Mozilla Firefox STIG Security Checklist
Medium · 20 items · 2 hours
testuser · Published 1 month ago
This checklist distills the Mozilla Firefox STIG (Version 6, Rel 6) into practical steps for securing Firefox in managed Windows environments. It’s for IT admins, security engineers, and desktop support teams who need to apply, test, and maintain STIG-aligned Firefox configurations across an organization.
- Download the official DISA Firefox STIG and SCAP 1.3 content — Get XCCDF/SCAP, GPO, Intune, and SCC resources from DISA before starting.
- Validate XCCDF/SCAP files and correct ID spacing issues — Replace spaces in XML id attributes with underscores to pass XCCDF validation.
- Test STIG settings in a representative lab environment — Verify functionality and compatibility before rolling changes to users.
- Apply the STIG using available automation (SCC, SCAP, GPO, Intune) — Choose the automation path that matches your environment and deploy policy packages.
- Enforce automatic updates and patch management — Configure Firefox enterprise policies, GPO, or Intune to keep builds current.
- Harden TLS and certificate validation
- Disable TLS 1.0 and TLS 1.1 — Ensure only modern protocol versions are allowed.
- Enable and prefer TLS 1.2 and TLS 1.3 — Verify cipher preferences and protocol negotiation are secure.
- Enable strict certificate revocation checks (OCSP/CRL) — Require revocation checking to reduce risk from compromised certs.
- Disable telemetry, data reporting, and health pings — Turn off telemetry and health-report features in enterprise policy.
- Disable telemetry collection features — Block data submission and studies in managed configuration.
- Disable Firefox Health Report and automated data uploads — Prevent periodic health data from leaving managed devices.
- Disable remote debugging and remote developer features — Turn off remote debugging, devtools remote connections, and related prefs.
- Restrict extensions to approved add-ons and block unsigned installs — Use policies to allow-list approved extensions and prevent unapproved installs.
- Configure cookie and privacy settings to block third-party tracking — Set strict cookie policies and limit cross-site tracking.
- Disable password autofill and control password manager behavior — Force use of approved enterprise credential manager if required.
- Enable pop-up blocking and block mixed (HTTP/HTTPS) content — Prevent insecure mixed content and unwanted pop-ups by policy.
- Set homepage, new-tab, and search defaults to approved organizational values — Enforce approved start pages and search providers via enterprise policy.
- Document applied STIG changes and assign a point of contact — Record configurations, dates, and responsible admins for audits.
- Schedule regular audits and update STIG resources (GPOs, SCC, Intune) — Re-check configuration against DISA updates and apply revised resources.
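As an added example that is not part of this checklist or of DISA's or Mozilla's resources, the PowerShell script below writes a Firefox enterprise policies.json covering the update, TLS, telemetry, developer-tools, extension, cookie, password, pop-up, homepage, revocation and mixed-content items above, then reads it back to confirm the file parsed. The install path, add-on ID, install URL and homepage URL are placeholders; the policy keys are the documented Firefox enterprise policy names, and SearchEngines is omitted because that policy only applies to ESR builds.

```powershell
# Added example (not DISA or Mozilla content): write a STIG-aligned Firefox policies.json and verify it. Run elevated.
$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'   # placeholder: adjust to your install path
$distDir    = Join-Path $firefoxDir 'distribution'
$policyFile = Join-Path $distDir 'policies.json'
$policies = @{
  policies = @{
    # Updates: keep builds current and do not let users switch updates off
    AppAutoUpdate    = $true
    DisableAppUpdate = $false
    # TLS: only 1.2 and 1.3, no click-through on invalid certificates
    SSLVersionMin = 'tls1.2'
    SSLVersionMax = 'tls1.3'
    DisableSecurityBypass = @{ InvalidCertificate = $true; SafeBrowsing = $true }
    # Telemetry, health report and studies
    DisableTelemetry      = $true
    DisableFirefoxStudies = $true
    # Developer tools (removes the remote-debugging surface as well)
    DisableDeveloperTools = $true
    # Extensions: block everything except the approved list
    ExtensionSettings = @{
      '*' = @{ installation_mode = 'blocked' }
      'approved-addon@example.org' = @{   # placeholder add-on ID
        installation_mode = 'force_installed'
        install_url = 'https://addons.example.org/approved-addon.xpi'   # placeholder URL
      }
    }
    # Cookies, tracking, passwords, pop-ups
    Cookies                  = @{ Behavior = 'reject-foreign'; Locked = $true }
    EnableTrackingProtection = @{ Value = $true; Locked = $true }
    PasswordManagerEnabled   = $false
    PopupBlocking            = @{ Default = $true; Locked = $true }
    # Approved start page (placeholder URL)
    Homepage = @{ URL = 'https://intranet.example'; Locked = $true; StartPage = 'homepage' }
    # Locked prefs: require OCSP revocation checks and block passive mixed content
    Preferences = @{
      'security.OCSP.enabled' = @{ Value = 1;     Status = 'locked' }
      'security.OCSP.require' = @{ Value = $true; Status = 'locked' }
      'security.mixed_content.block_display_content' = @{ Value = $true; Status = 'locked' }
    }
  }
}
New-Item -ItemType Directory -Path $distDir -Force | Out-Null
$json = $policies | ConvertTo-Json -Depth 6
[System.IO.File]::WriteAllText($policyFile, $json, (New-Object System.Text.UTF8Encoding $false))   # UTF-8, no BOM
$applied = (Get-Content $policyFile -Raw | ConvertFrom-Json).policies   # read back and check key settings
if ($applied.SSLVersionMin -ne 'tls1.2' -or -not $applied.DisableTelemetry) {
  throw "policies.json did not contain the expected settings"
}
```

After restarting Firefox, about:policies lists every key that was applied and flags any it rejected, which is the quickest check before rolling the same settings out through GPO or Intune.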