Despite its recent spate of security vulnerabilities, the Mozilla-based Firefox browser appears to be as popular as ever. While the browser's growth has somewhat slowed, Firefox continues to gain on Microsoft's Internet Explorer.
Firefox's default installation is actually pretty secure. However, the number of Firefox users continues to increase, and such popularity often spells more attention from attackers. With so many people using Firefox, it's a good idea to add a standard layer of security to better protect your organization's users.
Let's walk through Firefox's Options window (which you can access by going to Tools | Options) and look at some tweaks you can make to boost the security of the browser. Keep in mind that all of these suggested settings assume that the user login is for a single user and not shared among multiple users.
The Options window has five sections: General, Privacy, Web Features, Downloads, and Advanced. Because the General section focuses more on the browser's look and feel, we'll skip this one and start with Privacy, which controls what the browser remembers about your activity.
- History: This setting is self-explanatory. All you need to do is set it to a reasonable number of days. The default is nine days.
- Saved Form Information: This is a handy feature for all single-user profiles; it lets the browser remember what you've typed in the past and automatically make suggestions. It's safe to enable the feature.
- Saved Passwords: This setting is more of a gray area. You tell users to remember passwords—should you allow their browsers to remember passwords as well? I recommend allowing this feature and setting the master password for workstations that don't leave your company area. If the system is a laptop, deselect the Remember Passwords option. That way, if someone steals the machine and accesses the account, the thief won't have access to every saved password a user has stored.
- Download Manager History: There's no need to keep track of all of your downloads, so I suggest setting it to Remove Files From The Download Manager When Firefox Exits.
- Cookies: This is a hotly debated subject. I recommend selecting Allow Sites To Set Cookies and choosing For The Originating Web Site Only. In addition, select the Until I Close Firefox option for how long the browser should store the cookies. With this last option, cookies only help you browse while you're using the machine, but they don't provide endless browsing habit information to cookie vendors.
- Cache: For this setting, decide on a reasonable amount of disk space.
Next is the Web Features section, which governs what content sites may push into the browser.
- Block Popup Windows: I suggest selecting this check box—it's a feature every browser should have.
- Allow Web Sites To Install Software: Go ahead and select this check box. When you allow a site to install software, Firefox will add it to the Allowed Sites list.
- Load Images: Select both this check box and the For The Originating Web Site Only check box. You can always go back and specifically allow or block individual sites.
- Enable Java: Select this check box.
The Downloads section covers how the browser handles files it retrieves.
- Download Folder: I suggest creating a Downloads folder for storing all of your downloads. This makes it easier to scan your downloads once you're finished.
- Download Manager: I recommend selecting both check boxes: Show Download Manager Window When A Download Begins and Close The Download Manager When All Downloads Are Complete.
- File Types: I wouldn't allow any Microsoft product to perform any action automatically—that's likely one of the reasons you're using the Firefox browser.
Finally, the Advanced section holds the update and encryption settings.
- Accessibility, Browsing, and Tabbed Browsing: All three areas are functional and involve no security issues.
- Software Update: Select the Firefox check box, which allows the browser to update itself. I recommend leaving the My Extensions And Themes check box deselected so that extensions and themes are not updated automatically.
- Security: To provide maximum cross-site functionality, I suggest selecting all three check boxes: Use SSL 2.0, Use SSL 3.0, and Use TLS 1.0.
- Certificates: Under Client Certificate Selection, select the Ask Every Time option, which focuses user attention on the start of a secure session.
- Validation: Under OCSP (Online Certificate Status Protocol), select the Use OCSP To Validate Only Certificates That Specify An OCSP Service URL option.
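These choices are all made by clicking through the Options window, but every one of them is stored as a line in the profile's prefs.js, and a user.js placed in the same profile directory re-applies its values on each start. The following Python script is an added example, not part of the original article or of Firefox itself: it parses a prefs.js, reports which explicit settings have drifted from the checklist above, and generates a user.js that pins the recommended values (with the laptop variant turning off saved passwords). The preference names are assumptions mapping the Firefox 1.x Options labels onto the prefs of that era; the sample prefs.js content is constructed.

```python
import re

# Assumed mapping of the article's Options-window choices onto the preference
# names Firefox 1.x wrote to prefs.js (prefs.js records only non-default values).
RECOMMENDED = {
    "browser.history_expire_days": 9,            # History: nine days
    "browser.formfill.enable": True,             # Saved Form Information: on
    "browser.download.manager.retention": 1,     # Remove downloads when Firefox exits
    "network.cookie.cookieBehavior": 1,          # Cookies: originating web site only
    "network.cookie.lifetimePolicy": 2,          # Cookies: until I close Firefox
    "dom.disable_open_during_load": True,        # Block Popup Windows
    "xpinstall.enabled": True,                   # Allow Web Sites To Install Software
    "permissions.default.image": 3,              # Load Images: originating site only
    "security.enable_java": True,                # Enable Java
    "browser.download.manager.showWhenStarting": True,
    "browser.download.manager.closeWhenDone": True,
    "security.enable_ssl2": True,                # Security: the article enables all three
    "security.enable_ssl3": True,
    "security.enable_tls": True,
    "security.default_personal_cert": "Ask Every Time",  # Client Certificate Selection
    "security.OCSP.enabled": 1,                  # OCSP only for certs with a service URL
}

# Built-in defaults the audit must know, because an absent line means "default".
DEFAULTS = {"signon.rememberSignons": True}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_value(raw):
    """Convert a prefs.js literal (true/false, integer or "string") to Python."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(prefs, laptop=False):
    """List (pref, found, recommended) for every explicit setting that deviates.

    Absent preferences are left alone (they sit at the built-in default),
    except the laptop password rule, whose default is the value to avoid.
    """
    findings = []
    for name, want in RECOMMENDED.items():
        if name in prefs and prefs[name] != want:
            findings.append((name, prefs[name], want))
    if laptop:
        found = prefs.get("signon.rememberSignons", DEFAULTS["signon.rememberSignons"])
        if found is not False:
            findings.append(("signon.rememberSignons", found, False))
    return findings


def render_user_js(laptop=False):
    """Emit a user.js that pins the recommended values on every browser start."""
    settings = dict(RECOMMENDED)
    if laptop:
        settings["signon.rememberSignons"] = False
    lines = ["// user.js generated from the hardening checklist"]
    for name, value in sorted(settings.items()):
        if isinstance(value, bool):          # bool before int: bool is an int subclass
            literal = "true" if value else "false"
        elif isinstance(value, int):
            literal = str(value)
        else:
            literal = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        lines.append('user_pref("%s", %s);' % (name, literal))
    return "\n".join(lines) + "\n"


# Constructed sample of a prefs.js from a workstation that drifted from the checklist.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.history_expire_days", 90);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("dom.disable_open_during_load", false);
user_pref("security.default_personal_cert", "Select Automatically");
user_pref("browser.cache.disk.capacity", 50000);
"""

if __name__ == "__main__":
    for pref, found, want in audit(parse_prefs(SAMPLE_PREFS_JS), laptop=True):
        print("%-40s found=%r recommended=%r" % (pref, found, want))
    print(render_user_js(laptop=True))
```

Run against the constructed sample, the audit flags the 90-day history, the allow-all cookie policy, the disabled popup blocker, the automatic client-certificate selection and, for a laptop, the still-enabled password manager; the cache size is not on the checklist, so it passes. Because prefs.js only records values that differ from the build's defaults, the audit deliberately treats a missing line as "at default" rather than as a failure, which is why the one default the article wants changed on laptops is spelled out in DEFAULTS.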
After running through all of these various Firefox settings, you might be wondering how to deal with security zones, browser helper objects (BHOs), and ActiveX. Don't worry: These are Microsoft inventions that support Microsoft products. As long as you use Firefox, they won't bother you anymore.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.