
The CIS certified policy for Mozilla Firefox is based on the CIS Benchmark for Mozilla Firefox 38 ESR, v1.0.0. The policy contains Scored types of Level 1 and Level 2 checks from the benchmark. The controls within the policy are configured on the basis of values provided by the CIS benchmark. As this policy and the controls within it are certified by CIS, the policy is LOCKED, prohibiting any changes to the controls or their configuration values. If the organizational security policy requires different configuration values or changes to the policy, make a copy of this policy and modify the configured values for the required controls as needed by the organization's security/configuration policy.

In the case of CIS-required Control duplication (where a Control requirement appears in more than one section of the benchmark), Qualys
Policy Compliance Policy Editor limits the existence of any Controls within a single policy to one (1) occurrence of each control.

CIS has stated that these settings should be considered as minimum allowable values; if an Organization requires more stringency than the
CIS minimum, these more restrictive and/or stringent values shall all be considered as a PASS. The settings assigned to any given control by
CIS are not guaranteed to be appropriate for any particular environment and all settings should be reviewed and applied according to the
needs of the business. Before you apply the recommendations from the policy, check the relevant vendor documentation to avoid
discrepancies. Also, it is recommended that these values be tested before applying to the Production Environment.

To successfully run remote scans and fetch results from a Windows system, Windows targets need to be configured as follows:

A. There must be 'Inbound' rules set on the network interface used by the Qualys scan via the 'Local Group Policy, Windows Firewall with Advanced Security on the Local Computer, Inbound Security Rules' configuration interface for a scan to succeed, as the OS blocks all other port openings by default once that specific network interface (Public, Private, or Domain) is set to Block:
1) TCP/UDP inbound ports: 135, 137, 445, 389 (Qualys port scan)
2) UDP inbound ports: 135, 137, 445, 389 (Qualys port scan), and
3) Remote Desktop: 3389 (a predefined setting for RDP connections).

CAUTION: The above OS configuration requirements may vary or be unnecessary depending on the customer's requirements. However, it is important to note that multiple unsuccessful authentications during the scans could result in LOCKING OUT the built-in administrative user, or the user account used to run the scans.

Additional Information:
The following checks are not part of the policy because they are procedural:
1.5, 3.1

Hardening (Web Browser) Firefox page 1


Hardening (Web Browser) Firefox
August 25, 2020

Report Summary
Created: 08/25/2020 at 19:23:52 (GMT-0500)
Company: AXA Colpatria
Address: Cra 7 No 24 - 89
City: Bogotá
Zip: 110311
Country: Colombia
User Name: Santiago Adolfo García Giraldo
Login Name: axacp2sg
User Role: Manager

Report Summary

Policy: MTSB-MozFirefox
Policy Locking: Locked - CIS Certified Policy
Template: Policy Report Template
Asset Groups: Windows 7, Windows 10, Web Browser
Ips: N/A
Asset Tags: N/A
PC Agent IPs: No
Active Hosts: 1
Controls: 53
Technologies: 1 (Mozilla Firefox (Windows))

Total Control Instances: 53


Total Passed: 0
Total Failed: 53 (100%)
Total Error: 0
Approved Exceptions: 0
Pending Exceptions: 0
Policy Modified: 08/25/2020 at 18:24:14 (GMT-0500)
Policy Last Evaluated: 08/25/2020 at 19:06:46 (GMT-0500)

The following pie charts display the number of control instances and their states at the time this report was generated.

[Charts: Pass/Fail/Error Summary; Pass/Fail/Error and Exceptions Summary; Pass Criticality Summary; Fail Criticality Summary]

Control Statistics (Percentage of Hosts Passed per Control)

1. Configure Locked Preferences

Order | Control ID | Statement | % | Criticality
1.1 | 17250 | Status of the permission set for the Mozilla firefox '.js' file | 0% (0 of 1) | MEDIUM
1.2 | 17251 | Status of the permission set for the firefox config file | 0% (0 of 1) | MEDIUM

2. Updating Firefox

Order | Control ID | Statement | % | Criticality
2.1 | 13877 | Status of the software update setting | 0% (0 of 1) | CRITICAL
2.2 | 13881 | Status of the 'automatic software updates' setting | 0% (0 of 1) | CRITICAL
2.3 | 13882 | Status of the 'app update staging' setting | 0% (0 of 1) | CRITICAL
2.4 | 13884 | Status of the 'auto-notification of outdated plugins' setting | 0% (0 of 1) | CRITICAL
2.5 | 15745 | Status of "plugins.hide_infobar_for_outdated_plugin" setting | 0% (0 of 1) | MEDIUM
2.6 | 13883 | Status of the 'update interval time checks' setting | 0% (0 of 1) | CRITICAL
2.7 | 13886 | Status of the 'update wait time prompt' setting | 0% (0 of 1) | SERIOUS
2.8 | 13887 | Status of the 'update-related ui components' setting | 0% (0 of 1) | SERIOUS
2.9 | 13888 | Status of the 'browser.search.update' setting | 0% (0 of 1) | SERIOUS

3. Network Settings

Order | Control ID | Statement | % | Criticality
3.1 | 15675 | Status of 'network.http.sendSecureXSiteReferrer' setting | 0% (0 of 1) | MEDIUM
3.2 | 13976 | Status of the 'NTLM' protocol setting used for authentication | 0% (0 of 1) | CRITICAL
3.3 | 15676 | Status of 'network.http.phishy-userpass-length' setting | 0% (0 of 1) | MEDIUM
3.4 | 13977 | Status of the 'IDN show punycode' setting | 0% (0 of 1) | SERIOUS
3.5 | 13978 | Status of the 'file uri origin policy' setting | 0% (0 of 1) | SERIOUS
3.6 | 15677 | Status of 'services.sync.enabled' Setting | 0% (0 of 1) | MEDIUM
3.7 | 13979 | Status of the 'RTCPeerConnection(WebRTC)' setting | 0% (0 of 1) | CRITICAL
3.8 | 13980 | Status of the 'peerconnection document iceservers(WebRTC)' setting | 0% (0 of 1) | CRITICAL

4. Encryption Settings

Order | Control ID | Statement | % | Criticality
4.1 | 13983 | Status of the 'ssl override behavior' setting | 0% (0 of 1) | SERIOUS
4.2 | 13984 | Status of the 'TLS max version' setting | 0% (0 of 1) | CRITICAL
4.3 | 13985 | Status of the 'TLS min version' setting | 0% (0 of 1) | CRITICAL
4.4 | 13986 | Status of the 'ocsp use policy' setting (Mozilla Firefox) | 0% (0 of 1) | SERIOUS
4.5 | 13987 | Status of the 'Mixed Active Content' setting | 0% (0 of 1) | CRITICAL
4.6 | 13988 | Status of the 'OCSP Response Policy' setting (Mozilla Firefox) | 0% (0 of 1) | SERIOUS

5. JavaScript Settings

Order | Control ID | Statement | % | Criticality
5.1 | 14000 | Status of the 'javascript's ability to change the status bar text' setting | 0% (0 of 1) | CRITICAL
5.2 | 15678 | Status of 'security.xpconnect.plugin.unrestricted' setting | 0% (0 of 1) | MEDIUM
5.3 | 13992 | Status of the 'hide the address bar' setting | 0% (0 of 1) | SERIOUS
5.4 | 13993 | Status of the 'javascript's ability to hide the status bar' setting | 0% (0 of 1) | SERIOUS
5.5 | 13994 | Status of the 'closing of windows via scripts' setting | 0% (0 of 1) | SERIOUS
5.6 | 13995 | Status of the 'pop-up windows' setting | 0% (0 of 1) | SERIOUS
5.7 | 13996 | Status of the 'displaying javascript in history urls' setting | 0% (0 of 1) | SERIOUS

6. Privacy Settings

Order | Control ID | Statement | % | Criticality
6.1 | 14001 | Status of the 'credential storage' setting | 0% (0 of 1) | CRITICAL
6.2 | 14002 | Status of the 'Do Not Accept Third Party Cookies' setting | 0% (0 of 1) | CRITICAL
6.3 | 14003 | Status of the 'Do not track(Tracking Protection)' setting | 0% (0 of 1) | CRITICAL
6.4 | 14004 | Status of the 'Do not track header value(Tracking Protection)' setting | 0% (0 of 1) | CRITICAL
6.5 | 14005 | Status of the 'enable Tracking Protection' setting | 0% (0 of 1) | CRITICAL
6.6 | 14006 | Status of the 'Private Browsing mode(Tracking Protection)' setting | 0% (0 of 1) | CRITICAL
6.7 | 14007 | Status of the 'delay for security sensitive dialog boxes' setting | 0% (0 of 1) | SERIOUS
6.8 | 14008 | Status of the 'geolocation services' setting | 0% (0 of 1) | SERIOUS

7. Extensions and Add-ons

Order | Control ID | Statement | % | Criticality
7.1 | 15785 | Status of the 'Secure Application Plug-ins' setting | 0% (0 of 1) | SERIOUS
7.2 | 14016 | Status of the 'auto-install of add-ons' setting | 0% (0 of 1) | CRITICAL
7.3 | 14017 | Status of the 'extension block list' setting | 0% (0 of 1) | SERIOUS
7.4 | 14018 | Status of the 'extension block list interval' setting | 0% (0 of 1) | SERIOUS
7.5 | 14019 | Status of the 'warning for external protocol handler' setting | 0% (0 of 1) | SERIOUS
7.6 | 14020 | Status of the 'popups initiated by plugins' setting | 0% (0 of 1) | SERIOUS
7.7 | 14021 | Status of 'extension auto update' setting | 0% (0 of 1) | CRITICAL
7.8 | 14022 | Status of the 'extension update' setting | 0% (0 of 1) | CRITICAL
7.9 | 14023 | Status of the 'extension update interval time checks' setting | 0% (0 of 1) | SERIOUS

8. Malware Settings

Order | Control ID | Statement | % | Criticality
8.1 | 15786 | Status of the 'Virus Scanning for Downloads' setting | 0% (0 of 1) | SERIOUS
8.2 | 14025 | Status of the 'JAR Opening unsafe file types' setting | 0% (0 of 1) | SERIOUS
8.3 | 15787 | Status of the 'Block Reported Web Forgeries' setting | 0% (0 of 1) | MEDIUM
8.4 | 14026 | Status of the 'Block Reported Attack Sites' setting | 0% (0 of 1) | CRITICAL

Host Statistics (Percentage of Controls Passed per Host)

IP | Tracking | Qualys Host ID | DNS Name | Netbios Name | OS | Last Scan Date | %
10.65.96.154 | IP | - | dtjocolmenaresc.uinversion.colpatria.com | DTJOCOLMENARESC | Windows 7 Professional 64 bit Edition Service Pack 1 | 08/25/2020 at 18:42:52 (GMT-0500) | 0% (0 of 53)

Detailed Results

Windows 7 Professional 64 bit Edition Service Pack 1
10.65.96.154 (dtjocolmenaresc.uinversion.colpatria.com, DTJOCOLMENARESC)
cpe:/o:microsoft:windows_7::sp1:x64:
Controls: 53
Passed: 0
Failed: 53 (100%)
Error: 0
Approved Exceptions: 0
Pending Exceptions: 0
Last Scan Date: 08/25/2020 at 18:42:52 (GMT-0500)
Tracking Method: IP
Qualys Host ID: -
Asset Tags:
ScannedLast60days, Windows 7, Webservices

Mozilla Firefox (Windows)


1. Configure Locked Preferences

(1.1) 17250 Status of the permission set for the Mozilla firefox '.js' file(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The '.js' file is used by Firefox to reference and load the '.cfg' file, which contains all the locked preferences. If file access is not restricted, a user could accidentally or maliciously change or replace the file contents without the owner's intent or knowledge. This would cause a system security breach, so the permissions should be configured according to the needs of the business.

The following List String value(s) of X indicates the permission of the active .js file present on the host.

Expected matches regular expression list
.+
OR, any of the selected values below:
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

Extended Evidence:
File Value

(1.2) 17251 Status of the permission set for the firefox config file(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The config file is used by Firefox to configure all the locked preferences. If file access is not restricted, a user could accidentally or maliciously change or replace the file contents without the owner's intent or knowledge. This would cause a system security breach, so the permissions should be configured according to the needs of the business.

The following List String value(s) of X indicates the permission of the Mozilla Firefox .config file present on the host.

Expected matches regular expression list
.+
OR, any of the selected values below:
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

Extended Evidence:
File Value

2. Updating Firefox

(2.1) 13877 Status of the software update setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This check controls the application updates of the installed Firefox. Allowing software updates from non-trusted sites can introduce settings that will override a secured installation of the application. This can place DoD information at risk. If this setting is enabled, there are many other default settings which point to untrusted sites and which must be changed to point to an authorized update site that is not publicly accessible. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the app.update.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

(2.2) 13881 Status of the 'automatic software updates' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature configures Firefox to automatically download and install updates as they are made available. Security updates ensure that users are safe from known software bugs and vulnerabilities. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the app.update.auto setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

(2.3) 13882 Status of the 'app update staging' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature configures Firefox to automatically download and install updates as they are made available. Security updates ensure that users are safe from known software bugs and vulnerabilities. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the app.update.staging.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

(2.4) 13884 Status of the 'auto-notification of outdated plugins' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting automatically detects when installed plugins are out of date and notifies the users to update the plugins. Outdated plugins can be vulnerable or unstable, and can be exploited by malicious websites. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the plugins.update.notifyUser setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "false")

(2.5) 15745 Status of "plugins.hide_infobar_for_outdated_plugin" setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature automatically shows an information bar when installed plugins are out of date and notifies the users to update the plugins. Outdated plugins can be vulnerable or unstable, and can be exploited by malicious websites.

The following List String value(s) of X indicates the status of the plugins.hide_infobar_for_outdated_plugin setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

(2.6) 13883 Status of the 'update interval time checks' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This configuration sets the amount of time the system waits in between each check for updates. Frequent checks for updates will mitigate the risk that a system is left vulnerable to known risks for an extended period of time. This setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the app.update.interval setting defined within the Firefox configuration file.

Expected equal to
43200
OR, any of the selected values below:
Default: 43200
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

(2.7) 13886 Status of the 'update wait time prompt' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting determines the amount of time, in seconds, which the system will wait before displaying the Software Update dialogue box. Encouraging the user to update software as soon as possible mitigates the risk that a system will be left vulnerable. This setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the app.update.promptWaitTime setting defined within the Firefox configuration file.

Expected equal to
172800
OR, any of the selected values below:
Setting not found (Using default value 172800)
File not found (Using default value 172800)

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value 172800)

(2.8) 13887 Status of the 'update-related ui components' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting dictates whether the Firefox Update service will notify the user when update-related events occur, such as updates being available or downloaded. It is recommended that update-related notifications be displayed. Ensuring users are aware of update-related events may reduce the amount of time Firefox remains unpatched. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the app.update.silent setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "false")

(2.9) 13888 Status of the 'browser.search.update' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the browser.search.update setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

3. Network Settings

(3.1) 15675 Status of 'network.http.sendSecureXSiteReferrer' setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting dictates whether Firefox will send the URL of the SSL/TLS-protected referring site to the referred SSL/TLS-protected site. The URL of the SSL-protected referring site may contain sensitive information. Preventing this URL from being sent mitigates the risk that the sensitive information will be disclosed. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the network.http.sendSecureXSiteReferrer setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

(3.2) 13976 Status of the 'NTLM' protocol setting used for authentication(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature allows the NT LAN Manager (NTLM) v1 protocol to be used for authentication to resources that request this authentication type. NTLM v1 contains cryptographic weaknesses that can be easily exploited to obtain user credentials. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the network.auth.force-generic-ntlm-v1 setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "false")

(3.3) 15676 Status of 'network.http.phishy-userpass-length' setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting will help protect the browser against phishing. It is possible to disguise a website's true location by making use of username/password syntax within the URL (known as "phishy URLs"). This setting will display a warning message whenever a user clicks a link to a phishy URL. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the network.http.phishy-userpass-length setting defined within the Firefox configuration file.

Expected matches regular expression list
1\b
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

(3.4) 13977 Status of the 'IDN show punycode' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature determines whether all Internationalized Domain Names (IDNs) displayed in the browser are displayed as Punycode or as Unicode. IDNs displayed in Punycode are easier to identify and therefore help mitigate the risk of accessing spoofed web pages. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the network.IDN_show_punycode setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "false")

(3.5) 13978 Status of the 'file uri origin policy' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting determines the restrictions placed on the scripts and links loaded into the browser from local HTML files. Applying the same origin policy to local files will help mitigate the risk of unauthorized access to sensitive information. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the security.fileuri.strict_origin_policy setting defined within the Firefox configuration file.

Expected matches regular expression list
true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

(3.6) 15677 Status of 'services.sync.enabled' Setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting disables cloud sync in order to ensure that personal data and credentials are not compromised. Firefox allows users to sync preferences and settings, including saved credentials, to cloud-based servers in order to retrieve them from other computers. This setting determines whether cloud sync is enabled. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the services.sync.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found

(3.7) 13979 Status of the 'RTCPeerConnection(WebRTC)' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting enables or disables the ability to create RTCPeerConnection objects for WebRTC. WebRTC is used for peer to peer communication such as file sharing or video calls. WebRTC can expose private information such as internal IP addresses and computer settings. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the media.peerconnection.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

(3.8) 13980 Status of the 'peerconnection document iceservers(WebRTC)' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting allows the use of STUN/TURN servers provided by the page for WebRTC. WebRTC is used for peer to peer communication such as file sharing or video calls. WebRTC can expose private information such as internal IP addresses and computer settings. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the media.peerconnection.use_document_iceservers setting defined within the Firefox configuration file.

Expected matches regular expression list
false
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value "true")

4. Encryption Settings

(4.1) 13983 Status of the 'ssl override behavior' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This preference controls whether Firefox will or will not automatically fill in the URL text box and auto-fetch the certificate on behalf of the user. Setting this preference to 0 forces the user to enter a URL and click the 'Get Certificate' button before adding an exception for an invalid cert. Requiring the user to manually enter the server's URL and fetch the certificate may provide additional opportunity to scrutinize the certificate before adding an exception for a potentially fraudulent certificate. This setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the browser.ssl_override_behavior setting defined within the Firefox configuration file.

Expected equal to
Do not pre-populate the current URL as an exception and do not pre-fetch the SSL certificate (0)
OR, any of the selected values below:
Do not pre-populate the current URL as an exception and do not pre-fetch the SSL certificate( 0 )
Pre-populate the current URL but do not pre-fetch the certificate. (Default)( 1 )
Setting not found (Using default value 2)
Pre-populate the current URL and pre-fetch the certificate( 2 )
File not found (Using default value 2)

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value 2)

(4.2) 13984 Status of the 'TLS max version' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting specifies the maximum TLS protocol version that will be used for TLS communication. The value 1 means TLS 1.0 is used, the value 2 means TLS 1.1 is used, and the value 3 means TLS 1.2 is used. If an older, weak TLS version is used, it increases the risk of a man-in-the-middle attack that can force the communication to a less secure level; the attacker can also truncate the encrypted messages. This should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the security.tls.version.max setting defined within the Firefox configuration file.

Expected equal to
TLS 1.2 (3)
OR, any of the selected values below:
SSL 3.0( 0 )
TLS 1.0( 1 )
Setting not found (Using default value 1)
TLS 1.1( 2 )
TLS 1.2( 3 )
File not found (Using default value 1)

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value 1)

(4.3) 13985 Status of the 'TLS min version' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting specifies the minimum TLS protocol version that will be used for TLS communication. The value 1 means TLS 1.0 is used, the value 2 means TLS 1.1 is used, and the value 3 means TLS 1.2 is used. If an older, weak TLS version is used, it increases the risk of a man-in-the-middle attack that can force the communication to a less secure level; the attacker can also truncate the encrypted messages. This should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the security.tls.version.min setting defined within the Firefox configuration file.

Expected equal to
TLS 1.0 (1)
OR, any of the selected values below:
SSL 3.0( 0 )
TLS 1.0( 1 )
Setting not found (Using default value 0)
TLS 1.1( 2 )
TLS 1.2( 3 )
File not found (Using default value 0)

Actual Last Updated: 08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value 0)

(4.4) 13986 Status of the 'ocsp use policy' setting (Mozilla Firefox)(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting dictates whether Firefox will leverage Online Certificate Status Protocol (OCSP) to determine if a given
certificate has been revoked. Leveraging OCSP may help identify revoked certificates. This setting should be configured
according to the needs of the business.

The following Integer value(s) of X indicates the status of the security.OCSP.enabled setting defined within the Firefox configuration file.

Expected equal to
Enabled (1)
OR, any of the selected values below:
Disabled( 0 )
Enabled( 1 )
Setting not found (Using default value 1)
File not found (Using default value 1)

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value 1)

(4.5) 13987 Status of the 'Mixed Active Content' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting blocks active mixed content, that is, HTTP-delivered content such as JavaScript, CSS, objects and XHR requests
loaded into an HTTPS page. Blocking active mixed content minimizes the risk of man-in-the-middle attacks. This setting
should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the security.mixed_content.block_active_content setting defined within the Firefox
configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(4.6) 13988 Status of the 'OCSP Response Policy' setting (Mozilla Firefox)(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting dictates whether Firefox will consider a given certificate to be invalid if Firefox is unable to obtain an Online
Certificate Status Protocol (OCSP) response for it. Requiring an OCSP response will reduce an adversary's ability to
successfully leverage a compromised and revoked certificate. This setting should be configured according to the needs of
the business.

The following List String value(s) of X indicates the status of the security.ocsp.require setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "false")

5. JavaScript Settings

(5.1) 14000 Status of the 'javascript's ability to change the status bar text' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The Status Bar shows the location of the content when a user hovers over a hyperlink, a user visits a link, or when content
is being downloaded on a web page. Some malicious websites can use JavaScript to manipulate the text on the status bar
so that a user cannot determine the actual location of the content for hyperlinks and downloads. This setting should be
configured according to the needs of the business.

The following List String value(s) of X indicates the status of the dom.disable_window_status_change setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(5.2) 15678 Status of 'security.xpconnect.plugin.unrestricted' setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting reduces a malicious script's ability to exploit vulnerabilities in plug-ins or abuse plug-in features. This setting
determines whether cloud sync is enabled. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the security.xpconnect.plugin.unrestricted setting defined within the Firefox configuration
file.

Expected matches regular expression list


false
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found

(5.3) 13992 Status of the 'hide the address bar' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The Address Bar shows the current URL, which can be used to identify the website. Some malicious websites can use
JavaScript to hide the address bar so that a user cannot determine the URL. This setting should be configured according to
the needs of the business.

The following List String value(s) of X indicates the status of the dom.disable_window_open_feature.location setting defined within the Firefox
configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(5.4) 13993 Status of the 'javascript's ability to hide the status bar' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The Status Bar shows the location of the content when a user visits a link or when content is being downloaded on a web
page. Some malicious websites can use JavaScript to hide the status bar so that a user cannot determine the location of
the content for hyperlinks and downloads. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the dom.disable_window_open_feature.status setting defined within the Firefox
configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(5.5) 13994 Status of the 'closing of windows via scripts' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

Firefox can be configured to prevent scripts from closing browser windows. Preventing an arbitrary web site from closing
the browser window will reduce the probability of a user losing work or state being performed in another tab within the
same window. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the dom.allow_scripts_to_close_windows setting defined within the Firefox configuration
file.

Expected matches regular expression list


false
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "false")

(5.6) 13995 Status of the 'pop-up windows' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'Pop-up Blocker' is used to block pop-ups which a website might open with or without any user interaction. These
pop-ups can be used to open untrusted malicious content. By enabling the Pop-up Blocker, all pop-ups will be blocked, which
guards a user against any attacks launched using a pop-up. This setting should be configured according to the needs of
the business.

The following List String value(s) of X indicates the status of the privacy.popups.policy setting defined within the Firefox configuration file.

Expected matches regular expression list


1\b
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found

(5.7) 13996 Status of the 'displaying javascript in history urls' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting will ensure that JavaScript URLs are not displayed in the history bar. Various browser elements, even a simple
link, access the javascript protocol. The JavaScript statement used in a javascript URL can be used to encapsulate a
specially crafted URL that performs a malicious function. This setting should be configured according to the needs of the
business.

The following List String value(s) of X indicates the status of the browser.urlbar.filter.javascript setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

6. Privacy Settings

(6.1) 14001 Status of the 'credential storage' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

Firefox allows credentials to be stored for certain websites. Stored credentials may be harvested by an adversary that
gains local privileges equal to or greater than the principal running Firefox, which may increase the scope and impact of a
breach. However, preventing Firefox from storing credentials will not prevent such an adversary from harvesting
credentials used while compromised. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the signon.rememberSignons setting defined within the Firefox configuration file.

Expected matches regular expression list


false
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(6.2) 14002 Status of the 'Do Not Accept Third Party Cookies' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

A third-party cookie is a cookie sent by a domain that differs from the domain in the browser's address bar. Third-party
cookies are often used for tracking user browsing behavior, which has privacy implications. However, blocking third-party
cookies does not completely mitigate privacy concerns, as several other active tracking mechanisms exist. This
setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the network.cookie.cookieBehavior setting defined within the Firefox configuration file.

Expected equal to
Only cookies from the originating server are allowed (1)
OR, any of the selected values below:
All cookies are allowed (Default)( 0 )
Only cookies from the originating server are allowed( 1 )
Setting not found (Using default value 0)
No cookies are allowed( 2 )
Third-party cookies are allowed only if that site has stored cookies already from a previous visit( 3 )
File not found (Using default value 0)

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value 0)

(6.3) 14003 Status of the 'Do not track(Tracking Protection)' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature allows the browser to communicate a user's tracking preference to websites. The value true means the
user's tracking preference is sent to all websites; the value false means no tracking preference is sent to any
website. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the privacy.donottrackheader.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "false")

(6.4) 14004 Status of the 'Do not track header value(Tracking Protection)' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature allows the browser to communicate a user's tracking preference to websites. The value 0 means a header
stating consent to being tracked is sent to all websites; the value 1 means a header stating the request not to be
tracked is sent to all websites. This setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the privacy.donottrackheader.value setting defined within the Firefox configuration file.

Expected equal to
A header stating the request not to be tracked is sent to all websites if privacy.donottrackheader.enabled is set True (1)
OR, any of the selected values below:
A header stating consent to being tracked is sent to all websites if privacy.donottrackheader.enabled is set True( 0 )
A header stating the request not to be tracked is sent to all websites if privacy.donottrackheader.enabled is set True( 1 )
Setting not found
File not found

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found

(6.5) 14005 Status of the 'enable Tracking Protection' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature is used to enable Tracking Protection globally to prevent cross-site tracking. These settings instruct the
browser to communicate the preference not to be tracked to websites to which it connects, and additionally attempt to
block tracking. This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the privacy.trackingprotection.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "false")

(6.6) 14006 Status of the 'Private Browsing mode(Tracking Protection)' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature is used to enable Tracking Protection in Private Browsing mode. These settings instruct the browser to
communicate the preference not to be tracked to websites to which it connects, and additionally attempt to block tracking.
This setting should be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the privacy.trackingprotection.pbmode setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(6.7) 14007 Status of the 'delay for security sensitive dialog boxes' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'delay for security sensitive dialog boxes' setting sets the amount of time in milliseconds that elapses before the buttons
on security-sensitive dialog boxes are enabled. This delay helps prevent Firefox users from inadvertently installing
malicious software. This setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the security.dialog_enable_delay setting defined within the Firefox configuration file.

Expected equal to
2000
OR, any of the selected values below:
Setting not found (Using default value 1000)
File not found (Using default value 1000)

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value 1000)

(6.8) 14008 Status of the 'geolocation services' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'geolocation services' setting determines whether Firefox will provide geographic location information to websites. The
geolocation services can expose private information to remote websites. This setting should be configured according to
the needs of the business.

The following List String value(s) of X indicates the status of the geo.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list


false
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

7. Extensions and Add-ons

(7.1) 15785 Status of the 'Secure Application Plug-ins' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This check controls whether Firefox automatically loads active content such as audio and video. Some malicious
websites use active content to exploit vulnerabilities in the application plug-in that handles it. It is recommended to
always prompt the user when a website is about to load active content. This value should be set as appropriate to the
needs of the business.

The following List String value(s) of X indicates the status of the browser.helperApps.alwaysAsk.force setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found

(7.2) 14016 Status of the 'auto-install of add-ons' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This configuration ensures that no website is allowed to automatically install Add-Ons. Add-Ons are
extensions of the browser that add new functionality to Firefox or change its appearance. They run in a user's session,
allowing them to manipulate data and the way Firefox interacts with other applications and user commands.
If malicious Add-Ons are installed automatically, a user's security could be completely compromised. This setting should be
configured according to the needs of the business.

The following List String value(s) of X indicates the status of the xpinstall.whitelist.required setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(7.3) 14017 Status of the 'extension block list' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'extension block list' setting enables Mozilla to retrieve a list of blocked applications from the server. Enabling Mozilla
to access the list of blocked applications mitigates the risk of installing a known malicious application. This setting should
be configured according to the needs of the business.

The following List String value(s) of X indicates the status of the extensions.blocklist.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(7.4) 14018 Status of the 'extension block list interval' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'extension block list interval' setting determines how often Mozilla will attempt to retrieve a list of blocked applications
from the server. An updated list of blocked applications mitigates the risk of installing and using a known malicious
application. This setting should be configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the extensions.blocklist.interval setting defined within the Firefox configuration file.

Expected equal to
86400
OR, any of the selected values below:
Setting not found (Using default value 86400)
File not found (Using default value 86400)

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value 86400)

(7.5) 14019 Status of the 'warning for external protocol handler' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature indicates whether the user is warned before an external application is opened for pre-configured protocols where
its behavior is undefined. Enabling a warning to appear before passing data to an external application mitigates the risk
that sensitive information will be exposed to outside threats. This setting should be configured according to the
needs of the business.

The following List String value(s) of X indicates the status of the network.protocol-handler.warn-external-default setting defined within the Firefox
configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(7.6) 14020 Status of the 'popups initiated by plugins' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'popups initiated by plugins' setting controls pop-ups that are initiated by plugins. Preventing plugin pop-ups (except
those from white-listed sites) from being displayed guards a user against attacks launched using a pop-up. This setting should be
configured according to the needs of the business.

The following Integer value(s) of X indicates the status of the privacy.popups.disable_from_plugins setting defined within the Firefox configuration file.

Expected equal to
Block all plugin initiated popups (2)
OR, any of the selected values below:
No restrictions on plugin initiated popups( 0 )
Limit the number of plugin initiated popups to value defined in dom.popup_maximum( 1 )
Setting not found (Using default value 2)
Block all plugin initiated popups( 2 )
Block all plugin initiated popups, even those on whitelisted sites( 3 )
File not found (Using default value 2)

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value 2)

(7.7) 14021 Status of 'extension auto update' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature configures Firefox to automatically download and install updates as they are made available. The security
updates ensure that users are safe from known software bugs and vulnerabilities. This setting should be configured
according to the needs of the business.

The following List String value(s) of X indicates the status of the extensions.update.autoUpdateDefault setting defined within the Firefox configuration
file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(7.8) 14022 Status of the 'extension update' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting configures Firefox to prompt when updates are made available. The security updates ensure that users are
safe from known software bugs and vulnerabilities. This setting should be configured according to the needs of the
business.

The following List String value(s) of X indicates the status of the extensions.update.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

(7.9) 14023 Status of the 'extension update interval time checks' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'extension update interval time checks' setting sets the amount of time the system waits between checks for
updates. Setting a specific interval between automatic update checks mitigates the risk that a system will
be left vulnerable to known risks for an extended period of time. This setting should be configured according to the needs of
the business.

The following Integer value(s) of X indicates the status of the extensions.update.interval setting defined within the Firefox configuration file.

Expected equal to
86400
OR, any of the selected values below:
Setting not found (Using default value 86400)
File not found (Using default value 86400)

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)
File not found (Using default value 86400)

8. Malware Settings

(8.1) 15786 Status of the 'Virus Scanning for Downloads' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature configures the browser to scan downloads for viruses. This ensures that a downloaded file is scanned for
viruses before the user has an opportunity to interact with the download. It also ensures that the Windows policy for
downloaded files is followed properly. This value should be set as appropriate to the needs of the business.

The following List String value(s) of X indicates the status of the browser.download.manager.scanWhenDone setting defined within the Firefox
configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found

(8.2) 14025 Status of the 'JAR Opening unsafe file types' setting(Mozilla Firefox (Windows)) Failed SERIOUS
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This setting gives the user the ability to override the restriction that only files with the application/java-archive or
application/x-jar content types are loaded. Restricting the browser to only those content types mitigates
the risk of malware infection and other attack vectors. This setting should be configured according to the needs of the
business.

The following List String value(s) of X indicates the status of the network.jar.open-unsafe-types setting defined within the Firefox configuration file.

Expected matches regular expression list


false
OR, any of the selected values below:
Setting not found (Using default value "false")
File not found (Using default value "false")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "false")

(8.3) 15787 Status of the 'Block Reported Web Forgeries' setting(Mozilla Firefox (Windows)) Failed MEDIUM
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

This feature alerts the user if they are visiting a known phishing website. Enabling this feature helps mitigate the threat of
phishing attacks. This value should be set as appropriate to the needs of the business.

The following List String value(s) of X indicates the status of the browser.safebrowsing.enabled setting defined within the Firefox configuration file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found
File not found

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)
File not found

(8.4) 14026 Status of the 'Block Reported Attack Sites' setting(Mozilla Firefox (Windows)) Failed CRITICAL
Instance Mozilla Firefox (Windows)
Evaluation Date 08/25/2020 at 19:06:45 (GMT-0500)

The 'Block Reported Attack Sites' setting alerts the user if they are visiting a known malicious website. Enabling this feature
will decrease the probability of a user falling victim to a known malicious web site. This setting should be configured
according to the needs of the business.

The following List String value(s) of X indicates the status of the browser.safebrowsing.malware.enabled setting defined within the Firefox configuration
file.

Expected matches regular expression list


true
OR, any of the selected values below:
Setting not found (Using default value "true")
File not found (Using default value "true")

Actual Last Updated:08/25/2020 at 18:42:52 (GMT-0500)


File not found (Using default value "true")

Appendix

Report Template

Policy Report Template

Template Settings
Time Frame: None
Trend Duration: Last 90 days
Group By: Hosts
Status: Passed, Failed and Error
Criticality: UNDEFINED, MINIMAL, MEDIUM, SERIOUS, CRITICAL, URGENT
Control Statistics: Yes
Host Statistics: Yes
Show Report details: Yes
Show control rationale: Yes
Show hosts summary: Yes
Show control evidence: Yes
Show extended evidence (if applicable): Yes
Show control exceptions: Yes
Show exception history: Yes
Show cause of failure: No
Show control glossary: No
Show Appendix: Yes
Frameworks selected: All

CONFIDENTIAL AND PROPRIETARY INFORMATION.


Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is
complete or error-free. Copyright 2020, Qualys, Inc.
