Thursday, December 24, 2009

Locking Down Mozilla Firefox

One of the main drawbacks of Mozilla Firefox for most corporate IT people is that it cannot be locked down or managed through Group Policy. While you cannot lock down Firefox from within Group Policy alone, you can script these fixes into place to lock settings down.

To start, you will need a program to byte-shift a config file so that Firefox can read it. I used Byte Shifter.exe. There are also websites that do it all in a browser, but I haven't used them.

You will also need to edit the all.js file in "C:\Program Files\Mozilla Firefox\greprefs\" to include:
pref("general.config.filename", "mozilla.cfg");
I put that line at the absolute bottom, but it might not matter where it goes.

To start, create an empty file. I called mine mozilla.txt since the result file will be mozilla.cfg.
The file must start with // on its own line.
Add in any settings you want to lock down. You can peruse about:config for settings, and again after you lock them down to check for the "locked" option.

Below is my mozilla.txt file, with host names changed to protect the innocent. I have included comments (they start with //) to explain things a bit further.

//
//Lock the option for startup page. 0 = "Show a blank page", 1 = "Show my home page", and 3 = "Show my windows and tabs from last time"
lockPref("browser.startup.page", 1);
//Set the home page. Use a pipe to include many home pages as tabs.
lockPref("browser.startup.homepage", "http://www.mysuperawesomecompany.com|https://mail.google.com");
//Set the browser history to something a bit longer than the default 7 days.
lockPref("browser.history_expire_days", 90);
lockPref("browser.history_expire_days.mirror", 90);
//Clean up certain things every time Firefox shuts down. This keeps things clean and running smoothly for us; your results may vary.
lockPref("privacy.sanitize.sanitizeOnShutdown", true);
//We do not want to clear the history on shutdown.
lockPref("privacy.clearOnShutdown.history", false);
lockPref("privacy.item.history", false);
//We can clean up the downloads history. I have seen things get really slow if this doesn't happen.
lockPref("privacy.item.downloads", true);
//Clear the cache.
lockPref("privacy.item.cache", true);
//Clean up cookies.
lockPref("privacy.item.cookies", true);
//Remove any session info.
lockPref("privacy.item.sessions", true);
//We do not want to keep passwords saved.
lockPref("privacy.item.passwords", true);
//Do not prompt to do this, just do it.
lockPref("privacy.sanitize.promptOnSanitize", false);

//Remember passwords for sites.
lockPref("signon.rememberSignons", true);
//Do not allow the "Show passwords" button.
lockPref("pref.privacy.disable_button.view_passwords", true);
//Don't use a proxy.
lockPref("network.proxy.type", 0);
//We keep one version of Firefox for a while. The newest version breaks things in our application, so we currently need to just run what we have.
lockPref("app.update.enabled", false);
//Disable extensions.
lockPref("config.lockdown.disable_extensions", true);
//Disable themes.
lockPref("config.lockdown.disable_themes", true);
//Show the downloads window when downloading a file.
lockPref("browser.download.manager.showWhenStarting", false);
//Close the downloads window when all downloads are done.
lockPref("browser.download.manager.closeWhenDone", true);
//Save files to:
lockPref("browser.download.useDownloadDir", true);
lockPref("browser.download.dir", "c:\\%homepath%\\Desktop");
lockPref("browser.download.downloadDir", "c:\\%homepath%\\Desktop");
lockPref("browser.download.folderList", 2);
//Always ask me where to save files.
lockPref("browser.download.useDownloadDir", false);
//Always check to see if Firefox is the default browser.
lockPref("browser.shell.checkDefaultBrowser", false);
//New pages should open in a new window.
lockPref("browser.link.open_external", 2);
lockPref("browser.link.open_newwindow", 2);
//New pages should open in a new tab.
lockPref("browser.link.open_external", 1);
lockPref("browser.link.open_newwindow", 1);
//Warn me when closing multiple tabs.
lockPref("browser.tabs.warnOnClose", false);
//Warn me when opening multiple tabs might slow down Firefox.
lockPref("browser.tabs.warnOnOpen", false);
//Always show the tab bar.
lockPref("browser.tabs.autoHide", false);
//When I open a link in a new tab, switch to it immediately.
lockPref("browser.tabs.loadInBackground", false);
//Block pop-up windows.
lockPref("dom.disable_open_during_load", false);
//Load images automatically. 1 = check 2 = unchecked.
lockPref("permissions.default.image", 2);
//enable JavaScript.
lockPref("javascript.enabled", true);
//Some of the advanced JavaScript options.
//Disable the Advanced Button.
lockPref("pref.advanced.javascript.disable_button.advanced", true);
//Move or resize existing windows.
lockPref("dom.disable_window_move_resize", true);
//Raise or lower windows.
lockPref("dom.disable_windows_flip", false);
//Disable or replace context menus.
lockPref("dom.event.contextmenu.enabled", false);
//Hide the status bar.
lockPref("dom.disable_window_open_feature.status", false);
//Enable Java.
lockPref("security.enable_java", false);

Of course there are many more settings, but that covers a good number of them. Also, I have only tested this on our version of Firefox, which is 2.0.0.20.
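
As an added example (not part of the original post, and not the code of Byte Shifter.exe), the Python script below checks a mozilla.txt for mistakes that are easy to make in a long file (a missing leading // line, a malformed lockPref call, a preference set twice with different values) and then byte-shifts it into mozilla.cfg. The shift of 13 is an assumption (Firefox's default obscure value, which the post does not state); lint, byte_shift and the sample text are names and data made up for this example.

```python
import re
from collections import defaultdict

SHIFT = 13  # assumption: Firefox's default obscure value; not stated in the post

# One lockPref("name", value); call per line, as in the mozilla.txt above.
PREF_RE = re.compile(r'^lockPref\("([^"]+)",\s*(.+)\);\s*$')

def lint(text):
    """Return a sorted list of (line_no, message) problems found in mozilla.txt."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "//":
        problems.append((1, "first line must be // on its own"))
    seen = defaultdict(list)  # pref name -> [(line_no, value), ...]
    for no, line in enumerate(lines, 1):
        s = line.strip()
        if not s or s.startswith("//"):
            continue
        m = PREF_RE.match(s)
        if not m:
            problems.append((no, "not a lockPref() call: " + s))
            continue
        seen[m.group(1)].append((no, m.group(2).strip()))
    for name, uses in seen.items():
        if len({v for _, v in uses}) > 1:
            where = ", ".join(str(n) for n, _ in uses)
            problems.append((uses[-1][0], f"{name} set to different values on lines {where}"))
    return sorted(problems)

def byte_shift(data, shift=SHIFT):
    """Add `shift` to every byte (mod 256); Firefox subtracts it when reading."""
    return bytes((b + shift) & 0xFF for b in data)

# Constructed sample: one malformed call and one preference set twice.
SAMPLE = """//
lockPref("browser.startup.page", 1);
lockPref("browser.download.useDownloadDir", true);
lock{ref("browser.download.folderList", 2);
lockPref("browser.download.useDownloadDir", false);
"""

if __name__ == "__main__":
    problems = lint(SAMPLE)
    for no, msg in problems:
        print(f"line {no}: {msg}")
    if not problems:  # only write mozilla.cfg once the source is clean
        with open("mozilla.cfg", "wb") as f:
            f.write(byte_shift(SAMPLE.encode("utf-8")))
```

Running the check before every deployment keeps a single typo from silently dropping a locked setting; confirm the result in about:config as described above.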