X
Tap here to go to the mobile version of the site.

Support Forum

How can I stop admin users from changing Firefox configuration files.

Posted

I need to configure Firefox in an enterprise environment. Other that using 3rd part group policy templates which I do not want to do, the only option I have found to lock it down is using preference files. This will lock down Firefox but I need a way to stop an admin user from manually editing the configuration files.

I thought of using a group policy preference to copy the preference files on every GP refresh but it can take up to 90 minutes for the policy to apply. Is there a better way to lock down the files themselves?

I need to configure Firefox in an enterprise environment. Other that using 3rd part group policy templates which I do not want to do, the only option I have found to lock it down is using preference files. This will lock down Firefox but I need a way to stop an admin user from manually editing the configuration files. I thought of using a group policy preference to copy the preference files on every GP refresh but it can take up to 90 minutes for the policy to apply. Is there a better way to lock down the files themselves?

Chosen solution

Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes.

I will mark this a resolved.

Read this answer in context 0

Additional System Details

Installed Plug-ins

None

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

More Information

FredMcD
  • Top 10 Contributor
4300 solutions 60393 answers

Helpful Reply

An administrator has the ability to bypass any kind of block. However, what you could do is to copy those files you don't want to be changed to a thumb drive and keep it in your pocket.

There is also; http://portableapps.com/apps/internet/firefox_portable Mozilla Firefox, Portable Edition

A fully functional package of Firefox optimized for use on a USB key drive. A specialized launcher will allow most favorite extensions to work as you switch computers.

Firefox Portable is a 3rd-party build. Support is available here: http://portableapps.com/forums/support/firefox_portable

An administrator has the ability to bypass any kind of block. However, what you could do is to copy those files you don't want to be changed to a thumb drive and keep it in your pocket. There is also; http://portableapps.com/apps/internet/firefox_portable '''Mozilla Firefox, Portable Edition''' A fully functional package of Firefox optimized for use on a USB key drive. A specialized launcher will allow most favorite extensions to work as you switch computers. Firefox Portable is a 3rd-party build. Support is available here: http://portableapps.com/forums/support/firefox_portable

Question owner

Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.

Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.
jscher2000
  • Top 10 Contributor
8837 solutions 72222 answers

You may want to ask on the EWG mailing list. See: https://wiki.mozilla.org/Enterprise

You may want to ask on the EWG mailing list. See: https://wiki.mozilla.org/Enterprise

Question owner

Thank you. I will do that.

Thank you. I will do that.
WestEnd 60 solutions 5387 answers

disaak said

Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.

This is where you don't give them Admin permission you create in case of W7 and later "Limited" User accounts. They shouldn't need admin access at all. This is where you will run into trouble as you found out. User will do damage regardless and not giving them Admin is the first part not to do. And question begs why should they have Admin to start with.

''disaak [[#answer-1067025|said]]'' <blockquote> Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access. </blockquote> This is where you don't give them Admin permission you create in case of W7 and later "Limited" User accounts. They shouldn't need admin access at all. This is where you will run into trouble as you found out. User will do damage regardless and not giving them Admin is the first part not to do. And question begs why should they have Admin to start with.
chrisjw37 0 solutions 16 answers

Just a thought

Would making the config files and folders ‘Read Only’ work

Just a thought Would making the config files and folders ‘Read Only’ work

Question owner

WestEnd, you are preaching to the choir. Unfortunately I don't make the decision on whether users do or don't get local admin. It would take a major culture change to get rid of local admin that people above me are not willing to make.

As far as admins getting around anything that might be put in place, that doesn't mean you can't make it as difficult as possible for them.

chrisjw37, that might help a bit but is easily reversible.

Thank you

WestEnd, you are preaching to the choir. Unfortunately I don't make the decision on whether users do or don't get local admin. It would take a major culture change to get rid of local admin that people above me are not willing to make. As far as admins getting around anything that might be put in place, that doesn't mean you can't make it as difficult as possible for them. chrisjw37, that might help a bit but is easily reversible. Thank you
cor-el
  • Top 10 Contributor
  • Moderator
17670 solutions 159841 answers

Maybe the only thing that would work is to use a CMD file to launch Firefox and make sure that the configuration files are correct or just replace them.

Maybe the only thing that would work is to use a CMD file to launch Firefox and make sure that the configuration files are correct or just replace them.

Chosen Solution

Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes.

I will mark this a resolved.

Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes. I will mark this a resolved.