Select any two versions of this STIG to compare the individual requirements
Select any old version/release of this STIG to view the previous requirements
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key, 'deployment.security.askgrantdialog.notinca=false' is not present, this is a finding. If the key 'deployment.security.askgrantdialog.notinca' exists and is set to true, this is a finding.
Disable the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add or update the key, 'deployment.security.askgrantdialog.notinca'. Set to a value of 'false'.
Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.askgrantdialog.notinca.locked' is not present, this is a finding.
Lock the 'Allow user to grant permissions to content from an un-trusted authority' feature. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add the key 'deployment.security.askgrantdialog.notinca.locked' to the deployment.properties file.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.crl' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.crl' is set to 'false', this is a finding.
If the system is on the SIPRNET, this requirement is NA. Enable the 'Check certificates for revocation using Certificate Revocation Lists (CRL)' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add or update the key 'deployment.security.validation.crl' in the deployment.properties file. Set the value to 'true'.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.crl.locked' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.ocsp.locked' is not present in the deployment.properties file, this is a finding.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add the key 'deployment.security.validation.crl.locked' to the deployment.properties file. Add the key 'deployment.security.validation.ocsp.locked' to the deployment.properties file.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.ocsp' is not present in the deployment.properties file, this is a finding. If the key 'deployment.security.validation.ocsp' is set to 'false', this is a finding.
If the system is on the SIPRNET, this requirement is NA. Enable the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add or update the key 'deployment.security.validation.ocsp' to the deployment.properties file. Set the value to 'true'.
If the system is on the SIPRNET, this requirement is NA. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties If the key 'deployment.security.validation.ocsp.locked' is not present in the deployment.properties file, this is a finding.
If the system is on the SIPRNET, this requirement is NA. Lock the 'Enable online certificate validation' option. Navigate to the 'deployment.properties' file for Java. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files: C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Add the key 'deployment.security.validation.ocsp.locked' to the deployment.properties file.
Navigate to the deployment.config file: If the deployment.config file does not exist, it must be created. The deployment.config file is a text file containing 2 keys. They are: deployment.system.config = deployment.system.config.mandatory = For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.config. For 64 bit systems you must check both the 64 bit and the 32 bit config files: C:\Program Files\Java\jre7\lib\deployment.config C:\Program Files (x86)\Java\jre7\lib\deployment.config Verify the 'deployment.system.config' key in the deployment.config file is set to the correct path. Note that the characters : and \ must be delimited by a backslash. The path contained in the deployment.config file(s) will depend upon system architecture. The following paths are examples. Drive letters may vary based upon your system. For 32 bit systems the path is: 'file:C\:\\Program Files\\Java\\jre7\\lib\\deployment.properties' For 64 bit systems the paths are: 'file:C\:\\Program Files\\Java\\jre7\\lib\\deployment.properties' 'file:C\:\\Program Files (x86)\\Java\\jre7\\lib\\deployment.properties' Verify the 'deployment.system.config.mandatory' key in the deployment.config file(s) are set to 'false'. If the 'deployment.system.config' key is not set to the correct path and the 'deployment.system.config.mandatory' key is not set to false, this is a finding.
If the deployment.config file does not exist, create the file. The deployment.config file is a text file containing 2 keys. They are: deployment.system.config = deployment.system.config.mandatory = On 32-bit systems the deployment config file should be located at: C:\Program Files\Java\jre7\lib\deployment.config On 64-bit systems there can be 2 locations for the deployment.config file. One is for 32 bit JRE and the other for 64 bit JRE: 64 bit - C:\Program Files\Java\jre7\lib\deployment.config 32 bit - C:\Program Files (x86)\Java\jre7\lib\deployment.config Include the following keys and values in the appropriate deployment.config file based upon your system architecture. If you are running both a 32 bit and a 64 bit JRE, you need to update both deployment.config files. The following are examples, drive letters may vary. 32 bit 'deployment.system.config=file:C\:\\Program Files (x86)\\Java\\jre7\\lib\\deployment.properties' 'deployment.system.config.mandatory=false'. 64 bit 'deployment.system.config=file:C\:\\Program Files\\Java\\jre7\\lib\\deployment.properties' 'deployment.system.config.mandatory=false'.
On 32-bit systems, verify that one JRE deployment configuration file exists as indicated: C:\Program Files\Java\jre7\lib\deployment.config On 64-bit systems, verify that two JRE deployment configuration files exist as indicated: C:\Program Files\Java\jre7\lib\deployment.config C:\Program Files (x86)\Java\jre7\lib\deployment.config If there are 32 bit and 64 bit versions of java running on the system and these configuration files do not exist as indicated, this is a finding.
On 32-bit systems, create a JRE deployment configuration file as indicated: C:\Program Files\Java\jre7\lib\deployment.config On 64-bit systems, create two JRE deployment configuration files as indicated: C:\Program Files\Java\jre7\lib\deployment.config C:\Program Files (x86)\Java\jre7\lib\deployment.config The deployment.config file is a text file containing 2 keys. The keys are: deployment.system.config = deployment.system.config.mandatory =
Locate the deployment.properties files. For 32 bit systems the path is: 'C:\Program Files\Java\jre7\lib\deployment.properties' For 64 bit systems there are 2 potential paths as there can be 2 separate JRE's one 32 bit and one 64 bit: 'C:\Program Files\Java\jre7\lib\deployment.properties' 'C:\Program Files (x86)\Java\jre7\lib\deployment.properties' If there are no files entitled 'deployment.properties', this is a finding.
Create the Java deployment properties file. The location of this file can vary. For 32 bit systems: C:\Program Files\Java\jre7\lib\deployment.properties. For 64 bit systems you must check both the 64 bit and the 32 bit files in order for both runtimes to be affected. C:\Program Files\Java\jre7\lib\deployment.properties C:\Program Files (x86)\Java\jre7\lib\deployment.properties Create a properties file entitled 'deployment.properties'. At a minimum, the following keys must be present in the deployment.properties file. deployment.security.askgrantdialog.notinca=false deployment.security.askgrantdialog.notinca.locked deployment.security.validation.crl=true deployment.security.validation.crl.locked deployment.security.validation.ocsp=true deployment.security.validation.ocsp.locked
Open a terminal window and type the command; "java -version" sans quotes. The return value should contain Java build information; "Java (TM) SE Runtime Environment (build x.x.x.x)" Cross reference the build information on the system with the Oracle Java site to identify the most recent build available. http://www.oracle.com/technetwork/java/javase/downloads/index.html
Test applications to ensure operational compatability with new version of Java. Install latest version of Java JRE.
Check the OS version to ensure it is supported by the vendor. Microsoft support for Windows XP ended April 8 2014. If the JRE is installed on an XP system, this is a finding.
Upgrade the operating system platform the JRE is installed on to a supported OS version.