Mozilla.cfg not forcing all lockPref / not changing default value for some preferences
Hello Everyone,
I'm implementing DOD compliant settings to Mozilla for our environment. I am currently in the testing phase - making sure it's all set before deployment. Here's where the fun begins.
I've done the usual -
Place the mozilla.cfg in C:\Program Files\Mozilla Firefox
Place the autoconfig.js in C:\Program Files\Mozilla Firefox\defaults\pref
and have set the lockPref accordingly for each finding. The issue is that some are being set correctly while others aren't being changed at all and most changes aren't locked. I have edited the config file to not include the comments (except the top one of course) and changed the \n\r and \r\n to be only \n for the entire file so formatting should not be the issue. I have also changed all commas to match the ones settings that work (no luck) - “” rather than ""
These are working - but don't have the lock image
lockPref(“security.default_personal_cert”, “Ask Every Time”;
lockPref(“signon.rememberSignons”, false);
lockPref(“toolkit.telemetry.archive.enabled”, false);
lockPref(“browser.search.update”, false);
lockPref(“browser.contentblocking.category”, strict);
lockPref(“privacy.trackingprotection.cryptomining.enabled”, true);
lockPref(“security.tls.version.max”, 4);
lockPref(“dom.disable_window_flip”, true);
lockPref(“network.protocol-handler.external.shell”, false);
These have the lock image and cannot be changed - working as it should
lockPref(“toolkit.telemetry.enabled”, false);
These are not working:
lockPref(“extensions.update.enabled”, false);
lockPref(“dom.event.contextmenu.enabled”, false);
lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false);
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);
lockPref(“security.ssl3.rsa_des_ede3_sha”, false);
lockPref(“security.enterprise_roots.enabled”, true);
lockPref(“security.tls.version.min”, 2);
lockPref(“browser.formfill.enable”, false)
lockPref(“signon.autofillForms”, false);
lockPref(“dom.disable_window_move_resize”, true);
lockPref(“devtools.policy.disabled”, true);
These dont even show up in firefox:
lockPref(“xpinstall.enabled”, false);
lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP);
lockPref(“dom.disable_window_open_feature.status”, true);
lockPref(“browser.newtabpage.activity-stream.enabled”, false)
Below is the config file:
// IMPORTANT: The settings applied within this directory are for STIGS compliance.
// Installed version of Firefox unsupported.
// -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-17988
//NEED MANAGED BY OTHER MEANS
// FireFox is configured to ask which certificate to present to a web site when a certificate is required. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15768
lockPref(“security.default_personal_cert”, “Ask Every Time”;
// FireFox is configured to use a password store with or without a master password. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15776
lockPref(“signon.rememberSignons”, false);
// Fingerprinting protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102879
lockPref(“privacy.trackingprotection.fingerprinting.enabled”, true);
// Telemetry must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102875
lockPref(“toolkit.telemetry.enabled”, false);
// Telemetry archive must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102877
lockPref(“toolkit.telemetry.archive.enabled”, false);
// Firefox is configured to allow JavaScript to disable or replace context menus. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15986
lockPref(“dom.event.contextmenu.enabled”, false);
// Firefox automatically updates installed add-ons and plugins. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-19742
lockPref(“extensions.update.enabled”, false);
// Firefox automatically checks for updated version of installed Search plugins. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-19744
lockPref(“browser.search.update”, false);
// Enhanced Tracking Protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102883
lockPref(“browser.contentblocking.category”, strict);
// Cryptomining protection must be enabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102881
lockPref(“privacy.trackingprotection.cryptomining.enabled”, true);
// Extension recommendations must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102885
lockPref(“extensions.htmlaboutaddons.recommendations.enabled”, false);
// Background submission of information to Mozilla must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-79053
lockPref(“datareporting.policy.dataSubmissionEnabled”, false);
// Deprecated ciphers must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102889
lockPref(“security.ssl3.rsa_des_ede3_sha”, false);
// The DOD Root Certificate is not installed. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-6318 // --Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, this is not a finding.
lockPref(“security.enterprise_roots.enabled”, true);
// Firefox must be configured to allow only TLS. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15983
lockPref(“security.tls.version.min”, 2); lockPref(“security.tls.version.max”, 4);
// Extensions install must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-64891
lockPref(“xpinstall.enabled”, false);
// Firefox is configured to allow JavaScript to raise or lower windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15985
lockPref(“dom.disable_window_flip”, true);
// Firefox formfill assistance option is disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15774
lockPref(“browser.formfill.enable”, false)
// Firefox is configured to autofill passwords. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15775
lockPref(“signon.autofillForms”, false);
// Firefox is not configured to prompt a user before downloading and opening required file types. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15772
lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP);
// FireFox plug-in for ActiveX controls is installed. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15773
//NEED MANAGED BY OTHER MEANS
//Firefox automatically executes or downloads MIME types which are not authorized for auto-download. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15770
//NEED MANAGED BY OTHER MEANS
// Network shell protocol is enabled in FireFox. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15771
lockPref(“network.protocol-handler.external.shell”, false);
// FireFox is not configured to block pop-up windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15778
lockPref(“dom.disable_window_open_feature.status”, true);
// FireFox is configured to allow JavaScript to move or resize windows. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-15779
lockPref(“dom.disable_window_move_resize”, true);
// Firefox Development Tools Must Be Disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-97529
lockPref(“devtools.policy.disabled”, true);
// Activity Stream must be disabled. // -https://www.stigviewer.com/stig/mozilla_firefox/2020-06-19/finding/V-102887
lockPref(“browser.newtabpage.activity-stream.enabled”, false)
// Created by: Kaige Royal // Date: 2/7/2021
Chosen Solution
If I look closely at your above posted code then I notice you use Unicode quotes (”) and not the ASCII quotes ("), so you need to make sure that all quotes are the latter.
The prefs you posted under "These dont even show up in firefox:" are no longer supported in current Firefox releases. You can check about:config to see what prefs are supported or search the source code via https://searchfox.org/mozilla-release
Note that you can also use policies.json to deploy Firefox settings and there is support for quite a few prefs.
Also, this preference:
lockPref(“plugin.disable_full_page_plugin_for_types”, PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP);
Is missing quotes for the types.
If you email the actual config file to me at mkaply at mozilla.com, I'll fix it up
Side note, I'm working with the DOD to update the STIG. Hopefully updates will be out soon and will remove all these old prefs and switch to using policies.
I worked on this via email with Royal and we also found some unquoted strings. I marked the quote problem as the fix since that was the primary problem.
It's still not working locally for them (although it is for me), so I think they are having a separate issue. I'll continue to help as needed.
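The defects named in the replies above (typographic quotes, unquoted string values, a missing closing parenthesis) can be caught before a mozilla.cfg is deployed. The Node.js sketch below is an added example, not code from the thread or from Mozilla; the rule names and the one-pref-call-per-line assumption belong to this sketch, and the sample lines are constructed from the posted config.

```javascript
// Added example: lint a Firefox AutoConfig file (e.g. mozilla.cfg).
// Assumes one pref call per line; rule names are made up for this sketch.
const PREF_FUNCS = new Set(['pref', 'defaultPref', 'lockPref', 'unlockPref', 'clearPref']);
const CURLY = /[\u2018\u2019\u201C\u201D]/;
const VALUE_OK = /^(?:true|false|-?\d+|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')$/;

function lintAutoConfig(text) {
  const findings = [];
  const lines = text.split(/\r?\n/);
  // AutoConfig skips the first line of the file, so it has to be a comment.
  if (!lines[0].trim().startsWith('//')) {
    findings.push({ line: 1, rule: 'first-line-not-comment' });
  }
  lines.forEach((raw, i) => {
    const m = raw.trim().match(/^(\w+)\s*\((.*)$/);
    if (!m || !PREF_FUNCS.has(m[1])) return; // comment, blank line or other JS
    const line = i + 1;
    if (CURLY.test(m[2])) findings.push({ line, rule: 'typographic-quote' });
    // Judge the remaining rules as if the quotes had already been fixed.
    let args = m[2].replace(/[\u201C\u201D]/g, '"').replace(/[\u2018\u2019]/g, "'");
    args = args.replace(/;\s*$/, '').trimEnd();
    if (args.endsWith(')')) args = args.slice(0, -1);
    else findings.push({ line, rule: 'missing-close-paren' });
    // First argument: quoted pref name. Optional second argument: the value.
    const parts = args.match(/^\s*(["'])(.*?)\1\s*(?:,\s*(.*?))?\s*$/);
    if (!parts) { findings.push({ line, rule: 'bad-pref-name' }); return; }
    // A value must be a boolean, an integer or a quoted string.
    if (parts[3] !== undefined && !VALUE_OK.test(parts[3])) {
      findings.push({ line, rule: 'unquoted-value' });
    }
  });
  return findings;
}

// Constructed sample: two defective lines from the posted config, two clean ones.
const SAMPLE = [
  '// first line is skipped by AutoConfig',
  'lockPref(“security.default_personal_cert”, “Ask Every Time”;',
  'lockPref(“browser.contentblocking.category”, strict);',
  'lockPref("signon.rememberSignons", false);',
  'lockPref("security.tls.version.min", 2);',
].join('\n');

console.log(lintAutoConfig(SAMPLE));
```

A syntax error anywhere in the file stops AutoConfig at that point, so clearing every finding matters even for prefs that appear to apply.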