Group
Guide to the Secure Configuration of Firefox
Group contains 4 groups and 28 rules

Group
Firefox
Group contains 3 groups and 28 rules

Firefox is an open-source web browser developed by Mozilla.
Web browsers such as Firefox are used for a number of reasons. This section
provides settings for configuring Firefox policies to meet compliance
settings for Firefox running on Red Hat Enterprise Linux systems.

Group
Clearing Cookies And Other Data
Group contains 2 rules

Browser preferences should be set to perform a Clear Private Data
operation when closing the browser in order to clear cookies and other
data installed by websites visited during the session.

Rule
Disable User Prompt When Data Is Cleared

By default, users are asked if it is okay to clear out cookies and data
when Firefox closes. This can be disabled by
setting privacy.sanitize.promptOnSanitize to false.

Rationale: Cookies can help websites perform better but can also be part of spyware.
To mitigate this risk, set browser preferences to perform a Clear Private
Data operation when closing the browser in order to clear cookies and
other data installed by websites visited during the session.

Severity: medium
References: ECSC-1, FIREFOX-DTBF170

Rule
Clear Data When Firefox Closes

When a user browses to a website, cookies and other types of data
get stored on the system. This can be disabled by setting
privacy.sanitize.sanitizeOnShutdown to true.

Rationale: Cookies can help websites perform better but can also be part of spyware.
To mitigate this risk, set browser preferences to perform a Clear Private
Data operation when closing the browser in order to clear cookies and
other data installed by websites visited during the session.

Severity: medium
References: ECSC-1, FIREFOX-DTBF170

Group
Prevent Users from Changing Firefox Configuration Settings
Group contains 2 rules

Firefox required security preferences cannot be changed by users.

Rule
Disable Firefox Configuration File ROT-13 Encoding

Disable ROT-13 encoding by setting general.config.obscure_value
to 0.

Rationale: ROT-13 encoding prevents system administrators from easily configuring
and deploying Firefox configuration settings. It also prevents automated
security tools from validating the settings easily.

Severity: medium
References: ECSC-1, FIREFOX-DTBF070

Rule
Set Firefox Configuration File Location

Specify the Firefox configuration file location by setting
general.config.filename to the name of the configuration file (i.e. mozilla.cfg)
that contains the Firefox security preferences.

Rationale: Locked settings prevent users from accessing about:config and changing
the security settings set by the system administrator.

Severity: medium
References: ECSC-1, FIREFOX-DTBF070

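The two preferences in this group are normally placed in a small local-settings.js file inside the Firefox install directory, which in turn names the mozilla.cfg file where the security preferences are locked with lockPref(). The function below shows that layout; it is an added example, not part of this guide, and assumes the Firefox directory passed as its argument (commonly /usr/lib64/firefox on RHEL, which you should confirm with rpm -ql firefox):

```shell
# Added example, not part of the guide: deploy locked Firefox preferences through
# the autoconfig mechanism the two rules above rely on. The argument is the Firefox
# install directory (assumed /usr/lib64/firefox on RHEL; check with rpm -ql firefox).
install_firefox_autoconfig() {
  dir="$1"
  mkdir -p "$dir/defaults/pref"
  # local-settings.js is read at startup. obscure_value 0 turns off ROT-13
  # (FIREFOX-DTBF070) and filename names the file holding the locked preferences,
  # relative to the install directory.
  cat > "$dir/defaults/pref/local-settings.js" <<'EOF'
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
EOF
  # mozilla.cfg: Firefox ignores its first line, so keep a comment there.
  # lockPref() sets the value and greys it out in about:config; a plain pref()
  # would only change the default and leave the user free to change it, which
  # is exactly what this group is meant to prevent.
  cat > "$dir/mozilla.cfg" <<'EOF'
// Locked Firefox security preferences (this first line is ignored by Firefox)
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
EOF
  # Readable by all, writable only by the owner (root on a real install).
  chmod 644 "$dir/defaults/pref/local-settings.js" "$dir/mozilla.cfg"
}

# is_locked DIR PREF -> 0 if DIR/mozilla.cfg locks PREF with lockPref(), else 1.
is_locked() {
  grep -q "^lockPref(\"$2\"," "$1/mozilla.cfg"
}

# Demo against a scratch directory (constructed); on a host pass the real
# Firefox directory and run as root.
demo_dir="${TMPDIR:-/tmp}/firefox-autoconfig-demo"
install_firefox_autoconfig "$demo_dir"
is_locked "$demo_dir" privacy.sanitize.sanitizeOnShutdown && echo "sanitizeOnShutdown is locked"
```

Further rules from this guide are appended to mozilla.cfg as additional lockPref() lines in the same form.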
Group
The DoD Root Certificate Is Required
Group contains 2 rules

The Shared System Certificates store contains certificates that
applications can access for a single certificate repository.
If enabled, Firefox can access that single system certificate
repository. If the DoD root certificate is also installed into
the shared system certificate repository, Firefox will see and
use the DoD root certificate as a valid certificate authority.

Rule
The DoD Root Certificate Exists

The DoD root certificate should be installed in the Shared System Certificates store
for Firefox to be able to access the DoD certificate. To install the root certificate
into the Shared System Certificates store, copy the DoD root certificate into
/etc/pki/ca-trust/source/anchors. Once the file is copied, run the following
command:
$ sudo update-ca-trust extract

Rationale: The DOD root certificate will ensure that the trust chain is
established for server certificates issued from the DOD CA.

Severity: medium
Identifiers: CCE-82056-3
References: CCI-000054, AC-10

Rule
Enable Shared System Certificates

The Shared System Certificates store makes NSS, GnuTLS, OpenSSL, and Java
share a default source for retrieving system certificate anchors and blacklist
information. Firefox has the capability of using this centralized store for its
CA certificates. If the Shared System Certificates store is disabled, it can
be enabled by running the following command:
$ sudo update-ca-trust enable

Rationale: The DOD root certificate will ensure that the trust chain is
established for server certificates issued from the DOD CA.

Severity: medium
Identifiers: CCE-82057-1
References: CCI-000054, AC-10

Rule
Enable TLS Usage in Firefox

To enable TLS, set security.enable_tls to true.

Rationale: Earlier versions of SSL have known security vulnerabilities and are not
authorized for use in DOD environments.

Severity: medium
References: ECSC-1, FIREFOX-DTBF030

Rule
Default Firefox Home Page Configured

The default home page is set to a vendor's defined website or
Firefox's own website. This can be changed to an organizationally defined website
or about:blank. To set the default home page, set
browser.startup.homepage to about:blank.

Rationale: The browser home page parameter specifies the web page that is to be
displayed when the browser is started explicitly and when product-specific
buttons or key sequences for the home page are accessed. This helps to
mitigate the possibility of automatic inadvertent execution of scripts
added to a previously safe site.

Severity: medium
References: ECSC-1, FIREFOX-DTBF017

Rule
Disable Firefox Access to Shell Protocols

Access to the shell is disabled by default but can be changed.
To prevent shell access from being enabled, set
network.protocol-handler.external.shell to false.

Rationale: If enabled, this setting would allow the browser to access the Windows shell.
This could allow access to the underlying system.

Severity: medium
References: ECSC-1, FIREFOX-DTBF105

Rule
Disable Automatic Downloads of MIME Types

MIME type files are automatically downloaded or executed in Firefox. This
can be disabled by setting browser.helperApps.alwaysAsk.force to
true.

Rationale: The default action for file types for which a plugin is installed is to
automatically download and execute the file using the associated plugin.
Firefox allows users to change the specified download action so that the
file is opened with a selected external application or saved to disk
instead.

Severity: medium
References: DCMC-1, FIREFOX-DTBF100

Rule
Disable Installed Search Plugins Update Checking

Firefox automatically checks for updated versions of search plugins.
To disable the automatic updates of plugins, set
browser.search.update to false.

Rationale: Updates need to be controlled and installed from authorized and trusted servers.
This setting overrides a number of other settings which may direct the application
to access external URLs.

Severity: medium
References: ECSC-1, FIREFOX-DTBF085

Rule
Disable Addons Plugin Updates

Firefox automatically updates installed add-ons and plugins, which
can be disabled by setting extensions.update.enabled to
false.

Rationale: Automatic updates from untrusted sites put the enclave at
risk of attack and may override security settings.

Severity: medium
References: ECSC-1, FIREFOX-DTBF090

Rule
Enable Downloading and Opening File Confirmation

To have an action dialog box appear prompting users what action to take when
certain types of files are downloaded or opened, set
plugin.disable_full_page_plugin_for_types to
application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks

Rationale: When the user receives a dialog box asking if they want to save the file
or open it with a specified application, this indicates that a plugin does
not exist. Also, the user has not previously selected a download action or helper
application to automatically use for that type of file. When prompted, if the user
checks the option to 'Do this automatically for files like this from now on', then
an entry will appear for that type of file in the plugins listing, and this file
type is automatically opened in the future. This can be a security issue. New file
types cannot be added directly to the Application plugin listing.

Severity: medium
References: ECSC-1, FIREFOX-DTBF110

Rule
Disable JavaScript's Moving Or Resizing Windows Capability

JavaScript can configure and make changes to the web browser's appearance by
specifically moving and resizing browser windows. This can be disabled by
setting dom.disable_window_move_resize to true.

Rationale: JavaScript can make changes to the browser's appearance. This activity
can help disguise an attack taking place in a minimized background window.

Severity: medium
References: ECSC-1, FIREFOX-DTBF181

Rule
Enable Certificate Verification

Firefox can be configured to prompt the user to choose a certificate
to present to a website when asked. To enable certificate verification,
set security.default_personal_cert to Ask Every Time.

Rationale: Websites within DoD require user authentication for access, which increases
security for DoD information. Access will be denied to the user if
certificate management is not configured.

Severity: medium
References: ECSC-1, FIREFOX-DTBF050

Rule
Enable Firefox Pop-up Blocker

The pop-up blocker can be enabled by setting
dom.disable_window_open_feature.status to true.

Rationale: Popup windows may be used to launch an attack within a new browser window
with altered settings.

Severity: medium
References: ECSC-1, FIREFOX-DTBF180

Rule
Disable SSL Version 2.0 in Firefox

SSL version 2 is not enabled by default and should not be enabled.
To prevent SSL version 2 from being enabled, set
security.enable_ssl2 to false.

Rationale: Use of versions prior to TLS 1.0 is not permitted because these versions are
non-standard. SSL 2.0 and SSL 3.0 contain a number of security flaws.

Severity: medium
References: ECSC-1, FIREFOX-DTBF010

Rule
Disable SSL Version 3.0 in Firefox

SSL version 3.0 is vulnerable and should be disabled by setting
security.enable_ssl3 to false.

Rationale: Earlier versions of SSL have known security vulnerabilities and are not
authorized for use in DOD.

Severity: medium
References: ECSC-1, FIREFOX-DTBF020

Rule
Disable Firefox Auto-Update Capability

Firefox can be set to update itself automatically as new updates are released. This can be
disabled by setting app.update.enable to false.

Rationale: Allowing software updates from non-trusted sites can introduce settings
that will override a secured installation of the application. This can
place DoD information at risk. If this setting is enabled, then there are
many other default settings which point to untrusted sites which must be
changed to point to an authorized update site that is not publicly accessible.

Severity: medium
References: ECSC-1, FIREFOX-DTBF080

Rule
Disable JavaScript's Raise Or Lower Windows Capability

JavaScript can configure and make changes to the web browser's appearance by
specifically raising and lowering windows. This can be disabled by
setting dom.disable_window_flip to true.

Rationale: JavaScript can make changes to the browser's appearance. Allowing a website
to use JavaScript to raise and lower browser windows may disguise an attack.

Severity: medium
References: ECSC-1, FIREFOX-DTBF182

Rule
Disable JavaScript's Ability To Change The Status Bar

JavaScript can configure and make changes to the web browser's appearance by
specifically hiding or changing the status bar. This can be disabled by
setting dom.disable_window_status_change to true.

Rationale: When a user visits some webpages, JavaScript can hide or make changes
to the browser's appearance to hide unauthorized activity. This activity
can help disguise an attack taking place in a minimized background window.

Severity: medium
References: ECSC-1, FIREFOX-DTBF184

Rule
Supported Version of Firefox Installed

If the system is joined to the Red Hat Network, a Red Hat Satellite Server,
or a yum server, run the following command to install updates:
$ sudo yum update
If the system is not configured to use one of these sources, updates (in the form of RPM packages)
can be manually downloaded and installed using rpm.

Rationale: Use of versions of an application which are not supported by the vendor
is not permitted. Vendors respond to security flaws with updates and
patches. These updates are not available for unsupported versions, which
can leave the application vulnerable to attack.

Severity: high
References: DCMC-1, FIREFOX-DTBF003

Rule
Disable User Ability To Autofill Passwords

Firefox automatically allows users to save passwords to be auto-filled
into password forms. This can be disabled by setting
signon.prefillForms to false.

Rationale: While on the internet, it may be possible for an attacker to view
the saved password files and gain access to the user's accounts on
various hosts.

Severity: medium
References: ECSC-1, FIREFOX-DTBF150

Rule
Enable Non-Secure Page Warnings

When users browse websites, web pages can switch between secure and
non-secure protocols. Users can be warned each time by
setting security.warn_leaving_secure to true.

Rationale: Users may not be aware that the information being viewed under secure
conditions in a previous page is not currently being viewed under
the same security settings.

Severity: medium
References: ECSC-1, FIREFOX-DTBF130

Rule
Disable Autofill Form Assistance

Firefox provides tools to auto-fill forms from prefilled information.
This can be disabled by setting browser.formfill.enable to
false.

Rationale: In order to protect privacy and sensitive data, Firefox provides
the ability to configure Firefox such that data entered into forms
is not saved. This mitigates the risk of a website gleaning private
information from prefilled information.

Severity: medium
References: ECSC-1, FIREFOX-DTBF140

Rule
Disable the Firefox Password Store

Firefox allows users to store passwords whether or not a master password
is set for the password store. To disable the storing of passwords, set
signon.rememberSignons to false.

Rationale: Autofill of a password can be enabled when a site is visited. This feature could also
be used to autofill the certificate pin, which could lead to compromise of DoD information.

Severity: medium
References: ECSC-1, FIREFOX-DTBF160

Rule
Disable JavaScript's Ability To Modify The Browser Appearance

JavaScript can configure and make changes to the web browser's appearance by
specifically hiding the status bar from view. This can be disabled by
setting dom.disable_window_open_feature.status to true.

Rationale: JavaScript can make changes to the browser's appearance. This activity
can help disguise an attack taking place in a minimized background window.
Webpage authors can disable many features of a popup window that they open.
This setting prevents the status bar from being hidden.

Severity: medium
References: ECSC-1, FIREFOX-DTBF185

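To verify a deployed mozilla.cfg against the preferences the rules above require, the script below (an added example, not part of this guide or of the SCAP content) checks for each lockPref() line and reports any preference that is missing, set to the wrong value, or only default-set with pref(). The file it audits is constructed inline so the script runs offline; on a host, point it at the real mozilla.cfg instead.

```shell
# Added example, not part of the guide: audit a mozilla.cfg for the locked preferences
# this guide's rules require, the way a compliance scanner would. Input is constructed.
# "<pref> <value>" per line, spelled as it must appear in lockPref("<pref>", <value>);
REQUIRED_PREFS='privacy.sanitize.promptOnSanitize false
privacy.sanitize.sanitizeOnShutdown true
security.enable_tls true
security.enable_ssl2 false
security.enable_ssl3 false
browser.startup.homepage "about:blank"
network.protocol-handler.external.shell false
browser.helperApps.alwaysAsk.force true
browser.search.update false
extensions.update.enabled false
app.update.enable false
dom.disable_window_move_resize true
dom.disable_window_flip true
dom.disable_window_status_change true
dom.disable_window_open_feature.status true
signon.prefillForms false
signon.rememberSignons false
browser.formfill.enable false
security.warn_leaving_secure true'

# check_lockpref FILE PREF VALUE -> 0 if FILE has lockPref("PREF", VALUE); (any spacing).
# pref()/defaultPref() lines are rejected: they set a default the user can still change.
check_lockpref() {
  grep -Eq "^[[:space:]]*lockPref[[:space:]]*\([[:space:]]*\"$2\"[[:space:]]*,[[:space:]]*$3[[:space:]]*\)[[:space:]]*;" "$1"
}
# audit_cfg FILE -> one FAIL line per unlocked pref on stderr; echoes the failure count.
audit_cfg() {
  fails=0
  while read -r pref value; do
    [ -n "$pref" ] || continue
    if ! check_lockpref "$1" "$pref" "$value"; then
      echo "FAIL: $pref is not locked to $value" >&2
      fails=$((fails + 1))
    fi
  done <<EOF
$REQUIRED_PREFS
EOF
  echo "$fails"
}
# Constructed sample: all locked except SSL 3.0 (wrong value) and the password store (pref() only).
write_sample_cfg() {
  { echo '// first line is ignored by Firefox'; printf '%s\n' "$REQUIRED_PREFS" |
    sed -e 's/^\([^ ]*\) \(.*\)$/lockPref("\1", \2);/' -e 's/ssl3", false/ssl3", true/' \
        -e 's/^lockPref("signon.rememberSignons"/pref("signon.rememberSignons"/'; } > "$1"
}
sample="${TMPDIR:-/tmp}/mozilla.cfg.sample"   # swap in the real mozilla.cfg on a host
write_sample_cfg "$sample"
echo "$(audit_cfg "$sample") required preference(s) not locked in $sample"
```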