security.ssl3.dhe_rsa_aes_128_sha false for all users

How do I set this for ALL USERS on a citrix server - its a user specific setting to toggle in about.config on firefox

thanks - OS = windows 2008 32 bit Firefox browser version = 41.0.1
LVL 1
philb19Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

gheistCommented:
http://kb.mozillazine.org/Locking_preferences

aes128 is still secure des_ede3 not so ....
btanExec ConsultantCommented:
you can do it in default configuration by creating a file with the extension of .js in the defaults/preferences directory and adding the line (e.g. pref("security.ssl3.dhe_rsa_aes_128_sha", false);) into the file. But do note this
All of these preferences are stored in JavaScript files. Your customized settings are stored in a file called prefs.js in your profile directory. The default preferences are stored in various files like all.js or firefox.js. It is not recommended that you modify these files directly (and you can't easily, because they are stored in the file omni.ja[r]). You can, however, create your own Javascript files and place them in a location so that Firefox reads them as default preferences. That location is the defaults/preferences directory in the same location where the Firefox executable is placed. Files in this location will be used for all Firefox users (they are not profile specific).
So using a default preference file is good if all you want to change is the default value for a few preferences. It doesn't let you lock preferences and it doesn't let you change the homepage. Otherwise to really make sure it effects for all user, another mean is using all.js e.g. in the example trying to set the proxy across all user - https://thommck.wordpress.com/2011/03/08/configuring-firefox-proxy-settings-for-all-users/

agree with gheist too to go for more robust cipher suite
advise you to disable the following settings starting from the bottom:
security.ssl3.rsa_rc4_128_md5;false
security.ssl3.rsa_camellia_256_sha;false
security.ssl3.rsa_camellia_128_sha;false
security.ssl3.ecdhe_rsa_rc4_128_sha;false
security.ssl3.ecdhe_rsa_des_ede3_sha;false
security.ssl3.ecdhe_ecdsa_rc4_128_sha;false
security.ssl3.dhe_rsa_des_ede3_sha;false
security.ssl3.dhe_rsa_camellia_256_sha;false
security.ssl3.dhe_rsa_camellia_128_sha;false
security.ssl3.dhe_dss_aes_256_sha;false
security.ssl3.dhe_dss_aes_128_sha;false
Some will be disabled by default.
https://yuridejager.wordpress.com/2015/01/06/securing-your-browsers-firefox/
gheistCommented:
https://tools.ietf.org/html/bcp195#section-4

Can you provide any respectable reference why would one disable camellia?
i know DES bad RC4 bad, but other stuff is just unfounded.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

btanExec ConsultantCommented:
Camellia is good but rare use. But i believe the author in that article, has that disabled more from the use of sslv3 with dhe and sha where the both has been reported weak. ecdh and sha2 family are preferred
gheistCommented:
In couple of months problem will go away by itself:
https://blog.mozilla.org/security/2015/09/11/deprecating-the-rc4-cipher/
btanExec ConsultantCommented:
yap for the MS server 2K8, the below update disable RC4 (not disable by default) or consider using iiscrypto to check and enable the registry needed. Below is the specific registry
The RC4 cipher can be completely disabled on Windows platforms by setting the "Enabled" (REG_DWORD) entry to value 00000000 in the following registry locations: • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
https://support.microsoft.com/en-us/kb/2868725
philb19Author Commented:
Thanks all for help

btan - how do i create - default preference file - a java script file yes ( but where do i start?)
philb19Author Commented:
btanExec ConsultantCommented:
Thanks it goes to depth aligning with what I shared earlier for FF pref js files. Good info and apologies for replying earlier. Indeed similar to what I like to share also for locking pref
http://kb.mozillazine.org/Locking_preferences#Creating_the_lock_file

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Browsers

From novice to tech pro — start learning today.