8.3.1 Set 'Java permissions' to 'Enabled:Disable Java'

Information



This policy setting allows you to manage permissions for Java applets. If you enable this
policy setting, you can choose options from the drop-down box. Set to Custom to control
permissions settings individually. Low Safety enables applets to perform all operations.
Medium Safety enables applets to run in their sandbox (an area in memory outside of
which the program cannot make calls), plus capabilities like scratch space (a safe and
secure storage area on the client computer) and user-controlled file I/O. High Safety
enables applets to run in their sandbox. Disable Java to prevent any applets from running.
If you disable this policy setting, Java applets cannot run. If you do not configure this policy
setting, the permission is set to High Safety. The recommended state for this setting is-
Enabled-Disable Java.

*Rationale*

Java applications could contain malicious code, sites located in this security zone are more
likely to be hosted by malicious people.

Solution

To establish the recommended configuration via Group Policy, set the following UI path to
Enabled.

Computer Configuration\Administrative Templates\Windows Components\Internet
Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Java permissionsThen set the Java permissions option to Disable Java.

Default Value-
High Safety

See Also

https://workbench.cisecurity.org/files/1518

Item Details

Audit Name: CIS IE 11 v1.0.0

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a.

Plugin: Windows

Control ID: af63c7eae8073f23d43c59f31e94482259e7e905f792910321ee6a079d8fb239