Hardening Firefox

Sorry if this has been posted before, I searched and could not find anything.

For the Paranoid. Hardening Firefox is easy, at least for the firewall part.

Firewall settings

Open Comodo, Firewall Tab —> Network Security Policy —> Find Firefox.exe

You do not need to add DNS rules if you have the DNS Client running.

http://i.imgur.com/jqaob.jpg

Note: Replace 8.8.8.8 with your DNS server IP. If you need to add more DNS servers, just copy the same rule with different DNS IPs.

If you are using Avast Web Shield, the rules are different.

http://i.imgur.com/IdE2X.jpg

Note: HTTPS (port 443) connections are not redirected through Avast Web Shield by default. You can either add a rule for Firefox or modify the Avast options to redirect port 443 through Avast Web Shield.

If you want Avast to redirect port 443 through Avast Web Shield: open Avast, click on Settings, then Troubleshooting → Redirection Settings → HTTP ports → add [,443].

http://i.imgur.com/UgdVE.jpg

If you do not want Avast to redirect port 443, add a new rule for Firefox: Allow TCP OUT to any IP on port 443.

Do as you like

Def + Settings

Custom Firefox settings, it's not hard.

Open Comodo —> Defense + tab —> Computer Security Policy

Click on Firefox —> click on “Use Custom Policy” —> Click on Customize

"Run an executable" —> Tick Allow

"Processes' Termination" —> Tick Allow

If you're paranoid and do not mind sacrificing something for higher restrictions: "Run an executable" and "Processes' Termination" —> Tick Block and exclude

Firefox.exe
Plugin-container.exe
Crashreporter.exe

Doing this, you won't be able to open any downloaded file directly from Firefox. You can click "Open containing folder" and open the file.

“DNS Client Service” —> Tick Allow

Protected File/Folders —> Tick Block then Exclude

In the Allowed list Click on “Add” then Find Windows Socket Interface

Then copy and paste the rest

\Global??\FltMgrMsg
\Device\KsecDD
\Device\Afd\AsyncConnectHlp
\Device\NamedPipe\lsarpc

For Flash Player EDIT THIS
C:\Users\(Add login user name)\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer*

If you are using Avast add

\Device\aswSP
\Device\aswSnx

Protected COM Interfaces —> Tick Block then click exclude

In the Allow list add

\RPC Control\spoolss

Spoolss is for the printer. If you do not have a printer, you can block it.

Protected Registry Key —> Tick Block and exclude

HKUS\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell

You can still block it. Firefox runs fine.

“Interprocess Memory Accesses” → Tick block

NOTE: Firefox attempts to access system memory and explorer.exe. So far blocking them has no effect on Firefox. Everything works fine.

“Windows/WinEvent Hooks” —> Tick block

“Device Driver Installation” —> Tick block

“Physical Memory” —> Tick Block

“Computer Monitor” —> Tick block

“Disk” —> Tick block

“Keyboard” → Tick block

Plugin container

“Interprocess Memory Accesses” → Tick block and exclude
Firefox.exe

Protected COM Interfaces —> Tick Block then click exclude

In the Allow list add

C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe

\RPC Control\spoolss

Protected Registry Key —> Tick Block and exclude

HKUS\S-1-5-21-4010442249-2642201270-4137566514-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings*

Protected File/Folders —> Tick Block then Exclude
They're the same as for Firefox.exe

In the Allowed list Click on "Add" then Find Windows Socket Interface

Then copy and paste the rest

\Global??\FltMgrMsg
\Device\KsecDD
\Device\Afd\AsyncConnectHlp
\Device\NamedPipe\lsarpc

For Flash Player EDIT THIS
C:\Users\(Add login user name)\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer*

If you are using Avast add

\Device\aswSP
\Device\aswSnx

Only Shockwave Flash and Foxit Reader have been tested. I haven't tested QT, Silverlight, etc.
If you find any issues or a conflict with other antivirus, please post it. If you know which COM, Reg or File entries to add, then please post them.

Plugins

For ADs
Adblock Plus

Element Hider helper for Adblock
https://addons.mozilla.org/en-US/firefox/addon/elemhidehelper/

Cookie Monster

Flash cookies
Better Privacy
https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
Or visit
Adobe - Flash Player : Settings Manager - Global Storage Settings Panel

Untick both boxes (LSO and Third party) and tick "never ask again".
Warning: it might break stuff; otherwise just use Better Privacy to control LSOs.

TrackerBlock
https://addons.mozilla.org/en-US/firefox/addon/trackerblock/
Ghostery

Plugin Toggler
https://addons.mozilla.org/en-US/firefox/addon/plugins-toggler/

NoScript

Request Policy
https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

Learn how to use both. Most of the time you will just need to allow one site through Request Policy and sites load fine.

Web of Trust

Certificate Patrol
https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

Browser Protect
https://addons.mozilla.org/en-US/firefox/addon/browserprotect/

FoxyProxy

User-Agent
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

HTTP-Ref
https://addons.mozilla.org/en-US/firefox/addon/refcontrol/

Clean up
https://addons.mozilla.org/en-US/firefox/addon/ecleaner/
ShowIP
https://addons.mozilla.org/en-US/firefox/addon/showip/

A couple of points.

  1. If you’re not using Avast, you will need to allow a complete range of non-privileged ports for loopback.
  2. Unless you’ve disabled the DNS Client service, all DNS queries are handled by svchost.exe
  3. plugin-container.exe allows some types of plugin - flash, silverlight, QT etc - to run in a separate process, so if that plugin fails, it doesn’t terminate the whole browser. If you want to prevent this behaviour:

Open Firefox, type about:config in the address bar, find dom.ipc.plugins.enabled.* and change the value to false.

  4. Not sure why you’ve included verclsid.exe?
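The about:config step in point 3, automated as an added example (not code from the thread or from Mozilla): it parses a Firefox prefs.js, finds the master dom.ipc.plugins.enabled pref and every per-plugin dom.ipc.plugins.enabled.* pref, and emits user.js lines that force them all to false. The prefs.js content below is constructed; a real one lives in the Firefox profile folder, where Firefox also reads user.js at startup and applies it on top of prefs.js.

```python
import re

# Matches one line of Firefox prefs.js / user.js:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')

# Constructed sample of a plugin-container era prefs.js (not taken from a real profile)
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("dom.ipc.plugins.enabled", true);
user_pref("dom.ipc.plugins.enabled.npswf32.dll", true);
user_pref("dom.ipc.plugins.enabled.npqtplugin.dll", false);
user_pref("network.dns.disableIPv6", true);
"""


def parse_prefs(text):
    """Return {pref_name: raw_value_literal} for every user_pref line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def plugin_ipc_overrides(prefs, prefix="dom.ipc.plugins.enabled"):
    """Build the overrides: the master pref plus each dom.ipc.plugins.enabled.<plugin> pref -> false."""
    overrides = {name: "false" for name in prefs
                 if name == prefix or name.startswith(prefix + ".")}
    overrides.setdefault(prefix, "false")  # add the master pref even if prefs.js never listed it
    return overrides


def render_user_js(overrides):
    """Emit user.js text; Firefox re-applies user.js on every startup, so the override sticks."""
    return "".join(f'user_pref("{k}", {v});\n' for k, v in sorted(overrides.items()))


if __name__ == "__main__":
    print(render_user_js(plugin_ipc_overrides(parse_prefs(SAMPLE_PREFS_JS))), end="")
```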

Thanks for the points.

Not sure why you've included verclsid.exe?

Firefox launches verclsid.exe when saving a webpage for the first time.

Disabling the Firefox DNS Client Service and letting svchost handle DNS will slow down Firefox.

Why would you need to allow a complete range of non-privileged ports? I thought only ports 80 and 8080 (browsing) and 443 for SSL were required.

Verclsid.exe is used for class id instantiation and although there were some known issues running under XP, it’s a fairly inconsequential process.

Disabling the Firefox DNS Client Service and letting svchost handle DNS will slow down Firefox.

I think you missed the point. If the DNS Client service is running, which it is by default, Firefox will never use its DNS rule, as svchost performs DNS resolution on behalf of all processes.

Why would you need to allow a complete range of non-privileged ports? I thought only ports 80 and 8080 (browsing) and 443 for SSL were required.

I was referring to loopback.

Verclsid.exe is used for class id instantiation and although there were some known issues running under XP, it's a fairly inconsequential process.

Blocked, has no effect so far.

I think you missed the point. If the DNS Client service is running, which it is by default, Firefox will never use its DNS rule, as svchost performs DNS resolution on behalf of all processes.

I have always blocked svchost, it's evil. I disabled the Windows DNS Client service. Is Firefox DNS caching better than the DNS Client or are they both the same?

Unfortunately, svchost is a necessary process for the majority, without this you won’t be able to use DHCP, so unless you have a static address, you won’t be able to connect to the Internet. You won’t be able to use windows updates or keep your clock synchronised. If you use UPnP for something like port forwarding, it will fail, if svchost is blocked, etc. etc.

The default firewall Application rules allow svchost and a range of other services outbound connectivity by default, so unless you’ve changed this behaviour, it’s still happening.

If you disable the DNS Client service, you disable the local DNS cache. Essentially, this means that for every DNS request, a separate request will be made to your name server of choice. You will also need to ensure you have a DNS rule for every process that requires Network/Internet access.

Controlling svchost is not difficult, it just takes a little thought. For a long time now people have been requesting additional support for controlling this process, but even without this, rules can be created to limit its ability.