  • Proprietary Notice

    This information is confidential and is the trade secret property of Schlumberger. Do not use, disclose, or reproduce without the prior written permission of Schlumberger.

    Schlumberger Private

    Firefox Recommended Security Settings

    Author David Busby Email address [email protected] Last Updated September 30, 2009

    Version number 0.1

    Template Version:

    V 1.0 10-Jan-06


    Table of contents

    1. Executive Summary ........ 1
    2. Settings ........ 2
      2.1 SSL Protocols ........ 2
        2.1.1 Procedure: Disable SSLv2 Protocol ........ 2
        2.1.2 Procedure: Enable SSLv3 & TLS 1.0 Protocols ........ 3
        2.1.3 Procedure: Import Schlumberger Certificate Authority ........ 4
      2.2 Setting: security.default_personal_cert ........ 5
      2.3 Setting: OCSP Certificate Protocol ........ 6
      2.4 Setting: Non-Secure Page Warning ........ 7
      2.5 JavaScript Settings ........ 8
    3. About:Config Settings ........ 10
      3.1 Setting: User Agent Security ........ 10
      3.2 Setting: network.prefetch-next ........ 10
      3.3 Setting: network.ntlm.send-lm-response ........ 10
      3.4 Setting: network.protocol-handler.external.shell ........ 10
      3.5 Setting: browser.download.manager.scanWhenDone ........ 11
      3.6 Setting: browser.download.manager.skipWinSecurityPolicyChecks ........ 11
      3.7 Setting: fileuri.strict_origin_policy ........ 11
    4. Single Sign-On Support ........ 12
    5. Private Browsing ........ 13
    6. NoScript Plugin ........ 14
    7. Geographic Location ........ 16


    Table of Figures

    Figure 1: Location Bar ........ 2
    Figure 2: Void Warranty ........ 2
    Figure 3: Security Dialog ........ 4
    Figure 4: OCSP Protocol ........ 7
    Figure 5: Encryption Warnings ........ 8
    Figure 6: Additional JavaScript Settings ........ 9
    Figure 7: User Agent Security ........ 10


    1. Executive Summary

    In a continuing effort to provide a secure computing environment for the end user community, Enterprise Services is releasing these recommendations for securing the Firefox browser. Firefox is an unmanaged application. Support for Firefox will be on a best-effort basis via a Firefox BB.


    2. Settings

    2.1 SSL Protocols

    The SSLv2 protocol has several known vulnerabilities, is subject to man-in-the-middle attacks, and should be disabled.

    2.1.1 Procedure: Disable SSLv2 Protocol

    Type about:config in the location bar in Firefox.

    Figure 1: Location Bar

    Confirm on the warning dialog box.

    Figure 2: Void Warranty

    Type into the filter: security.enable_ssl2
    Verify that the value is false. If the value is not false, double click the value to change it to false.

    2.1.1.1 Remove SSL2 Cipher Suites

    Type about:config in the location bar. In the filter box type: security.ssl2
    All of the following should be false:


    Preference Name                Value
    security.ssl2.des_64           false
    security.ssl2.des_ede3_192     false
    security.ssl2.rc2_128          false
    security.ssl2.rc2_40           false
    security.ssl2.rc4_128          false
    security.ssl2.rc4_40           false

    2.1.2 Procedure: Enable SSLv3 & TLS 1.0 Protocols

    Type about:config in the location bar in Firefox. Type in the filter: security.enable

    Preference Name                         Value
    security.enable_java                    true
    security.enable_ssl2                    false
    security.enable_ssl3                    true
    security.enable_tls                     true
    security.enable_tls_session_tickets     true
    security.ssl3.rsa_null_sha              false
    security.ssl3.rsa_null_md5              false

    Menu: Tools/Options/Advanced/Encryption Tab


    Figure 3: Security Dialog

    2.1.3 Procedure: Import Schlumberger Certificate Authority

    1. Go to www.pki.slb.com and download the Schlumberger Certificate Authority Certificate Chain.
    2. Tools->Options->Advanced
    3. View Certificates->Authorities->Import
    4. Indicate the certificate to import and click OK.


    Select all trust settings:

    Trust this CA to identify web sites.
    Trust this CA to identify email users.
    Trust this CA to identify software developers.

    2.2 Setting: security.default_personal_cert

    Out of the box, Firefox is not configured to ask which certificate to present when a web site requires one.

    1. Menu: Tools/Options/Advanced


    2.3 Setting: OCSP Certificate Protocol

    The Online Certificate Status Protocol (OCSP) is used to validate X.509 digital certificates.

    1. Menu: Tools/Options/Advanced
    2. Encryption Tab/Validation


    Figure 4: OCSP Protocol

    2.4 Setting: Non-Secure Page Warning

    This setting will warn you if you're redirected from a secure page to a non-secure page.


    Figure 5: Encryption Warnings

    2.5 JavaScript Settings

    Many of the JavaScript settings need to be set to help prevent attacks such as clickjacking.

    1. Tools/Options/Content Tab
    2. Click on the Advanced button next to the JavaScript checkbox.
    3. Disable the Advanced JavaScript Options.


    Figure 6: Additional JavaScript Settings


    3. About:Config Settings

    3.1 Setting: User Agent Security

    The user agent identifies the browser. You can confirm or set this setting by following the steps below:

    1. Type about:config in the location bar
    2. Type general.useragent.security in the filter
    3. Double click to set the value to U if it is not already set

    Figure 7: User Agent Security

    3.2 Setting: network.prefetch-next

    If you use the Firefox browser in conjunction with the Google search engine, Google will (under various circumstances) prefetch the first page returned in the results. In other words, that page and any cookies associated with it will be downloaded to your computer even though you never clicked the link.

    1. Type about:config in the location bar
    2. Type into the filter: network.prefetch-next
    3. If true, double click to set it to false

    3.3 Setting: network.ntlm.send-lm-response

    This setting determines whether the LM hash is included in the response to an NTLM challenge. Servers should almost never need the LM hash, and the LM hash is what makes NTLM authentication less secure.

    1. Type about:config in the location bar
    2. Type network.ntlm.send-lm-response in the filter
    3. If true, double click to set it to false

    3.4 Setting: network.protocol-handler.external.shell

    This setting enables or disables the shell protocol handler. With it enabled, an attacker could shell out to the operating system.

    1. Type about:config in the location bar
    2. Type network.protocol-handler.external.shell in the filter
    3. If the value is not false, double click to set it to false

    3.5 Setting: browser.download.manager.scanWhenDone

    This setting tells the browser to scan completed downloads with the installed virus scanning software.

    1. Type about:config in the location bar
    2. Type browser.download.manager.scanWhenDone in the filter
    3. If the value is not true, double click to set it to true

    3.6 Setting: browser.download.manager.skipWinSecurityPolicyChecks

    If this setting is present, it should be set to false to honor Windows security policy checks.

    1. Type about:config in the location bar
    2. Type browser.download.manager.skipWinSecurityPolicyChecks in the filter
    3. If the value is not false, double click to set it to false

    3.7 Setting: fileuri.strict_origin_policy

    Having this set to false could allow locally saved content to traverse up the directory tree on a user's hard drive.

    1. Type about:config in the location bar
    2. Type security.fileuri.strict_origin_policy in the filter
    3. If the value is not true, double click to set it to true


    4. Single Sign-On Support

    1. Type about:config in the location bar
    2. Type into the filter: network.automatic-ntlm-auth.trusted-uris
    3. If found, right click on the preference name and add:
       a. .slb.com (yes, include the leading dot)
    4. If not found, right click in the about:config window
    5. New->String
    6. Enter: network.automatic-ntlm-auth.trusted-uris

    Then go back to Step 3.
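The values from sections 2, 3 and 4 above, gathered into one baseline that can be checked against a user's prefs.js or user.js. This is an added example, not part of the Schlumberger document; the pref names are the ones the document lists, the sample prefs.js content is constructed, and the function names are my own.

```javascript
// Added example, not from the Schlumberger document: audit a Firefox prefs.js
// or user.js against the values this guide recommends. Firefox writes each
// pref as  user_pref("name", value);  (boolean, number or quoted string).
// Caveat: prefs.js only records prefs that differ from the Firefox default,
// so an absent entry means "default applies" and is reported as "unset".
const BASELINE = {
  "security.enable_ssl2": false, "security.enable_ssl3": true, "security.enable_tls": true,
  "security.ssl2.des_64": false, "security.ssl2.des_ede3_192": false,
  "security.ssl2.rc2_128": false, "security.ssl2.rc2_40": false,
  "security.ssl2.rc4_128": false, "security.ssl2.rc4_40": false,
  "security.ssl3.rsa_null_sha": false, "security.ssl3.rsa_null_md5": false,
  "network.prefetch-next": false, "network.ntlm.send-lm-response": false,
  "network.protocol-handler.external.shell": false, "security.fileuri.strict_origin_policy": true,
  "browser.download.manager.scanWhenDone": true,
  "browser.download.manager.skipWinSecurityPolicyChecks": false,
  // Single sign-on: trusted-URI list must contain ".slb.com" with the leading dot.
  "network.automatic-ntlm-auth.trusted-uris": (v) =>
    typeof v === "string" && v.split(",").map((s) => s.trim()).includes(".slb.com"),
};

// Parse user_pref(...) lines into an object; any other line is ignored.
function parsePrefs(text) {
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/;
  const prefs = {};
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    prefs[m[1]] = raw === "true" ? true : raw === "false" ? false
      : raw.startsWith('"') ? JSON.parse(raw) : Number(raw);
  }
  return prefs;
}

// One finding per baseline pref that is absent ("unset") or wrong ("noncompliant").
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(BASELINE)) {
    if (!(name in prefs)) { findings.push({ name, status: "unset" }); continue; }
    const ok = typeof want === "function" ? want(prefs[name]) : prefs[name] === want;
    if (!ok) findings.push({ name, status: "noncompliant", have: prefs[name] });
  }
  return findings;
}

// Constructed sample prefs.js: SSLv2 still on, LM response on, SSO list lacks the dot.
const SAMPLE_PREFS = [
  'user_pref("security.enable_ssl2", true);',
  'user_pref("network.ntlm.send-lm-response", true);',
  'user_pref("network.automatic-ntlm-auth.trusted-uris", "slb.com");',
  'user_pref("security.fileuri.strict_origin_policy", true);',
].join("\n");
```

Running auditPrefs(SAMPLE_PREFS) flags the three wrong entries as noncompliant and everything the sample does not mention as unset, which is the list to confirm by hand in about:config.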


    5. Private Browsing

    Private browsing is a new feature. Initially set it to "Use custom settings for history".


    6. NoScript Plugin

    The NoScript plugin is not part of Firefox but an extension to it that provides increased security and is highly recommended. NoScript stops JavaScript, Flash, and other scripting languages from running in your browser unless you say the site is trusted. After you install NoScript and restart, when you go to a site such as www.cnet.com you will notice a decrease in functionality because NoScript blocks the scripts on the site. You can either always trust or temporarily trust the site. Here is where you can install the latest version of NoScript.

    Click the Options Button:


    To trust *.slb.com, follow these steps after installing NoScript and restarting Firefox.

    1. Tools->Addons
    2. Find the NoScript addon and select Options
    3. Click on the Whitelist tab
    4. Add slb.com


    7. Geographic Location

    Disabling:

    1. about:config
    2. geo.wifi.uri
    3. Double click and delete the entry: https://www.google.com/loc/json

    Total disabling can be accomplished by deleting or renaming the file: NetworkGeolocationProvider.js
