Anyone can go to the Control Panel on their Windows machine and disable Java in their browser. But how are you going to do that for 10,000+ non-IT people?
First a shopping list of sorts.
Windows SDK – http://www.microsoft.com/en-us/download/details.aspx?id=3138
Manual Java Download link – http://www.java.com/en/download/manual.jsp
I will show how to work with the MSI-based installer of Java so that you can build a custom transform with the settings you feel are appropriate to deploy. The first step is to download the Windows 7 SDK. You do not need to install the full SDK; follow my second link on how to install Orca. That article tells you which SDK options you need to select.
So what is Orca? Orca is a Microsoft utility, shipped with the Windows SDK, that lets you view and edit the database tables inside an MSI package. We need it to build a custom transform (an .mst file) that changes Java's install-time properties without modifying Oracle's original MSI.
Download Java from the manual download link. You will notice that it only offers executable (.exe) versions of Java. That's OK: the .exe unpacks the MSI when it runs, so install it in a Windows 7 VM rather than on a production machine.
Install Java 7 Update 10 in the Windows 7 VM. Once it is finished, navigate to the following folder:
C:\Users\{username}\AppData\LocalLow\Sun\Java\jre1.7.0_10 (for Win 7)
You will see two files in that folder. Copy both of them out to two separate locations, so you have a spare in case you mess something up. Next, run Orca and do File > Open on the jre1.7.0_10.msi file.
When Orca opens the MSI you will see a long list of tables on the left. Before you edit anything, start a new transform: Transform > New Transform. From that point Orca records every change you make as a difference against the original package instead of altering the MSI itself.
Once you have selected New Transform, scroll down the table list until you see the table called "Property".
There are a few properties to take note of, in the order they appear in the table:
AUTOUPDATECHECK=0, JAVAUPDATE=0, MOZILLA=1, IEXPLORER=1 and REBOOT=No
The first two prevent Java from auto-updating and from checking for updates. Why do this? In your org it is wise to test the compatibility of your Java applications before you choose to upgrade. It's all about quality control.
MOZILLA and IEXPLORER enable the Java plugin in Mozilla Firefox and Internet Explorer; if you only run IE in your org, set MOZILLA=0. REBOOT=No suppresses reboots, for obvious reasons. Be aware that the values Windows Installer itself documents for REBOOT are Force, Suppress and ReallySuppress, so also pass /norestart on the msiexec command line if you want to be certain no machine reboots in the middle of the day.
Two newer settings, introduced with Java 7 Update 10, are not in the "Property" table by default:
WEB_JAVA=0/1
WEB_JAVA_SECURITY_LEVEL=VH/H/M/L
You add these as rows in the "Property" table: right-click in the right-hand pane, click "Add Row", and enter the property name and value.
WEB_JAVA=0
This disables Java content inside the browser entirely. If you do this, WEB_JAVA_SECURITY_LEVEL is not needed. If nobody in your org needs applets, this is the single most effective setting on this page, because browser-delivered applets are what drive-by Java exploits rely on.
WEB_JAVA=1
This enables Java inside the browser, and then WEB_JAVA_SECURITY_LEVEL must be set as well (VH = very high, H = high, M = medium, L = low). Assign the security level as you see fit.
Once you are done adding the settings, go to the Transform menu and select "Generate Transform". This writes an .mst file (the default name is untitled.mst; give it a descriptive one) holding your customized Java settings for your org. The original MSI is left untouched, which is the point: you deploy Oracle's package plus your transform.
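Before you push the transform to 10,000 machines it is worth checking that it really sets the properties you think it does. The following PowerShell script is an added example, not part of the original post: it opens the MSI through the WindowsInstaller.Installer COM object, applies the .mst in memory, reads back the Property table and compares it with the values you intended. The file paths and the expected values (including the WEB_JAVA_SECURITY_LEVEL=H choice) are assumptions; change them to match your transform.

```powershell
# Added example (not from the original post): verify an Orca-built transform by
# applying it to the MSI in memory and reading the resulting Property table.
param(
    [string]$Msi = 'C:\temp\jre1.7.0_10.msi',   # assumed path
    [string]$Mst = 'C:\temp\untitled.mst'       # assumed path
)

$ErrorActionPreference = 'Stop'

# WindowsInstaller.Installer is a late-bound COM object, so PowerShell has to
# go through InvokeMember to call its methods and read its properties.
function Invoke-ComMember {
    param($Object, [string]$Name, [string]$Binding, [object[]]$Arguments)
    $Object.GetType().InvokeMember($Name, $Binding, $null, $Object, $Arguments)
}

function Get-MsiProperties {
    param([string]$MsiPath, [string]$MstPath)

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # 0 = msiOpenDatabaseModeReadOnly: nothing here writes to the package.
    $db = Invoke-ComMember $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)
    if ($MstPath) {
        # Second argument 0 = suppress no transform errors; the .mst was generated
        # against this exact MSI, so it must apply cleanly or we want to know.
        Invoke-ComMember $db 'ApplyTransform' 'InvokeMethod' @($MstPath, 0) | Out-Null
    }
    $view = Invoke-ComMember $db 'OpenView' 'InvokeMethod' @('SELECT `Property`, `Value` FROM `Property`')
    Invoke-ComMember $view 'Execute' 'InvokeMethod' | Out-Null

    $props = @{}
    while ($true) {
        $rec = Invoke-ComMember $view 'Fetch' 'InvokeMethod'
        if ($null -eq $rec) { break }            # Fetch returns Nothing at end of rows
        $name  = Invoke-ComMember $rec 'StringData' 'GetProperty' @(1)
        $value = Invoke-ComMember $rec 'StringData' 'GetProperty' @(2)
        $props[$name] = $value
    }
    Invoke-ComMember $view 'Close' 'InvokeMethod' | Out-Null
    return $props
}

# What the transform is supposed to set (assumed org choices; edit to taste).
$expected = @{
    AUTOUPDATECHECK         = '0'
    JAVAUPDATE              = '0'
    IEXPLORER               = '1'
    MOZILLA                 = '1'
    WEB_JAVA                = '1'
    WEB_JAVA_SECURITY_LEVEL = 'H'
}

$actual = Get-MsiProperties -MsiPath $Msi -MstPath $Mst
$problems = foreach ($name in $expected.Keys) {
    if ($actual[$name] -ne $expected[$name]) {
        "{0}: expected '{1}' but the transformed package has '{2}'" -f $name, $expected[$name], $actual[$name]
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
'Transform sets every expected property.'
```

Run it from the VM where you built the transform. A property that is missing from the transformed table shows up as an empty string, which is exactly what happens if you typed WEB_JAVA as a new row but forgot to generate the transform afterwards.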
Rollout Time
First uninstall the previous version of Java. Refer to my script located here to do that; it uninstalls any version of Java, even if multiple versions exist on the machine.
Next, roll out the customized version of Java.
Here is what the customized rollout looks like from a command line:
msiexec /i c:\temp\jre1.7.0_10.msi TRANSFORMS="c:\temp\untitled.mst" /passive
This installs Java unattended, showing only a progress bar on the machine.
Put the uninstall script and this command line into your org's deployment tool. MSI installs can also be done through a GPO software installation policy; add the .mst on the package's Modifications tab when you first create the package, because a transform cannot be attached to a package that has already been published.
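For anyone who does not want to chain a batch uninstaller and a separate install command, here is a single PowerShell rollout script. It is an added example, not the post author's uninstall script: it finds every MSI-based JRE registered in the Uninstall keys (32-bit and 64-bit views), removes each one with msiexec /x, and then installs the new package with the transform. Paths, the log location and the display-name pattern are assumptions; the pattern matches the Java 5/6/7 naming seen in Add/Remove Programs.

```powershell
# Added example (not from the original post): remove all installed JREs, then
# install the customized package. Supports -WhatIf so you can dry-run it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Msi = 'C:\temp\jre1.7.0_10.msi',         # assumed path
    [string]$Mst = 'C:\temp\untitled.mst',            # assumed path
    [string]$Log = "$env:TEMP\java-rollout.log"        # assumed log location
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
# Display names used by JRE 5, 6 and 7 packages (assumed pattern); the Publisher
# check keeps third-party products with "Java" in the name out of the list.
$jrePattern = '^(Java(\(TM\))? \d+ Update \d+|J2SE Runtime Environment)'

function Get-InstalledJre {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        Get-ChildItem $key | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            # Only MSI products use a GUID product code as the key name; anything
            # else cannot be removed with msiexec /x.
            if ($p.DisplayName -match $jrePattern -and
                $p.Publisher -match 'Sun|Oracle' -and
                $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
                New-Object PSObject -Property @{
                    Name        = $p.DisplayName
                    ProductCode = $_.PSChildName
                }
            }
        }
    }
}

function Invoke-Msiexec {
    param([string[]]$ArgumentList)
    $proc = Start-Process msiexec.exe -ArgumentList $ArgumentList -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is pending,
    # 1605 = product is no longer installed (fine for an uninstall).
    if (@(0, 3010, 1605) -notcontains $proc.ExitCode) {
        throw "msiexec $($ArgumentList -join ' ') failed with exit code $($proc.ExitCode)"
    }
    $proc.ExitCode
}

foreach ($jre in Get-InstalledJre) {
    if ($PSCmdlet.ShouldProcess($jre.Name, 'Uninstall')) {
        Invoke-Msiexec @('/x', $jre.ProductCode, '/qn', '/norestart', '/l*v', "`"$Log`"")
    }
}

if ($PSCmdlet.ShouldProcess($Msi, "Install with transform $Mst")) {
    # /passive shows only a progress bar, as in the post; /norestart keeps
    # msiexec from rebooting no matter what the REBOOT property ends up as.
    Invoke-Msiexec @('/i', "`"$Msi`"", "TRANSFORMS=`"$Mst`"", '/passive', '/norestart', '/l*v', "`"$Log`"")
}
```

Run it once with -WhatIf on a test machine to see which product codes it would remove. The script stops on the first msiexec failure rather than continuing into the install, so a half-removed old JRE cannot be papered over by a new one; the verbose log tells you why it failed.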
Adding a little Extra security sauce to your landscape
Only do this if you enabled Java in the browser (WEB_JAVA=1).
If you have well-documented Java apps in your org, then you should start whitelisting their sites in the Trusted sites zone and turning Java off everywhere else.
Do this in the registry first:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Zone 3 is the Internet zone. Set the DWORD value 1C00 (Java permissions) from 0x10000 (high safety) to 0 (disabled).
This effectively stops Java from running in the Internet zone, while the Trusted sites zone (Zones\2) keeps its own setting.
I normally make these reg add modifications in a batch script and then deploy it. Keep in mind that HKCU is per-user, so the script has to run in each user's context (for example as a login script); the same setting can also be pushed through the Internet Explorer security zone policies in Group Policy.
Next set up your trusted sites by Group Policy (the "Site to Zone Assignment List" setting under Internet Explorer > Internet Control Panel > Security Page). This eliminates a lot of risk if you absolutely have to run Java in your browser. Be aware of XSS, though: if one of your whitelisted sites has a cross-site scripting flaw, an attacker can use it to serve an applet from that trusted origin, and Java will run it with the Trusted zone's permissions.
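The zone change and the site whitelist together, as an added PowerShell example that is not part of the original post. It sets the 1C00 (Java permissions) value to 0 in the Internet zone and maps a list of sites into the Trusted sites zone (zone 2) through the ZoneMap\Domains registry layout that Internet Explorer reads. The host names are placeholders; the HKLM branch only takes effect on machines where per-machine zone settings are enforced (the Security_HKLM_only value), and the Group Policy "Site to Zone Assignment List" remains the managed way to do the same thing.

```powershell
# Added example (not from the original post): disable Java in the Internet zone
# and whitelist documented Java sites into the Trusted sites zone.
param(
    [string[]]$TrustedJavaSites = @('apps.example.com', 'hr.example.com')  # placeholders
)

$ErrorActionPreference = 'Stop'

$inetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# 1C00 values: 0 = Disable Java, 0x10000 = High safety, 0x20000 = Medium, 0x30000 = Low.
$JavaDisabled = 0
$InternetZone = 3
$TrustedZone  = 2

function Set-ZoneJavaPermission {
    param([string]$Hive, [int]$Zone, [int]$Value)
    $key = "${Hive}:\$inetSettings\Zones\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '1C00' -Value $Value -Type DWord
}

function Add-TrustedSite {
    param([string]$Hive, [string]$HostName)
    # IE stores site-to-zone mappings as ZoneMap\Domains\<domain>\<subdomain>,
    # with one DWORD per scheme whose data is the zone number.
    $parts = $HostName.Split('.')
    if ($parts.Count -lt 2) {
        $domain = $HostName; $sub = $null          # single-label intranet host
    } else {
        $domain = $parts[-2..-1] -join '.'
        $sub = if ($parts.Count -gt 2) { $parts[0..($parts.Count - 3)] -join '.' }
    }
    $key = "${Hive}:\$inetSettings\ZoneMap\Domains\$domain"
    if ($sub) { $key = "$key\$sub" }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Trust the site over https only; use the value name '*' to cover any scheme.
    Set-ItemProperty -Path $key -Name 'https' -Value $TrustedZone -Type DWord
}

# HKCU covers the user running the script (e.g. from a login script). HKLM is
# only consulted when Security_HKLM_only is set, and needs admin rights to write.
foreach ($hive in 'HKCU', 'HKLM') {
    Set-ZoneJavaPermission -Hive $hive -Zone $InternetZone -Value $JavaDisabled
    foreach ($site in $TrustedJavaSites) {
        Add-TrustedSite -Hive $hive -HostName $site
    }
}
```

After running it, open Internet Options > Security > Internet > Custom level and confirm that Scripting of Java applets shows as disabled, and that Trusted sites lists the whitelisted hosts. The whitelist is only as safe as the sites on it, which is why the XSS warning above matters: every host you add here becomes a place from which an applet can run.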