Firefox Lockdown Information

This page shows how to easily lock-down Mozilla Firefox's Settings before you deploy the app with my Deployment Utility. These instructions are based on Chris LLias's Blog entry about Locking Down Firefox.

  1. Edit the file "Mozilla Firefox\greprefs\all.js" and add the following to the end of it:
  2. pref("general.config.filename", "mozilla.cfg");
  3. Create a new file called "mozilla.txt" and add any lockdown settings you want, an example is:
  4. //
    lockPref("app.update.enabled", false);
    lockPref("network.proxy.type", 0);
    lockPref("browser.startup.page", 1);
    lockPref("browser.startup.homepage", "http://www.google.com/");

    You can find more options to lockdown below, or you can browse the "about:config" page to find more settings to lockdown.

  5. Now, you must "encode" the "mozilla.txt" file into a "mozilla.cfg" file. To do this use the application located here, or even easier is the online converter located at:
    http://www.alain.knaff.lu/%7Eaknaff/howto/MozillaCustomization/cgi/byteshf.cgi.
  6. Finally, put the new "mozilla.cfg" file into the "Mozilla Firefox" directory. Now you are ready to deploy Firefox with the appropriate settings "Locked-Down".

Note: If you do not wish to "byte-shift" the mozilla.cfg file, simply add the following to the greprefs\all.js file:

pref("general.config.obscure_value", 0); 

Also, you may be able to store your mozilla.cfg file on a server with the following - although I haven't full tested it yet:

lockPref("autoadmin.global_config_url", "http://yourserver.companyname.com/mozilla.cfg"); 

Update for Mozilla Firefox 4

I received these instructions from Landon Veitch (Thank You!!), which since I haven't had time to test these, I will post the email in it's entirety.


Mike,

I know that Firefox 4 was just released but I wanted to write you to inform you that I figured out how to apply your locks to the new changes in Firefox 4. This way you can keep your customers up to date. I did this on a Vista and 7 machine so I know this works for these installs.

ENSURE YOU HAVE WINZIP

  1. Install Firefox 4 (using standard defaults)
  2. Navigate to C:\Program Files\Mozilla Firefox
  3. Right click the OMNI.JAR file and open with Winzip
  4. Extract all files to a folder somewhere on the PC
  5. Go to that extraction folder and you will see the files in their applicable folder structure.
  6. Navigate to the defaults\profile\firefox.js
  7. Add the following line to the end of that file:
  8. \\MOZILLA FIREFOX LOCKDOWN
    pref("general.config.filename", "mozilla.cfg");
  9. Save the file
  10. Re-Zip all the files back into a file called OMNI.JAR
  11. Replace the original OMNI.JAR file with the new one
  12. Drop your mozilla.cfg file in the root of Program Files\Mozilla Firefox
  13. Launch Firefox and see your lockdowns work

Again, I haven't fully test this yet and I am not sure if you have to use Winzip or if you could also use 7-zip.

Thanks again Landon for the input!

Here is a Youtube Video Showing Firefox 4 Lockdown

Firefox Lockdown Settings

There are many ways to find various settings you can lock down within firefox. The most thorough way is to simply browse through the "about:config" page within Firefox. A few settings not readily apparent is the ability to disable extensions and themes, you can do this by setting the following:

lockPref("config.lockdown.disable_extensions", true);
lockPref("config.lockdown.disable_themes", true);

Also, if you want to disable the ability to access the "about:config" page you must copy this file into the "Mozilla Firefox\components\" directory.

To lock down basic settings, here is a list of the settings available through the "Options" Dialog (Current with Firefox 2.0.0.6). Remember, there are quite a few more available through the "about:config" Firefox page, but these should get you started.

Main Tab

Firefox Options - Main Tab

  • Startup - "When Firefox Starts:"
  • lockPref("browser.startup.page", 0);

    Where:

    0 = "Show a blank page"
    1 = "Show my home page"
    3 = "Show my windows and tabs from last time"
  • Startup - "Home Page"
  • lockPref("browser.startup.homepage", "http://www.google.com/");
  • Downloads - "Show the Downloads window when downloading a file"
  • lockPref("browser.download.manager.showWhenStarting", false);
  • Downloads - "Close it when all downloads are finished"
  • lockPref("browser.download.manager.closeWhenDone", true);
  • Downloads - "Save files to:" (All must be set)
  • lockPref("browser.download.useDownloadDir", true);
    lockPref("browser.download.dir", "C:\\Downloads");
    lockPref("browser.download.downloadDir", "C:\\Downloads");
    lockPref("browser.download.folderList", 2);
  • Downloads - "Always ask me where to save files"
  • lockPref("browser.download.useDownloadDir", false);
  • System Defaults - Always check to see if Firefox is the default browser on startup:
  • lockPref("browser.shell.checkDefaultBrowser", false);

Tabs Tab

Firefox Options - Tabs tab

  • New pages should be opened in: a new window
  • lockPref("browser.link.open_external", 2);
    lockPref("browser.link.open_newwindow", 2);
  • New pages should be opened in: a new tab
  • lockPref("browser.link.open_external", 1);
    lockPref("browser.link.open_newwindow", 1);
  • Warn me when closing multiple tabs
  • lockPref("browser.tabs.warnOnClose", false);
  • Warn me when opening multiple tabs might slow down Firefox
  • lockPref("browser.tabs.warnOnOpen", false);
  • Always show the tab bar
  • lockPref("browser.tabs.autoHide", false);
  • When I open a link in a new tab, switch to it immediately
  • lockPref("browser.tabs.loadInBackground", false);

Content Tab

Firefox Options - Content Tab

  • Block pop-up windows
  • lockPref("dom.disable_open_during_load", false);

    Note that exceptions are added to the hostperm.1 file in the user's Firefox profile.

  • Load images automatically
  • lockPref("permissions.default.image", 2);

    Where (1) is checked and (2) is unchecked.

    Note that exceptions are added to the hostperm.1 file in the user's Firefox profile.

  • Enable JavaScript
  • lockPref("javascript.enabled", false);

      Advanced JavaScript Settings

    • To disable the Advanced button
    • lockPref("pref.advanced.javascript.disable_button.advanced", true);
    • Move or resize existing windows
    • lockPref("dom.disable_window_move_resize", true);
    • Raise or lower windows
    • lockPref("dom.disable_window_flip", false);
    • Disable or replace context menus
    • lockPref("dom.event.contextmenu.enabled", false);
    • Hide the status bar
    • lockPref("dom.disable_window_open_feature.status", false);
    • Change status bar text
    • lockPref("dom.disable_window_status_change", false);
  • Enable Java
  • lockPref("security.enable_java", false);
  • Fonts & Colors
  • You could lock down these settings, but not recommended as each user utilizes their own preferences

  • File Types
  • The app that opens each type of file is written to the "mimeTypes.rdf" file in the user's profile. However, you can disable the apps "browser plugin" by adding something similar to the following, forcing the user to "save the file" to disk:

    lockPref("plugin.disable_full_page_plugin_for_types", "audio/x-ms-wma,application/pdf");

Privacy Tab

Firefox Options - Privacy tab

  • History - Remember visted pages for the last _ days
  • lockPref("browser.history_expire_days", 4);
    lockPref("browser.history_expire_days.mirror", 4);

    Set "browser.history_expire_days" to "0" to disable History completely

  • History - Remember what I enter in forms and the search bar
  • lockPref("browser.formfill.enable", false);
  • History - Remember what I've Downloaded
  • lockPref("browser.download.manager.retention", 0);

    Set to "2" to enable

  • Cookies - Accept cookies from sites
  • lockPref("network.cookie.cookieBehavior", 2);

    Where "0" is enabled, "2" is disable cookies

  • Cookies - Keep until:
  • lockPref("network.cookie.lifetimePolicy", 2);

    Where "0" is "they expire" - "1" is "ask me every time" - "2" is "I close Firefox"

  • Cookies - Exceptions (disable the button)
  • lockPref("pref.privacy.disable_button.cookie_exceptions", false);

    Note that Cookie exceptions are added to the hostperm.1 file in the user's Firefox profile.

  • Private Data - Always clear my private data when I close Firefox
  • lockPref("privacy.sanitize.sanitizeOnShutdown", true);

      Clear Private Data Settings

    • Browsing History
    • lockPref("privacy.item.history", true);
    • Download History
    • lockPref("privacy.item.downloads", true);
    • Saved Form Information
    • lockPref("privacy.item.formdata", true);
    • Cache
    • lockPref("privacy.item.cache", true);
    • Cookies
    • lockPref("privacy.item.cookies", false);
    • Saved Passwords
    • lockPref("privacy.item.passwords", false);
    • Authenticated Sessions
    • lockPref("privacy.item.sessions", true);
  • Private Data - Ask me before clearing private data
  • lockPref("privacy.sanitize.promptOnSanitize", false);

Security Tab

Firefox Options - Security tab

  • Warn me when sites try to install add-ons
  • lockPref("xpinstall.whitelist.required", true);

    Note that "Add-ons" exceptions are added to the hostperm.1 file in the user's Firefox profile.

  • Tell me if the site I'm visiting is a suspected forgery
  • lockPref("browser.safebrowsing.enabled", true);

    Note: To utilize "Google" to check for web forgeries the user must Accept an EULA.

  • Passwords - Remember passwords for sites
  • lockPref("signon.rememberSignons", true);
  • Passwords - Use a master password
  • The user must enter a master password when enabling, thus you cannot enforce this setting

  • Passwords - Disable the "Show Passwords" Button
  • lockPref("pref.privacy.disable_button.view_passwords", true);
  • Warning Messages
    • I am about to view an encrypted page
    • lockPref("security.warn_entering_secure", false);
    • I am about to view a page that uses low-grade encryption
    • lockPref("security.warn_entering_weak", false);
    • I leave an encrypted page for one that isn't encrypted
    • lockPref("security.warn_leaving_secure", false);
    • I submit information that's not encrypted
    • lockPref("security.warn_submit_insecure", false);
    • I am about to view an encrypted page that contains some unencrypted information
    • lockPref("security.warn_viewing_mixed", false);

Advanced Tab

Firefox Options - Advanced tabs

  • General - Accessibility - Always use the cursor keys to navigate within pages
  • lockPref("accessibility.browsewithcaret", true);
  • General - Accessibility - Search for text when I start typing
  • lockPref("accessibility.typeaheadfind", true);
  • General - Browsing - Use autoscrolling
  • lockPref("general.autoScroll", false);
  • General - Browsing - Use smooth scrolling
  • lockPref("general.smoothScroll", true);
  • General - Browsing - Check my spelling as I type
  • lockPref("layout.spellcheckDefault", 1);

    Where "0" is no spell checking and "1" is spell checking enabled

  • Network - Connection - Configure how Firefox connects to the Internet
  • lockPref("network.proxy.type", 0);

      Where

    • "0" is "Direct connection to the Internet"
    • "1" is "Manual proxy configuration"
    • You must also set the following:

      lockPref("network.proxy.http", "firewall.private.lan");
      lockPref("network.proxy.http_port", 3128);
      lockPref("network.proxy.ssl", "firewall.private.lan");
      lockPref("network.proxy.ssl_port", 3128);
      lockPref("network.proxy.ftp", "firewall.private.lan");
      lockPref("network.proxy.ftp_port", 3128);
      lockPref("network.proxy.gopher", "firewall.private.lan");
      lockPref("network.proxy.gopher_port", 3128);
      lockPref("network.proxy.socks", "firewall.private.lan");
      lockPref("network.proxy.socks_port", 3128);
      

      You can also list addresses that you do not want to use the proxy for:

      lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, www.mozilla.com");
    • "2" is "Automatic proxy configuration URL"
    • You can also set the following setting for the correct autoconfig URL

      lockPref("network.proxy.autoconfig_url", "http://mysite.com/");
    • "4" is "Auto-Detect proxy settings for this network"
  • Network - Cache - Size (Use up to _ MB of space for the cache)
  • lockPref("browser.cache.disk.capacity", 5000);

    Where 5000 is 5MB, etc.

  • Update - Automatically Check For Updates to: Firefox
  • lockPref("app.update.enabled", false);
  • Update - Automatically Check For Updates to: Installed Add-ons
  • lockPref("extensions.update.enabled", true);
  • Update - Automatically Check For Updates to: Search Engines
  • lockPref("browser.search.update", true);
  • Update - When Updates to Firefox are found:
  • lockPref("app.update.auto", false);

    Will set the checkbox to "Ask me what I want to do, While

    lockPref("app.update.mode", 0);

    Set to "0" will set to Automatically download and install the update and not check the "Warn me if this will disable any of my add-ons", Set to "1" will check both the Automatically download/install as well as the warn about disabling add-ons.

  • Encryption - Protocols - Use SSL 3.0
  • lockPref("security.enable_ssl3", true);
  • Encryption - Protocols - Use TLS 1.0
  • lockPref("security.enable_tls", true);
  • Encryption - Certificates - When a web site requires a certificate
  • lockPref("security.default_personal_cert", "Ask Every Time");

Google Ad

© 2017 Mike Petersen - All Rights Reserved