How can I stop admin users from changing Firefox configuration files.
I need to configure Firefox in an enterprise environment. Other that using 3rd part group policy templates which I do not want to do, the only option I have found to lock it down is using preference files. This will lock down Firefox but I need a way to stop an admin user from manually editing the configuration files.
I thought of using a group policy preference to copy the preference files on every GP refresh but it can take up to 90 minutes for the policy to apply. Is there a better way to lock down the files themselves?
Solução escolhida
Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes.
I will mark this a resolved.
Ler esta resposta no contexto 👍 0Todas as respostas (9)
An administrator has the ability to bypass any kind of block. However, what you could do is to copy those files you don't want to be changed to a thumb drive and keep it in your pocket.
There is also; http://portableapps.com/apps/internet/firefox_portable Mozilla Firefox, Portable Edition
A fully functional package of Firefox optimized for use on a USB key drive. A specialized launcher will allow most favorite extensions to work as you switch computers.
Firefox Portable is a 3rd-party build. Support is available here: http://portableapps.com/forums/support/firefox_portable
Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.
You may want to ask on the EWG mailing list. See: https://wiki.mozilla.org/Enterprise
Thank you. I will do that.
disaak said
Thank you but I am not trying to stop someone from messing with my configuration files. I am trying to stop users from messing with the configuration files on their computers when they have been given admin access.
This is where you don't give them Admin permission you create in case of W7 and later "Limited" User accounts. They shouldn't need admin access at all. This is where you will run into trouble as you found out. User will do damage regardless and not giving them Admin is the first part not to do. And question begs why should they have Admin to start with.
Just a thought
Would making the config files and folders ‘Read Only’ work
WestEnd, you are preaching to the choir. Unfortunately I don't make the decision on whether users do or don't get local admin. It would take a major culture change to get rid of local admin that people above me are not willing to make.
As far as admins getting around anything that might be put in place, that doesn't mean you can't make it as difficult as possible for them.
chrisjw37, that might help a bit but is easily reversible.
Thank you
Maybe the only thing that would work is to use a CMD file to launch Firefox and make sure that the configuration files are correct or just replace them.
Solução escolhida
Thank you everyone. I think the best thing is to use group policy preferences to copy the configuration files. They can still be changed but at least they will be replaced every 90 minutes.
I will mark this a resolved.