
Firefox required security preferences cannot be changed by user.


Overview

Finding ID: V-19743
Version: DTBF070
Rule ID: SV-21889r7_rule
IA Controls: (none listed)
Severity: Medium
Description
Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with an offset of 7 instead). This file also needs to be "called" from the configuration file local-settings.js.
STIG Date
Mozilla Firefox 2017-03-22

Details

Check Text ( C-24189r9_chk )
Verify that required settings are marked as locked in "about:config". Verify that the "mozilla.cfg" file is used to lock required security settings. If settings are enabled and not locked, this is a finding.

Sample file:
//
lockPref("browser.startup.homepage", "https://www.us.army.mil/suite/page/429668");
lockPref("browser.download.dir", "N:");
lockPref("browser.download.downloadDir", "N:");
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.search.update", false);
lockPref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("dom.disable_open_during_load", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("security.warn_leaving_secure", true);
lockPref("privacy.sanitize.promptOnSanitize", false);
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("signon.rememberSignons", false);
lockPref("xpinstall.whitelist.required", true);
lockPref("network.protocol-handler.external.shell", false);
// The TLS version preferences are integers, so the values are not quoted.
lockPref("security.tls.version.min", 1);
lockPref("security.tls.version.max", 3);
lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks");
lockPref("privacy.item.history", false);

Note: Append a line to the local-settings.js file so that the mozilla.cfg file is included.
Fix Text (F-22495r7_fix)
Ensure the required settings in "about:config" are locked using the "mozilla.cfg" file.
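
One way to automate the check described above, as an added example that is not part of the STIG: it undoes the offset-13 byte shift, parses the preference calls, and reports required settings that are missing, set without lockPref, or locked to the wrong value. The function names, the REQUIRED subset and the sample file are constructed for illustration; the example assumes each stored byte is the plain byte plus 13 and treats security.tls.version.min as an integer preference.

```python
import re

# Matches pref("name", value); lockPref(...); defaultPref(...) with straight quotes only.
PREF_RE = re.compile(
    r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$', re.M)

def decode_cfg(raw: bytes, offset: int = 13) -> str:
    """Undo the byte shift (assumption: stored byte = plain byte + offset, mod 256)."""
    return bytes((b - offset) % 256 for b in raw).decode("utf-8")

def parse_value(token: str):
    """Convert a JavaScript literal (boolean, integer or quoted string) to Python."""
    if token in ("true", "false"):
        return token == "true"
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token.strip('"')

def parse_prefs(text: str) -> dict:
    """Map preference name -> (setter function, value); the last assignment wins."""
    return {m[2]: (m[1], parse_value(m[3])) for m in PREF_RE.finditer(text)}

def audit(text: str, required: dict) -> list:
    """Return (pref, reason) findings for required settings not locked correctly."""
    prefs, findings = parse_prefs(text), []
    for name, want in required.items():
        if name not in prefs:
            findings.append((name, "missing"))
            continue
        setter, got = prefs[name]
        if setter != "lockPref":
            findings.append((name, "set but not locked"))
        elif got != want or type(got) is not type(want):
            findings.append((name, "locked to wrong value"))
    return findings

# Constructed sample, not a real deployment; required values follow the sample file above.
REQUIRED = {"signon.rememberSignons": False, "browser.formfill.enable": False,
            "xpinstall.whitelist.required": True, "security.tls.version.min": 1}
SAMPLE = '''//
lockPref("signon.rememberSignons", false);
pref("browser.formfill.enable", false);
lockPref("security.tls.version.min", "1");
'''
ENCODED = bytes((b + 13) % 256 for b in SAMPLE.encode("utf-8"))

if __name__ == "__main__":
    for name, reason in audit(decode_cfg(ENCODED), REQUIRED):
        print(f"FINDING {name}: {reason}")
```

A file that passes this audit still has to be confirmed in "about:config", since the script only inspects the file and not what the running browser loaded.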