Firefox_Recommended_Security_Settings[1].pdf
Post on 26-Sep-2015
Proprietary Notice
This information is confidential and is the trade secret property of Schlumberger. Do not use, disclose, or reproduce without the prior written permission of Schlumberger.
Schlumberger Private
Firefox Recommended Security Settings
Author: David Busby
Email address: dbusby3@slb.com
Last Updated: September 30, 2009
Version number: 0.1
Template Version: V 1.0 10-Jan-06
Table of contents
1. Executive Summary
2. Settings
2.1 SSL Protocols
2.1.1 Procedure: Disable SSLv2 Protocol
2.1.2 Procedure: Enable SSLv3 & TLS 1.0 Protocols
2.1.3 Procedure: Import Schlumberger Certificate Authority
2.2 Setting: security.default_personal_cert
2.3 Setting: OCSP Certificate Protocol
2.4 Setting: Non-Secure Page Warning
2.5 JavaScript Settings
3. About:Config Settings
3.1 Setting: User Agent Security
3.2 Setting: network.prefetch-next
3.3 Setting: network.ntlm.send-lm-response
3.4 Setting: network.protocol-handler.external.shell
3.5 Setting: browser.download.manager.scanWhenDone
3.6 Setting: browser.download.manager.skipWinSecurityPolicyChecks
3.7 Setting: fileuri.strict_origin_policy
4. Single Sign-On Support
5. Private Browsing
6. NoScript Plugin
7. Geographic Location
Table of Figures
Figure 1: Location Bar
Figure 2: Void Warranty
Figure 3: Security Dialog
Figure 4: OCSP Protocol
Figure 5: Encryption Warnings
Figure 6: Additional JavaScript Settings
Figure 7: User Agent Security
1. Executive Summary
In a continuing effort to provide a secure computing environment for the end-user community, Enterprise Services is releasing these recommendations for securing the Firefox browser. Firefox is an unmanaged application. Support for Firefox will be provided on a best-effort basis via a Firefox BB.
2. Settings
2.1 SSL Protocols
The SSLv2 protocol has several known weaknesses, is subject to man-in-the-middle attacks, and should be disabled.
2.1.1 Procedure: Disable SSLv2 Protocol
Type about:config in the location bar in Firefox.
Figure 1: Location Bar
Confirm on the warning dialog box.
Figure 2: Void Warranty
Type into the filter: security.enable_ssl2
Verify that the value is false. If the value is not false, double-click the value to change it to false.
2.1.1.1 Remove SSL2 Cipher Suites
Type about:config in the location bar. In the filter box type: security.ssl2
All of the following preferences should be false:
Preference Name               Value
security.ssl2.des_64          false
security.ssl2.des_ede3_192    false
security.ssl2.rc2_128         false
security.ssl2.rc2_40          false
security.ssl2.rc4_128         false
security.ssl2.rc4_40          false
2.1.2 Procedure: Enable SSLv3 & TLS 1.0 Protocols
Type about:config in the location bar in Firefox. Type in the filter: security.enable
Preference Name                        Value
security.enable_java                   true
security.enable_ssl2                   false
security.enable_ssl3                   true
security.enable_tls                    true
security.enable_tls_session_tickets    true
security.ssl3.rsa_null_sha             false
security.ssl3.rsa_null_md5             false
Tools/Options/Advanced/Encryption Tab
Figure 3: Security Dialog
2.1.3 Procedure: Import Schlumberger Certificate Authority
1. Go to www.pki.slb.com and download the Schlumberger Certificate Authority Certificate Chain.
2. Tools->Options->Advanced
3. View Certificates->Authorities->Import
4. Indicate the certificate to import and click OK.
Select all trust settings:
- Trust this CA to identify web sites.
- Trust this CA to identify email users.
- Trust this CA to identify software developers.
2.2 Setting: security.default_personal_cert
Firefox is not configured to ask which certificate to present to a web site when a certificate is required.
1. Menu: Tools/Options/Advanced
2.3 Setting: OCSP Certificate Protocol
The Online Certificate Status Protocol (OCSP) is used to validate X.509 digital certificates.
1. Menu: Tools/Options/Advanced
2. Encryption Tab/Validation
Figure 4: OCSP Protocol
2.4 Setting: Non-Secure Page Warning
This setting will warn you if you're directed from a secure page to a non-secure page.
Figure 5: Encryption Warnings
2.5 JavaScript Settings
Many of the settings for JavaScript need to be set to help prevent things like clickjacking.
1. Tools/Options/Content Tab
2. Click on the Advanced button next to the JavaScript checkbox.
3. Disable the Advanced JavaScript Options.
Figure 6: Additional JavaScript Settings
3. About:Config Settings
3.1 Setting: User Agent Security
The user agent is the browser. You can confirm or set this setting by following the steps below:
1. Type about:config in the location bar
2. Type general.useragent.security in the filter
3. Double-click to set the value to U if it is not already set
Figure 7: User Agent Security
3.2 Setting: network.prefetch-next
If you use the Firefox browser in conjunction with the Google search engine, Google will (under various circumstances) prefetch the first page returned in the results. In other words, that page and any cookies associated with it will be downloaded to your computer even though you never clicked the link.
1. Type about:config in the location bar
2. Type in the filter: network.prefetch-next
3. If true, double-click to set to false
3.3 Setting: network.ntlm.send-lm-response
This setting determines whether or not the LM hash will be included in the response to an NTLM challenge. Servers should almost never need the LM hash, and the LM hash is what makes NTLM authentication less secure.
1. Type about:config in the location bar
2. Type network.ntlm.send-lm-response in the filter
3. If true, double-click to set to false.
3.4 Setting: network.protocol-handler.external.shell
This setting is used to enable/disable the shell protocol handler. With this setting enabled an attacker could shell out to the operating system.
1. Type about:config in the location bar
2. Type network.protocol-handler.external.shell in the filter
3. If the value is not false, double-click to set to false.
3.5 Setting: browser.download.manager.scanWhenDone
This setting tells the browser to scan any downloads with the installed virus scanning software.
1. Type about:config in the location bar
2. Type browser.download.manager.scanWhenDone in the filter
3. If the value is not true, double-click to set to true.
3.6 Setting: browser.download.manager.skipWinSecurityPolicyChecks
If this setting is present it should be set to false to honor Windows Security Policy checks.
1. Type about:config in the location bar
2. Type browser.download.manager.skipWinSecurityPolicyChecks in the filter
3. If the value is not false, double-click to set to false.
3.7 Setting: fileuri.strict_origin_policy
Having this set to false could allow locally saved content to traverse up the directory tree on a user's hard drive.
1. Type about:config in the location bar
2. Type security.fileuri.strict_origin_policy in the filter
3. If the value is not true, double-click to set to true.
4. Single Sign-On Support
1. Type about:config in the location bar
2. Type into the filter: network.automatic-ntlm-auth.trusted-uris
3. If found, right-click on the preference name and add:
   a. .slb.com (yes, include the leading dot)
4. If not found, right-click in the about:config window
5. New->String
6. Enter: network.automatic-ntlm-auth.trusted-uris
Then go back to Step 3.
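As an added example (not part of the original document), the following Python script audits a Firefox prefs.js or user.js file against the values recommended in sections 2.1 and 3 and the single sign-on entry from section 4, then renders a user.js fragment that applies the baseline. It relies only on Firefox's own user_pref("name", value); file syntax; the sample prefs.js content embedded below is constructed for the demonstration, and the status names (ok, mismatch, unset) are this script's own convention.

```python
"""Audit a Firefox prefs.js / user.js against the settings recommended above.

Added example; not part of the original document. Assumes Firefox's
user_pref("name", value); line format and a constructed sample prefs.js.
"""
import re

# Recommended values taken from sections 2.1 and 3 of the document.
BASELINE = {
    "security.enable_ssl2": False,
    "security.ssl2.des_64": False,
    "security.ssl2.des_ede3_192": False,
    "security.ssl2.rc2_128": False,
    "security.ssl2.rc2_40": False,
    "security.ssl2.rc4_128": False,
    "security.ssl2.rc4_40": False,
    "security.enable_java": True,
    "security.enable_ssl3": True,
    "security.enable_tls": True,
    "security.enable_tls_session_tickets": True,
    "security.ssl3.rsa_null_sha": False,
    "security.ssl3.rsa_null_md5": False,
    "general.useragent.security": "U",
    "network.prefetch-next": False,
    "network.ntlm.send-lm-response": False,
    "network.protocol-handler.external.shell": False,
    "browser.download.manager.scanWhenDone": True,
    "browser.download.manager.skipWinSecurityPolicyChecks": False,
    "security.fileuri.strict_origin_policy": True,
}

# Section 3.6: this one only matters if the preference is present at all.
OPTIONAL = {"browser.download.manager.skipWinSecurityPolicyChecks"}

# Section 4: the trusted-URI list must carry the domain with its leading dot.
TRUSTED_URIS_PREF = "network.automatic-ntlm-auth.trusted-uris"
REQUIRED_TRUSTED = ".slb.com"

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_value(raw: str):
    """Convert the literal on the right-hand side of user_pref() to Python."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text: str) -> dict:
    """Return {pref_name: value} for every user_pref() line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs: dict) -> dict:
    """Return {pref_name: status} with status 'ok', 'mismatch' or 'unset'.

    prefs.js only records values that differ from the built-in default, so
    'unset' means the default applies and the value should be confirmed in
    about:config rather than assumed correct.
    """
    result = {}
    for name, wanted in BASELINE.items():
        if name not in prefs:
            result[name] = "ok" if name in OPTIONAL else "unset"
        else:
            result[name] = "ok" if prefs[name] == wanted else "mismatch"
    uris = prefs.get(TRUSTED_URIS_PREF)
    if uris is None:
        result[TRUSTED_URIS_PREF] = "unset"
    else:
        entries = [u.strip() for u in str(uris).split(",")]
        result[TRUSTED_URIS_PREF] = "ok" if REQUIRED_TRUSTED in entries else "mismatch"
    return result


def render_user_js() -> str:
    """Render the baseline as user.js lines that Firefox applies at startup."""
    def fmt(v):
        if isinstance(v, bool):
            return "true" if v else "false"
        if isinstance(v, str):
            return '"%s"' % v
        return str(v)
    lines = ['user_pref("%s", %s);' % (k, fmt(v))
             for k, v in sorted(BASELINE.items()) if k not in OPTIONAL]
    lines.append('user_pref("%s", "%s");' % (TRUSTED_URIS_PREF, REQUIRED_TRUSTED))
    return "\n".join(lines)


# Constructed sample profile content, not taken from a real machine.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("security.enable_ssl2", true);
user_pref("security.ssl2.rc4_40", true);
user_pref("network.prefetch-next", false);
user_pref("network.ntlm.send-lm-response", true);
user_pref("network.automatic-ntlm-auth.trusted-uris", "intranet.example, .slb.com");
user_pref("security.fileuri.strict_origin_policy", true);
"""

if __name__ == "__main__":
    for name, status in sorted(audit(parse_prefs(SAMPLE_PREFS_JS)).items()):
        if status != "ok":
            print("%-58s %s" % (name, status))
    print("\n// user.js fragment applying the baseline:")
    print(render_user_js())
```

Run it against a copy of prefs.js from the profile directory to list every preference that is set to a non-recommended value, and paste the rendered fragment into a user.js file in the same profile to enforce the baseline on the next start.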
5. Private Browsing
Private browsing is a new feature. Initially set to "Use custom settings for history".
6. NoScript Plugin
The NoScript plugin is not part of Firefox but an extension to it that provides increased security and is highly recommended. NoScript stops JavaScript, Flash, and other scripting languages from running in your browser unless you mark the site as trusted. After you install NoScript and restart, when you go to a site such as www.cnet.com you will notice a decrease in functionality because NoScript blocks the scripts on the site. You can either always trust or temporarily trust the site. Here is where you can install the latest version of NoScript.
Click the Options Button:
To trust *.slb.com, follow these steps after installing NoScript and restarting Firefox.
1. Tools->Addons
2. Find the NoScript add-on and select Options
3. Click on the Whitelist tab
4. Add slb.com
7. Geographic Location
Disabling:
1. Type about:config in the location bar
2. Type geo.wifi.uri in the filter
3. Double-click and delete the entry: https://www.google.com/loc/json
Total disabling can be accomplished by deleting or renaming the file: NetworkGeolocationProvider.js