Proprietary Notice
This information is confidential and is the trade secret property of Schlumberger. Do not use, disclose, or reproduce without the prior written permission of Schlumberger.
Schlumberger Private

Firefox Recommended Security Settings
Author: David Busby
Email address: [email protected]
Last Updated: September 30, 2009
Version number: 0.1
Template Version: V 1.0 10-Jan-06
Table of Contents
1. Executive Summary (page 1)
2. Settings (page 2)
  2.1 SSL Protocols (page 2)
    2.1.1 Procedure: Disable SSLv2 Protocol (page 2)
    2.1.2 Procedure: Enable SSLv3 & TLS 1.0 Protocols (page 3)
    2.1.3 Procedure: Import Schlumberger Certificate Authority (page 4)
  2.2 Setting: security.default_personal_cert (page 5)
  2.3 Setting: OCSP Certificate Protocol (page 6)
  2.4 Setting: Non-Secure Page Warning (page 7)
  2.5 JavaScript Settings (page 8)
3. About:Config Settings (page 10)
  3.1 Setting: User Agent Security (page 10)
  3.2 Setting: network.prefetch-next (page 10)
  3.3 Setting: network.ntlm.send-lm-response (page 10)
  3.4 Setting: network.protocol-handler.external.shell (page 10)
  3.5 Setting: browser.download.manager.scanWhenDone (page 11)
  3.6 Setting: browser.download.manager.skipWinSecurityPolicyChecks (page 11)
  3.7 Setting: fileuri.strict_origin_policy (page 11)
4. Single Sign-On Support (page 12)
5. Private Browsing (page 13)
6. NoScript Plugin (page 14)
7. Geographic Location (page 16)
Table of Figures
Figure 1: Location Bar (page 2)
Figure 2: Void Warranty (page 2)
Figure 3: Security Dialog (page 4)
Figure 4: OCSP Protocol (page 7)
Figure 5: Encryption Warnings (page 8)
Figure 6: Additional JavaScript Settings (page 9)
Figure 7: User Agent Security (page 10)
1. Executive Summary
In a continuing effort to provide a secure computing environment for the end user community, Enterprise Services is releasing these recommendations for securing the Firefox browser. Firefox is an unmanaged application. Support for Firefox will be provided on a best-effort basis via a Firefox BB.
2. Settings

2.1 SSL Protocols
The SSLv2 protocol has several known vulnerabilities, is subject to man-in-the-middle attacks, and should be disabled.

2.1.1 Procedure: Disable SSLv2 Protocol
1. Type about:config in the location bar in Firefox.
Figure 1: Location Bar
2. Confirm the warning dialog box.
Figure 2: Void Warranty
3. Type into the filter: security.enable_ssl2
4. Verify that the value is false. If the value is not false, double click the value to change it to false.

2.1.1.1 Remove SSL2 Cipher Suites
1. Type about:config in the location bar.
2. In the filter box type: security.ssl2
3. All of the listed preferences should be false.
Preference Name              Value
security.ssl2.des_64         false
security.ssl2.des_ede3_192   false
security.ssl2.rc2_128        false
security.ssl2.rc2_40         false
security.ssl2.rc4_128        false
security.ssl2.rc4_40         false

2.1.2 Procedure: Enable SSLv3 & TLS 1.0 Protocols
1. Type about:config in the location bar in Firefox.
2. Type in the filter: security.enable
3. Set the following preferences:

Preference Name                      Value
security.enable_java                 true
security.enable_ssl2                 false
security.enable_ssl3                 true
security.enable_tls                  true
security.enable_tls_session_tickets  true
security.ssl3.rsa_null_sha           false
security.ssl3.rsa_null_md5           false

4. The protocol selection can also be confirmed under Tools/Options/Advanced/Encryption Tab (see Figure 3).
Figure 3: Security Dialog

2.1.3 Procedure: Import Schlumberger Certificate Authority
1. Go to www.pki.slb.com and download the Schlumberger Certificate Authority Certificate Chain.
2. Tools->Options->Advanced
3. View Certificates->Authorities->Import
4. Indicate the certificate to import and click OK.
5. Select all trust settings:
   Trust this CA to identify web sites.
   Trust this CA to identify email users.
   Trust this CA to identify software developers.

2.2 Setting: security.default_personal_cert
Firefox is not configured to ask which certificate to present to a web site when a client certificate is required.
1. Menu: Tools/Options/Advanced
2.3 Setting: OCSP Certificate Protocol
The Online Certificate Status Protocol (OCSP) is used to validate X.509 digital certificates.
1. Menu: Tools/Options/Advanced
2. Encryption Tab/Validation
Figure 4: OCSP Protocol

2.4 Setting: Non-Secure Page Warning
This setting will warn you if you're redirected from a secure page to a non-secure page.
Figure 5: Encryption Warnings

2.5 JavaScript Settings
Many of the JavaScript settings need to be set to help prevent attacks such as clickjacking.
1. Tools/Options/Content Tab
2. Click on the Advanced button next to the JavaScript checkbox.
3. Disable the Advanced JavaScript options.
Figure 6: Additional JavaScript Settings
3. About:Config Settings

3.1 Setting: User Agent Security
The user agent is the browser itself. You can confirm or set this setting by following the steps below:
1. Type about:config in the location bar.
2. Type general.useragent.security in the filter.
3. Double click to set the value to U if it is not already set.
Figure 7: User Agent Security

3.2 Setting: network.prefetch-next
If you use the Firefox browser in conjunction with the Google search engine, Google will (under various circumstances) prefetch the first page returned in the results. In other words, that page and any cookies associated with it will be downloaded to your computer even though you never clicked the link.
1. Type about:config in the location bar.
2. Type network.prefetch-next in the filter.
3. If the value is true, double click to set it to false.

3.3 Setting: network.ntlm.send-lm-response
This setting determines whether or not the LM hash will be included in the response to an NTLM challenge. Servers should almost never need the LM hash, and the LM hash is what makes NTLM authentication less secure.
1. Type about:config in the location bar.
2. Type network.ntlm.send-lm-response in the filter.
3. If the value is true, double click to set it to false.
3.4 Setting: network.protocol-handler.external.shell
This setting enables or disables the shell protocol handler. With this setting enabled, an attacker could shell out to the operating system.
1. Type about:config in the location bar.
2. Type network.protocol-handler.external.shell in the filter.
3. If the value is not false, double click to set it to false.
3.5 Setting: browser.download.manager.scanWhenDone
This setting tells the browser to scan completed downloads with the installed virus scanning software.
1. Type about:config in the location bar.
2. Type browser.download.manager.scanWhenDone in the filter.
3. If the value is not true, double click to set it to true.

3.6 Setting: browser.download.manager.skipWinSecurityPolicyChecks
If this setting is present it should be set to false so that Windows security policy checks are honored.
1. Type about:config in the location bar.
2. Type browser.download.manager.skipWinSecurityPolicyChecks in the filter.
3. If the value is not false, double click to set it to false.

3.7 Setting: fileuri.strict_origin_policy
Having security.fileuri.strict_origin_policy set to false could allow locally saved content to traverse up the directory tree on a user's hard drive.
1. Type about:config in the location bar.
2. Type security.fileuri.strict_origin_policy in the filter.
3. If the value is not true, double click to set it to true.
4. Single Sign-On Support
1. Type about:config in the location bar.
2. Type into the filter: network.automatic-ntlm-auth.trusted-uris
3. If found, right click on the preference name and add:
   a. .slb.com (yes, include the leading dot)
4. If not found, right click in the about:config window.
5. New->String
6. Enter: network.automatic-ntlm-auth.trusted-uris
   Then go back to step 3.
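As an added compliance check that is not part of this document or of Firefox itself, the following Python script parses a profile's prefs.js (or user.js) and compares it with the about:config values recommended in sections 2.1, 3 and 4 above; the prefs.js fragment at the end is a constructed sample, not a real profile.

```python
import re
# Recommended about:config values taken from sections 2.1, 3 and 4 of this document.
RECOMMENDED = {
    "security.enable_ssl2": False,
    "security.enable_ssl3": True,
    "security.enable_tls": True,
    "security.enable_tls_session_tickets": True,
    "security.ssl3.rsa_null_sha": False,
    "security.ssl3.rsa_null_md5": False,
    "general.useragent.security": "U",
    "network.prefetch-next": False,
    "network.ntlm.send-lm-response": False,
    "network.protocol-handler.external.shell": False,
    "browser.download.manager.scanWhenDone": True,
    "browser.download.manager.skipWinSecurityPolicyChecks": False,
    "security.fileuri.strict_origin_policy": True,
    "network.automatic-ntlm-auth.trusted-uris": ".slb.com",
}
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')  # user_pref("name", value);

def parse_prefs(text):
    """Return {name: value} for every user_pref() line of a prefs.js or user.js file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"  # boolean literal
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]  # string literal
        else:
            prefs[name] = int(raw)  # integer literal
    return prefs

def audit(prefs):
    """Return (wrong, unset). prefs.js stores only values that differ from the build
    default, so 'unset' means the default applies and must be checked in about:config."""
    wrong = [n for n, want in RECOMMENDED.items() if n in prefs and prefs[n] != want]
    unset = [n for n in RECOMMENDED if n not in prefs]
    # Section 2.1.1.1: every SSLv2 cipher-suite pref (security.ssl2.*) must be false.
    wrong += sorted(n for n, v in prefs.items() if n.startswith("security.ssl2.") and v is not False)
    return wrong, unset

SAMPLE_PREFS_JS = """user_pref("security.enable_ssl2", true);
user_pref("security.ssl2.rc4_40", true);
user_pref("network.ntlm.send-lm-response", false);
user_pref("network.automatic-ntlm-auth.trusted-uris", ".slb.com");
"""  # constructed sample prefs.js fragment, not a real profile
```

Run audit(parse_prefs(open(path).read())) against a copied prefs.js; with the sample above it reports security.enable_ssl2 and security.ssl2.rc4_40 as wrong and the remaining eleven recommended preferences as unset.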
5. Private Browsing
Private browsing is a new feature. Initially set to "Use custom settings for history".
6. NoScript Plugin
The NoScript plugin is not part of Firefox but an extension to it that provides increased security, and it is highly recommended. NoScript stops JavaScript, Flash, and other scripting languages from running in your browser unless you mark the site as trusted. After you install NoScript and restart, when you go to a site such as www.cnet.com you will notice a decrease in functionality because NoScript will block the scripts on the site. You can either always trust or temporarily trust the site.
Here is where you can install the latest version of NoScript.
Click the Options button:
To trust *.slb.com, follow these steps after installing NoScript and restarting Firefox:
1. Tools->Addons
2. Find the NoScript addon and select Options.
3. Click on the Whitelist tab.
4. Add slb.com
7. Geographic Location
Disabling:
1. Type about:config in the location bar.
2. Type geo.wifi.uri in the filter.
3. Double click and delete the entry: https://www.google.com/loc/json
Total disabling can be accomplished by deleting or renaming the file NetworkGeolocationProvider.js.