Posts Tagged ‘Firefox’

Preventing Windows 7 users from accessing the internet

Sunday, July 29th, 2012

I was recently asked to help out by implementing a method of preventing users from accessing the internet on AD-joined Windows 7 workstations using any installed software.

The problem is that in many applications the Help menu contains a URL which opens in the default browser. So it’s clearly not enough to deactivate keyboard combinations or to remove shortcuts.

The limitations were:
-Solution must be simple to implement and simple to undo
-I don’t have administrative access to the company firewall
-The users have a generic local profile (as compared to a personal user profile) and no administrative access
-It’s only for a limited time e.g. a couple of hours

I played around with the following ideas and tried to implement them:
-Activating parental controls on Windows 7 via GPO
-Put basically all URLs in the restricted sites zone in the Internet Options via GPO
-Replacing the DNS servers in network settings and implementing a customized hosts file
-Reconfiguring the Windows firewall
-Implementing a third party DNS-blocking tool or proxy server

All these methods were either difficult to implement (DNS-blocking tool or proxy server), difficult to configure (parental control, restricted sites zone), basically put the system in an unworkable condition (replacing the DNS servers) or were simply not meant to be (using the Windows firewall to prevent internet access).
For example, after replacing the DHCP-assigned DNS servers with 127.0.0.1 and adding two or three entries in a hosts file, Windows would boot and reboot again when starting the computer. Also, the computer was no longer reachable in our deployment tool.

In the end, the easiest method was to remove read and execute permissions for users on the installed browsers and similar executables. In our managed environment, that would be Internet Explorer (iexplore.exe), Firefox (firefox.exe) and ftp.exe.

Implemented on the command line, it’s quite simple. takeown.exe can change the owner of a file or folder to you or the administrators group. With icacls, you can change permissions on a file or folder.

Make Mozilla Firefox a non-executable:

REM # gives ownership to the administrators group
takeown /F "\Program Files\Mozilla Firefox\firefox.exe" /A

REM # deny read and execute rights for "Users"
icacls "\Program Files\Mozilla Firefox\firefox.exe" /deny "BUILTIN\Users":RX

Make Mozilla Firefox executable again:

REM # grant rights again
icacls "\Program Files\Mozilla Firefox\firefox.exe" /grant "BUILTIN\Users":RX

The same lines of code can be used with ftp.exe, which lives in the System32 folder. Instead of “\Program Files”, you could of course also use environment variables such as %ProgramFiles% or %WinDir%\System32

This seemed to work with Firefox. With Internet Explorer, there was an additional problem: TrustedInstaller, a Windows system account that protects critical files and folders against manipulation. Or as I came to call it: Making life hard for no reason.
If you try to undo the changes with the above lines of code, all you will get is access denied. You have to take some additional steps to make Internet Explorer executable again:

REM # remove rights for TrustedInstaller from executable
icacls "\Program Files\Internet Explorer\iexplore.exe" /remove:g "NT Service\TrustedInstaller"

REM # grant rights for users again
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant "BUILTIN\Users":RX

REM # grant rights for TrustedInstaller again
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant "NT Service\TrustedInstaller":F

REM # grant full rights to administrators group
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant "BUILTIN\Administrators":F

REM # setowner to TrustedInstaller again
icacls "\Program Files\Internet Explorer\iexplore.exe" /setowner "NT Service\TrustedInstaller" /C

REM # reset rights of administrators to RX again
icacls "\Program Files\Internet Explorer\iexplore.exe" /grant:r "BUILTIN\Administrators":RX

In our deployment tool, I can simply assign a batch file to make ff, ie and ftp unreadable to the users and assign another batch file to return the system back to normal.

I’m not saying this method is fool-proof and perfect. There are probably ways to work around these limitations but I’m confident this is raising the bar high enough to prevent users in a managed computer environment from accessing the internet when they have only very limited time while being supervised.
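
To confirm that either batch file did what was intended, the ACL can be read back instead of assumed. The PowerShell script below is an added example, not part of the original post or the author's deployment tooling; it only reads ACLs and owners. It assumes the default install paths and also looks at the 32-bit copies under Program Files (x86) and SysWOW64, which the post does not mention but which exist on 64-bit Windows 7.

```powershell
# Added example: read-only audit of the icacls lock-down described in the post.
# Assumptions: default install paths, native (not 32-bit) elevated PowerShell.
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users, independent of UI language
$rx = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

# Candidate locations; the (x86) and SysWOW64 copies exist only on 64-bit Windows.
$targets = @()
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) {
        $targets += Join-Path $root 'Mozilla Firefox\firefox.exe'
        $targets += Join-Path $root 'Internet Explorer\iexplore.exe'
    }
}
$targets += Join-Path $env:WinDir 'System32\ftp.exe'
$targets += Join-Path $env:WinDir 'SysWOW64\ftp.exe'

function Get-LockState([string]$Path) {
    $result = New-Object PSObject -Property @{ Path = $Path; State = 'Missing'; Owner = '' }
    if (-not (Test-Path $Path)) { return $result }

    $acl = Get-Acl -Path $Path
    $result.Owner = $acl.Owner
    # Ask for SIDs rather than names so the comparison works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    # "Locked" means: a deny ACE for BUILTIN\Users that covers read and execute.
    $deny = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.FileSystemRights) -band $rx) -eq $rx
    })
    if ($deny.Count -gt 0) { $result.State = 'Locked' } else { $result.State = 'Open' }
    return $result
}

$targets | Select-Object -Unique | ForEach-Object { Get-LockState $_ } |
    Format-Table State, Owner, Path -AutoSize
```

After the lock batch file every existing executable should be reported as Locked; after the undo batch file it should be reported as Open, and iexplore.exe should again be owned by NT SERVICE\TrustedInstaller.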

Password problems with Firefox Sync

Friday, March 30th, 2012

Although Firefox has sported a Sync option for quite some time, I only recently decided to make use of it.
I’m working on several different OS on several different pcs in several different locations and having my bookmark collection always up to date is a real time/lifesaver.

Unfortunately, every once in a while Sync reports “could not sync within the last 7 days” due to a password problem. (The screenshot was taken on an Ubuntu installation.)

The offered options are to change your password, to unlink the device or to reset.

This happened to me on Win7 x86_64 with Firefox 10 and on a Win7 x86_64 with Firefox 11, both workstations joined to a domain and again on Ubuntu 11.10 x86_64 with Firefox 11.
I usually try to re-enter my password first and it’s always “incorrect” for some reason.

I’ve solved enough user problems with passwords to know all the tricks’n’traps (keyboard settings, numeric keypad etc.) and I *know* I enter the correct password (although that’s what the users say as well). In the end, I usually unlink the device, delete the Firefox profile and set up Sync again. You need to have your recovery key ready for this but as I store all passwords in KeePass files and sync them using Ubuntu One, I’m good with that.

Of course, when I set up Sync again and enter the same password as before, it’s deemed “correct” and my synced settings are restored within seconds.

You won’t find any information about this in Event Viewer but have a look at C:\Users\<username>\Application Data\Mozilla\Firefox\Profiles\<random_name>.default\weave\logs (on Linux: .mozilla/firefox/<random_name>.default/weave/logs ).
The next couple of lines will refer to the Linux version, your mileage may vary on Windows but should be similar.

The log files contain a timestamp in Unix time (online converter here), warnings and debug messages such as “401: login failed”. It will also display your encrypted (?) username. Quite useful information but no hints as to what the actual problem is. Previous posts in the Mozilla support forum report that intermittent server failures could be the cause but from a user’s point of view there’s no way you can verify this.

What are your experiences with Firefox Sync? As a tool I quite like it but this password issue is a bit annoying. Do you have any hints? Let me know…

UPDATE:
Maybe trashing your Firefox profile is overkill. Simply try restarting Firefox first. Whilst writing this very post, Firefox complained about an incorrect sync password (that’s why I was able to take screenshots ^_^) but after closing Firefox, adding a new bookmark on a different PC and starting Firefox again, the new bookmark was synced without problem.

And another thought:
If you use the NoScript extension, make sure you allow https://services.mozilla.com – don’t know if it helps but it can’t get worse.

頑張れ! Fix your favourite add-on for Firefox yourself!

Wednesday, August 17th, 2011

Probably my favourite add-on for Firefox is called “Link Extractor”:  When you right-click a link, it gives you the possibility to open all embedded urls in separate tabs or windows.

Unfortunately, the developer of said add-on hasn’t had time to update it and the last officially supported version of Firefox is 3.x, whereas today Firefox 6 was released on Ubuntu 11.04.

If you really need this add-on (I couldn’t find one that provides similar features), you can fix it yourself:

1) Download the xpi from the official homepage

2) Open the xpi file with an archive manager such as file roller

3) Extract “install.rdf” to /some/folder

4) Delete install.rdf from the xpi file

5) Edit the extracted install.rdf with your favourite editor and change the line
<em:maxVersion>3.*</em:maxVersion>
to
<em:maxVersion>6.*</em:maxVersion>

6) Save the file, put it back into the xpi

7) Install the add-on via the menu Tools -> Add-ons, click on the toolset, select “Install Add-on from File”, browse to the modified xpi and restart Firefox to activate the changes.

With this add-on, this works nicely. There certainly are add-ons where this simple tweak does not work but it’s worth a try, anyway.