Lexmark MS610dn Administrator's Manual

Embedded web server-security: administrator's guide

Embedded Web Server — Security
Administrator's Guide
October 2013
www.lexmark.com

Summary of Contents for Lexmark MS610dn

  • Page 1 Embedded Web Server — Security Administrator's Guide October 2013 www.lexmark.com...
  • Page 2: Table Of Contents

    Contents
      • Security devices covered in this guide (page 4)
      • Simple security devices (page 4)
      • Advanced security devices (page 4)
      • Using security features in the Embedded Web Server (page 5)
      • Understanding the basics (page 5)
      • Authentication and Authorization (page 5)
      • Groups (page 7)
      • Access Controls (page 7)
      • Security Templates (page 7)
      • Limiting access with Basic Security Setup (page 8)
      • Configuring building blocks (page 8)
      • Creating a password for advanced security setup (page 8)
      • Creating a password through Web Page Password Protect (page 9)...
  • Page 3 Contents
      • Configuring the TCP/IP port access setting (page 32)
      • Configuring IPsec settings (page 32)
      • Enabling the security reset jumper (page 33)
      • Securing the hard disk and other installed memory (page 33)
      • Statement of Volatility (page 33)
      • Erasing volatile memory (page 34)
      • Erasing non‑volatile memory (page 34)
      • Configuring Out of Service Erase (page 35)
      • Completely erasing printer hard disk memory (page 36)
      • Configuring printer hard disk encryption (page 36)
      • Scenarios (page 38)
      • Scenario: Printer in a public place (page 38)...
  • Page 4: Security Devices Covered In This Guide

    “Authentication and Authorization” on page
    Simple security devices: CS310n/dn, CS410n/dn, CS410dtn, CX310n/dn, M1140, M1145, M3150dn, M5163dn, MS310d/dn, MS410d/dn, MS510dn, MS610dn, MS610dtn, MS810n/dn, MS810dtn, MS811n/dn, MS811dtn, MS812dn, MS812dtn, MX310dn
    Advanced security devices: CS510de, CS510dte, CX410de, CX410e/dte, CX510de, CX510dhe/dthe, M3150, M5155, M5163, M5170, XM1140,...
  • Page 5: Using Security Features In The Embedded Web Server

    Using security features in the Embedded Web Server Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. With traditional components such as authentication and group permissions, administrators can use Embedded Web Server Security Templates to control access to the devices that produce, store, and transmit sensitive documents.
  • Page 6 Using security features in the Embedded Web Server = Supported X = Not supported Function Simple security devices Advanced security devices Panel PIN Protect PIN Protection Web Page Password Protect Password Protection Internal Accounts (Username and Username/Password) Groups (internal) LDAP LDAP+GSSAPI Kerberos 5 Active Directory...
  • Page 7: Groups

    Using security features in the Embedded Web Server Groups Administrators can designate up to 32 groups to be used in association with either the Internal accounts or LDAP/LDAP +GSSAPI building blocks. For the purposes of Embedded Web Server security, groups are used to identify sets of users needing access to similar functions.
  • Page 8: Limiting Access With Basic Security Setup

    Using security features in the Embedded Web Server Limiting access with Basic Security Setup Use Basic Security Setup to limit access to the Embedded Web Server security settings and the configuration menus on the printer control panel. This selection allows the definition of simple internal device security authentication methods.
  • Page 9: Creating A Password Through Web Page Password Protect

    Using security features in the Embedded Web Server Under Manage Passwords, select Add a Password. Type a name for the password in the Setup Name box. Note: Each password must have a unique name containing up to 128 UTF‑8 characters (example: “Copy Lockout Password”).
  • Page 10: Creating A Pin Through Panel Pin Protect

    Using security features in the Embedded Web Server Type the name of the PIN configuration in the Setup Name box. Note: Each PIN must have a unique name containing up to 128 UTF‑8 characters (example: “Copy Lockout PIN”). Enter a PIN in the appropriate box, and then reenter the PIN to confirm it. To change the default PIN length: Click Settings >...
  • Page 11: Connecting Your Printer To An Active Directory Domain

    Using security features in the Embedded Web Server Type the group name. Note: Group names can contain up to 128 UTF‑8 characters. Click Add. Repeat steps 3 through 4 to add more user groups. Note: When creating groups, make a list of all users first, and then determine which device functions are needed by all users and which functions are needed only by certain users.
  • Page 12 Using security features in the Embedded Web Server • If you do not select HTTPS, then you will not be able to set up Active Directory. Open a Web browser, and then type the IP address or host name of the printer. Note: A warning with a message associated to your printer IP address or host name will appear.
  • Page 13: Using Ldap

    Using security features in the Embedded Web Server Change some of the building block settings depending on your environment, including the following: • Server Port‑‑The standard port for LDAP is 389. Another common port is 3268, but this is used only for Global Catalog servers in Active Directory.
  • Page 14 Using security features in the Embedded Web Server Click Add an LDAP Setup. The LDAP Server Setup dialog is divided into four parts: General Information • Setup Name—This name is used to identify each particular LDAP Server Setup when creating security templates. •...
  • Page 15: Using Ldap+Gssapi

    Using security features in the Embedded Web Server To edit an existing LDAP setup From the Embedded Web Server, click Settings > Security > Security Setup. Under Advanced Security Setup, click LDAP. Click a setup from the list. Make any needed changes in the LDAP Configuration dialog. Click Modify to save the changes, or click Cancel to return to previous values.
  • Page 16 Using security features in the Embedded Web Server To add a new LDAP+GSSAPI setup From the Embedded Web Server, click Settings > Security > Security Setup. Under Advanced Security Setup, click LDAP+GSSAPI. Click Add an LDAP+GSSAPI Setup. The setup dialog is divided into four parts: General Information •...
  • Page 17: Configuring Kerberos 5 For Use With Ldap+Gssapi

    Using security features in the Embedded Web Server To edit an existing LDAP+GSSAPI setup From the Embedded Web Server, click Settings > Security > Security Setup. Under Advanced Security Setup, click LDAP+GSSAPI. Select a setup from the list. Make any needed changes in the LDAP Configuration dialog. Click Modify to save the changes, or Cancel to return to previous values.
  • Page 18 Using security features in the Embedded Web Server Type the realm (or domain) used by the Kerberos server in the Realm field. Click Submit to save the information as a krb5.conf file on the selected device, or Reset Form to reset the fields and start again.
  • Page 19: Setting Up A Ca Certificate Monitor

    Using security features in the Embedded Web Server Setting up a CA certificate monitor Note: This is available only in select printer models. When joined to an Active Directory environment, automatic updates of CA (Certificate Authority) certificates are necessary. The certificate monitor, when enabled, performs this function. From the Embedded Web Server, click Settings >...
  • Page 20: Setting Login Restrictions

    Using security features in the Embedded Web Server Select the Use Backup Password check box, and then type and retype the password. Click Submit. Setting login restrictions Note: This is available only in select printer models. Many organizations establish login restrictions for information assets such as workstations and servers. Embedded Web Server administrators should verify that printer login restrictions also comply with organizational security policies.
  • Page 21 Using security features in the Embedded Web Server From the Authentication Setup list, select a method for authenticating users. Note: The Authentication Setup list is populated with the authentication building blocks that have been configured on the device. To use authorization, click Add authorization, and then select a building block from the Authorization Setup list. Note: The Authorization Setup list is populated with the authorization building blocks available on the device.
  • Page 22: Managing Certificates And Other Settings

    Using security features in the Embedded Web Server • You can delete a security template only if it is not in use; however, security templates currently in use can be edited. Managing certificates and other settings Note: This is available only in select printer models. The Certificate Management menu is used for configuring printers to utilize certificates for establishing SSL, IPSec, and 802.1x connections.
  • Page 23: Configuring The Device For Certificate Information

    Using security features in the Embedded Web Server Configuring the device for certificate information Note: This is available only in select printer models. The printer has a self‑generated certificate. For some operations (e.g. 802.1x, IPSec, etc.), the printer certificate needs to be upgraded to a certificate that has been signed by a certificate authority.
  • Page 24: Creating A New Certificate

    Using security features in the Embedded Web Server Click Browse, and then select the CA Signed Device Certificate file that was created in step 8. Click Submit. Note: This completes the process of creating and installing a signed printer certificate. The printer can now present a valid certificate to systems to which it attempts to negotiate an SSL or IPSec connection.
  • Page 25: Setting Certificate Defaults

    Using security features in the Embedded Web Server Setting certificate defaults Administrators can set default values for certificates generated for a supported device. The values entered here will be present in all new certificates generated in the Certificate Management task, even though those fields will remain blank on the screen.
  • Page 26: Enabling And Disabling Usb Devices

    Using security features in the Embedded Web Server Confidential Job Expiration: Set a limit on how long the printer stores confidential print jobs. Listed values: 1 hour, 4 hours, 24 hours. Notes: • If the “Confidential Job Expiration” setting is changed while confidential print jobs reside in the printer memory or printer hard disk, then the expiration time for those print jobs does not change to the new default value.
  • Page 27: Erasing Temporary Data Files From The Hard Disk

    Using security features in the Embedded Web Server From the Day(s) menu, select which day or days the schedule should run (example: “Weekdays (Mon‑Fri)”). Click Add to save the action to the schedule. Notes: • Use of USB devices is enabled by default. •...
  • Page 28 Using security features in the Embedded Web Server From the Remote Syslog Method menu, select one of the following: • Normal UDP—To send log messages and events using a lower‑priority transmission protocol. • Stunnel—If implemented on the destination server. From the Remote Syslog Facility menu, select a facility code for events to be logged to on the destination server. All events sent from the device will be tagged with the same facility code to aid in sorting and filtering by network monitoring or intrusion detection software.
  • Page 29: Connecting The Printer To A Wireless Network Using The Embedded Web Server

    Using security features in the Embedded Web Server From the Use SSL/TLS list, select Disabled, Negotiate, or Required to specify whether e-mail will be sent using an encrypted link. If your SMTP server requires user credentials, then select an authentication method from the SMTP Server Authentication list.
  • Page 30 Using security features in the Embedded Web Server Though normally associated with wireless devices and connectivity, 802.1x authentication supports both wired and wireless environments. 802.1x is located within the wireless menu when wireless is enabled on the device. The following network authentication mechanisms can be included in the 802.1x protocol negotiation: •...
  • Page 31: Setting Up Snmp

    Using security features in the Embedded Web Server From the TTLS Authentication Method list, select the authentication method to accept through the secure tunnel created between the authentication server and the printer. Click Submit to save the changes, or Reset Form to restore the default settings. Note: Changes made to settings marked with an asterisk (*) will cause the print server to reset.
  • Page 32: Configuring The Tcp/Ip Port Access Setting

    Using security features in the Embedded Web Server Under Trap Destination, enter the IP address of the network management server or monitoring station, and then click the check box next to each condition that should generate an alert. Click Submit to save the changes, or click Reset Form to clear all fields. Configuring the TCP/IP port access setting Note: This is available only in select printer models.
  • Page 33: Enabling The Security Reset Jumper

    Using security features in the Embedded Web Server Setting Description Settings To specify your printer’s encryption and authentication methods, select an option for each setting. DH Group Encryption Authentication Certificate Validation Validate Peer Certificate Select Device Certificate This is the factory default setting. Click Submit to save the changes, or click Reset Form to restore the default values.
  • Page 34: Erasing Volatile Memory

    Using security features in the Embedded Web Server • Hard disk memory—Some devices have a hard disk drive installed. The printer hard disk is designed for device‑specific functionality and cannot be used for long term storage for data that is not print‑related. The hard disk does not provide the capability for users to extract information, create folders, create disk or network file shares, or FTP information directly from a client device.
  • Page 35: Configuring Out Of Service Erase

    Using security features in the Embedded Web Server • Fax data—If your printer does not contain a hard disk, or if you have chosen NAND for fax storage, then you can erase fax settings and data by resetting the NVRAM using the printer Config menu. Note: If your printer has a hard disk that has been partitioned for fax storage, then you must reformat that partition to erase fax data and settings.
  • Page 36: Completely Erasing Printer Hard Disk Memory

    Using security features in the Embedded Web Server Completely erasing printer hard disk memory Notes: • Some printer models may not have a printer hard disk installed. • Access to the configuration menu might be restricted or disabled by the Configuration Menu function access control.
  • Page 37 Using security features in the Embedded Web Server Notes: • View the printer IP address on the printer home screen. The IP address appears as four sets of numbers separated by periods, such as 123.123.123.123. • If you are using a proxy server, then temporarily disable it to load the Web page correctly. Click Settings >...
  • Page 38: Scenarios

    Using security features in the Embedded Web Server Scenarios Scenario: Printer in a public place If your printer is located in a public space such as a lobby, and you want to prevent the general public from using it, then a password or PIN can provide simple protection right at the device. Administrators can assign a single password or PIN for all authorized users of the device, or separate codes to protect individual functions.
  • Page 39: Scenario: Standalone Or Small Office

    Using security features in the Embedded Web Server Scenario: Standalone or small office Note: This is available only in select printer models. If your printer is not connected to a network, or you do not use an authentication server to grant users access to devices, then internal accounts can be created and stored within the Embedded Web Server for authentication, authorization, or both.
  • Page 40 Using security features in the Embedded Web Server On networks running Active Directory, administrators can use the LDAP+GSSAPI capabilities of the Embedded Web Server to take advantage of authentication and authorization services already deployed on the network. User credentials and group designations can be pulled from the existing network, making access to the printer as seamless as other network services.
  • Page 41: Appendix

    Appendix Appendix A: CA file creation Note: This example of generation of a CA file for the Certificate Authority assumes usage of a Windows Certificate Authority server. Point the browser window to the CA. Make sure to use the URL, http://<CA’s address>/CertSrv, where CA’s address is the IP address or host name of the CA server.
  • Page 42 Appendix For this application to function, the device must be joined to an Active Directory environment and a Certificate Enrollment Web Services (Server Role) application needs to be installed on the customer’s network. Note: The example usage instructions given below assume the Certificate Enrollment Web Services is installed on a Windows 2008 R2 server.
  • Page 43: Administrative Menus

    Appendix To specify that certificates that are about to expire are automatically renewed, in the Configure tab on the “Settings > Apps > App Management” Web page for the Automatic Enrollment application, select the check box for Automatically Update Certificates, specify the number of days before expiration for the Auto Renewal Threshold setting, and then click Apply.
  • Page 44 Appendix Management (Function access control: What it does)
      • Firmware Updates: This controls the ability to update firmware from any source other than a flash drive. Firmware files that are received through FTP, the Embedded Web Server, etc., will be ignored (flushed) when this function is protected.
      • Operator Panel Lock: This protects access to the locking function of the printer control panel....
  • Page 45 Appendix (Function access control: What it does)
      • Allow Flash Drive Access: This controls the ability to access the flash drive.
      • Flash Drive Print: This controls the ability to print from a flash drive.
      • Flash Drive Scan: This controls the ability to scan documents to a flash drive.
      • FTP Function: This controls access to the Scan to FTP function....
  • Page 46: Notices

    ©2013 Lexmark International, Inc. All rights reserved. Trademarks Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners. GOVERNMENT END USERS The Software Program and any related documentation are "Commercial Items,"...
  • Page 47 Notices GifEncoder GifEncoder - writes out an image as a GIF. Transparency handling and variable bit size courtesy of Jack Palevich. Copyright (C) 1996 by Jef Poskanzer * <jef@acme.com>. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 48 Notices "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object"...
  • Page 49 Notices purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions...
  • Page 50: Glossary Of Security Terms

    Glossary of Security Terms
      • Access Controls: Settings that control whether individual device menus, functions, and settings are available, and to whom. Also referred to as Function Access Controls on some devices.
      • Authentication: A method for securely identifying a user.
      • Authorization: A method for specifying which functions are available to a user, i.e....
  • Page 51: Index

