
Firefox required security preferences can not be changed by user.


Overview

Finding ID: V-19743
Version: DTBF070
Rule ID: SV-21889r2_rule
IA Controls: ECSC-1
Severity: Medium
Description
Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with an offset of 7 instead). This file also needs to be "called" from the configuration file all.js.

STIG: Mozilla FireFox
Date: 2014-07-03

Details

Check Text ( C-24189r3_chk )
Verify that required settings are marked as locked in about:config. Verify that mozilla.cfg file is used to lock required security settings.

For instructions and a tool for reading the byte-shifted file, go to http://www.alain.knaff.lu/howto/MozillaCustomization/cgi/byteshf.cgi

Sample file:
//
lockPref("browser.startup.homepage", "https://www.us.army.mil/suite/page/429668");
lockPref("browser.download.dir", "N:");
lockPref("browser.download.downloadDir", "N:");
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.search.update", false);
lockPref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("dom.disable_open_during_load", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("security.warn_leaving_secure", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("signon.rememberSignons", false);
lockPref("xpinstall.whitelist.required", true);
lockPref("network.protocol-handler.external.shell", false);
lockPref("security.enable_ssl3", true);
lockPref("security.enable_ssl2", false);
lockPref("security.enable_tls", true);
lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks");
lockPref("privacy.item.history", false);

Note: Append a line to the all.js file so that the mozilla.cfg file is included.
Fix Text (F-22495r3_fix)
Ensure the required settings in "about:config" are locked using the mozilla.cfg file.
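
The check described above can be scripted. The following is an added example, not part of the STIG: it decodes a byte-shifted mozilla.cfg and reports required preferences that are not locked or are locked to the wrong value. It assumes encoding adds the offset to each byte modulo 256 and decoding subtracts it; the function names, the REQUIRED baseline (a subset of the sample file) and the sample input are constructed for illustration.

```python
import re

OFFSET = 13  # byte-shift offset given in the finding's description

def byteshift(data: bytes, offset: int) -> bytes:
    """Shift every byte by `offset` modulo 256; a negative offset decodes."""
    return bytes((b + offset) % 256 for b in data)

# Matches lockPref("name", value); value is a "string", true/false or an integer.
LOCKPREF_RE = re.compile(
    r'^\s*lockPref\(\s*"([^"]+)"\s*,\s*("[^"]*"|true|false|-?\d+)\s*\)\s*;?\s*$',
    re.MULTILINE)

def parse_locked(cfg_text: str) -> dict:
    """Return {pref_name: value} for each well-formed lockPref() line."""
    locked = {}
    for name, raw in LOCKPREF_RE.findall(cfg_text):
        if raw[0] == '"':
            locked[name] = raw[1:-1]
        else:
            locked[name] = raw == "true" if raw in ("true", "false") else int(raw)
    return locked

def audit(encoded: bytes, required: dict) -> dict:
    """Decode a byte-shifted mozilla.cfg; report prefs missing or set wrongly."""
    text = byteshift(encoded, -OFFSET).decode("utf-8", errors="replace")
    locked = parse_locked(text)
    findings = {}
    for name, want in required.items():
        if name not in locked:
            findings[name] = "not locked"
        elif locked[name] != want:
            findings[name] = f"locked to {locked[name]!r}, expected {want!r}"
    return findings

# Baseline (assumption): a subset of the values in the sample file.
REQUIRED = {"signon.rememberSignons": False, "browser.formfill.enable": False,
            "security.enable_ssl2": False}

# Constructed input: one wrong value, and one line typed with typographic quotes.
SAMPLE_CFG = '''//
lockPref("signon.rememberSignons", false);
lockPref("browser.formfill.enable", true);
lockPref(“security.enable_ssl2”,false);
'''.encode("utf-8")
ENCODED = byteshift(SAMPLE_CFG, OFFSET)

if __name__ == "__main__":
    print(audit(ENCODED, REQUIRED))
```

The line written with typographic quotes is reported as "not locked" because it is not a well-formed lockPref() call, which is why copied sample text should be checked for straight quotes before it is encoded.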