Whitelist Java to provide better security and a better user experience

Last Updated on September 15, 2016 by Dave Farquhar

One of the best things you can do to improve your security in a corporate environment is to limit the use of Java, or whitelist Java. Undoubtedly there will be one or more legacy web applications your company uses that require Java, and it’s almost inevitable that at least two of them will be certified for one and only one version of the JRE, and it won’t be the same one.

Believe it or not there’s a solution to the problem of conflicting JREs, but it took me years to find it, because I had no idea that Oracle called it “Deployment Rule Set.” The secret’s out now. If you run Java, and you want security, you need Deployment Rule Set.

Deployment Rule Set does two things. It allows you to tell your web browser and your JRE what URLs are allowed to use Java. But, more importantly, it allows you to tell your web browser which JRE to use with that particular URL. So if you have something that requires JRE 1.6u20 and something else that requires 1.6u29, simply install both JREs. Then point those URLs at the correct one.

Now, keep in mind that JREs are supposed to be updated quarterly, so both of these particular JREs are horrifically insecure. You’re partially mitigating this risk by permitting only one web site to use the horrible JRE. I recommend adding an additional mitigation by running EMET. EMET will break some of the exploits against those old and vulnerable JREs.

It’s not perfect, but getting rid of old Java apps tends to be difficult. So it’s good to have ways to mitigate some of the risks.

I’ve also seen people whitelist Java using a web proxy, but I like this approach better, for two reasons. Using a proxy server you can’t direct web sites to a different JRE. Instead, you have to hope the system sorts it out. In my experience the system doesn’t always sort it out and you end up with problems. The second reason is because people take their laptops with them, and if they access the web without your proxy server, they lose the protection. By whitelisting locally instead, they always have it. Regardless of what network they’re on.

So the Deployment Rule Set doesn’t just improve your security. It also improves your user experience, because it ensures that Java apps get the JRE they’re certified for. That means fewer problems and fewer helpdesk calls.

It’s not quite as good as getting rid of the JRE that Ada Lovelace wrote for Charles Babbage. But it’s almost the next best thing.

If you found this post informative or helpful, please share it!