StigData/Processed/FireFox-All-6.5.xml
<DISASTIG version="6" classification="UNCLASSIFIED" customname="" stigid="MOZ_Firefox_STIG" description="This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil." filename="U_MOZ_Firefox_STIG_V6R5_Manual-xccdf.xml" releaseinfo="Release: 5 Benchmark Date: 26 Jul 2023 3.4.0.34222 1.10.0" title="Mozilla Firefox Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="6.5" created="1/10/2024">
<ManualRule dscresourcemodule="None"> <Rule id="V-251545" severity="high" conversionstatus="pass" title="SRG-APP-000456" dscresource="None"> <Description><VulnDiscussion>Using versions of an application that are not supported by the vendor is not permitted. Vendors respond to security flaws with updates and patches. These updates are not available for unsupported versions, which can leave the application vulnerable to attack.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Run Firefox. Click the ellipsis button >> Help >> About Firefox, and view the version number. If the Firefox version is not a supported version, this is a finding.</RawString> </Rule> <Rule id="V-251547" severity="medium" conversionstatus="pass" title="SRG-APP-000177" dscresource="None"> <Description><VulnDiscussion>When a website asks for a certificate for user authentication, Firefox must be configured to have the user choose which certificate to present. Websites within DoD require user authentication for access, which increases security for DoD information. 
Access will be denied to the user if certificate management is not configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "security.default_personal_cert" is not displayed with a value of "Ask Every Time", this is a finding.</RawString> </Rule> <Rule id="V-251548" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="None"> <Description><VulnDiscussion>Updates must be controlled and installed from authorized and trusted servers. This setting overrides a number of other settings that may direct the application to access external URLs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. 
If "browser.search.update" is not displayed with a value of "false", this is a finding.</RawString> </Rule> <Rule id="V-251550" severity="medium" conversionstatus="pass" title="SRG-APP-000278" dscresource="None"> <Description><VulnDiscussion>Some files can be downloaded or executed without user interaction. This setting ensures these files are not downloaded and executed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:preferences" in the browser address bar. Type "Applications" in the Find bar in the upper-right corner. Determine if any of the following file extensions are listed: HTA, JSE, JS, MOCHA, SHS, VBE, VBS, SCT, WSC, FDF, XFDF, LSL, LSO, LSS, IQY, RQY, DOS, BAT, PS, EPS, WCH, WCM, WB1, WB3, WCH, WCM, AD. If the entry exists and the "Action" is "Save File" or "Always Ask", this is not a finding. If an extension exists and the entry in the Action column is associated with an application that does/can execute the code, this is a finding.</RawString> </Rule> <Rule id="V-251554" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="None"> <Description><VulnDiscussion>JavaScript can make changes to the browser's appearance. This activity can help disguise an attack taking place in a minimized background window. 
Configure the browser setting to prevent scripts on visited websites from moving and resizing browser windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "dom.disable_window_move_resize" is not displayed with a value of "true", this is a finding.</RawString> </Rule> <Rule id="V-251555" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="None"> <Description><VulnDiscussion>JavaScript can raise and lower browser windows to cause improper input. Configure the browser setting to prevent scripts on visited websites from raising and lowering browser windows.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. 
If "dom.disable_window_flip" is not displayed with a value of "true", this is a finding.</RawString> </Rule> <Rule id="V-251569" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="None"> <Description><VulnDiscussion>Tracking generally refers to content, cookies, or scripts that can collect browsing data across multiple sites. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. 
If "browser.contentblocking.category" is not displayed with a value of "strict", this is a finding.</RawString> </Rule> <Rule id="V-251570" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="None"> <Description><VulnDiscussion>The Recommended Extensions program makes it easier for users to discover extensions that have been reviewed for security, functionality, and user experience. Allowed extensions are to be centrally managed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <IsNullOrEmpty>False</IsNullOrEmpty> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "extensions.htmlaboutaddons.recommendations.enabled" is not displayed with a value of "false", this is a finding.</RawString> </Rule> </ManualRule> <RegistryRule dscresourcemodule="PSDscResources"> <Rule id="V-251546" severity="high" conversionstatus="pass" title="SRG-APP-000560" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Use of versions prior to TLS 1.2 is not permitted. SSL 2.0 and SSL 3.0 contain a number of security flaws. 
These versions must be disabled in compliance with the Network Infrastructure and Secure Remote Computing STIGs.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "SSLVersionMin" is not displayed under Policy Name or the Policy Value is not "tls1.2" or "tls1.3", this is a finding.</RawString> <ValueData>tls1.2</ValueData> <ValueName>SSLVersionMin</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-251549" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Set this to false to disable checking for updated versions of the Extensions/Themes. 
Automatic updates from untrusted sites put the enclave at risk of attack and may override security settings.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "ExtensionUpdate" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>ExtensionUpdate</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251551" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>To protect privacy and sensitive data, Firefox provides the ability to configure the program so that data entered into forms is not saved. 
This mitigates the risk of a website gleaning private information from prefilled information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "DisableFormHistory" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableFormHistory</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251552" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Firefox can be set to store passwords for sites visited by the user. These individual passwords are stored in a file and can be protected by a master password. Autofill of the password can then be enabled when the site is visited. 
This feature could also be used to autofill the certificate PIN, which could lead to compromise of DoD information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "PasswordManagerEnabled" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>PasswordManagerEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251553.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Pop-up windows may be used to launch an attack within a new browser window with altered settings. 
This setting blocks pop-up windows created while the page is loading.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Default" "true", this is a finding. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Locked" "true", this is a finding. "PopupBlocking" "Enabled" may be used to specify an allowlist of sites where pop-ups are desired; this is optional.</RawString> <ValueData>1</ValueData> <ValueName>Default</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251553.b" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Pop-up windows may be used to launch an attack within a new browser window with altered settings. 
This setting blocks pop-up windows created while the page is loading.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\PopupBlocking</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Default" "true", this is a finding. If "PopupBlocking" is not displayed under Policy Name or the Policy Value is not "Locked" "true", this is a finding. "PopupBlocking" "Enabled" may be used to specify an allowlist of sites where pop-ups are desired; this is optional.</RawString> <ValueData>1</ValueData> <ValueName>Locked</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251557" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>A browser extension is a program that has been installed into the browser to add functionality. Where a plug-in interacts only with a web page and usually a third-party external application (e.g., Flash, Adobe Reader), an extension interacts with the browser program itself. Extensions are not embedded in web pages and must be downloaded and installed in order to work. Extensions allow browsers to avoid restrictions that apply to web pages. 
For example, an extension can be written to combine data from multiple domains and present it when a certain page is accessed, which can be considered cross-site scripting. If a browser is configured to allow unrestricted use of extensions, plug-ins can be loaded and installed from malicious sources and used on the browser.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\InstallAddonsPermission</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "InstallAddonsPermission" is not displayed under Policy Name or the Policy Value is not "Default" "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Default</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251558" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Firefox by default sends information about Firefox to Mozilla servers. 
There should be no background submission of technical and other information from DoD computers to Mozilla with portions posted publicly.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "DisableTelemetry" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableTelemetry</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251559" severity="low" conversionstatus="pass" title="SRG-APP-000266" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Information needed by an attacker to begin looking for possible vulnerabilities in a web browser includes any information about the web browser and plug-ins or modules being used. When debugging or trace information is enabled in a production web browser, information about the web browser, such as web browser type, version, patches installed, plug-ins and modules installed, type of code being used by the hosted application, and any back ends being used for data storage may be displayed. 
Because this information may be placed in logs and general messages during normal operation of the web browser, an attacker does not have to cause an error condition to gain this information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "DisableDeveloperTools" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableDeveloperTools</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251560" severity="medium" conversionstatus="pass" title="SRG-APP-000175" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The DOD root certificates will ensure that the trust chain is established for server certificates issued from the DOD Certificate Authority (CA).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates</Key> <LegacyId> </LegacyId> 
<OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:preferences#privacy" in the browser window. Scroll down to the bottom and select "View Certificates...". In the Certificate Manager window, select the "Authorities" tab. Scroll through the Certificate Name list to the U.S. Government heading. Look for the entries for DOD Root CA 2, DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5. If there are entries for DOD Root CA 2, DOD Root CA 3, DOD Root CA 4, and DOD Root CA 5, select them individually. Click the "View" button. Verify the publishing organization is "US Government". If there are no entries for the appropriate DOD root certificates, this is a finding. If other AO-approved certificates are used, this is not a finding. If SIPRNet-specific certificates are used, this is not a finding. Note: In a Windows environment, use of policy setting "security.enterprise_roots.enabled=true" will point Firefox to the Windows Trusted Root Certification Authority Store. This is not a finding. It may also be set via the policy Certificates >> ImportEnterpriseRoots, which can be verified via "about:policies".</RawString> <ValueData>1</ValueData> <ValueName>ImportEnterpriseRoots</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251562" severity="medium" conversionstatus="pass" title="SRG-APP-000326" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>There should not be an option for a user to "forget" work they have done. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "DisableForgetButton" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableForgetButton</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251563" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Private browsing allows the user to browse the internet without recording their browsing history/activity. From a forensics perspective, this is unacceptable. 
Best practice requires that browser history is retained.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "DisablePrivateBrowsing" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisablePrivateBrowsing</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251564" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Search suggestions must be disabled as this could lead to searches being conducted that were never intended to be made.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. 
If "SearchSuggestEnabled" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>SearchSuggestEnabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251565" severity="low" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Autoplay allows the user to control whether videos can play automatically (without user consent) with audio content. The user must be able to select content that is run within the browser window.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Permissions\Autoplay</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "Permissions" is not displayed under Policy Name or the Policy Value is not "Autoplay" with a value of "Default" and "Block-audio-video", this is a finding.</RawString> <ValueData>block-audio-video</ValueData> <ValueName>Default</ValueName> <ValueType>String</ValueType> </Rule> <Rule id="V-251566" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>If network prediction is enabled, requests to URLs are made without user consent. 
The browser should always make a direct DNS request without prefetching occurring.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser window. If "NetworkPrediction" is not displayed under Policy Name or the Policy Value is not "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>NetworkPrediction</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251567" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists that Firefox is set to use, the fingerprinting script (or other tracking script/image) will not be loaded from that site. Fingerprinting scripts collect information about browser and device configuration, such as operating system, screen resolution, and other settings. 
By compiling these pieces of data, fingerprinters create a unique profile that can be used to track the user around the web.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\EnableTrackingProtection</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "EnableTrackingProtection" is not displayed under Policy Name or the Policy Value is not "Fingerprinting" with a value of "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>Fingerprinting</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251568" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The Content Blocking/Tracking Protection feature stops Firefox from loading content from malicious sites. The content might be a script or an image, for example. If a site is on one of the tracker lists that Firefox is set to use, the fingerprinting script (or other tracking script/image) will not be loaded from that site. 
Cryptomining scripts use a computer's central processing unit to invisibly mine cryptocurrency.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\EnableTrackingProtection</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "EnableTrackingProtection" is not displayed under Policy Name or the Policy Value is not "Cryptomining" with a value of "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>Cryptomining</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251571" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>A weak cipher is defined as an encryption/decryption algorithm that uses a key of insufficient length. 
Using an insufficient length for a key in an encryption/decryption algorithm opens up the possibility (or probability) that the encryption scheme could be broken.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DisabledCiphers</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "DisabledCiphers" is not displayed under Policy Name or the Policy Value is not "TLS_RSA_WITH_3DES_EDE_CBC_SHA" with a value of "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>TLS_RSA_WITH_3DES_EDE_CBC_SHA</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251572" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The Recommended Extensions program recommends extensions to users as they surf the web. The user must not be encouraged to install extensions from the websites they visit. 
Allowed extensions are to be centrally managed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\UserMessaging</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "UserMessaging" is not displayed under Policy Name or the Policy Value is not "ExtensionRecommendations" with a value of "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>ExtensionRecommendations</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Highlights</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.b" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>Locked</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.c" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Pocket</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.d" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Search</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.e" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Snippets</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.f" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>SponsoredPocket</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.g" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>SponsoredTopSites</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251573.h" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>The New Tab page by default shows a list of built-in top sites, as well as the top sites the user has visited. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled. 
The new tab page must not actively show user activity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\FirefoxHome</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Search" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "TopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredTopSites" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Pocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "SponsoredPocket" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Highlights" with a value of "false", this is a finding. If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Snippets" with a value of "false", this is a finding. 
If "FirefoxHome" is not displayed under Policy Name or the Policy Value does not have "Locked" with a value of "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>TopSites</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251577" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>DNS over HTTPS has generally not been adopted in the DoD. DNS is tightly controlled. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include, but are not limited to, advertising software or browser plug-ins not related to requirements or providing a wide array of functionality not required for every mission, but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. 
If "DNSOverHTTPS" is not displayed under Policy Name or the Policy Value does not have "Enabled" with a value of "false", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251578" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Disable Firefox Accounts integration (Sync). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. 
If "DisableFirefoxAccounts" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableFirefoxAccounts</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251580" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Disable the menus for reporting sites (Submit Feedback, Report Deceptive Site). It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. 
If "DisableFeedbackCommands" is not displayed under Policy Name or the Policy Value is not "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableFeedbackCommands</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251581.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Enable or disable Encrypted Media Extensions and optionally lock it. If "Enabled" is set to "false", Firefox does not download encrypted media extensions (such as Widevine) unless the user consents to installing them. If "Locked" is set to "true" and "Enabled" is set to "false", Firefox will not download encrypted media extensions (such as Widevine) or ask the user to install them. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). 
Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\EncryptedMediaExtensions</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "EncryptedMediaExtensions" is not displayed under Policy Name or the Policy Value does not have "Enabled" set to "false" or the Policy Value does not have "Locked" set to "true", this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Enabled</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-251581.b" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Enable or disable Encrypted Media Extensions and optionally lock it. If "Enabled" is set to "false", Firefox does not download encrypted media extensions (such as Widevine) unless the user consents to installing them. If "Locked" is set to "true" and "Enabled" is set to "false", Firefox will not download encrypted media extensions (such as Widevine) or ask the user to install them. It is detrimental for applications to provide, or install by default, functionality exceeding requirements or mission objectives. 
These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors. Applications are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Examples of non-essential capabilities include but are not limited to advertising software or browser plug-ins that are not related to requirements or provide a wide array of functionality not required for every mission but that cannot be disabled.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\EncryptedMediaExtensions</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "EncryptedMediaExtensions" is not displayed under Policy Name or the Policy Value does not have "Enabled" set to "false" or the Policy Value does not have "Locked" set to "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>Locked</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.a" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Cache</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.b" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Cookies</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.c" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Downloads</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.d" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>FormData</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.e" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>History</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.f" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>Locked</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.g" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>OfflineApps</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.h" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>Sessions</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252881.i" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>For diagnostic purposes, data must remain behind when the browser is closed. 
This is required to meet non-repudiation controls.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\SanitizeOnShutdown</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "SanitizeOnShutdown" is not displayed under Policy Name or the Policy Value does not have {"Cache":false,"Cookies":false,"Downloads":false,"FormData":false,"Sessions":false,"History":false,"OfflineApps":false,"SiteSettings":false,"Locked":true}, this is a finding.</RawString> <ValueData>0</ValueData> <ValueName>SiteSettings</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252908" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Pocket, previously known as Read It Later, is a social bookmarking service for storing, sharing, and discovering web bookmarks. 
Data gathering cloud services such as this are generally disabled in the DoD.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "DisablePocket" is not displayed under Policy Name or the Policy Value does not have a value of "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisablePocket</ValueName> <ValueType>Dword</ValueType> </Rule> <Rule id="V-252909" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile"> <Description><VulnDiscussion>Studies try out different features and ideas before they are released to all Firefox users. 
Testing beta software is not in the DoD user's mission.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls></Description> <DuplicateOf /> <Ensure>Present</Ensure> <IsNullOrEmpty>False</IsNullOrEmpty> <Key>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox</Key> <LegacyId> </LegacyId> <OrganizationValueRequired>False</OrganizationValueRequired> <OrganizationValueTestString /> <RawString>Type "about:policies" in the browser address bar. If "DisableFirefoxStudies" is not displayed under Policy Name or the Policy Value does not have a value of "true", this is a finding.</RawString> <ValueData>1</ValueData> <ValueName>DisableFirefoxStudies</ValueName> <ValueType>Dword</ValueType> </Rule> </RegistryRule> </DISASTIG>