Compliance Report Hardening Web Browser Firefox Axacp2sg 20200826
In the case of CIS-required Control duplication (where a Control requirement appears in more than one section of the benchmark), Qualys
Policy Compliance Policy Editor limits the existence of any Controls within a single policy to one (1) occurrence of each control.
CIS has stated that these settings should be considered as minimum allowable values; if an Organization requires more stringency than the
CIS minimum, these more restrictive and/or stringent values shall all be considered as a PASS. The settings assigned to any given control by
CIS are not guaranteed to be appropriate for any particular environment and all settings should be reviewed and applied according to the
needs of the business. Before you apply the recommendations from the policy, check the relevant vendor documentation to avoid
discrepancies. Also, it is recommended that these values be tested before applying to the Production Environment.
To successfully run remote scans and fetch results from a Windows system, Windows targets need to be configured as follows:
A. There must be 'Inbound' rules set on the network interface used by the Qualys scan via the 'Local Group Policy, Windows Firewall with
Advanced Security on the Local Computer, Inbound Security Rules' configuration interface for a scan to succeed, as the OS blocks all other
port openings by default once that specific network interface (Public, Private, or Domain) is set to Block:
1) TCP/UDP inbound ports--135,137,445,389 (Qualys port scan)
2) UDP inbound ports--135,137,445,389 (Qualys port scan),and
3) Remote Desktop--3389 (a predefined setting for RDP connections).
CAUTION: The above OS configuration requirements may vary or be unnecessary depending on the Customers' requirements. However, it is
important to note that multiple unsuccessful authentications during the scans could result in LOCKING OUT the built-in administrative user, or
the user account used in running the scans.
Additional Information:
Following checks are not part of the policy as being procedural:
1.5, 3.1
Report Summary
Created: 08/25/2020 at 19:23:52 (GMT-0500)
Company: AXA Colpatria
Address: Cra 7 No 24 - 89
City: Bogotá
Zip: 110311
Country: Colombia
User Name: Santiago Adolfo García Giraldo
Login Name: axacp2sg
User Role: Manager
Policy: MTSB-MozFirefox
Policy Locking: Locked - CIS Certified Policy
Template: Policy Report Template
Asset Groups: Windows 7,Windows 10,Web Browser
Ips: N/A
Asset Tags: N/A
PC Agent IPs: No
Active Hosts: 1
Controls: 53
Technologies: 1 (Mozilla Firefox (Windows))
(1.1) 17250 Status of the permission set for the Mozilla Firefox '.js' file (Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The '.js' file is used by Firefox to reference and load the '.cfg' file which contains all the locked preferences. If file access is
not restricted then it is possible for the file contents to be accidentally or maliciously changed or replaced by a user without
the owner's intent or knowledge. This would cause a system security breach, thus this should be configured according to
the needs of the business.
The following List String value(s) of X indicates the permission of the active .js file present on the host.
Extended Evidence:
File Value
(1.2) 17251 Status of the permission set for the firefox config file(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The config file is used by Firefox to configure all the locked preferences. If file access is not restricted then it is possible for
the file contents to be accidentally or maliciously changed or replaced by a user without the owner's intent or knowledge.
This would cause a system security breach, thus this should be configured according to the needs of the business.
The following List String value(s) of X indicates the permission of the Mozilla Firefox .config file present on the host.
Extended Evidence:
File Value
2. Updating Firefox
(2.1) 13877 Status of the software update setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This check controls the application updates of the installed Firefox. Allowing software updates from non-trusted
sites can introduce settings that will override a secured installation of the application. This can place DoD information at
risk. If this setting is enabled, then there are many other default settings which point to untrusted sites which must be
changed to point to an authorized update site that is not publicly accessible. This setting should be configured according to
the needs of the business.
The following List String value(s) of X indicates the status of the app.update.enabled setting defined within the Firefox configuration file.
(2.2) 13881 Status of the 'automatic software updates' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature configures Firefox to automatically download and install updates as they are made available. Security updates
ensure that users are safe from known software bugs and vulnerabilities. This setting should be configured according to
the needs of the business.
The following List String value(s) of X indicates the status of the app.update.auto setting defined within the Firefox configuration file.
(2.3) 13882 Status of the 'app update staging' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature configures Firefox to automatically download and install updates as they are made available. Security updates
ensure that users are safe from known software bugs and vulnerabilities. This setting should be configured according to
the needs of the business.
The following List String value(s) of X indicates the status of the app.update.staging.enabled setting defined within the Firefox configuration file.
(2.4) 13884 Status of the 'auto-notification of outdated plugins' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting automatically detects when installed plugins are out of date and notifies the users to update the plugins.
Outdated plugins can be vulnerable or unstable, and can be exploited by malicious websites. This setting should be
configured according to the needs of the business.
The following List String value(s) of X indicates the status of the plugins.update.notifyUser setting defined within the Firefox configuration file.
This feature automatically shows an information bar when installed Plugins are out of date and notifies the users to update
the plugins. Outdated plugins can be vulnerable or unstable, and can be exploited by malicious websites.
The following List String value(s) of X indicates the status of the plugins.hide_infobar_for_outdated_plugin setting defined within the Firefox configuration file.
(2.6) 13883 Status of the 'update interval time checks' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This configuration sets the amount of time the system waits in between each check for updates. Frequent checks for
updates will mitigate the risk that a system is left vulnerable to known risks for an extended period of time. This setting
should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the app.update.interval setting defined within the Firefox configuration file.
Expected equal to
43200
OR, any of the selected values below:
Default: 43200
File not found
(2.7) 13886 Status of the 'update wait time prompt' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting determines the amount of time, in seconds, which the system will wait before displaying the Software Update
dialogue box. Encouraging the user to update software as soon as possible mitigates the risk that a system will be left
vulnerable. This setting should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the app.update.promptWaitTime setting defined within the Firefox configuration file.
Expected equal to
172800
OR, any of the selected values below:
Setting not found (Using default value 172800)
File not found (Using default value 172800)
(2.8) 13887 Status of the 'update-related ui components' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting dictates whether the Firefox Update service will notify the user when update related events occur, such as
updates being available or downloaded. It is recommended that updated-related notifications be displayed. Ensuring users
are aware of update-related events may reduce the amount of time Firefox remains unpatched. This setting should be
configured according to the needs of the business.
The following List String value(s) of X indicates the status of the app.update.silent setting defined within the Firefox configuration file.
(2.9) 13888 Status of the 'browser.search.update' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other
settings which may direct the application to access external URLs. This setting should be configured according to the
needs of the business.
The following List String value(s) of X indicates the status of the browser.search.update setting defined within the Firefox configuration file.
This setting dictates whether Firefox will send the URL of the SSL/TLS-protected referring site to the referred SSL/TLS
protected site. The URL of the SSL-protected referring site may contain sensitive information. Preventing this URL from
being sent mitigates the risk that the sensitive information will be disclosed. This setting should be configured according to
the needs of the business.
The following List String value(s) of X indicates the status of the network.http.sendSecureXSiteReferrer setting defined within the Firefox configuration file.
(3.2) 13976 Status of the 'NTLM' protocol setting used for authentication(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature allows the NT LAN Manager (NTLM) v1 protocol to be used for authentication to resources that request this
authentication type. NTLM v1 contains cryptographic weaknesses that can be easily exploited to obtain user credentials.
This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the network.auth.force-generic-ntlm-v1 setting defined within the Firefox configuration file.
This setting will help protect the browser against phishing. It is possible to disguise a website's true location by making use
of username/password syntax within the URL (known as "phishy URLs"). This setting will display a warning message
whenever a user clicks a link to a phishy URL. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the network.http.phishy-userpass-length setting defined within the Firefox configuration file.
This feature determines whether all Internationalized Domain Names (IDNs) displayed in the browser are displayed as
Punycode or as Unicode. IDNs displayed in Punycode are easier to identify and therefore help mitigate the risk of
accessing spoofed web pages. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the network.IDN_show_punycode setting defined within the Firefox configuration file.
(3.5) 13978 Status of the 'file uri origin policy' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting determines the restrictions placed on the scripts and links loaded into the browser from local HTML files.
Applying the same origin policy to local files will help mitigate the risk of unauthorized access to sensitive information. This
setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the security.fileuri.strict_origin_policy setting defined within the Firefox configuration file.
This setting disables cloud sync in order to ensure that personal data and credentials are not compromised. Firefox
allows users to sync preferences and settings, including saved credentials, to cloud-based servers in order to retrieve them
from other computers. This setting determines whether cloud sync is enabled. This setting should be configured according
to the needs of the business.
The following List String value(s) of X indicates the status of the services.sync.enabled setting defined within the Firefox configuration file.
(3.7) 13979 Status of the 'RTCPeerConnection(WebRTC)' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The following List String value(s) of X indicates the status of the media.peerconnection.enabled setting defined within the Firefox configuration file.
(3.8) 13980 Status of the 'peerconnection document iceservers(WebRTC)' setting (Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature allows the use of STUN/TURN servers provided by the page for WebRTC. WebRTC is used for peer to peer
communication such as file sharing or video calls. WebRTC can expose private information such as internal IP addresses
and computer settings. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the media.peerconnection.use_document_iceservers setting defined within the Firefox configuration file.
4. Encryption Settings
(4.1) 13983 Status of the 'ssl override behavior' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This preference controls whether Firefox will or will not automatically fill in the URL text box and auto-fetch the certificate
on behalf of the user. Setting this preference to 0 forces the user to enter a URL and click the 'Get Certificate' button before
adding an exception for an invalid cert. Requiring the user to manually enter the server's URL and fetch the certificate may
provide additional opportunity to scrutinize the certificate before adding an exception for a potentially fraudulent certificate.
This setting should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the browser.ssl_override_behavior setting defined within the Firefox configuration file.
Expected equal to
Do not pre-populate the current URL as an exception and do not pre-fetch the SSL certificate (0)
OR, any of the selected values below:
Do not pre-populate the current URL as an exception and do not pre-fetch the SSL certificate( 0 )
Pre-populate the current URL but do not pre-fetch the certificate. (Default)( 1 )
Setting not found (Using default value 2)
Pre-populate the current URL and pre-fetch the certificate( 2 )
File not found (Using default value 2)
This setting specifies the maximum TLS protocol version that will be used for TLS communication. The value 1 means TLS
1.0 is used, the value 2 means TLS 1.1 is used and the value 3 means TLS 1.2 is used. If an older, weak TLS version is
used, it increases the risk of a 'man-in-the-middle attack' which can force the communication to a less secure level. The
attacker can also truncate the encrypted messages. This should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the security.tls.version.max setting defined within the Firefox configuration file.
Expected equal to
TLS 1.2 (3)
OR, any of the selected values below:
SSL 3.0( 0 )
TLS 1.0( 1 )
Setting not found (Using default value 1)
TLS 1.1( 2 )
TLS 1.2( 3 )
File not found (Using default value 1)
(4.3) 13985 Status of the 'TLS min version' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting specifies the minimum TLS protocol version that will be used for TLS communication. The value 1 means TLS
1.0 is used, the value 2 means TLS 1.1 is used and the value 3 means TLS 1.2 is used. If an older, weak TLS version is
used, it increases the risk of a 'man-in-the-middle attack' which can force the communication to a less secure level. The
attacker can also truncate the encrypted messages. This should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the security.tls.version.min setting defined within the Firefox configuration file.
Expected equal to
TLS 1.0 (1)
OR, any of the selected values below:
SSL 3.0( 0 )
TLS 1.0( 1 )
Setting not found (Using default value 0)
TLS 1.1( 2 )
TLS 1.2( 3 )
File not found (Using default value 0)
(4.4) 13986 Status of the 'ocsp use policy' setting (Mozilla Firefox)(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting dictates whether Firefox will leverage Online Certificate Status Protocol (OCSP) to determine if a given
certificate has been revoked. Leveraging OCSP may help identify revoked certificates. This setting should be configured
according to the needs of the business.
The following Integer value(s) of X indicates the status of the security.OCSP.enabled setting defined within the Firefox configuration file.
Expected equal to
(4.5) 13987 Status of the 'Mixed Active Content' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature disables the ability to view HTTP content such as JavaScript, CSS, objects, and xhr requests. Blocking active
mixed content minimizes the risk of man-in-the-middle attacks. This setting should be configured according to the needs of
the business.
The following List String value(s) of X indicates the status of the security.mixed_content.block_active_content setting defined within the Firefox configuration file.
(4.6) 13988 Status of the 'OCSP Response Policy' setting (Mozilla Firefox) (Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting dictates whether Firefox will consider a given certificate to be invalid if Firefox is unable to obtain an Online
Certificate Status Protocol (OCSP) response for it. Requiring an OCSP response will reduce an adversary's ability to
successfully leverage a compromised and revoked certificate. This setting should be configured according to the needs of
the business.
The following List String value(s) of X indicates the status of the security.ocsp.require setting defined within the Firefox configuration file.
5. JavaScript Settings
(5.1) 14000 Status of the 'javascript's ability to change the status bar text' setting (Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The Status Bar shows the location of the content when a user hovers over a hyperlink, a user visits a link, or when content
The following List String value(s) of X indicates the status of the dom.disable_window_status_change setting defined within the Firefox configuration file.
This setting reduces a malicious script's ability to exploit vulnerabilities in plug-ins or abuse plug-in features. This setting
determines whether cloud sync is enabled. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the security.xpconnect.plugin.unrestricted setting defined within the Firefox configuration file.
(5.3) 13992 Status of the 'hide the address bar' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The Address Bar shows the current URL, which can be used to identify the website. Some malicious websites can use
JavaScript to hide the address bar so that a user cannot determine the URL. This setting should be configured according to
the needs of the business.
The following List String value(s) of X indicates the status of the dom.disable_window_open_feature.location setting defined within the Firefox configuration file.
(5.4) 13993 Status of the 'javascript's ability to hide the status bar' setting (Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The Status Bar shows the location of the content when a user visits a link or when content is being downloaded on a web
page. Some malicious websites can use JavaScript to hide the status bar so that a user cannot determine the location of
The following List String value(s) of X indicates the status of the dom.disable_window_open_feature.status setting defined within the Firefox configuration file.
(5.5) 13994 Status of the 'closing of windows via scripts' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
Firefox can be configured to prevent scripts from closing browser windows. Preventing an arbitrary web site from closing
the browser window will reduce the probability of a user losing work or state being performed in another tab within the
same window. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the dom.allow_scripts_to_close_windows setting defined within the Firefox configuration file.
(5.6) 13995 Status of the 'pop-up windows' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'Pop-up Blocker' is used to block Pop-ups which a website might open with or without any user interaction. These
Pop-ups can be used to open un-trusted malicious content. By enabling the Pop-up blocker, all Pop-ups will be blocked which
will guard a user against any attacks launched using a Pop-up. This setting should be configured according to the needs of
the business.
The following List String value(s) of X indicates the status of the privacy.popups.policy setting defined within the Firefox configuration file.
(5.7) 13996 Status of the 'displaying javascript in history urls' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting will ensure that JavaScript URLs are not displayed in the history bar. Various browser elements, even a simple
link, access the javascript protocol. The JavaScript statement used in a javascript URL can be used to encapsulate a
specially crafted URL that performs a malicious function. This setting should be configured according to the needs of the
The following List String value(s) of X indicates the status of the browser.urlbar.filter.javascript setting defined within the Firefox configuration file.
6. Privacy Settings
(6.1) 14001 Status of the 'credential storage' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
Firefox allows credentials to be stored for certain websites. Stored credentials may be harvested by an adversary that
gains local privileges equal to or greater than the principal running Firefox, which may increase the scope and impact of a
breach. However, preventing Firefox from storing credentials will not prevent such an adversary from harvesting
credentials used while compromised. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the signon.rememberSignons setting defined within the Firefox configuration file.
(6.2) 14002 Status of the 'Do Not Accept Third Party Cookies' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
A third-party cookie is a cookie sent by a domain that differs from the domain in the browser's address bar. Third party
cookies are often used for tracking user browsing behaviors, which has privacy implications. However, preventing third-
party cookies does not completely mitigate privacy concerns as several other active tracking mechanisms exist. This
setting should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the network.cookie.cookieBehavior setting defined within the Firefox configuration file.
Expected equal to
Only cookies from the originating server are allowed (1)
OR, any of the selected values below:
All cookies are allowed (Default)( 0 )
Only cookies from the originating server are allowed( 1 )
Setting not found (Using default value 0)
No cookies are allowed( 2 )
Third-party cookies are allowed only if that site has stored cookies already from a previous visit( 3 )
File not found (Using default value 0)
This feature is a mechanism that allows a user's tracking preferences to be communicated to websites. The value true means
send information about the user's tracking preferences to all websites, the value false means do not send any tracking
preferences to any website. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the privacy.donottrackheader.enabled setting defined within the Firefox configuration file.
(6.4) 14004 Status of the 'Do not track header value(Tracking Protection)' setting (Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature is a mechanism that allows a user's tracking preferences to be communicated to websites. The value 0 means a
header stating consent to being tracked is sent to all websites, the value 1 means a header stating the request not to be
tracked is sent to all websites. This setting should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the privacy.donottrackheader.value setting defined within the Firefox configuration file.
Expected equal to
A header stating the request not to be tracked is sent to all websites if privacy.donottrackheader.enabled is set True (1)
OR, any of the selected values below:
A header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set True( 0 )
A header stating the request not to be tracked is sent to all websites if privacy.donottrackheader.enabled is set True( 1 )
Setting not found
File not found
(6.5) 14005 Status of the 'enable Tracking Protection' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature is used to enable Tracking Protection globally to prevent cross-site tracking. These settings instruct the
browser to communicate the preference not to be tracked to websites to which it connects, and additionally attempt to
block tracking. This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the privacy.trackingprotection.enabled setting defined within the Firefox configuration file.
This feature is used to enable Tracking Protection in Private Browsing mode. These settings instruct the browser to
communicate the preference not to be tracked to websites to which it connects, and additionally attempt to block tracking.
This setting should be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the privacy.trackingprotection.pbmode setting defined within the Firefox configuration file.
(6.7) 14007 Status of the 'delay for security sensitive dialog boxes' setting (Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'delay for security sensitive dialog boxes' setting sets the amount of time in milliseconds that elapse before the buttons
on security-sensitive dialog boxes are enabled. This delay helps prevent Firefox users from inadvertently installing
malicious software. This setting should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the security.dialog_enable_delay setting defined within the Firefox configuration file.
Expected equal to
2000
OR, any of the selected values below:
Setting not found (Using default value 1000)
File not found (Using default value 1000)
(6.8) 14008 Status of the 'geolocation services' setting (Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'geolocation services' setting determines whether Firefox will provide geographic location information to websites. The
geo-location services can expose private information to remote websites. This setting should be configured according to
the needs of the business.
The following List String value(s) of X indicates the status of the geo.enabled setting defined within the Firefox configuration file.
This check controls whether Firefox automatically loads active content such as audio and video. Some malicious
websites use active content to exploit vulnerabilities in the active content handling application plug-in. It is recommended to
always prompt the user when a website is about to load active content. This value should be set as appropriate to the
needs of the business.
The following List String value(s) of X indicates the status of the browser.helperApps.alwaysAsk.force setting defined within the Firefox configuration file.
(7.2) 14016 Status of the 'auto-install of add-ons' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This configuration ensures that no website is allowed to automatically install Add-Ons. Add-Ons are
extensions of the browser that add new functionality to Firefox or change its appearance. These run in a user's session,
allowing them to manipulate data and the way Firefox interacts with other applications and user commands.
If malicious Add-Ons are installed automatically, a user's security could be completely compromised. This setting should be
configured according to the needs of the business.
The following List String value(s) of X indicates the status of the xpinstall.whitelist.required setting defined within the Firefox configuration file.
(7.3) 14017 Status of the 'extension block list' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'extension block list' setting enables Mozilla to retrieve a list of blocked applications from the server. Enabling Mozilla
to access the list of blocked applications mitigates the risk of installing a known malicious application. This setting should
be configured according to the needs of the business.
The following List String value(s) of X indicates the status of the extensions.blocklist.enabled setting defined within the Firefox configuration file.
The 'extension block list interval' setting determines how often Mozilla will attempt to retrieve a list of blocked applications
from the server. An updated list of blocked applications mitigates the risk of installing and using a known malicious
application. This setting should be configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the extensions.blocklist.interval setting defined within the Firefox configuration file.
Expected equal to
86400
OR, any of the selected values below:
Setting not found (Using default value 86400)
File not found (Using default value 86400)
(7.5) 14019 Status of the 'warning for external protocol handler' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature indicates whether the user is warned before an external application is opened for pre-configured protocols whose
behavior is undefined. Enabling a warning to appear before data is passed to an external application mitigates the risk
that sensitive information will be exposed to outside threats. This setting should be configured according to the
needs of the business.
The following List String value(s) of X indicates the status of the network.protocol-handler.warn-external-default setting defined within the Firefox
configuration file.
(7.6) 14020 Status of the 'popups initiated by plugins' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'popups initiated by plugins' setting controls popups that are initiated by plugins. Preventing plugin-initiated popups (except from
white-listed sites) from being displayed guards a user against attacks launched using a pop-up. This setting should be
configured according to the needs of the business.
The following Integer value(s) of X indicates the status of the privacy.popups.disable_from_plugins setting defined within the Firefox configuration file.
Expected equal to
Block all plugin initiated popups (2)
OR, any of the selected values below:
No restrictions on plugin initiated popups (0)
Limit the number of plugin initiated popups to value defined in dom.popup_maximum (1)
Setting not found (Using default value 2)
Block all plugin initiated popups (2)
Block all plugin initiated popups, even those on whitelisted sites (3)
File not found (Using default value 2)
(7.7) 14021 Status of 'extension auto update' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature configures Firefox to automatically download and install updates as they are made available. The security
updates ensure that users are safe from known software bugs and vulnerabilities. This setting should be configured
according to the needs of the business.
The following List String value(s) of X indicates the status of the extensions.update.autoUpdateDefault setting defined within the Firefox configuration
file.
(7.8) 14022 Status of the 'extension update' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting configures Firefox to prompt when updates are made available. The security updates ensure that users are
safe from known software bugs and vulnerabilities. This setting should be configured according to the needs of the
business.
The following List String value(s) of X indicates the status of the extensions.update.enabled setting defined within the Firefox configuration file.
(7.9) 14023 Status of the 'extension update interval time checks' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'extension update interval time checks' setting sets the amount of time the system waits between checks for
updates. Setting a specific interval between automatic update checks mitigates the risk that a system will be
left vulnerable to known risks for an extended period of time. This setting should be configured according to the needs of
the business.
The following Integer value(s) of X indicates the status of the extensions.update.interval setting defined within the Firefox configuration file.
Expected equal to
86400
OR, any of the selected values below:
Setting not found (Using default value 86400)
File not found (Using default value 86400)
8. Malware Settings
(8.1) 15786 Status of the 'Virus Scanning for Downloads' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature configures the browser to scan downloads for viruses. This ensures that a downloaded file is scanned for
viruses before the user has an opportunity to interact with the download. It also ensures that the Windows policy for
downloaded files is followed properly. This value should be set as appropriate to the needs of the business.
The following List String value(s) of X indicates the status of the browser.download.manager.scanWhenDone setting defined within the Firefox
configuration file.
(8.2) 14025 Status of the 'JAR Opening unsafe file types' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This setting gives the user the ability to override the restriction on loading only files with application/java-archive or application/
x-jar content types. Restricting the browser to loading only application/java-archive or application/x-jar content types mitigates
the risk of malware infection and other attack vectors. This setting should be configured according to the needs of the
business.
The following List String value(s) of X indicates the status of the network.jar.open-unsafe-types setting defined within the Firefox configuration file.
(8.3) 15787 Status of the 'Block Reported Web Forgeries' setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
This feature alerts the user if they are visiting a known phishing website. Enabling this feature helps mitigate the threat of
phishing attacks. This value should be set as appropriate to the needs of the business.
The following List String value(s) of X indicates the status of the browser.safebrowsing.enabled setting defined within the Firefox configuration file.
(8.4) 14026 Status of the 'Block Reported Attack Sites' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)
The 'Block Reported Attack Sites' setting alerts the user if they are visiting a known malicious website. Enabling this feature
will decrease the probability of a user falling victim to a known malicious web site. This setting should be configured
according to the needs of the business.
The following List String value(s) of X indicates the status of the browser.safebrowsing.malware.enabled setting defined within the Firefox configuration
file.
Report Template
Template Settings
Time Frame: None
Trend Duration: Last 90 days
Group By: Hosts
Status: Passed, Failed and Error
Criticality: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT
Control Statistics: Yes
Host Statistics: Yes
Show Report details: Yes
Show control rationale: Yes
Show hosts summary: Yes
Show control evidence: Yes
Show extended evidence (if applicable): Yes
Show control exceptions: Yes
Show exception history: Yes
Show cause of failure: No
Show control glossary: No
Show Appendix: Yes
Frameworks selected: All