Is anyone securing Firefox? halp!?

Discussion in 'Business & Enterprise Computing' started by power, Mar 1, 2019.

  1. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    59,738
    Location:
    brisbane
    It's a while since i've needed to secure this browser for a specific environment in our organisation and i want to update the machines and version of firefox in the deployment.

    Currently i have several challenges with this browser.

    The environment talks to a WAN for RDP and a local server for a webpage. There is a csp for internet filtering, and this in itself shouldn't be an issue; the issue is the browser itself.

    So in the past we used two extensions, public fox and easy whitelist. This setup was pretty much perfect, the machines use their rdp with no hassle, users have no access to the browser and the whitelist does its thing to lock them to the intranet site. Further to this, Public Fox looks like they threw in the towel as it's riddled with holes on new versions of ff, and easy whitelist has been completely removed.

    Moving to the newer Firefox, and ho boy, here's where the fun begins. Firstly, extensions are a joke: starting the browser in safe mode disables them and allows for their removal - yay. Secondly, and this has always been a firefox bug, it always asks for proxy settings even when it has them already and you check the box that says don't bug me. That said, even if you put them in, they are, through the previous bug, removable.

    Serious question, how does anyone outside of standalone, unrestricted users use this browser?

    Now I'm reading there are some policies, i don't know if they will help i could use a local security policy if needed but i'm unsure if this is the path i should go down.

    any suggestions from people who may be in a similar boat?

    The TLDR, i want to restrict access to any and all settings - and the browser should be locked to one intranet site. Come at me.

    ok, maybe i will look at the gp stuff, seems to have a few things. see if it covers my needs.

    https://www.ghacks.net/2018/03/10/firefox-60-ships-with-windows-group-policy-support/

    yep looks like this might get me there. if anyone has any feedback i'll still take it on board though.
     
    Last edited by a moderator: Mar 5, 2019
  2. domsmith

    domsmith Member

    Joined:
    Nov 7, 2002
    Messages:
    287
    Create a file called local-settings.js where Mozilla gets installed to with the following code inside.

    Code:
    // read the config file as plain text (no byte-shift obscuring)
    pref("general.config.obscure_value", 0);
    // name of the config file to load
    pref("general.config.filename", "Mozilla.cfg");

    Then edit the Mozilla.cfg file and put in the settings you want to apply. This file also needs to go in the folder Mozilla installs to.

    Code:
    // Firefox Default Settings
    // set Firefox Default homepage
    pref("browser.startup.homepage","http://www.yourwebsite.com");
    // disable default browser check
    pref("browser.shell.checkDefaultBrowser", false);
    pref("browser.startup.homepage_override.mstone", "ignore");
    // disable application updates
    pref("app.update.enabled", false);
    // disable extension updates
    pref("extensions.update.enabled", false);
    // prevent autofilling web forms (for security)
    pref("signon.autofillForms", false);
    // disable remember passwords for sites
    pref("signon.rememberSignons", false);
    // disable first run homepage
    lockPref("browser.startup.homepage_override.mstone", "ignore");
    
    // disable add-on selection screen after upgrade
    lockPref("extensions.shownSelectionUI", true);
    
    
    Added some examples you might find useful. Try messing around with the lockPref setting in the config file
     
    Last edited: Mar 1, 2019
    Bold Eagle likes this.
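
    An added example, not part of the original post: a small Node.js check that runs an AutoConfig file against recording stand-ins for `pref()`, `defaultPref()` and `lockPref()` and reports settings that are not locked, plus curly quotes that would stop the file from parsing. `auditAutoConfig` and `SAMPLE_CFG` are names made up here, and the sample file is constructed from prefs mentioned in the thread.

```javascript
// Added example (not from the thread): audit an AutoConfig file before deploying it.
// SAMPLE_CFG is constructed for illustration from prefs mentioned in the thread.
const SAMPLE_CFG = [
  "// first line of the .cfg is skipped by Firefox, keep it a comment",
  'pref("signon.rememberSignons", false);',
  'pref("browser.startup.homepage_override.mstone", "ignore");',
  'lockPref("browser.startup.homepage_override.mstone", "ignore");',
  'lockPref("network.proxy.type", 4);',
].join("\n");

function auditAutoConfig(cfgText) {
  const prefs = new Map(); // pref name -> { kind, value }, last call wins
  const findings = [];

  // Curly quotes pasted from a forum or word processor are a syntax error.
  cfgText.split("\n").forEach((line, i) => {
    if (/[\u2018\u2019\u201C\u201D]/.test(line)) {
      findings.push(`line ${i + 1}: curly quotes, the file will not parse`);
    }
  });
  if (findings.length > 0) return { prefs, findings };

  // Stand-ins for the AutoConfig functions: they only record the call.
  const record = (kind) => (name, value) => prefs.set(name, { kind, value });
  // Blank the first line (Firefox skips it) but keep line numbering intact.
  const body = cfgText.replace(/^.*/, "");
  try {
    // new Function is not a sandbox: only audit files you wrote yourself.
    const run = new Function("pref", "defaultPref", "lockPref", body);
    run(record("pref"), record("defaultPref"), record("lockPref"));
  } catch (err) {
    findings.push(`file does not run: ${err.message}`);
    return { prefs, findings };
  }

  // Anything not set with lockPref() remains editable in about:config.
  for (const [name, { kind }] of prefs) {
    if (kind !== "lockPref") {
      findings.push(`${name}: set with ${kind}(), not locked`);
    }
  }
  return { prefs, findings };
}

for (const finding of auditAutoConfig(SAMPLE_CFG).findings) {
  console.log(finding);
}
```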
  3. OP
    OP
    power

    power Member

    cheers, looks like the policies are a bit of a mish mash and don't include everything or just random bits and pieces.

    all that stuff you've listed is in the policies though.

    i miss public fox's "block all" approach.
     
  4. domsmith

    domsmith Member

    Just find the policy you want to enforce from the thousands under about:config and put it in the mozilla.cfg file using lockPref()
     
  5. OP
    OP
    power

    power Member

    i'm pretty much there just want to stop firefox asking for the proxy settings all the time.
     
  6. domsmith

    domsmith Member

    Try this in your mozilla.cfg

    Code:
    //Firefox Default Settings
    // set proxy settings to 'Auto-detect proxy settings for this network'
    pref("network.proxy.type", 4);
     
  7. domsmith

    domsmith Member

    The issue with the proxy might not be a bug, it might be something that was migrated from the user's existing profile.

    You can disable profile migration but that might create other problems for you.
     
  8. OP
    OP
    power

    power Member

    i'm still poking around, it needs auth, not auto.

    I really wish it just had a whitelist/kiosk mode instead.

    this is a fresh install so there's no migrated user.

    then i get this up the top on each launch as well, even though i've blocked the network login page, be nice if that removed the prompt too.

    upload_2019-3-1_14-26-42.png
     
    Last edited: Mar 1, 2019
  9. domsmith

    domsmith Member

    Are you wanting to manually configure the proxy settings on the client or pushing out the settings using a wpad file or proxy.pac?
    I don't know your proxy setup so you might need to look at what these are set to under your about:config

    network.automatic-ntlm-auth.trusted-uris
    network.automatic-ntlm-auth.allow-proxies
    network.negotiate-auth.allow-proxies
    signon.autologin.proxy
     
    power likes this.
  10. OP
    OP
    power

    power Member

    just manual prompt and then it saves, we're talking roughly 20 machines in the one location that won't have internet. IE does its thing just fine but ff chucks a hissy fit. The user will never enter the password, it'll just be built into the images.
     
  11. domsmith

    domsmith Member

    some of the options I supplied above in the mozilla.cfg would interfere with doing that.

    the options i supplied above clear logins/passwords at each session.
    Change the preference back to true

    Code:
    pref("signon.rememberSignons", true);
    Users would be able to go into your firefox options and view the login/password you have manually set.

    Unless you modify firefox to hide the button by creating a userChrome.css file https://superuser.com/questions/12195/how-do-i-hide-the-saved-passwords-button-in-firefox
     
  12. OP
    OP
    power

    power Member

    thanks for that, will nut it out on Monday. just this one last thing and i'm almost happy.
     
  13. OP
    OP
    power

    power Member

    goddamit, no matter what i do firefox refuses to remember proxy auth.

    i've gone down use system setting, then added the config to the credential manager, IE is happy and works perfectly, FF just pops up the box to enter creds.
     
  14. cvidler

    cvidler Member

    Joined:
    Jun 29, 2001
    Messages:
    12,473
    Location:
    Canberra
    Check the network traffic (packet cap), maybe IE is just passing NTLM silently, and firefox not, so prompting for login.
     
  15. OP
    OP
    power

    power Member

    ff looks like it's trying to auth with the local user account and doesn't grab the saved credentials. i'm not sure what whitelist this user is using. I tried putting it in the bypass but even still no joy.

    this looks similar

    https://github.com/kee-org/browser-addon/issues/92

    upload_2019-3-4_13-5-26.png
     
    Last edited: Mar 4, 2019
  16. ShaggyMoose

    ShaggyMoose Member

    Joined:
    Jul 1, 2002
    Messages:
    397
    Location:
    Sydney
    If you are locking down the site access that severely, can you just use an older version where the plugins still work as expected?
     
    ozzy? likes this.
  17. OP
    OP
    power

    power Member

    i can't even get the plugins anymore that I wanted.

    shifted to Chrome, because well Chrome behaves itself.
     
  18. bart5986

    bart5986 Member

    Joined:
    Jan 31, 2006
    Messages:
    3,808
    Location:
    Brisbane
    This might not suit your needs but I use Porteus Kiosk after not being able to secure Firefox/Chrome to my liking.

    I've found it very good.
     
  19. OP
    OP
    power

    power Member

    nah that wouldn't suit, these are thin clients i manage with HPDM so replacing the OS isn't an option.

    good idea though.
     
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,537
    It really doesn't.
     
