simeononsecurity / Windows-Optimize-Harden-Debloat

Enhance the security and privacy of your Windows 10 and Windows 11 deployments with our fully optimized, hardened, and debloated script. Adhere to industry best practices and Department of Defense STIG/SRG requirements for optimal performance and security.
https://simeononsecurity.com/github/optimizing-and-hardening-windows10-deployments/
MIT License
1.19k stars, 84 forks

Mozilla Firefox policy errors #63

Closed ghost closed 1 year ago

ghost commented 1 year ago

Describe the bug After running this script, Firefox reports errors for the applied policies.

Here is a screenshot of the policy errors: [screenshot of the Firefox policy errors]

github-actions[bot] commented 1 year ago

Message that will be displayed on users' first issue

ghost commented 1 year ago

Sorry, I totally forgot to mention which Windows version and Firefox version I'm running.

[screenshot of the Windows and Firefox version]

simeononsecurity commented 1 year ago

I'm curious to know if it is because of the locale of your browser. We will take a look. Thanks for reporting!

simeononsecurity commented 1 year ago

We believe we've identified the errors. We're testing now and should have a new update soon.

@BoxedLight

In the meantime, please run the following to clear your local GPO policies and then reboot your system.

# Run from an elevated PowerShell prompt. This wipes every locally applied
# policy key and the local GPO store, not only the Firefox ones.
# Get-ChildItem is left non-recursive: Remove-Item -Recurse deletes each
# top-level key with its children, so a recursive listing would feed it
# paths that are already gone.
Get-ChildItem -Path "HKLM:\SOFTWARE\Policies" | Remove-Item -Force -Recurse
Get-ChildItem -Path "HKCU:\SOFTWARE\Policies" | Remove-Item -Force -Recurse
# The GroupPolicy folder is hidden, so -Force is needed to enumerate it.
Get-ChildItem -Path "$env:windir\System32\GroupPolicy" -Force | Remove-Item -Force -Recurse
gpupdate /force

Alternatively, you can restore to the system restore point that our script takes prior to making changes.

ghost commented 1 year ago

Ah, okay then. I was about to test your script on a different system with English as main language. Also, I noticed that DNS over HTTPS keeps turning itself off after each Firefox restart. I've looked into the policy registry and saw that your script sets the registry key at "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS" DWORD "Enabled" to "1".

I'm not sure if I'm interpreting it correctly. Is your script supposed to enable DoH or disable it? Because by looking at the registry key I assume it's supposed to enable DoH.

I guess I could fall back to Windows' network settings and add my own DNS there. I am just wondering why in Firefox DoH keeps turning off after restart.

simeononsecurity commented 1 year ago

> Ah, okay then. I was about to test your script on a different system with English as main language. Also, I noticed that DNS over HTTPS keeps turning itself off after each Firefox restart. I've looked into the policy registry and saw that your script sets the registry key at "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS" DWORD "Enabled" to "1".
>
> I'm not sure if I'm interpreting it correctly. Is your script supposed to enable DoH or disable it? Because by looking at the registry key I assume it's supposed to enable DoH.
>
> I guess I could fall back to Windows' network settings and add my own DNS there. I am just wondering why in Firefox DoH keeps turning off after restart.

Yeah, the script implements enterprise guidelines. You should be using system DNS and not browser DNS. Additionally, we implement the DoD STIGs, which mandate that setting. If you want DNS/TLS or DNS/HTTPS, and you should, doing it in browser isn't suggested. For enterprises it's because they want to be able to see where you're going. But for everyone else, it's just better to have it run on a system level than just your browser.
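For anyone following the maintainer's advice to move DoH from the browser to the OS resolver, here is an added PowerShell example (not code from the project's script) that reads what the Firefox DoH policy key currently says and then configures system-level DoH on Windows 11 / Server 2022. Assumptions: the `DnsClient` cmdlets (`Get/Add-DnsClientDohServerAddress`, `Set-DnsClientServerAddress`) are available on the build; the resolver address and template are placeholders to replace with your own; and the `DoHPolicy` value mapping (1 = prohibit, 2 = allow, 3 = require) follows the DNS Client ADMX and should be checked in gpedit before you rely on it.

```powershell
# Added example, not part of Windows-Optimize-Harden-Debloat.
# Requires an elevated prompt.

function Get-FirefoxDohPolicy {
    # The Firefox ADMX writes DoH settings under this key (the one the
    # reporter looked at). Enabled/Locked are DWORDs, ProviderURL a string.
    $key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS'
    if (-not (Test-Path $key)) { return $null }
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled     = [bool]$v.Enabled      # 1 = Firefox performs its own DoH
        Locked      = [bool]$v.Locked       # 1 = user cannot change it in about:preferences
        ProviderURL = $v.ProviderURL
    }
}

function Set-SystemDoh {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,   # placeholder: your resolver IP
        [Parameter(Mandatory)][string]$DohTemplate,     # placeholder: its DoH template URL
        [string]$InterfaceAlias = 'Ethernet'            # assumption: adjust to your NIC
    )

    # 1. Register the resolver in the known DoH server list so the Windows
    #    DNS client upgrades queries to it to HTTPS and never falls back to UDP.
    if (-not (Get-DnsClientDohServerAddress -ServerAddress $ServerAddress -ErrorAction SilentlyContinue)) {
        Add-DnsClientDohServerAddress -ServerAddress $ServerAddress `
            -DohTemplate $DohTemplate -AllowFallbackToUdp $false -AutoUpgrade $true
    }

    # 2. Point the interface at that resolver.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $ServerAddress

    # 3. Require DoH system-wide through the DNS Client policy
    #    (assumption: DoHPolicy 3 = "Require DoH" per the ADMX).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name 'DoHPolicy' -Value 3 -Type DWord

    # Return the registered entry so the caller can verify DohTemplate/AutoUpgrade.
    Get-DnsClientDohServerAddress -ServerAddress $ServerAddress
}

# Usage
"Firefox DoH policy: $(Get-FirefoxDohPolicy | Out-String)"
Set-SystemDoh -ServerAddress '1.1.1.1' -DohTemplate 'https://cloudflare-dns.com/dns-query' |
    Format-List ServerAddress, DohTemplate, AllowFallbackToUdp, AutoUpgrade
```

After this, `Resolve-DnsName` traffic from the whole system goes over HTTPS regardless of what any single browser does, which is the point the maintainer is making; Firefox with its DoH policy disabled simply uses the OS resolver.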

simeononsecurity commented 1 year ago

Just finished testing the changes. I believe we've fixed them all. @BoxedLight Give us a little to update this repo and we'll @ you again when it's done. We have to update multiple repos with these changes.

simeononsecurity commented 1 year ago

@BoxedLight https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat/commit/411b18090d48085704aeba7cbcfaabed74e9197d Fixes have been made. Please run the script again.

ghost commented 1 year ago

I ran the PowerShell one-liner (iwr -useb 'https://simeononsecurity.ch/scripts/windowsoptimizeandharden.ps1'|iex).

This time I used a different system with english as main language and Windows 11 Enterprise edition.

Unfortunately, the errors regarding group policies still remain.


ghost commented 1 year ago

The other group policies work just fine in Firefox. So I don't know what happened there. On both Windows 11 Pro and Enterprise it's a complete clean install. I ran your script as soon as Windows was done installing itself and the drivers.


simeononsecurity commented 1 year ago

Yeah @BoxedLight I've cleared out all of those urls in the policies already in the linked changes. So that means that you've still got some configurations in your firefox policies file.

Write-Host "Reversing the FireFox STIGs changes" -ForegroundColor Green

# Remove the Firefox configuration files from the Program Files directories.
# Note: this deletes the whole "defaults" folder, including Firefox's own
# defaults\pref, which is why a reinstall may be needed afterwards.
$firefox64 = "C:\Program Files\Mozilla Firefox"
$firefox32 = "C:\Program Files (x86)\Mozilla Firefox"

If (Test-Path -Path $firefox64) {
    Remove-Item -Path "$firefox64\defaults" -Force -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path "$firefox64\mozilla.cfg" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$firefox64\local-settings.js" -Force -ErrorAction SilentlyContinue
    Write-Host "Firefox 64-Bit Configurations Removed" -ForegroundColor Green
}
Else {
    Write-Host "FireFox 64-Bit Is Not Installed" -ForegroundColor Red
}

If (Test-Path -Path $firefox32) {
    Remove-Item -Path "$firefox32\defaults" -Force -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path "$firefox32\mozilla.cfg" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$firefox32\local-settings.js" -Force -ErrorAction SilentlyContinue
    Write-Host "Firefox 32-Bit Configurations Removed" -ForegroundColor Green
}
Else {
    Write-Host "FireFox 32-Bit Is Not Installed" -ForegroundColor Red
}

This should clear it up, but you may have to uninstall Firefox and reinstall it as well.

ghost commented 1 year ago

Good to know then. I've looked into the browser extensions that your script was enforcing. HTTPS Everywhere seems to have been taken down from the Mozilla extension store. "https://addons.mozilla.org/firefox/downloads/file/3574076/https_everywhere-2020.5.20-an+fx.xpi" just points to a blank page.

With Cookie Autodelete and History Autodelete, I think the problem is the version number.

I edited the registry keys for both extensions to the most recent version number and after opening Firefox, it installed the 2 extensions without problems and the errors regarding the extensions were gone.

So for Cookie Autodelete and History Autodelete I think you have to update the version number in the XPI-URL. As for HTTPS Everywhere... well. The URL points to a blank page and searching for it on addons.mozilla.org returned nothing. I guess HTTPS Everywhere is gone for good then.

simeononsecurity commented 1 year ago

Yes @BoxedLight I've already handled that in the updates. Your box just didn't get it. Try the script I added above to clear those Firefox policies and rerun the script.

simeononsecurity commented 1 year ago

That stuff is handled in this file primarily

https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat/blob/master/Files/FireFox%20Configuration%20Files/distribution/policies.json

simeononsecurity commented 1 year ago

There is overlap with the gpos. But the way I understand it is that these config files overrule those options. But I did make the appropriate changes there as well.
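Two things in this thread are worth being able to check mechanically: the extension errors came from `ExtensionSettings` install URLs pinned to a specific AMO file ID that no longer resolved (the HTTPS Everywhere and Cookie/History AutoDelete entries), and the same policies can be set both in the registry (via the GPOs) and in `distribution\policies.json`, with the file winning. The PowerShell below is an added example, not code from the project, that parses a `policies.json`, flags pinned `install_url`s, lists the policy names present under the Firefox registry policy key, and reports the overlap. Assumptions: the sample `policies.json` is constructed for this demo (the pinned URL is the one quoted in the thread, the `latest/<slug>/latest.xpi` form is AMO's always-latest download URL, and the extension IDs and the `cookie-autodelete` slug are illustrative); the registry path is the standard Firefox policy key.

```powershell
# Added example, not part of Windows-Optimize-Harden-Debloat.

$regPolicyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'

# Constructed sample policies.json: one extension pinned to a file ID
# (the pattern that went stale in this thread), one using the latest URL.
$samplePolicies = @'
{
  "policies": {
    "DNSOverHTTPS": { "Enabled": false, "Locked": true },
    "DisableTelemetry": true,
    "ExtensionSettings": {
      "pinned-example@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/file/3574076/https_everywhere-2020.5.20-an+fx.xpi"
      },
      "latest-example@example.com": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/cookie-autodelete/latest.xpi"
      }
    }
  }
}
'@

function Test-PinnedXpiUrl {
    param([string]$Url)
    # .../downloads/file/<numeric id>/<name>.xpi names one uploaded build;
    # once that file is pulled from AMO the URL stops resolving and the
    # force_installed policy errors in about:policies.
    return $Url -match '/downloads/file/\d+/'
}

function Get-FirefoxPolicyInventory {
    param(
        [Parameter(Mandatory)][string]$PoliciesJsonPath,
        [string]$RegistryKey = $regPolicyKey
    )
    $result = [ordered]@{
        JsonPolicies     = @()
        RegistryPolicies = @()
        Overlap          = @()
        PinnedExtensions = @()
    }

    if (Test-Path $PoliciesJsonPath) {
        $json = Get-Content -Raw -Path $PoliciesJsonPath | ConvertFrom-Json
        $result.JsonPolicies = @($json.policies.PSObject.Properties.Name)
        $ext = $json.policies.ExtensionSettings
        if ($ext) {
            foreach ($p in $ext.PSObject.Properties) {
                if ($p.Name -eq '*') { continue }   # the wildcard entry has no install_url
                $url = $p.Value.install_url
                if ($url -and (Test-PinnedXpiUrl $url)) {
                    $result.PinnedExtensions += [pscustomobject]@{ Id = $p.Name; InstallUrl = $url }
                }
            }
        }
    }

    if (Test-Path $RegistryKey) {
        # ADMX-applied policies appear as values (e.g. DisableTelemetry) or
        # subkeys (e.g. DNSOverHTTPS\Enabled) directly under this key.
        $key = Get-Item -Path $RegistryKey
        $result.RegistryPolicies = @($key.GetValueNames()) + @($key.GetSubKeyNames())
    }

    # Names set in both places: policies.json takes precedence over the GPO value,
    # so a registry change alone will not show up in about:policies.
    $result.Overlap = @($result.JsonPolicies | Where-Object { $result.RegistryPolicies -contains $_ })
    return [pscustomobject]$result
}

# Usage: write the constructed sample to a temp file and inspect it.
$tmp = Join-Path $env:TEMP 'policies-sample.json'
Set-Content -Path $tmp -Value $samplePolicies -Encoding UTF8
$inv = Get-FirefoxPolicyInventory -PoliciesJsonPath $tmp
"Pinned extension URLs (will go stale):"
$inv.PinnedExtensions | Format-Table -AutoSize
"Policies present in both registry and policies.json: $($inv.Overlap -join ', ')"
```

Run it against the real file (`C:\Program Files\Mozilla Firefox\distribution\policies.json`) on a box where the script has been applied; any name in `Overlap` is a policy where editing the GPO alone will not change what Firefox enforces.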

ghost commented 1 year ago

[screenshot of the remaining policy errors]

I'm not sure if I'm doing something wrong. I did a complete clean re-install of Windows 11 Pro on my first system and ran the script.

4 errors with "cck" and the 3 errors about the extensions still remain.

Only "cck.config.disabledFormFill" and the 2 errors with "Not a valid origin" are gone now.

ghost commented 1 year ago

Just did the same on my Windows 11 Enterprise system. Complete clean re-install. Exactly the same result.


simeononsecurity commented 1 year ago

I think we got it this time. We usually import our GPOs into a fresh domain controller for editing. This time, however, we used Server 2022 and we ran into a weird bug where, when we made the edits, they didn't actually save when we closed the window. Uploading some changes momentarily that should work.

simeononsecurity commented 1 year ago

Actually, that was not it. It seems we had those settings duplicated in another policy that they shouldn't have been in.

simeononsecurity commented 1 year ago

@BoxedLight Ok should be fixed now. Try again

ghost commented 1 year ago

Very nice.

No more policy errors in Firefox. Also, I'm very impressed that you've managed to bring back HTTPS Everywhere. I couldn't find it on the Mozilla addons page. Anyway, the issue's finally resolved.

Thank you for your efforts. I really appreciate it.