ranpage
asked on
Would like to Block Firefox!!!
I would like to Block users from Downloading and installing Firefox. Users also ran firefox off USB drives so I had to disable USB jump drives. Is there a way to block Firefox using the Windows Firewall or can this be done with a Cisco Firewall? I have also tested Group Policy and Setup only run certain process however that doesn't work that well seeing as someone could rename the firefox.exe... Any help or suggestions would be greatly appreciated...
Thanks!!!
Thanks!!!
grblades
The only way I can think of you doing it effectivly is to force everyone to use a proxy server for web access and then configure the proxy server to deny if it sees firefox is connecting. Each browser gives information about itself when it requests a page so you should be able to block access based on it.
Or don't give admin rights to anybody.
ASKER
I do have a proxy server however i configure the setting within IE can i apply these setting on the workstation level so all browsers use the proxy?
Unless you restrict there installation priviledges - you cannot really stop them from installing.
You would have to make sure that the users do not have access to the folders that are required to install it - i.e. C:\Program Files\Mozilla Firefox and C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox (by setting NTFS permissions)
This would mean creating the folder structure - by script - but then the user wouldn;t be able to install the software.
You would have to make sure that the users do not have access to the folders that are required to install it - i.e. C:\Program Files\Mozilla Firefox and C:\Documents and Settings\<username>\Local Settings\Application Data\Mozilla\Firefox (by setting NTFS permissions)
This would mean creating the folder structure - by script - but then the user wouldn;t be able to install the software.
You would need to create an edited prefs.js file for each user - then copy them into each profile in the correct place - and then use NTFS permissions so that they cannot be changed.
Specifically:
user_pref("network.proxy.h
user_pref("network.proxy.h
user_pref("network.proxy.h
user_pref("network.proxy.h
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Not in Cisco Firewall or Windows Firewall.
Also the proxy server solution would not work as 'User Agent Switch' plug in for Firefox can report that Firefox is Internet Explorer.
Our office used LAN Desk to block application launches by monitoring metadata but I hacked the metadata using 'XN Resource Editor'
Here's the thing: if you have a diligent user, you cannot block firefox. One of our sys admins and I had a friendly contest on trying. He would set up a rule, I would hack around it, he would set up another rule, I would hack around that one, etc...
Finally he gave up.
The real question might be "why"? Why block firefox?
If the answer is "it doesn't auto update", then force it to update.
If the answer is "it isn't as secure", then patch it.
If the answer is "i hate firefox and everyone must agree with me", then get a life.
If the answer is "it's corporate policy", then write up/fire users who violate policy.
The alternative is a rather administratively intense, draconian solution. Use group policy to block all programs from running except those that you permit. Allow word.exe, excel.exe, or whatever. Do not allow setup.exe.
However, even then, I could rename the setup.exe to word.exe (or whatever), install it, and I'm back in business.
One last solution MIGHT be to create a virus signature for your corporate antivirus solution that identifies firefox as a virus. Then the name wouldn't matter. But depending on the AV you have, this might be difficult to say the least.
Also the proxy server solution would not work as 'User Agent Switch' plug in for Firefox can report that Firefox is Internet Explorer.
Our office used LAN Desk to block application launches by monitoring metadata but I hacked the metadata using 'XN Resource Editor'
Here's the thing: if you have a diligent user, you cannot block firefox. One of our sys admins and I had a friendly contest on trying. He would set up a rule, I would hack around it, he would set up another rule, I would hack around that one, etc...
Finally he gave up.
The real question might be "why"? Why block firefox?
If the answer is "it doesn't auto update", then force it to update.
If the answer is "it isn't as secure", then patch it.
If the answer is "i hate firefox and everyone must agree with me", then get a life.
If the answer is "it's corporate policy", then write up/fire users who violate policy.
The alternative is a rather administratively intense, draconian solution. Use group policy to block all programs from running except those that you permit. Allow word.exe, excel.exe, or whatever. Do not allow setup.exe.
However, even then, I could rename the setup.exe to word.exe (or whatever), install it, and I'm back in business.
One last solution MIGHT be to create a virus signature for your corporate antivirus solution that identifies firefox as a virus. Then the name wouldn't matter. But depending on the AV you have, this might be difficult to say the least.
It is possible to use Software Restriction policies to whitelist software by hash or certificate so that just changing the filename doesn't work. However this is a major pain to implement and maintain.
http://technet.microsoft.com/en-us/library/bb457006.aspx
http://technet.microsoft.com/en-us/library/bb457006.aspx
ASKER
I was thinking of using the Firewall on our Cisco router to Block all traffic on port 80 except from the Proxy server. This wouldn't block user from installing Firefox but it wouldn't work if they did? Let me know if i'm correct in this?
Thanks
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks!!! I don't care if they install FF and use our proxy server as long as they're being filtered...