Posted by: Dan O'Connor
So what do you do with Java in your environment?
I would think that if you have it installed it is there for a very good reason. There is an application that is needed by the business that requires it.
Uninstalling Java will eliminate the risk from your environment, but it will also stop people from working. Keeping it up to date is a good start, but that is not going to protect you from what happened this past weekend.
I have had a couple of ideas on this:
- In most cases, while some users require access to Java, not everyone does. With the newer versions it is possible to remove the browser's access to Java, which should help reduce your attack surface. Using registry snapshot tools, I was able to create a set of reg files that will either enable or disable this for all of the applicable browsers. The main issue is that the change will not take effect until the browser has been restarted. Attaching these processes to the login of the users that need Java through Group Policy will have Java ready for those who need it, and for those that don’t it will appear that they don’t have it installed. I am going to cover this in more detail in another post, and I might share what I have created, but at minimum I will show you how to make your own.
- The users that need Java will only need to use it on specific sites, and there may only be a few of them, so what if we can limit where Java can go? This is where having your historical logs can really show value. I am going to cover this here in part 2.
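
As a sketch of how historical logs can feed that second idea, the following added example (not from the original post) pulls the destinations that Java actually talks to out of web proxy logs. The log format, the sample lines, the function names and the `min_clients` threshold are assumptions made for illustration; the `Java/<version>` user-agent token and the Java MIME types are what the Java runtime and web servers normally send.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines (hypothetical format, not from the post):
# timestamp client method url status content_type "user_agent"
SAMPLE_LOG = '''\
2013-01-14T09:01:12 10.0.4.21 GET http://payroll.example.com/app/timesheet.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"
2013-01-14T09:01:15 10.0.4.21 GET http://payroll.example.com/app/login 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
2013-01-14T09:07:44 10.0.4.35 GET http://payroll.example.com/app/timesheet.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_10"
2013-01-14T10:22:03 10.0.7.9 GET http://conf.example.net/launch.jnlp 200 application/x-java-jnlp-file "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
2013-01-14T11:40:51 10.0.9.77 GET http://ads.example.org/x/a.jar 200 application/octet-stream "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_37"
this line is malformed and must be skipped
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')
JAVA_UA = re.compile(r'\bJava/\d')  # token the Java runtime adds to its User-Agent
JAVA_TYPES = {"application/java-archive", "application/x-java-applet",
              "application/x-java-jnlp-file"}

def java_destinations(log_text):
    """Return {host: {"clients": set, "hits": int}} for Java-related requests."""
    seen = defaultdict(lambda: {"clients": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status, ctype, ua = m.groups()
        # Java-related: fetched by the Java runtime, or serving Java content
        if not (JAVA_UA.search(ua) or ctype.lower() in JAVA_TYPES):
            continue
        host = (urlsplit(url).hostname or "").lower()
        if host:
            seen[host]["clients"].add(client)
            seen[host]["hits"] += 1
    return dict(seen)

def review_list(log_text, min_clients=2):
    """Split Java destinations into allowlist candidates and hosts to review."""
    # Assumption: a host used by several clients is more likely a business app.
    dests = java_destinations(log_text)
    candidates = sorted(h for h, d in dests.items() if len(d["clients"]) >= min_clients)
    review = sorted(set(dests) - set(candidates))
    return candidates, review

if __name__ == "__main__":
    candidates, review = review_list(SAMPLE_LOG)
    print("allowlist candidates:", candidates)
    print("needs review:", review)
```

The split is only a starting point for a human decision: a host seen from a single client may still be a legitimate business application, and every candidate should be confirmed with its owner before it goes on an allowlist.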