enable online certificate validation must be enabled.
<VulnDiscussion>Online certificate validation provides a real-time alternative to validating a certificate against a downloaded CRL. When enabled, each time a certificate is presented its status is requested from the issuer's responder and returned as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Enable the 'Enable online certificate validation' option.
Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
Add or update the key 'deployment.security.validation.ocsp' to be 'true'.

Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
If the key 'deployment.security.validation.ocsp' is not present, this is a finding.
If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding.

JRE0050 Lock online certificate validation
JRE0050-J7XP The option to enable online certificate validation must be locked.
<VulnDiscussion>Online certificate validation provides a real-time alternative to validating a certificate against a downloaded CRL. When enabled, each time a certificate is presented its status is requested from the issuer's responder and returned as 'current', 'expired', or 'unknown'. Online certificate validation provides a greater degree of validation of certificates when running a signed Java applet. Permitting execution of an applet with an invalid certificate may result in malware, system modification, invasion of privacy, and denial of service. Ensuring users cannot change settings contributes to a more consistent security profile.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Lock the 'Enable online certificate validation' option.
Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
Add the key 'deployment.security.validation.ocsp.locked'.

Navigate to the 'deployment.properties' file for Java.
C:\Program Files\Java\jre7\lib\deployment.properties
If the key 'deployment.security.validation.ocsp.locked' is not present, this is a finding.

JRE0060 The deployment.config file must be properly configured
JRE0060-J7XP The configuration file must contain proper keys and values to deploy settings correctly.
<VulnDiscussion>This configuration file must hold the location of the deployment.properties file as well as the enforcement of these properties. Without a proper path for the properties file, deployment would not be possible. If the path specified does not lead to a properties file, the value of the 'deployment.system.config.mandatory' key determines how to handle the situation. If the value of this key is true, the JRE will not run if the path to the properties file is invalid.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Specify the path to the deployment.properties file and set the mandatory configuration values.
On 32-bit systems, navigate to the JRE configuration file.
C:\Program Files\Java\jre7\lib\deployment.config
Include the following keys and values in the configuration file:
'deployment.system.config=file:C:/Program Files/Java/jre7/lib/deployment.properties'
'deployment.system.config.mandatory=false'.

On 64-bit systems, navigate to both JRE configuration files.
C:\Program Files\Java\jre7\lib\deployment.config
Include the following keys and values in the configuration file:
'deployment.system.config=file:C:/Program Files/Java/jre7/lib/deployment.properties'
'deployment.system.config.mandatory=false'.
C:\Program Files(x86)\Java\jre7\lib\deployment.config
Include the following keys and values in the configuration file:
'deployment.system.config=file:C:/Program Files/Java/jre7/lib/deployment.properties'
'deployment.system.config.mandatory=false'.

On 32-bit systems, navigate to the file indicated here:
C:\Program Files\Java\jre7\lib\deployment.config
Verify the key 'deployment.system.config' is set to 'file:C:/Program Files/Java/jre7/lib/deployment.properties'.
Verify the key 'deployment.system.config.mandatory' is set to 'false'.

On 64-bit systems, navigate to both JRE configuration files:
C:\Program Files\Java\jre7\lib\deployment.config
Verify the key 'deployment.system.config' is set to 'file:C:/Program Files/Java/jre7/lib/deployment.properties'.
Verify the key 'deployment.system.config.mandatory' is set to 'false'.
C:\Program Files(x86)\Java\jre7\lib\deployment.config
Verify the key 'deployment.system.config' is set to 'file:C:/Program Files/Java/jre7/lib/deployment.properties'.
Verify the key 'deployment.system.config.mandatory' is set to 'false'.

If the configuration files are not set as indicated, this is a finding.
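The checks for JRE0001 through JRE0050 and for JRE0060 all come down to reading a Java properties file and comparing keys, so the following added example (written for this page; it is not DISA or Oracle tooling) does exactly that in Python: it parses deployment.properties and deployment.config the way java.util.Properties does, reports each rule that is a finding, and shows why the STIG writes the deployment.system.config value with forward slashes. The file bodies are constructed samples, not captures from a real host; the function and constant names are the example's own.

```python
"""Audit helpers for the JRE 7 deployment.properties and deployment.config
checks (JRE0001-JRE0060). Added example, not DISA or Oracle tooling; every
sample file body below is constructed, not taken from a real host."""
import re

# deployment.properties rules: (STIG id, key, required value, or None when the
# rule only requires the key to be present, as with the *.locked flags)
PROPERTIES_RULES = [
    ("JRE0001", "deployment.security.askgrantdialog.notinca", "false"),
    ("JRE0010", "deployment.security.askgrantdialog.notinca.locked", None),
    ("JRE0020", "deployment.security.validation.crl", "true"),
    ("JRE0030", "deployment.security.validation.crl.locked", None),
    ("JRE0040", "deployment.security.validation.ocsp", "true"),
    ("JRE0050", "deployment.security.validation.ocsp.locked", None),
]
# JRE0060: value the STIG requires for deployment.system.config
SYSTEM_PROPERTIES_URL = "file:C:/Program Files/Java/jre7/lib/deployment.properties"


def _unescape(s):
    """Resolve java.util.Properties escapes: \\uXXXX, \\n, \\t, \\r, \\f; a
    backslash before any other character yields that character."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "u":
            return chr(int(esc[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(esc, esc)
    return re.sub(r"\\(u[0-9a-fA-F]{4}|.)", repl, s)


def parse_java_properties(text):
    """Parse properties syntax the way Java does: '#'/'!' comment lines, the
    key ends at the first unescaped '=', ':' or whitespace, an odd number of
    trailing backslashes continues the line, and a later duplicate key wins."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while (len(line) - len(line.rstrip("\\"))) % 2 == 1 and i < len(lines):
            line = line[:-1] + lines[i].lstrip()  # join the continuation line
            i += 1
        j, key_end = 0, len(line)
        while j < len(line):
            if line[j] == "\\":
                j += 2  # skip an escaped character inside the key
                continue
            if line[j] in "=: \t":
                key_end = j
                break
            j += 1
        rest = line[key_end:].lstrip()
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip()
        props[_unescape(line[:key_end])] = _unescape(rest)  # bare key -> ""
    return props


def audit_deployment_properties(text):
    """Return (rule id, reason) pairs for every JRE0001-JRE0050 finding. Any
    value other than the required one is reported, which is stricter than the
    literal 'set to true/false' wording of the checks."""
    props, findings = parse_java_properties(text), []
    for rule, key, required in PROPERTIES_RULES:
        if key not in props:
            findings.append((rule, f"key '{key}' is not present"))
        elif required is not None and props[key].strip().lower() != required:
            findings.append((rule, f"key '{key}' is '{props[key]}', expected '{required}'"))
    return findings


def audit_deployment_config(text):
    """Return JRE0060 findings for one deployment.config file body."""
    props, findings = parse_java_properties(text), []
    if props.get("deployment.system.config") != SYSTEM_PROPERTIES_URL:
        findings.append(("JRE0060", "deployment.system.config does not point to the system properties file"))
    if props.get("deployment.system.config.mandatory", "").strip().lower() != "false":
        findings.append(("JRE0060", "deployment.system.config.mandatory is not 'false'"))
    return findings


# Constructed sample: spaces around '=', a ':' separator, bare *.locked keys,
# and a duplicate key whose later value wins (so OCSP ends up disabled).
SAMPLE_PROPERTIES = """\
# constructed sample, not from a real host
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.security.validation.crl = true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp:true
deployment.security.validation.ocsp=false
"""
SAMPLE_CONFIG_OK = """\
deployment.system.config=file:C:/Program Files/Java/jre7/lib/deployment.properties
deployment.system.config.mandatory=false
"""
# Same intent written with backslashes: each backslash is consumed as an
# escape, so the URL Java actually sees no longer matches the required path.
SAMPLE_CONFIG_BACKSLASHES = r"""deployment.system.config=file:C:\Program Files\Java\jre7\lib\deployment.properties
deployment.system.config.mandatory=false
"""
```

Running `audit_deployment_properties(SAMPLE_PROPERTIES)` reports JRE0040 (the second `ocsp` line overrides the first, exactly as the JRE reads the file) and JRE0050 (no `ocsp.locked` key); the forward-slash deployment.config passes, while the backslash variant is a JRE0060 finding because the value has collapsed to `file:C:Program FilesJavajre7libdeployment.properties`.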

JRE0070 Configuration file must be present
JRE0070-J7XP A configuration file must be present to deploy properties for JRE.
<VulnDiscussion>The deployment.config file is used for specifying the location and execution of system-level properties for the Java Runtime Environment. By default no deployment.config file exists; thus, no system-wide deployment.properties file exists. 64-bit systems require two copies of the file, one for the 64-bit JRE and the other for the 32-bit JRE. Without the deployment.config file, setting particular options for the Java control panel is impossible.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
On 32-bit systems, create a JRE deployment configuration file as indicated:
C:\Program Files\Java\jre7\lib\deployment.config
On 64-bit systems, create two JRE deployment configuration files as indicated:
C:\Program Files\Java\jre7\lib\deployment.config
C:\Program Files(x86)\Java\jre7\lib\deployment.config

On 32-bit systems, verify that one JRE deployment configuration file exists as indicated:
C:\Program Files\Java\jre7\lib\deployment.config
On 64-bit systems, verify that two JRE deployment configuration files exist as indicated:
C:\Program Files\Java\jre7\lib\deployment.config
C:\Program Files(x86)\Java\jre7\lib\deployment.config
If the configuration files do not exist as indicated, this is a finding.

JRE0080 Properties file must exist
JRE0080-J7XP A properties file must be present to hold all the keys that establish properties within the Java control panel.
<VulnDiscussion>The deployment.properties file is used for specifying keys for the Java Runtime Environment. Each option in the Java control panel is represented by a property key. These keys adjust the options in the Java control panel based on the value assigned to that key. By default no deployment.properties file exists; thus, no system-wide deployment exists. Without the deployment.properties file, setting particular options for the Java control panel is impossible.</VulnDiscussion>
<Documentable>false</Documentable>
DISA FSO; VMS Target JRE Version 7 (2347)
Navigate to the Lib directory.
C:\Program Files\Java\jre7\lib
If there is no properties file entitled 'deployment.properties', this is a finding.

Navigate to the Lib directory.
C:\Program Files\Java\jre7\lib
If there is no properties file entitled 'deployment.properties', this is a finding.