StigData/Archive/browser/U_Mozilla_Firefox_STIG_V5R2_Manual-xccdf.xml

<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="Mozilla_Firefox_STIG" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2021-06-09">accepted</status><title>Mozilla Firefox Security Technical Implementation Guide</title><description>This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. 
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.</description><notice id="terms-of-use" xml:lang="en"></notice><front-matter xml:lang="en"></front-matter><rear-matter xml:lang="en"></rear-matter><reference href="https://cyber.mil"><dc:publisher>DISA</dc:publisher><dc:source>STIG.DOD.MIL</dc:source></reference><plain-text id="release-info">Release: 2 Benchmark Date: 23 Jul 2021</plain-text><plain-text id="generator">3.2.2.36079</plain-text><plain-text id="conventionsVersion">1.10.0</plain-text><version>5</version><Profile id="MAC-1_Classified"><title>I - Mission Critical Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-1_Public"><title>I - Mission Critical 
Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-1_Sensitive"><title>I - Mission Critical Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select 
idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-2_Classified"><title>II - Mission Support Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-2_Public"><title>II - Mission Support 
Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-2_Sensitive"><title>II - Mission Support Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select 
idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-3_Classified"><title>III - Administrative Classified</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-3_Public"><title>III - Administrative 
Public</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Profile id="MAC-3_Sensitive"><title>III - Administrative Sensitive</title><description>&lt;ProfileDescription&gt;&lt;/ProfileDescription&gt;</description><select idref="V-223151" selected="true" /><select idref="V-223152" selected="true" /><select idref="V-223153" selected="true" /><select idref="V-223154" selected="true" /><select idref="V-223155" selected="true" /><select idref="V-223156" selected="true" /><select idref="V-223157" selected="true" /><select idref="V-223158" selected="true" /><select idref="V-223159" selected="true" /><select idref="V-223160" selected="true" /><select idref="V-223161" selected="true" /><select idref="V-223162" selected="true" /><select idref="V-223163" selected="true" /><select 
idref="V-223164" selected="true" /><select idref="V-223165" selected="true" /><select idref="V-223166" selected="true" /><select idref="V-223167" selected="true" /><select idref="V-223168" selected="true" /><select idref="V-223169" selected="true" /><select idref="V-223170" selected="true" /><select idref="V-223171" selected="true" /><select idref="V-223172" selected="true" /><select idref="V-223173" selected="true" /><select idref="V-223174" selected="true" /><select idref="V-223175" selected="true" /><select idref="V-223177" selected="true" /><select idref="V-223179" selected="true" /></Profile><Group id="V-223151"><title>SRG-APP-000516</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223151r612236_rule" weight="10.0" severity="high"><version>DTBF003</version><title>Installed version of Firefox unsupported.</title><description>&lt;VulnDiscussion&gt;Use of versions of an application which are not supported by the vendor are not permitted. Vendors respond to security flaws with updates and patches. 
These updates are not available for unsupported version which can leave the application vulnerable to attack.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-19509</ident><ident system="http://cyber.mil/legacy">V-17988</ident><ident system="http://cyber.mil/cci">CCI-000366</ident><fixtext fixref="F-24812r531271_fix">Upgrade the version of the browser to an approved version by obtaining software from the vendor or other trusted source.</fixtext><fix id="F-24812r531271_fix" /><check system="C-24824r531270_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Method 1: View the following registry key:
HKLM\Software\Mozilla\Mozilla Firefox\CurrentVersion
 
Method 2: Run Firefox. Click the ellipsis button &gt;&gt; Help &gt;&gt; About Firefox, and view the version number.
 
Criteria: If the Firefox version is not a supported version, this is a finding.</check-content></check></Rule></Group><Group id="V-223152"><title>SRG-APP-000560</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223152r612236_rule" weight="10.0" severity="medium"><version>DTBF030</version><title>Firefox must be configured to allow only TLS.</title><description>&lt;VulnDiscussion&gt;Use of versions prior to TLS 1.1 are not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16925</ident><ident system="http://cyber.mil/legacy">V-15983</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-24813r531274_fix">Configure the following parameters using the Mozilla.cfg file:
 
LockPref "security.tls.version.min" is set to "2".
LockPref "security.tls.version.max" is set to "4".</fixtext><fix id="F-24813r531274_fix" /><check system="C-24825r531273_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:config" in the address bar.
 
Verify Preference Name "security.tls.version.min" is set to the value "2" and locked.
Verify Preference Name "security.tls.version.max" is set to the value "4" and locked.
 
Criteria: If the parameters are set incorrectly, this is a finding.
 
If the settings are not locked, this is a finding.</check-content></check></Rule></Group><Group id="V-223153"><title>SRG-APP-000177</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223153r612236_rule" weight="10.0" severity="medium"><version>DTBF050</version><title>FireFox is configured to ask which certificate to present to a web site when a certificate is required.</title><description>&lt;VulnDiscussion&gt;When a web site asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DOD require user authentication for access which increases security for DoD information. Access will be denied to the user if certificate management is not configured.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16707</ident><ident system="http://cyber.mil/legacy">V-15768</ident><ident system="http://cyber.mil/cci">CCI-000187</ident><fixtext fixref="F-24814r531277_fix">Set the value of "security.default_personal_cert" to "Ask Every Time". Use the Mozilla.cfg file to lock the preference so users cannot change it.
 
</fixtext><fix id="F-24814r531277_fix" /><check system="C-24826r531276_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser address bar. Verify Preference Name "security.default_personal_cert" is set to "Ask Every Time" and is locked to prevent the user from altering.
 
Criteria: If the value of "security.default_personal_cert" is set incorrectly or is not locked, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223154"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223154r612236_rule" weight="10.0" severity="medium"><version>DTBF085</version><title>Firefox automatically checks for updated version of installed Search plugins.</title><description>&lt;VulnDiscussion&gt;Updates need to be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings which may direct the application to access external URLs.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-21890</ident><ident system="http://cyber.mil/legacy">V-19744</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24815r531280_fix">Ensure the preference "browser.search.update" is set and locked to the value of "False".</fixtext><fix id="F-24815r531280_fix" /><check system="C-24827r531279_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser window. Verify the preference "browser.search.update" is set to "false" and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223155"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223155r612236_rule" weight="10.0" severity="medium"><version>DTBF090</version><title>Firefox automatically updates installed add-ons and plugins.</title><description>&lt;VulnDiscussion&gt;Set this to false to disable checking for updated versions of the Extensions/Themes. Automatic updates from untrusted sites puts the enclave at risk of attack and may override security settings.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-59603</ident><ident system="http://cyber.mil/legacy">V-19742</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24816r531283_fix">Set the preference “extensions.update.enabled” value to "false" and lock using the Mozilla.cfg file.
</fixtext><fix id="F-24816r531283_fix" /><check system="C-24828r531282_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser window. Verify the preference "extensions.update.enabled" is set to "false" and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If this setting is not locked, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223156"><title>SRG-APP-000278</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223156r612236_rule" weight="10.0" severity="medium"><version>DTBF100</version><title>Firefox automatically executes or downloads MIME types which are not authorized for auto-download.</title><description>&lt;VulnDiscussion&gt;The default action for file types for which a plugin is installed is to automatically download and execute the file using the associated plugin. Firefox allows you to change the specified download action so that the file is opened with a selected external application or saved to disk instead. View the list of installed browser plugins and related MIME types by entering about:plugins in the address bar.
 
When you click a link to download a file, the MIME type determines what action Firefox will take. You may already have a plugin installed that will automatically handle the download, such as Windows Media Player or QuickTime. Other times, you may see a dialog asking whether you want to save the file or open it with a specific application. When you tell Firefox to open or save the file and also check the option to "Do this automatically for files like this from now on", an entry appears for that type of file in the Firefox Applications panel, shown below.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16709</ident><ident system="http://cyber.mil/legacy">V-15770</ident><ident system="http://cyber.mil/cci">CCI-001242</ident><fixtext fixref="F-24817r531286_fix">Remove any unauthorized extensions from the autodownload list. </fixtext><fix id="F-24817r531286_fix" /><check system="C-24829r531285_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Use Method 1 or 2 to check if the following extensions are listed in the browser configuration: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC. By default, most of these extensions will not show up on the Firefox listing.
 
Criteria:
 
Method 1: In about:plugins, Installed plug-in, inspect the entries in the Suffixes column.
 
If any of the prohibited extensions are found, then for each of them, verify that it is not associated with an application that executes code. However, applications such as Notepad.exe that do not execute code may be associated with the extension. If the extension is associated with an unauthorized application, then this is a finding.
 
If the extension exists but is not associated with an application, then this is a finding.
 
Method 2:
Use the Options User Interface Applications menu to search for the prohibited extensions in the Content column of the table.
 
If an extension that is not approved for automatic execution exists and the entry in the Action column is associated with an application that does not execute the code (e.g., Notepad), then do not mark this as a finding.
 
If the entry exists and the "Action" is 'Save File' or 'Always Ask', then this is not a finding.
  
If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223157"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223157r612236_rule" weight="10.0" severity="medium"><version>DTBF105</version><title>Network shell protocol is enabled in FireFox.</title><description>&lt;VulnDiscussion&gt;Although current versions of Firefox have this set to disabled by default, use of this option can be harmful. This would allow the browser to access the Windows shell. This could allow access to the
underlying system. This check verifies that the default setting has not been changed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16710</ident><ident system="http://cyber.mil/legacy">V-15771</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24818r531289_fix">Procedure: Set the value of "network.protocol-handler.external.shell" to "false" and lock using the Mozilla.cfg file.</fixtext><fix id="F-24818r531289_fix" /><check system="C-24830r531288_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Procedure: Open a browser window, type "about:config" in the address bar.
 
Criteria: If the value of "network.protocol-handler.external.shell" is not "false" or is not locked, then this is a finding. </check-content></check></Rule></Group><Group id="V-223158"><title>SRG-APP-000279</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223158r612236_rule" weight="10.0" severity="medium"><version>DTBF110</version><title>Firefox is not configured to prompt a user before downloading and opening required file types.</title><description>&lt;VulnDiscussion&gt;New file types cannot be added directly to the helper applications or plugins listing. Files with these extensions will not be allowed to use Firefox publicly available plugins and extensions to open. The application will be configured to open these files using external applications only. After a helper application or save to disk download action has been set, that action will be taken automatically for those types of files. When the user receives a dialog box asking if you want to save the file or open it with a specified application, this indicates that a plugin does not exist. The user has not previously selected a download action or helper application to automatically use for that type of file. When prompted, if the user checks the option to Do this automatically for files like this from now on, then an entry will appear for that type of file in the plugins listing and this file type is automatically opened in the future. This can be a security issue. New file types cannot be added directly to the Application plugin listing. 
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16711</ident><ident system="http://cyber.mil/legacy">V-15772</ident><ident system="http://cyber.mil/cci">CCI-001243</ident><fixtext fixref="F-24819r531292_fix">Ensure the following extensions are not automatically opened by Firefox without user confirmation. Do not use plugins and add-ons to open these files.
Use the "plugin.disable_full_page_plugin_for_types" preference to set and lock the following extensions so that an external application, rather than an add-on or plugin, will be used to open them:
PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.</fixtext><fix id="F-24819r531292_fix" /><check system="C-24831r531291_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:config" in the address bar.
Criteria: If the “plugin.disable_full_page_plugin_for_types” value is not set to include the following extensions, or is not locked, this is a finding:
PDF, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, XLK, XLS, XLT, POT, PPS, PPT, DOS, DOT, WKS, BAT, PS, EPS, WCH, WCM, WB1, WB3, RTF, DOC, MDB, MDE, WBK, WB1, WCH, WCM, AD, ADP.</check-content></check></Rule></Group><Group id="V-223159"><title>SRG-APP-000210</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223159r612236_rule" weight="10.0" severity="medium"><version>DTBF120</version><title>FireFox plug-in for ActiveX controls is installed.</title><description>&lt;VulnDiscussion&gt;When an ActiveX control is referenced in an HTML document, MS Windows checks to see if
the control already resides on the client machine. If not, the control can be downloaded from a
remote web site. This provides an automated delivery method for mobile code.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16712</ident><ident system="http://cyber.mil/legacy">V-15773</ident><ident system="http://cyber.mil/cci">CCI-001170</ident><fixtext fixref="F-24820r531295_fix">Remove/uninstall the Mozilla ActiveX plugin </fixtext><fix id="F-24820r531295_fix" /><check system="C-24832r531294_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:plugins" in the address bar.
 
Criteria: If the Mozilla ActiveX control and plugin support is present and enabled, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223160"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223160r612236_rule" weight="10.0" severity="medium"><version>DTBF140</version><title>Firefox formfill assistance option is disabled.</title><description>&lt;VulnDiscussion&gt;In order to protect privacy and sensitive data, Firefox provides the ability to configure Firefox such that data entered into forms is not saved. This mitigates the risk of a website gleaning private information from prefilled information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16713</ident><ident system="http://cyber.mil/legacy">V-15774</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24821r531298_fix">Ensure the preference “browser.formfill.enable" is set and locked to the value of “false”.</fixtext><fix id="F-24821r531298_fix" /><check system="C-24833r531297_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “browser.formfill.enable" is set to “false” and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223161"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223161r612236_rule" weight="10.0" severity="medium"><version>DTBF150</version><title>Firefox is configured to autofill passwords.</title><description>&lt;VulnDiscussion&gt;While on the internet, it may be possible for an attacker to view the saved password files and gain access to the user's accounts on various hosts. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16714</ident><ident system="http://cyber.mil/legacy">V-15775</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24822r531301_fix">Ensure the preference "signon.autofillForms" is set and locked to the value of “false”.</fixtext><fix id="F-24822r531301_fix" /><check system="C-24834r531300_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “signon.autofillForms“ is set to “false” and locked.
Criteria: If the parameter is set incorrectly, this is a finding.
If the setting is not locked, this is a finding.</check-content></check></Rule></Group><Group id="V-223162"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223162r612236_rule" weight="10.0" severity="medium"><version>DTBF160</version><title>FireFox is configured to use a password store with or without a master password.</title><description>&lt;VulnDiscussion&gt;Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. This feature could also be used to autofill the certificate pin which could lead to compromise of DoD information.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16715</ident><ident system="http://cyber.mil/legacy">V-15776</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24823r531304_fix">Ensure the preference “signon.rememberSignons“ is set and locked to the value of “false”.</fixtext><fix id="F-24823r531304_fix" /><check system="C-24835r531303_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the browser window. 
Verify that the preference name "signon.rememberSignons" is set and locked to "false".
 
Criteria: If the parameter is set incorrectly, then this is a finding.
 
If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223163"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223163r612236_rule" weight="10.0" severity="medium"><version>DTBF180</version><title>FireFox is not configured to block pop-up windows.</title><description>&lt;VulnDiscussion&gt;Popup windows may be used to launch an attack within a new browser window with altered settings. This setting blocks popup windows created while the page is loading.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16717</ident><ident system="http://cyber.mil/legacy">V-15778</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24824r531307_fix">Ensure the preference "dom.disable_window_open_feature.status" is set and locked to the value of "true".</fixtext><fix id="F-24824r531307_fix" /><check system="C-24836r531306_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name "dom.disable_window_open_feature.status" is set to "true" and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223164"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223164r612236_rule" weight="10.0" severity="medium"><version>DTBF181</version><title>FireFox is configured to allow JavaScript to move or resize windows.
</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browser’s appearance. This activity can help disguise an attack taking place in a minimized background window. Set browser setting to prevent scripts on visited websites from moving and resizing browser windows. &lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16718</ident><ident system="http://cyber.mil/legacy">V-15779</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24825r531310_fix">Ensure the preference "dom.disable_window_move_resize" is set and locked to the value of “true”.</fixtext><fix id="F-24825r531310_fix" /><check system="C-24837r531309_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “dom.disable_window_move_resize" is set and locked to “true”.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.
</check-content></check></Rule></Group><Group id="V-223165"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223165r612236_rule" weight="10.0" severity="medium"><version>DTBF182</version><title>Firefox is configured to allow JavaScript to raise or lower windows.</title><description>&lt;VulnDiscussion&gt;JavaScript can make changes to the browser’s appearance. Allowing a website to use JavaScript to raise and lower browser windows may disguise an attack. Browser windows may not be set as active via JavaScript.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16927</ident><ident system="http://cyber.mil/legacy">V-15985</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24826r531313_fix">Ensure the preference "dom.disable_window_flip" is set and locked to the value of “true”.</fixtext><fix id="F-24826r531313_fix" /><check system="C-24838r531312_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>In About:Config, verify that the preference name “dom.disable_window_flip" is set and locked to “true”.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223166"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223166r612236_rule" weight="10.0" severity="medium"><version>DTBF183</version><title>Firefox is configured to allow JavaScript to disable or replace context menus.</title><description>&lt;VulnDiscussion&gt;A context menu (also known as a pop-up menu) is often used in a graphical user interface (GUI) and appears upon user interaction (e.g., a right mouse click). A context menu offers a limited set of choices that are available in the current state, or context, of the operating system or application. A website may execute JavaScript that can make changes to these context menus. This can help disguise an attack. Set this preference to "false" so that webpages will not be able to affect the context menu event.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-16928</ident><ident system="http://cyber.mil/legacy">V-15986</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24827r531316_fix">Ensure the preferences "dom.event.contextmenu.enabled" is set 
and locked to "false".</fixtext><fix id="F-24827r531316_fix" /><check system="C-24839r531315_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar of the browser.
 
Verify that the preference "dom.event.contextmenu.enabled" is set and locked to "false".
 
Criteria: If the parameter is set incorrectly, then this is a finding.
 
If the setting is not locked, this is a finding.</check-content></check></Rule></Group><Group id="V-223167"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223167r754409_rule" weight="10.0" severity="medium"><version>DTBF186</version><title>Extensions install must be disabled.</title><description>&lt;VulnDiscussion&gt;A browser extension is a program that has been installed into the browser which adds functionality to it. Where a plug-in interacts only with a web page and usually a third party external application (Flash, Adobe Reader) an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions which apply to web pages. For example, an extension can be written to combine data from multiple domains and present it when a certain page is accessed which can be considered Cross Site Scripting. 
If a browser is configured to allow unrestricted use of extension then plug-ins can be loaded and installed from malicious sources and used on the browser.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-79381</ident><ident system="http://cyber.mil/legacy">V-64891</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24828r531319_fix">Set the preference “xpinstall.enabled” to “false” and lock using the “mozilla.cfg” file. The “mozilla.cfg” file may need to be created if it does not already exist.</fixtext><fix id="F-24828r531319_fix" /><check system="C-24840r754408_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Open a browser window, type "about:config" in the address bar, then navigate to the setting for Preference Name "xpinstall.enabled" and set the value to “false” and locked.
 
Criteria: If the value of “xpinstall.enabled” is “false” and the value is locked, this is not a finding.
 
If the SA can show that “DisableSystemAddonUpdate” policy is used instead, and set to “1”, this is not a finding.
</check-content></check></Rule></Group><Group id="V-223168"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223168r612236_rule" weight="10.0" severity="medium"><version>DTBF190</version><title>Background submission of information to Mozilla must be disabled.</title><description>&lt;VulnDiscussion&gt;There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publically.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-93759</ident><ident system="http://cyber.mil/legacy">V-79053</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24829r531322_fix">Ensure the preferences "datareporting.policy.dataSubmissionEnabled" is set and locked to "false".</fixtext><fix id="F-24829r531322_fix" /><check system="C-24841r531321_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar of the browser.
Verify that the preference "datareporting.policy.dataSubmissionEnabled" is set and locked to "false". Otherwise, this is a finding.</check-content></check></Rule></Group><Group id="V-223169"><title>SRG-APP-000266</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223169r754411_rule" weight="10.0" severity="low"><version>DTBF195</version><title>Firefox Development Tools Must Be Disabled.</title><description>&lt;VulnDiscussion&gt;While the risk associated with browser development tools is more related to the proper design of a web application, a risk vector remains within the browser. The developer tools allow end users and application developers to view and edit all types of web application related data via the browser. Page elements, source code, javascript, API calls, application data, etc. may all be viewed and potentially manipulated. Manipulation could be useful for troubleshooting legitimate issues, and this may be performed in a development environment. 
Manipulation could also be malicious and must be addressed.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-106633</ident><ident system="http://cyber.mil/legacy">V-97529</ident><ident system="http://cyber.mil/cci">CCI-001312</ident><fixtext fixref="F-24830r754410_fix">Set the value of "devtools.policy.disabled" to "true" using the Mozilla.cfg file. </fixtext><fix id="F-24830r754410_fix" /><check system="C-24842r531324_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Procedure: Open a browser window, type "about:config" in the address bar.
 
Criteria: If the value of "devtools.policy.disabled" is not "true", then this is a finding.</check-content></check></Rule></Group><Group id="V-223170"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223170r612236_rule" weight="10.0" severity="medium"><version>DTBF200</version><title>Telemetry must be disabled.</title><description>&lt;VulnDiscussion&gt;The Telemetry feature provides this capability by sending performance and usage info to Mozilla. As you use Firefox, Telemetry measures and collects non-personal information, such as performance, hardware, usage and customizations. It then sends this information to Mozilla on a daily basis and we use it to improve Firefox.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111837</ident><ident system="http://cyber.mil/legacy">V-102875</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24831r531328_fix">Ensure the preference “toolkit.telemetry.enabled" is set and locked to the value of “false”.</fixtext><fix id="F-24831r531328_fix" /><check system="C-24843r531327_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name 
"toolkit.telemetry.enabled" is set to "false" and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223171"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223171r612236_rule" weight="10.0" severity="medium"><version>DTBF205</version><title>Telemetry archive must be disabled.</title><description>&lt;VulnDiscussion&gt;The Telemetry feature provides this capability by sending performance and usage info to Mozilla. As you use Firefox, Telemetry measures and collects non-personal information, such as performance, hardware, usage and customizations. It then sends this information to Mozilla on a daily basis and we use it to improve Firefox.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111839</ident><ident system="http://cyber.mil/legacy">V-102877</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24832r531331_fix">Ensure the preference “toolkit.telemetry.archive.enabled" is set and locked to the value of “false”.</fixtext><fix id="F-24832r531331_fix" /><check system="C-24844r531330_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address 
bar, verify that the preference name "toolkit.telemetry.archive.enabled" is set to "false" and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223172"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223172r612236_rule" weight="10.0" severity="medium"><version>DTBF210</version><title>Fingerprinting protection must be enabled.</title><description>&lt;VulnDiscussion&gt;The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists you set Firefox to use, then the fingerprinting script (or other tracking script/image) will not be loaded from that site.
 
Fingerprinting scripts collect information about your browser and device configuration, such as your operating system, screen resolution, and other settings. By compiling these pieces of data, fingerprinters create a unique profile of you that can be used to track you around the Web.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111841</ident><ident system="http://cyber.mil/legacy">V-102879</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24833r531334_fix">Ensure the preference “privacy.trackingprotection.fingerprinting.enabled" is set and locked to the value of “true”.</fixtext><fix id="F-24833r531334_fix" /><check system="C-24845r531333_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “privacy.trackingprotection.fingerprinting.enabled" is set to “true” and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223173"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223173r612236_rule" weight="10.0" severity="medium"><version>DTBF215</version><title>Cryptomining protection must be enabled.</title><description>&lt;VulnDiscussion&gt;The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists you set Firefox to use, then the fingerprinting script (or other tracking script/image) will not be loaded from that site.
 
Cryptomining scripts use your computer’s central processing unit (CPU) to invisibly mine cryptocurrency.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111843</ident><ident system="http://cyber.mil/legacy">V-102881</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24834r531337_fix">Ensure the preference “privacy.trackingprotection.cryptomining.enabled" is set and locked to the value of “true”.</fixtext><fix id="F-24834r531337_fix" /><check system="C-24846r531336_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “privacy.trackingprotection.cryptomining.enabled" is set to “true” and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223174"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223174r612236_rule" weight="10.0" severity="medium"><version>DTBF220</version><title>Enhanced Tracking Protection must be enabled.</title><description>&lt;VulnDiscussion&gt;Tracking generally refers to content, cookies, or scripts that can collect your browsing data across multiple sites.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111845</ident><ident system="http://cyber.mil/legacy">V-102883</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24835r531340_fix">Ensure the preference “browser.contentblocking.category" is set and locked to the value of “strict”.</fixtext><fix id="F-24835r531340_fix" /><check system="C-24847r531339_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “browser.contentblocking.category" is set to “strict” and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223175"><title>SRG-APP-000141</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223175r612236_rule" weight="10.0" severity="medium"><version>DTBF225</version><title>Extension recommendations must be disabled.</title><description>&lt;VulnDiscussion&gt;The Recommended Extensions program will make it easier for users to discover extensions that have been reviewed for security, functionality, and user experience.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111847</ident><ident system="http://cyber.mil/legacy">V-102885</ident><ident system="http://cyber.mil/cci">CCI-000381</ident><fixtext fixref="F-24836r531343_fix">Ensure the preference “extensions.htmlaboutaddons.recommendations.enabled" is set and locked to the value of “false”.</fixtext><fix id="F-24836r531343_fix" /><check system="C-24848r531342_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name “extensions.htmlaboutaddons.recommendations.enabled" is set to “false” and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223177"><title>SRG-APP-000560</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223177r612236_rule" weight="10.0" severity="medium"><version>DTBF235</version><title>Deprecated ciphers must be disabled.</title><description>&lt;VulnDiscussion&gt;A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-111851</ident><ident system="http://cyber.mil/legacy">V-102889</ident><ident system="http://cyber.mil/cci">CCI-001453</ident><fixtext fixref="F-24838r531349_fix">Ensure the preference “security.ssl3.rsa_des_ede3_sha" is set and locked to the value of “false”.</fixtext><fix id="F-24838r531349_fix" /><check system="C-24850r531348_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Type "about:config" in the address bar, verify that the preference name 
"security.ssl3.rsa_des_ede3_sha" is set to "false" and locked.
 
Criteria: If the parameter is set incorrectly, then this is a finding. If the setting is not locked, then this is a finding.</check-content></check></Rule></Group><Group id="V-223179"><title>SRG-APP-000175</title><description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description><Rule id="SV-223179r612236_rule" weight="10.0" severity="medium"><version>DTBG010</version><title>The DOD Root Certificate is not installed.</title><description>&lt;VulnDiscussion&gt;The DOD root certificate will ensure that the trust chain is established for server certificate issued from the DOD CA.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</description><reference><dc:title>DPMS Target Mozilla Firefox</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Mozilla Firefox</dc:subject><dc:identifier>4097</dc:identifier></reference><ident system="http://cyber.mil/legacy">SV-33373</ident><ident system="http://cyber.mil/legacy">V-6318</ident><ident system="http://cyber.mil/cci">CCI-000185</ident><fixtext fixref="F-24840r531354_fix">Install the DOD root certificates.</fixtext><fix id="F-24840r531354_fix" /><check system="C-24852r531353_chk"><check-content-ref href="Mozilla_Firefox_STIG.xml" name="M" /><check-content>Navigate to Tools &gt;&gt; Options &gt;&gt; Advanced &gt;&gt; Certificates tab &gt;&gt; View Certificates button. On the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. 
Look for the entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4.
 
If there are entries for DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, select them individually.
 
Click the "View" button.
 
Verify the publishing organization is "US Government."
 
If there are no entries for the DoD Root CA 2, DoD Root CA 3, and DoD Root CA 4, this is a finding.
 
Note: In a Windows environment, use of the policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store, so Firefox trusts the root certificates installed there; this is not a finding.</check-content></check></Rule></Group></Benchmark>