Firefox Lockdown Information - pcc-services.

com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

Firefox Lockdown Information

This page shows how to easily lock-down Mozilla Firefox's Settings before you deploy the app with my Deployment Utility. These instructions are based on Chris LLias's Blog entry about Locking Down Firefox. 1. Edit the file "Mozilla Firefox\greprefs\all.js" and add the following to the end of it:
pref("general.config.filename", "mozilla.cfg");

2. Create a new file called "mozilla.txt" and add any lockdown settings you want, an example is:
// lockPref("app.update.enabled", false); lockPref("network.proxy.type", 0); lockPref("browser.startup.page", 1); lockPref("browser.startup.homepage", "http://www.google.com/");

You can find more options to lockdown below, or you can browse the "about:config" page to find more settings to lockdown. 3. Now, you must "encode" the "mozilla.txt" file into a "mozilla.cfg" file. To do this use the application located here, or even easier is the online converter located at: http://www.alain.knaff.lu/%7Eaknaff/howto/MozillaCustomization/cgi/byteshf.cgi. 4. Finally, put the new "mozilla.cfg" file into the "Mozilla Firefox" directory. Now you are ready to deploy Firefox with the appropriate settings "Locked-Down". Note: If you do not wish to "byte-shift" the mozilla.cfg file, simply add the following to the greprefs\all.js file:
pref("general.config.obscure_value", 0);

Also, you may be able to store your mozilla.cfg file on a server with the following - although I haven't full tested it yet:
lockPref("autoadmin.global_config_url", "http://yourserver.companyname.com/mozilla.cfg");

Update for Mozilla Firefox 4

I received these instructions from Landon Veitch (Thank You!!), which since I haven't had time to test these, I will post the email in it's entirety. Mike, I know that Firefox 4 was just released but I wanted to write you to inform you that I figured out how to apply your locks to the new changes in Firefox 4. This way you can keep your customers up to date. I did this on a Vista and 7 machine so I know this works for these installs. ENSURE YOU HAVE WINZIP 1. Install Firefox 4 (using standard defaults) 2. Navigate to C:\Program Files\Mozilla Firefox 3. Right click the OMNI.JAR file and open with Winzip 4. Extract all files to a folder somewhere on the PC 5. Go to that extraction folder and you will see the files in their applicable folder structure. 6. Navigate to the defaults\profile\firefox.js 7. Add the following line to the end of that file:
\\MOZILLA FIREFOX LOCKDOWN pref("general.config.filename", "mozilla.cfg");

8. Save the file 9. Re-Zip all the files back into a file called OMNI.JAR 10. Replace the original OMNI.JAR file with the new one 11. Drop your mozilla.cfg file in the root of Program Files\Mozilla Firefox 12. Launch Firefox and see your lockdowns work Again, I haven't fully test this yet and I am not sure if you have to use Winzip or if you could also use 7-zip. Thanks again Landon for the input! Here is a Youtube Video Showing Firefox 4 Lockdown

Firefox Lockdown Settings

There are many ways to find various settings you can lock down within firefox. The most thorough way is to simply browse through the "about:config" page within Firefox. A few settings not readily apparent is the ability to disable extensions and themes, you can do this by setting the following:
lockPref("config.lockdown.disable_extensions", true); lockPref("config.lockdown.disable_themes", true);

Also, if you want to disable the ability to access the "about:config" page you must copy this file into the "Mozilla Firefox\components\" directory. To lock down basic settings, here is a list of the settings available through the "Options" Dialog (Current with Firefox 2.0.0.6). Remember, there are quite a few more available through the "about:config" Firefox page, but these should get you started.

Main Tab

1 of 7

3/16/2012 3:06 PM

Firefox Lockdown Information - pcc-services.com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

Startup - "When Firefox Starts:"

lockPref("browser.startup.page", 0);

Where:
0 = "Show a blank page" 1 = "Show my home page" 3 = "Show my windows and tabs from last time"

Startup - "Home Page"

lockPref("browser.startup.homepage", "http://www.google.com/");

Downloads - "Show the Downloads window when downloading a file"

lockPref("browser.download.manager.showWhenStarting", false);

Downloads - "Close it when all downloads are finished"

lockPref("browser.download.manager.closeWhenDone", true);

Downloads - "Save files to:" (All must be set)

lockPref("browser.download.useDownloadDir", true); lockPref("browser.download.dir", "C:\\Downloads"); lockPref("browser.download.downloadDir", "C:\\Downloads"); lockPref("browser.download.folderList", 2);

Downloads - "Always ask me where to save files"

lockPref("browser.download.useDownloadDir", false);

System Defaults - Always check to see if Firefox is the default browser on startup:
lockPref("browser.shell.checkDefaultBrowser", false);

Tabs Tab

2 of 7

3/16/2012 3:06 PM

Firefox Lockdown Information - pcc-services.com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

New pages should be opened in: a new window

lockPref("browser.link.open_external", 2); lockPref("browser.link.open_newwindow", 2);

New pages should be opened in: a new tab

lockPref("browser.link.open_external", 1); lockPref("browser.link.open_newwindow", 1);

Warn me when closing multiple tabs

lockPref("browser.tabs.warnOnClose", false);

Warn me when opening multiple tabs might slow down Firefox

lockPref("browser.tabs.warnOnOpen", false);

Always show the tab bar

lockPref("browser.tabs.autoHide", false);

When I open a link in a new tab, switch to it immediately

lockPref("browser.tabs.loadInBackground", false);

Content Tab

Block pop-up windows

lockPref("dom.disable_open_during_load", false);

3 of 7

3/16/2012 3:06 PM

Firefox Lockdown Information - pcc-services.com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

Note that exceptions are added to the hostperm.1 file in the user's Firefox profile. Load images automatically
lockPref("permissions.default.image", 2);

Where (1) is checked and (2) is unchecked. Note that exceptions are added to the hostperm.1 file in the user's Firefox profile. Enable JavaScript
lockPref("javascript.enabled", false);

Advanced JavaScript Settings To disable the Advanced button

lockPref("pref.advanced.javascript.disable_button.advanced", true);

Move or resize existing windows

lockPref("dom.disable_window_move_resize", true);

Raise or lower windows

lockPref("dom.disable_window_flip", false);

Disable or replace context menus

lockPref("dom.event.contextmenu.enabled", false);

Hide the status bar

lockPref("dom.disable_window_open_feature.status", false);

Change status bar text

lockPref("dom.disable_window_status_change", false);

Enable Java
lockPref("security.enable_java", false);

Fonts & Colors You could lock down these settings, but not recommended as each user utilizes their own preferences File Types The app that opens each type of file is written to the "mimeTypes.rdf" file in the user's profile. However, you can disable the apps "browser plugin" by adding something similar to the following, forcing the user to "save the file" to disk:
lockPref("plugin.disable_full_page_plugin_for_types", "audio/x-ms-wma,application/pdf");

Privacy Tab

History - Remember visted pages for the last _ days

lockPref("browser.history_expire_days", 4); lockPref("browser.history_expire_days.mirror", 4);

Set "browser.history_expire_days" to "0" to disable History completely History - Remember what I enter in forms and the search bar
lockPref("browser.formfill.enable", false);

4 of 7

3/16/2012 3:06 PM

Firefox Lockdown Information - pcc-services.com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

History - Remember what I've Downloaded

lockPref("browser.download.manager.retention", 0);

Set to "2" to enable Cookies - Accept cookies from sites

lockPref("network.cookie.cookieBehavior", 2);

Where "0" is enabled, "2" is disable cookies Cookies - Keep until:

lockPref("network.cookie.lifetimePolicy", 2);

Where "0" is "they expire" - "1" is "ask me every time" - "2" is "I close Firefox" Cookies - Exceptions (disable the button)
lockPref("pref.privacy.disable_button.cookie_exceptions", false);

Note that Cookie exceptions are added to the hostperm.1 file in the user's Firefox profile. Private Data - Always clear my private data when I close Firefox
lockPref("privacy.sanitize.sanitizeOnShutdown", true);

Clear Private Data Settings Browsing History

lockPref("privacy.item.history", true);

Download History
lockPref("privacy.item.downloads", true);

Saved Form Information

lockPref("privacy.item.formdata", true);

Cache
lockPref("privacy.item.cache", true);

Cookies
lockPref("privacy.item.cookies", false);

Saved Passwords
lockPref("privacy.item.passwords", false);

Authenticated Sessions
lockPref("privacy.item.sessions", true);

Private Data - Ask me before clearing private data

lockPref("privacy.sanitize.promptOnSanitize", false);

Security Tab

Warn me when sites try to install add-ons

lockPref("xpinstall.whitelist.required", true);

5 of 7

3/16/2012 3:06 PM

Firefox Lockdown Information - pcc-services.com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

Note that "Add-ons" exceptions are added to the hostperm.1 file in the user's Firefox profile. Tell me if the site I'm visiting is a suspected forgery
lockPref("browser.safebrowsing.enabled", true);

Note: To utilize "Google" to check for web forgeries the user must Accept an EULA. Passwords - Remember passwords for sites
lockPref("signon.rememberSignons", true);

Passwords - Use a master password The user must enter a master password when enabling, thus you cannot enforce this setting Passwords - Disable the "Show Passwords" Button
lockPref("pref.privacy.disable_button.view_passwords", true);

Warning Messages I am about to view an encrypted page

lockPref("security.warn_entering_secure", false);

I am about to view a page that uses low-grade encryption

lockPref("security.warn_entering_weak", false);

I leave an encrypted page for one that isn't encrypted

lockPref("security.warn_leaving_secure", false);

I submit information that's not encrypted

lockPref("security.warn_submit_insecure", false);

I am about to view an encrypted page that contains some unencrypted information

lockPref("security.warn_viewing_mixed", false);

Advanced Tab

General - Accessibility - Always use the cursor keys to navigate within pages
lockPref("accessibility.browsewithcaret", true);

General - Accessibility - Search for text when I start typing

lockPref("accessibility.typeaheadfind", true);

General - Browsing - Use autoscrolling

lockPref("general.autoScroll", false);

General - Browsing - Use smooth scrolling

lockPref("general.smoothScroll", true);

General - Browsing - Check my spelling as I type

lockPref("layout.spellcheckDefault", 1);

Where "0" is no spell checking and "1" is spell checking enabled Network - Connection - Configure how Firefox connects to the Internet

6 of 7

3/16/2012 3:06 PM

Firefox Lockdown Information - pcc-services.com

http://www.pcc-services.com/kixtart/firefox-lockdown.html

lockPref("network.proxy.type", 0);

Where "0" is "Direct connection to the Internet" "1" is "Manual proxy configuration" You must also set the following:
lockPref("network.proxy.http", "firewall.private.lan"); lockPref("network.proxy.http_port", 3128); lockPref("network.proxy.ssl", "firewall.private.lan"); lockPref("network.proxy.ssl_port", 3128); lockPref("network.proxy.ftp", "firewall.private.lan"); lockPref("network.proxy.ftp_port", 3128); lockPref("network.proxy.gopher", "firewall.private.lan"); lockPref("network.proxy.gopher_port", 3128); lockPref("network.proxy.socks", "firewall.private.lan"); lockPref("network.proxy.socks_port", 3128);

You can also list addresses that you do not want to use the proxy for:
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, www.mozilla.com");

"2" is "Automatic proxy configuration URL" You can also set the following setting for the correct autoconfig URL
lockPref("network.proxy.autoconfig_url", "http://mysite.com/");

"4" is "Auto-Detect proxy settings for this network" Network - Cache - Size (Use up to _ MB of space for the cache)
lockPref("browser.cache.disk.capacity", 5000);

Where 5000 is 5MB, etc. Update - Automatically Check For Updates to: Firefox
lockPref("app.update.enabled", false);

Update - Automatically Check For Updates to: Installed Add-ons

lockPref("extensions.update.enabled", true);

Update - Automatically Check For Updates to: Search Engines

lockPref("browser.search.update", true);

Update - When Updates to Firefox are found:

lockPref("app.update.auto", false);

Will set the checkbox to "Ask me what I want to do, While

lockPref("app.update.mode", 0);

Set to "0" will set to Automatically download and install the update and not check the "Warn me if this will disable any of my add-ons", Set to "1" will check both the Automatically download/install as well as the warn about disabling add-ons. Encryption - Protocols - Use SSL 3.0
lockPref("security.enable_ssl3", true);

Encryption - Protocols - Use TLS 1.0

lockPref("security.enable_tls", true);

Encryption - Certificates - When a web site requires a certificate

lockPref("security.default_personal_cert", "Ask Every Time");

7 of 7

3/16/2012 3:06 PM