If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.revocation.check=ALL_CERTIFICATES” is not present, or is set to “PUBLISHER_ONLY” or “NO_CHECK”, this is a finding. If the key “deployment.security.revocation.check.locked” is not present, this is a finding.
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.revocation.check=ALL_CERTIFICATES” to the deployment.properties file. Add the key “deployment.security.revocation.check.locked” to the deployment.properties file.
Verify a JRE deployment configuration file exists as indicated: <JRE Installation Directory>\Lib\deployment.config. The default installation directory is C:\Program Files\Java\jre1.8.x_x\ or C:\Program Files (x86)\Java\jre1.8.x_x\. If the configuration file does not exist as indicated, this is a finding.
No default file exists; a text file must be created. Create a JRE deployment configuration file as indicated: <JRE Installation Directory>\Lib\deployment.config
Navigate to the “deployment.config” file for Java: <JRE Installation Directory>\Lib\deployment.config. The default installation directory is C:\Program Files\Java\jre1.8.x_x\ or C:\Program Files (x86)\Java\jre1.8.x_x\. The deployment.config file contains two properties: deployment.system.config and deployment.system.config.mandatory. The “deployment.system.config” key points to the location of the deployment.properties file. The location is variable; it can point to a file on the local disk or to a UNC path. The following is an example: “deployment.system.config=file:///C:/Windows/Java/Deployment/deployment.properties”. If the “deployment.system.config” key does not exist or does not point to the location of the deployment.properties file, this is a finding. If the “deployment.system.config.mandatory” key does not exist or is set to false, this is a finding.
Navigate to the “deployment.config” file for JRE: <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.system.config=<Path to deployment.properties>” to the deployment.config file. The following is an example: “deployment.system.config=file:///C:/Windows/Java/Deployment/deployment.properties”. Note the use of forward slashes. Add the key “deployment.system.config.mandatory=true” to the deployment.config file.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If there is no file named “deployment.properties”, this is a finding.
Create the JRE deployment.properties file: No default file exists. A text file named deployment.properties, and the directory structure in which it is located, must be manually created. The location must match the one defined in the <JRE Installation Directory>\Lib\deployment.config file. C:\Windows\Java\Deployment\deployment.properties is an example.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.level=VERY_HIGH” is not present in the deployment.properties file, or is set to “HIGH”, this is a finding. If the key “deployment.security.level.locked” is not present in the deployment.properties file, this is a finding.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.level=VERY_HIGH” to the deployment.properties file. Add the key “deployment.security.level.locked” to the deployment.properties file.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.webjava.enabled=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.webjava.enabled.locked” is not present in the deployment.properties file, this is a finding.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.webjava.enabled=true” to the deployment.properties file. Add the key “deployment.webjava.enabled.locked” to the deployment.properties file.
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for Java. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.askgrantdialog.notinca=false” is not present, this is a finding. If the key “deployment.security.askgrantdialog.notinca.locked” is not present, this is a finding. If the key “deployment.security.askgrantdialog.notinca” exists and is set to true, this is a finding.
If the system is on the SIPRNet, this requirement is NA. Disable the “Allow user to grant permissions to content from an untrusted authority” feature. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.askgrantdialog.notinca=false” to the deployment.properties file. Add the key “deployment.security.askgrantdialog.notinca.locked” to the deployment.properties file.
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.askgrantdialog.show=false” is not present, this is a finding. If the key “deployment.security.askgrantdialog.show.locked” is not present, this is a finding. If the key “deployment.security.askgrantdialog.show” exists and is set to true, this is a finding.
If the system is on the SIPRNet, this requirement is NA. Lock the “Allow user to grant permissions to content from an untrusted authority” feature. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.askgrantdialog.show=false” to the deployment.properties file. Add the key “deployment.security.askgrantdialog.show.locked” to the deployment.properties file.
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.validation.ocsp=true” is not present in the deployment.properties file, this is a finding. If the key “deployment.security.validation.ocsp.locked” is not present in the deployment.properties file, this is a finding. If the key “deployment.security.validation.ocsp” is set to “false”, this is a finding.
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.validation.ocsp=true” to the deployment.properties file. Add the key “deployment.security.validation.ocsp.locked” to the deployment.properties file.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.blacklist.check=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.security.blacklist.check.locked” is not present in the deployment.properties file, this is a finding.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.blacklist.check=true” to the deployment.properties file. Add the key “deployment.security.blacklist.check.locked” to the deployment.properties file.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.user.security.exception.sites” is not present in the deployment.properties file, this is a finding. If the key “deployment.user.security.exception.sites” is not set to the location of the exception.sites file, this is a finding. An example of a correct setting (note that colons and backslashes are escaped in a Java properties file) is: deployment.user.security.exception.sites=C\:\\Program Files\\Java\\jre1.8.x.x\\Lib\\exception.sites
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.user.security.exception.sites=C\:\\Program Files\\Java\\jre1.8.x.x\\Lib\\exception.sites” to the deployment.properties file.
If the system is on the SIPRNet, this requirement is NA. Navigate to the “exception.sites” file for Java. The location of the exception.sites file is defined in the deployment.properties file. The exception.sites file is a text file containing one URL per line for accepted-risk sites. If there are no AO-approved sites to be added to the configuration, it is acceptable for this file to be blank. If the “exception.sites” file does not exist, this is a finding. If the “exception.sites” file contains URLs that are not AO approved, this is a finding.
If the system is on the SIPRNet, this requirement is NA. Create the JRE exception.sites file: No default file exists. A text file named exception.sites, and the directory structure in which it is located, must be manually created. The location must match the one defined in the deployment.properties file. C:\Windows\Java\Deployment\exception.sites is an example.
If the system is on the SIPRNet, this requirement is NA. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.security.validation.crl=true” is not present in the deployment.properties file, or is set to “false”, this is a finding. If the key “deployment.security.validation.crl.locked” is not present in the deployment.properties file, this is a finding.
If the system is on the SIPRNet, this requirement is NA. Enable the “Check certificates for revocation using Certificate Revocation Lists (CRL)” option. Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.security.validation.crl=true” to the deployment.properties file. Add the key “deployment.security.validation.crl.locked” to the deployment.properties file.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. If the key “deployment.insecure.jres=PROMPT” is not present in the deployment.properties file, this is a finding. If the key “deployment.insecure.jres.locked” is not present in the deployment.properties file, this is a finding. If the key “deployment.insecure.jres” is set to “NEVER”, this is a finding.
Navigate to the system-level “deployment.properties” file for JRE. The location of the deployment.properties file is defined in <JRE Installation Directory>\Lib\deployment.config. Add the key “deployment.insecure.jres=PROMPT” to the deployment.properties file. Add the key “deployment.insecure.jres.locked” to the deployment.properties file.
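As an added example (not part of the STIG text), the following Python audit parses a Java-format deployment.properties file, including the escaped colons and backslashes used in the exception.sites path above, and reports every deployment.properties key check from the preceding requirements that fails on a non-SIPRNet system. The sample file contents are constructed; the deployment.config checks are not covered.

```python
import re

# Values the STIG checks require on non-SIPRNet systems; each key also needs a
# bare "<key>.locked" entry so the Java Control Panel cannot override it.
REQUIRED = {
    "deployment.security.revocation.check": "ALL_CERTIFICATES",
    "deployment.security.level": "VERY_HIGH",
    "deployment.webjava.enabled": "true",
    "deployment.security.askgrantdialog.notinca": "false",
    "deployment.security.askgrantdialog.show": "false",
    "deployment.security.validation.ocsp": "true",
    "deployment.security.validation.crl": "true",
    "deployment.security.blacklist.check": "true",
    "deployment.insecure.jres": "PROMPT",
}

def parse_properties(text):
    """Parse Java .properties text: '#' comments, key=value, bare keys such as
    'x.locked', and single-char escapes, so C\\:\\\\Program becomes C:\\Program."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)", line)
        if not m:  # line with no key (e.g. a bare "=") is ignored
            continue
        key, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        props[key] = value
    return props

def audit(props):
    """Return one finding per failed check; an empty list means compliant."""
    findings = []
    for key, want in REQUIRED.items():
        if props.get(key) != want:
            findings.append(f"{key} must be {want}, found {props.get(key)!r}")
        if key + ".locked" not in props:
            findings.append(f"{key}.locked is missing")
    if not props.get("deployment.user.security.exception.sites"):
        findings.append("deployment.user.security.exception.sites is missing")
    return findings

# Constructed sample deployment.properties (not from a real system): the security
# level is wrong, ocsp is set but not locked, and several keys are absent.
SAMPLE = r"""deployment.security.level=HIGH
deployment.security.level.locked
deployment.security.validation.ocsp=true
deployment.insecure.jres=PROMPT
deployment.insecure.jres.locked
deployment.user.security.exception.sites=C\:\\Program Files\\Java\\jre1.8.x.x\\Lib\\exception.sites
"""
```

Run `audit(parse_properties(open(path).read()))` against the file referenced by deployment.config to list the findings for a real system.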
Review the system configuration to ensure old versions of JRE have been removed. Open the Windows Control Panel and navigate to "Programs and Features". Ensure only one instance of JRE is in the list of installed software. If more than one instance of JRE is listed, this is a finding. Note: 32-bit and 64-bit versions of the same instance are acceptable.
Remove previous versions of JRE. Open the Windows Control Panel and navigate to "Programs and Features". Highlight each out-of-date instance of JRE and click Uninstall.
Open a terminal window and type the command "java -version" (without the quotes). The return value should contain Java build information: "Java (TM) SE Runtime Environment (build x.x.x.x)". Cross-reference the build information on the system with the Oracle Java site to identify the most recent build available. If the version of Oracle JRE 8 running on the system is out of date, this is a finding.
Test applications to ensure operational compatibility with the new version of Java. Install the latest version of Oracle JRE 8.