Firefox required security preferences cannot be changed by user.


Overview

Finding ID: V-19743
Version: DTBF070
Rule ID: SV-21889r8_rule
IA Controls:
Severity: Medium
Description
Locked settings prevent users from accessing about:config and changing the security settings set by the system administrator. Locked settings should be placed in the mozilla.cfg file. The mozilla.cfg file is an encoded file of JavaScript commands. The encoding is a simple "byte-shifting" with an offset of 13 (Netscape 4 used a similar encoding, but with a 7 instead). This file also needs to be "called" from the configuration file local-settings.js.
STIG Date
Mozilla Firefox Security Technical Implementation Guide 2018-09-17

Details

Check Text ( C-24189r10_chk )
Verify that required settings are marked as locked in "about:config". Verify that the "mozilla.cfg" file is used to lock required security settings. If settings are enabled and not locked, this is a finding.

Sample file:
//
lockPref("browser.download.dir", "N:");
lockPref("browser.download.downloadDir", "N:");
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);
lockPref("browser.shell.checkDefaultBrowser", false);
lockPref("browser.search.update", false);
lockPref("browser.formfill.enable", false);
lockPref("signon.prefillForms", false);
lockPref("dom.disable_open_during_load", true);
lockPref("dom.disable_window_move_resize", true);
lockPref("dom.event.contextmenu.enabled", false);
lockPref("dom.disable_window_status_change", true);
lockPref("dom.disable_window_flip", true);
lockPref("dom.disable_window_open_feature.status", true);
lockPref("security.warn_leaving_secure", true);
lockPref("security.default_personal_cert", "Ask Every Time");
lockPref("signon.rememberSignons", false);
lockPref("xpinstall.whitelist.required", true);
lockPref("network.protocol-handler.external.shell", false);
lockPref("security.tls.version.min", "2");
lockPref("security.tls.version.max", "3");
lockPref("plugin.disable_full_page_plugin_for_types", "application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,application/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt, application/dos, application/wks");
lockPref("privacy.item.history", false);

Note: Append a line to the local-settings.js file so that it includes the Mozilla config file.

Fix Text (F-22495r7_fix)
Ensure the required settings in "about:config" are locked using the "mozilla.cfg" file.
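
The following is an added example, not part of the STIG text: a Python check that reverses the offset-13 byte shift described in the Description and reports required preferences that a mozilla.cfg does not lock to the expected value. The function names, the REQUIRED map and the sample file contents are constructed for illustration; the script inspects only the file and does not replace the "about:config" verification.

```python
import json
import re

OFFSET = 13  # byte shift the Description gives for mozilla.cfg

def obscure(text, offset=OFFSET):
    return bytes((b + offset) % 256 for b in text.encode("utf-8"))  # encode: add offset

def unobscure(data, offset=OFFSET):
    return bytes((b - offset) % 256 for b in data).decode("utf-8")  # decode: subtract offset

# Matches lockPref("name", value) where value is true/false, an integer or a "string".
LOCK_RE = re.compile(r'^lockPref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;?$')

def parse_locked(cfg_text):
    """Return ({pref: value}, [lines that are not a well-formed lockPref call])."""
    locked, malformed = {}, []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        m = LOCK_RE.match(line)
        if m:
            locked[m.group(1)] = json.loads(m.group(2))  # true/false, int or string
        else:
            malformed.append(line)  # e.g. curly quotes, which are not JavaScript quotes
    return locked, malformed

def audit(cfg_bytes, required):
    """List findings: required prefs that are missing or locked to another value."""
    locked, malformed = parse_locked(unobscure(cfg_bytes))
    findings = [f"malformed line: {line}" for line in malformed]
    for name, want in required.items():
        if name not in locked:
            findings.append(f"{name}: not locked")
        elif locked[name] != want:
            findings.append(f"{name}: locked to {locked[name]!r}, expected {want!r}")
    return findings

# Constructed sample file, using preference names from the sample above.
SAMPLE = obscure(
    '//\nlockPref("signon.rememberSignons", false);\n'
    'lockPref("browser.formfill.enable", true);\n'
    'lockPref(\u201cnetwork.protocol-handler.external.shell\u201d,false);\n')
REQUIRED = {"signon.rememberSignons": False, "browser.formfill.enable": False,
            "network.protocol-handler.external.shell": False}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, REQUIRED)))
```

For a mozilla.cfg deployed without encoding, pass `offset=0` to `unobscure` or call `parse_locked` on the text directly.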