CIS Benchmarks & Browser Hardening

CIS Benchmarks & Browser Hardening

Introduction

To begin you will need to download the appropriate benchmark PDF from CIS (Center for Internet Security), the first link at the bottom of this blog post. The Center for Internet Security develops and releases these free security benchmarks to security researchers and I.T. professionals in order to harden systems.

The following guide is incomplete, but was originally split up into 4 parts as LinkedIn posts. Additionally, the wording in the benchmark guide is intended for organizations and not necessarily individuals, however this is a great way to practice system hardening in a home-lab environment in order to understand how to gradually secure systems. The CIS website also has downloads for pre-built images of hardened operating systems (such as Windows & Linux). With that being said, manually hardening software & operating systems is great practice.

In the later parts of this blog post, I will be discussing the pros & cons of using Mozilla Firefox as opposed to the other popular browsers (Chrome, Edge, Brave & Safari), as well as the legitimacy of privacy-oriented browser extensions like uBlock Origin and Privacy Badger.

Other Preliminary Information

Level 1 (L1) Items in this writeup intend to: -be the starting baseline for most organizations; -be practical and prudent; -provide a clear security benefit; -not be a complete set of steps for remediation, but as a partial guide to security hardening; -not inhibit the utility of the technology beyond acceptable means.

This writeup describes how to enable locked preferences for Firefox. The files outlined in this section are used to configure most of the other recommendations listed in this benchmark. For this exercise we will be using Ubuntu 22.04.3 inside of a VM (Virtual Machine) using VirtualBox.

If you haven’t already downloaded the Mozilla Firefox browser you should do so. When Mozilla Firefox ESR is installed, the default directory for Ubuntu will be /usr/lib/firefox-esr. In Windows 11 the default directory will be C:\Program Files\Mozilla Firefox.

1.1 (L1) Create local-settings.js file

Description: The local-settings.js file is used by Firefox to reference and load the mozilla.cfg file which contains all the locked preferences.

Rationale: Loading a custom configuration file is a primary mechanism for setting and enforcing security requirements within Firefox.

Impact: None.

Audit: Perform the following procedure:

1. Type about:config in the address bar
2. Type app.update in the filter
3. Ensure the preferences listed are set to the values specified below: general.config.obscure_value=0 general.config.filename=mozilla.cfg

Remediation: Perform the following procedure:

1. Navigate to the defaults/pref directory inside the Firefox installation directory and create a file called local-settings.js.
2. Include the following lines in local-settings.js: pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");

1.2 (L1)Create mozilla.cfg file

Description: The mozilla.cfg file is used by Firefox to configure all the locked preferences.

Rationale: Loading a custom configuration file is a primary mechanism for setting and enforcing security requirements in Firefox.

Impact: None.

Audit: Perform the following procedure:

1. Navigate to the Firefox installation directory and ensure there is a file called mozilla.cfg.
2. Ensure the first line of the file is a comment: //

Remediation: Perform the following procedure:

1. Navigate to the Firefox installation directory and create a file called mozilla.cfg.
2. The first line of the file must be a comment: //

1.3 (L1) Protect Firefox Binaries

Description: Ensure that Firefox is installed and owned by an administrative account in order to protect the binaries and to prevent users from circumventing security settings.

Rationale: When Firefox is installed by an ordinary user, the software is installed into the user's profile / home directory. This avoids the requirement for administrative access during installation and upgrades, but also allows users to circumvent security settings defined in settings.js and mozilla.cfg files. Having the installation owned by an administrative user can also protect binary and configuration files from malware that is executed in an ordinary user's browser. Impact: Ordinary users will not be able to update or patch Firefox; only Administrators can perform upgrades.

Audit: Confirm that Firefox is not installed in any individual user profiles or home directories.

Remediation: Install Firefox into a shared location that can be accessed by users but modified only by Administrators.

1.4 (L1) Set permissions on local-settings.js

Description: Set permissions on local-settings.js so that it can only be modified or deleted by an Administrator. Rationale: Any users with the ability to modify the local-settings.js file can bypass all security configurations by changing the file or deleting it. Impact: Non-administrative users will not be able to write to the local-settings.js.

Audit: Ensure non-administrators do not possess the ability to write to local-settings.js.

Remediation: Deny non-administrators the ability to write to local-settings.js.

1.5 (L1) Set permissions on mozilla.cfg

Description: Set permissions on mozilla.cfg so that it can only be modified or deleted by an Administrator.

Rationale: Any users with the ability to modify the mozilla.cfg file can bypass all security configurations by changing the file or deleting it.

Impact: Non-administrative users will not be able to write to the mozilla.cfg file.

Audit: Ensure non-administrators do not possess the ability to write to mozilla.cfg.

Remediation: Deny non-administrators the ability to write to mozilla.cfg.

2.1 (L1) Enable Automatic Updates

Description: This setting configures Firefox to automatically download and install updates as they are made available.

Rationale: Security updates ensure that users are safe from known software bugs and vulnerabilities.

Impact: None - This is the default behavior.

Audit: Ensure that the following values are set to true:

• app.update.enabled
• app.update.auto
• app.update.staging.enabled
• Type about:config in the address bar
• Type app.update.enabled in the filter
• Ensure the setting is set as prescribed.
• Type app.update.auto in the filter
• Ensure the setting is set as prescribed.
• Type app.update.staging.enabled in the filter
• Ensure the setting is set as prescribed.

Remediation: To establish the recommended configuration, set the following values to true:

• app.update.enabled
• app.update.auto
• app.update.staging.enabled
• Type about:config in the address bar
• Type app.update.enabled in the filter
• Configure the setting as prescribed.
• Type app.update.auto in the filter
• Configure the setting as prescribed.
• Type app.update.staging.enabled in the filter
• Configure the setting as prescribed. OR
• Open the mozilla.cfg file in the installation directory with a text editor
• Add the following lines to mozilla.cfg: lockPref("app.update.enabled", true); lockPref("app.update.auto", true); lockPref("app.update.staging.enabled", true);

2.2 (L1) Set Search Provider Update Behavior

Description: This setting dictates whether Firefox will update installed search providers. Search providers allow the user to search directly from the "Search bar" which is adjacent to the URL bar.

Rationale: Software updates help ensure that users are safe from known software bugs and vulnerabilities.

Impact: None - This is the default behavior.

Audit: Ensure that browser.search.update is set to true:

1. Type about:config in the address bar
2. Type browser.search.update in the filter
3. Configure the setting as prescribed.

Remediation: To establish the recommended configuration, set browser.search.update to true:

1. Type about:config in the address bar
2. Type browser.search.update in the filter
3. Configure the setting as prescribed. OR
4. Open the mozilla.cfg file in the installation directory with a text editor
5. Add the following lines to mozilla.cfg: lockPref("browser.search.update", true);

2.3 (L1) Set Update Interval Time Checks

Description: This setting configures the amount of time the system waits in between each check for Updates.

Rationale: Frequent checks for updates will help mitigate vulnerabilities. Impact: app.update.enabled must be set to true for this preference to take effect.

Audit: Ensure that app.update.interval is set to 43200:

1. Type about:config in the address bar
2. Type app.update.interval in the filter
3. Configure the setting as prescribed.

Remediation: To establish the recommended configuration, set app.update.interval to 43200:

1. Type about:config in the address bar
2. Type app.update.interval in the filter
3. Configure the setting as prescribed. OR
4. Open the mozilla.cfg file in the installation directory with a text editor
5. Add the following lines to mozilla.cfg: lockPref("app.update.interval", 43200);

2.4 (L1) Set Update Wait Time Prompt

Description: This setting determines the amount of time, in seconds, which the system will wait before displaying the Software Update dialogue box (after an unobtrusive alert has already been shown).

Rationale: Encouraging the user to update software as soon as possible mitigates the risk that a system will be left vulnerable.

Impact: For this preference to have an effect app.update.enabled must be true.

Audit: Ensure that app.update.promptWaitTime is set to 172800:

1. Type about:config in the address bar
2. Type app.update.promptWaitTime in the filter
3. Configure the setting as prescribed.

Remediation: To establish the recommended configuration, set app.update.promptWaitTime to

1. 1. Type about:config in the address bar
2. 2. Type app.update.promptWaitTime in the filter
3. 3. Configure the setting as prescribed. OR
4. 1. Open the mozilla.cfg file in the installation directory a text editor
5. 2. Add the following lines to mozilla.cfg: lockPref("app.update.promptWaitTime");

Privacy Badger & uBlock Origin

Following security disclosures from Google's Security Team in 2020 regarding vulnerabilities in its local learning function - including a serious security flaw that could allow attackers to extract first-party cookie values and manipulate blocking behavior - Privacy Badger disabled local learning by default and now comes preloaded with tracker data from Badger Sett, an automated web crawler that visits thousands of popular sites in order to pretrain the browser extension.

uBlock Origin functions as a comprehensive content filtering extension that blocks network requests before they reach remote servers, using multiple filter lists that can be tuned according to user preference. Filter lists can be auto-updated in the settings, and users can also whitelist trusted websites that are exempt from content blocking. In my personal experience, I don’t think that I could ever use the internet without uBlock Origin. Most news websites are a horrifying mess without ads blocked, which also includes Youtube ads if you manage to set up auto updating for filter lists. Installing this extension is also a great idea for elderly and technologically inexperienced clients if you have freelance IT clients in need of hardened security without any of the useless, expensive and redundant bloatware that is being pushed on consumers (Antivirus and VPNs namely).

Academic research from Princeton University and the University of Chicago, published at The Web Conference 2020, independently verified that privacy-focused extensions like uBlock Origin not only improve user privacy but also enhance browsing performance by reducing page-load times, data transferred, and processor time. Data from the study contradicted false claims that blocking extensions like uBlock degraded browser performance.

Links:

CIS Benchmarks

Can you trust uBlock Origin?

Privacy Badger turns ‘local learning’ off by default following Google security warnings