Ricoh Aficio MP W3601 Operating Instructions Manual

Read this manual carefully before you use this machine and keep it handy for future reference. For safe and correct use, be sure to read the Safety Information in "About This Machine" before using the machine.

1. Getting Started
2. Configuring Administrator Authentication
3. Configuring User Authentication
4. Protecting Data from Information Leaks
5. Securing Information Sent over the Network or Stored on Hard Disk
6. Managing Access to the Machine
7. Enhanced Network Security
8. Specifying the Extended Security Functions
9. Troubleshooting
10. Appendix

Operating Instructions

Security Reference

Summary of Contents for Ricoh Aficio MP W3601

  • Page 1: Operating Instructions

    Operating Instructions: Security Reference. Getting Started; Configuring Administrator Authentication; Configuring User Authentication; Protecting Data from Information Leaks; Securing Information Sent over the Network or Stored on Hard Disk; Managing Access to the Machine; Enhanced Network Security; Specifying the Extended Security Functions; Troubleshooting; 10. Appendix. Read this manual carefully before you use this machine and keep it handy for future reference.
  • Page 3: Table Of Contents

    TABLE OF CONTENTS
    Manuals for This Machine (p.7)
    Notice (p.9)
    Important (p.9)
    How to Read This Manual (p.10)
    Symbols (p.10)
    IP Address (p.10)
    Notes (p.10)
    1. Getting Started
    Before Using the Security Functions (p.11)
    Setting up the Machine (p.12)
    Enhanced Security (p.15)
    Glossary (p.16)
    Security Measures Provided by this Machine (p.18)
    Using Authentication and Managing Users (p.18)
    Ensuring Information Security (p.18)
    Limiting and Controlling Access (p.20)
    Enhancing Network Security (p.20)
    ...
  • Page 4

    3. Configuring User Authentication
    Users (p.37)
    About User Authentication (p.38)
    Configuring User Authentication (p.39)
    Enabling User Authentication (p.40)
    User Code Authentication (p.41)
    Specifying User Code Authentication (p.41)
    Basic Authentication (p.45)
    Specifying Basic Authentication (p.45)
    Authentication Information Stored in the Address Book (p.47)
    Specifying Login User Names and Passwords (p.48)
    Specifying Login Details (p.50)
    Windows Authentication (p.52)
    Specifying Windows Authentication (p.53)
    Installing Internet Information Services (IIS) and Certificate Services (p.61)
    ...
  • Page 5

    Printing a Locked Print File (p.90)
    Deleting Locked Print Files (p.91)
    Changing the Password of a Locked Print File (p.92)
    Unlocking a Locked Print File (p.93)
    Configuring Access Permissions for Stored Files (p.95)
    Specifying User and Access Permissions for Stored Files (p.96)
    Changing the Owner of a Document (p.99)
    Specifying Access Permissions for Files Stored Using the Scanner Function (p.99)
    Specifying User and Access Permissions for Files Stored by a Particular User (p.103)
    Specifying Passwords for Stored Files (p.104)
    ...
  • Page 6

    Disabling Menu Protect (p.139)
    Specifying Menu Protect (p.139)
    Limiting Available Functions (p.143)
    Specifying Which Functions are Available (p.143)
    Managing Log Files (p.145)
    Using the Control Panel to Specify Log File Settings (p.145)
    Using Remote Communication Gate S to Manage Log Files (p.147)
    Using Web Image Monitor to Manage Log Files (p.147)
    Logs That Can Be Managed Using Web Image Monitor (p.155)
    7.
  • Page 7

    8. Specifying the Extended Security Functions
    Specifying the Extended Security Functions (p.221)
    Changing the Extended Security Functions (p.221)
    Extended Security Settings (p.222)
    Other Security Functions (p.226)
    Scanner Function (p.226)
    System Status (p.226)
    Limiting Machine Operations to Customers Only (p.227)
    Settings (p.227)
    Additional Information for Enhanced Security (p.230)
    Settings You Can Configure Using the Control Panel (p.230)
    Settings You Can Configure Using Web Image Monitor (p.232)
    Settings You Can Configure When IPsec Is Available/Unavailable (p.234)
    9.
  • Page 8

    Extended Feature Settings (p.271)
    Settings via Web Image Monitor (p.271)
    Network Administrator Settings (p.275)
    System Settings (p.275)
    Scanner Features (p.276)
    Extended Feature Settings (p.276)
    Settings via Web Image Monitor (p.276)
    File Administrator Settings (p.279)
    System Settings (p.279)
    Printer Features (p.279)
    Extended Feature Settings (p.280)
    Settings via Web Image Monitor (p.280)
    Document Server File Permissions (p.281)
    The Privilege for User Account Settings in the Address Book (p.283)
    User Settings - Control Panel Settings (p.286)
    System Settings (p.287)
    ...
  • Page 9: Manuals For This Machine

    Manuals for This Machine Read this manual carefully before you use this machine. Refer to the manuals that are relevant to what you want to do with the machine. • Media differ according to manual. • The printed and electronic versions of a manual have the same contents. •...
  • Page 10 Security Reference This manual is for administrators of the machine. It explains security functions that you can use to prevent unauthorized use of the machine, data tampering, or information leakage. Be sure to read this manual when setting the enhanced security functions, or user and administrator authentication. VM Card Extended Feature Settings Device Reference Explains how to set up the extended features settings with the machine.
  • Page 11: Notice

    Notice Important In no event will the company be liable for direct, indirect, special, incidental, or consequential damages as a result of handling or operating the machine. For good copy quality, the manufacturer recommends that you use genuine toner from the manufacturer. The manufacturer shall not be responsible for any damage or expense that might result from the use of parts other than genuine parts from the manufacturer with your office products.
  • Page 12: How To Read This Manual

    How to Read This Manual Symbols This manual uses the following symbols: Indicates points to pay attention to when using the machine, and explanations of likely causes of paper misfeeds, damage to originals, or loss of data. Be sure to read these explanations. Indicates supplementary explanations of the machine's functions, and instructions on resolving user errors.
  • Page 13: Getting Started

    1. Getting Started This chapter describes the machine's security features and how to specify initial security settings. Before Using the Security Functions • If the security settings are not configured, the data in the machine is vulnerable to attack. 1. To prevent this machine being stolen or willfully damaged, etc., install it in a secure location. 2.
  • Page 14: Setting Up The Machine

    1. Getting Started Setting up the Machine This section explains how to enable encryption of transmitted data and configure the administrator account. If you want a high level of security, make the following setting before using the machine. Enabling security Turn the machine on.
  • Page 15 Setting up the Machine Specify IPv4 Address. For details on how to specify the IPv4 address, see "Interface Settings", Network and System Settings Reference. Be sure to connect this machine to a network that only administrators can access. Start Web Image Monitor, and then log in to the machine as the administrator. For details about logging in to Web Image Monitor as an administrator, see "Using Web Image Monitor to Configure Administrator Authentication".
  • Page 16 1. Getting Started Press [Administrator Tools]. Press [Extended Security]. If you are not using [@Remote Service], set [@Remote Service] to [Prohibit]. For details about "Update Firmware", see the following "Firmware Update Cautions". Press [OK]. Press the [User Tools/Counter] key. Disconnect this machine from the administrator-only access network, and then connect it to the general usage network environment.
  • Page 17: Enhanced Security

    Enhanced Security This machine's security functions can be enhanced by managing the machine and its users using the improved authentication functions. By specifying access limits for the machine's functions and the documents and data stored in the machine, information leaks and unauthorized access can be prevented.
  • Page 18: Glossary

    1. Getting Started Glossary Administrator There are four types of administrators according to administrative function: machine administrator, network administrator, file administrator, and user administrator. We recommend a different person for each administrator role. In this way, you can spread the workload and limit unauthorized operation by a single administrator. Basically, administrators make machine settings and manage the machine;...
  • Page 19 Glossary Logout This action is required with administrator and user authentication. This action is required when you have finished using the machine or changing the settings.
  • Page 20: Security Measures Provided By This Machine

    1. Getting Started Security Measures Provided by this Machine Using Authentication and Managing Users Enabling Authentication To control administrators' and users' access to the machine, perform administrator authentication and user authentication using login user names and login passwords. To perform authentication, the authentication function must be enabled.
  • Page 21 Security Measures Provided by this Machine For details about protecting stored files from theft, see "Configuring Access Permissions for Stored Files". Preventing Data Leaks Due to Unauthorized Transmission You can specify in the Address Book which users are allowed to send files using the scanner function. You can also limit the direct entry of destinations to prevent files from being sent to destinations not registered in the Address Book.
  • Page 22: Limiting And Controlling Access

    1. Getting Started • p.145 "Managing Log Files" • p.121 "Encrypting Data on the Hard Disk" • p.127 "Deleting Data on the Hard Disk" Limiting and Controlling Access Preventing Modification or Deletion of Stored Data You can allow selected users to access stored scan files and files stored in Document Server. You can permit selected users who are allowed to access stored files to modify or delete the files.
  • Page 23 Security Measures Provided by this Machine Safer Communication Using SSL, SNMPv3 and IPsec You can encrypt this machine's transmissions using SSL, SNMPv3, and IPsec. By encrypting transmitted data and safeguarding the transmission route, you can prevent sent data from being intercepted, analyzed, and tampered with.
  • Page 24 1. Getting Started...
  • Page 25: Configuring Administrator Authentication

    2. Configuring Administrator Authentication This chapter describes what an administrator can do, how to register an administrator, how to specify administrator authentication, and how to log in to and out from the machine as an administrator. Administrators Administrators manage user access to the machine and various other important functions and settings. When an administrator controls limited access and settings, first select the machine's administrator and enable the authentication function before using the machine.
  • Page 26: Machine Administrator

    2. Configuring Administrator Authentication Machine Administrator This is the administrator who mainly manages the machine's default settings. You can set the machine so that the default for each function can only be specified by the machine administrator. By making this setting, you can prevent unauthorized people from changing the settings and allow the machine to be used securely by its many users.
  • Page 27: About Administrator Authentication

    About Administrator Authentication There are four types of administrators: user administrator, machine administrator, network administrator, and file administrator. For details about each administrator, see "Administrators". 1. User Administrator This administrator manages personal information in the Address Book. You can register/delete users in the Address Book or change users' personal information.
  • Page 28 2. Configuring Administrator Authentication • p.23 "Administrators"...
  • Page 29: Enabling Administrator Authentication

    Enabling Administrator Authentication To control administrators' access to the machine, perform administrator authentication using login user names and passwords. When registering an administrator, you cannot use a login user name already registered in the Address Book. Administrators are handled differently from the users registered in the Address Book.
  • Page 30 2. Configuring Administrator Authentication • If you have enabled "Administrator Authentication Management", make sure not to forget the administrator login user name and login password. If an administrator login user name or login password is forgotten, a new password must be specified using the supervisor's authority. For instructions on registering the supervisor, see "Supervisor Operations".
  • Page 31 Enabling Administrator Authentication Press [User Management], [Machine Management], [Network Management], or [File Management] to select which settings to manage. Set "Admin. Authentication" to [On]. "Available Settings" appears. Select the settings to manage from "Available Settings". The selected settings will be unavailable to users. "Available Settings"...
  • Page 32: Registering The Administrator

    2. Configuring Administrator Authentication • p.261 "Supervisor Operations" • p.33 "Logging in Using Administrator Authentication" • p.34 "Logging out Using Administrator Authentication" • p.143 "Limiting Available Functions" Registering the Administrator If administrator authentication has been specified, we recommend only one person take each administrator role.
  • Page 33 Enabling Administrator Authentication In the line for the administrator whose authority you want to specify, press [Administrator 1], [Administrator 2], [Administrator 3] or [Administrator 4], and then press [Change]. If you allocate each administrator's authority to a different person, the screen appears as follows: Press [Change] for the login user name.
  • Page 34 2. Configuring Administrator Authentication Press [Change] for the login password. Enter the login password, and then press [OK]. Follow the password policy to make the login password more secure. For details about the password policy and how to specify it, see "Specifying the Extended Security Functions".
  • Page 35: Logging In Using Administrator Authentication

    Enabling Administrator Authentication Logging in Using Administrator Authentication If administrator authentication has been specified, log in using an administrator's user name and password. This section describes how to log in. When you log in with a user name that has multiple administrator privileges, one of the administrator privileges associated with that name is displayed.
  • Page 36: Logging Out Using Administrator Authentication

    2. Configuring Administrator Authentication • If you log in using administrator authority, the name of the administrator logging on appears. • If you try to log in from an operating screen, "You do not have the privileges to use this function. You can only change setting(s) as an administrator."...
  • Page 37: Using Web Image Monitor To Configure Administrator Authentication

    Enabling Administrator Authentication • Administrator privileges cannot be revoked by any single administrator. • p.33 "Logging in Using Administrator Authentication" • p.34 "Logging out Using Administrator Authentication" Using Web Image Monitor to Configure Administrator Authentication Using Web Image Monitor, you can log in to the machine and change the administrator settings. This section describes how to access Web Image Monitor.
  • Page 38 2. Configuring Administrator Authentication Click the link to the administrator's page in the header area on the upper-right hand of the screen. To change administrative settings (GL/2 & TIFF Initial Configuration), click To collect system logs, click Enter the administrator password, and then click [OK]. Make settings as desired.
  • Page 39: Configuring User Authentication

    3. Configuring User Authentication This chapter describes what a user can do, how to specify user authentication, and how to log into and out from the machine as a user. Users A user performs normal operations on the machine, such as copying and printing. Users are managed using the personal information in the machine's Address Book, and can use only the functions they are permitted to access by administrators.
  • Page 40: About User Authentication

    3. Configuring User Authentication About User Authentication This machine has an authentication function to prevent unauthorized access. By using login user name and login password, you can specify access limits for individual users and groups of users. 1. User A user performs normal operations on the machine, such as copying and printing.
  • Page 41: Configuring User Authentication

    Configuring User Authentication Specify administrator authentication and user authentication according to the following chart: Administrator authentication Specify administrator privileges. Register administrators. User authentication Specify user authentication. Five types of user authentication are available: • User Code Authentication •...
  • Page 42: Enabling User Authentication

    3. Configuring User Authentication Enabling User Authentication To control users' access to the machine, perform user authentication using login user names and passwords. There are five types of user authentication methods: User Code authentication, Basic authentication, Windows authentication, LDAP authentication, and Integration Server authentication. To use user authentication, select an authentication method on the control panel, and then make the required settings for the authentication.
  • Page 43: User Code Authentication

    User Code Authentication This is an authentication method for limiting access to functions according to a user code. The same user code can be used by more than one user. For details about specifying user codes, see "Authentication Information", Network and System Settings Reference.
  • Page 44 3. Configuring User Authentication Select which of the machine's functions you want to limit. The selected settings will be unavailable to users. For details about limiting available functions for individuals or groups, see "Limiting Available Functions". Select the "Printer Job Authentication" level. If this item is not visible, press [Next] to display more settings.
  • Page 45 User Code Authentication Selecting Entire or Simple (All) If you select [Entire], you cannot print using a printer driver or a device that does not support authentication. To print under an environment that does not support authentication, select [Simple (All)] or [Simple (Limitation)].
  • Page 46 3. Configuring User Authentication Press [Change]. Specify the range in which [Simple (Limitation)] is applied to "Printer Job Authentication". You can specify the IPv4 address range to which this setting is applied, and whether or not to apply the setting to the USB interface. Press [Exit].
  • Page 47: Basic Authentication

    Basic Authentication Specify this authentication method when using the machine's Address Book to authenticate each user. Using Basic authentication, you can not only manage the machine's available functions but also limit access to stored files and to the personal data in the Address Book. Under Basic authentication, the administrator must specify the functions available to each user registered in the Address Book.
  • Page 48 3. Configuring User Authentication For details about specifying available functions for individuals or groups, see "Limiting Available Functions". Select the "Printer Job Authentication" level. If you select [Entire] or [Simple (All)], proceed to "Selecting Entire or Simple (All)". If you select [Simple (Limitation)], proceed to "Selecting Simple (Limitation)". For a description of the printer job authentication levels, see "Printer Job Authentication".
  • Page 49: Authentication Information Stored In The Address Book

    Basic Authentication If you press [Yes], you will be automatically logged out. Press the [User Tools/Counter] key. Selecting Simple (Limitation) If you select [Simple (Limitation)], you can specify clients for which printer job authentication is not required. Specify [USB: Simple] and the clients' IPv4 address range in which printer job authentication is not required. Specify this setting if you want to print using unauthenticated printer drivers or without any printer driver.
  • Page 50: Specifying Login User Names And Passwords

    3. Configuring User Authentication For details about logging in and logging out with administrator authentication, see "Logging in Using Administrator Authentication" and "Logging out Using Administrator Authentication". If you have enabled user authentication, you can specify access limits and usage limits to the machine's functions for each user or group of users.
  • Page 51 Basic Authentication Select the user. Press [Auth. Info]. Press [Change] for "Login User Name". Enter a login user name, and then press [OK].
  • Page 52: Specifying Login Details

    3. Configuring User Authentication Press [Change] for "Login Password". Enter a login password, and then press [OK]. If a password reentry screen appears, enter the login password, and then press [OK]. Press [OK]. Press [Exit] twice. Press the [User Tools/Counter] key. •...
  • Page 53 Basic Authentication For details about specifying login user name and login password, see "Specifying Login User Names and Passwords". • When using "Use Auth. Info at Login" for "SMTP Authentication", "Folder Authentication", or "LDAP Authentication", a user name other than "other", "admin", "supervisor" or "HIDE***" must be specified.
  • Page 54: Windows Authentication

    3. Configuring User Authentication Windows Authentication Specify this authentication when using the Windows domain controller to authenticate users who have their accounts on the directory server. Users cannot be authenticated if they do not have their accounts in the directory server. Under Windows authentication, you can specify the access limit for each group registered in the directory server.
  • Page 55: Specifying Windows Authentication

    Windows Authentication • During Windows Authentication, data registered in the directory server, such as the user's e-mail address, is automatically registered in the machine. If user information on the server is changed, information registered in the machine may be overwritten when authentication is performed. •...
  • Page 56 3. Configuring User Authentication Press [Administrator Tools]. Press [User Authentication Management]. If this item is not visible, press [Next] to display more settings. Select [Windows Auth.]. If you do not want to use user authentication management, select [Off]. If you want to use Kerberos authentication, press [On]. If you want to use NTLM authentication, press [Off] and proceed to step 8.
  • Page 57 Windows Authentication Press [Change] for "Domain Name", enter the name of the domain controller to be authenticated, and then press [OK]. Select the "Printer Job Authentication" level. If this item is not visible, press [Next] to display more settings. If you select [Entire] or [Simple (All)], proceed to "Selecting Entire or Simple (All)".
  • Page 58 3. Configuring User Authentication If you select [Simple (All)], you can print even with unauthenticated printer drivers or devices. Specify this setting if you want to print with a printer driver or device that cannot be identified by the machine or if you do not require authentication for printing.
  • Page 59 Windows Authentication Under "Group Name", press [Change], and then enter the group name. Press [OK]. Select which of the machine's functions you want to permit. Windows Authentication will be applied to the selected functions. Users can use the selected functions only. For details about specifying available functions for individuals or groups, see "Limiting Available Functions".
  • Page 60 3. Configuring User Authentication • p.143 "Limiting Available Functions" Selecting Simple (Limitation) If you select [Simple (Limitation)], you can specify clients for which printer job authentication is not required. Specify [USB: Simple] and the clients' IPv4 address range in which printer job authentication is not required. Specify this setting if you want to print using unauthenticated printer drivers or without any printer driver.
  • Page 61 Windows Authentication Press [On] for "Use Secure Connection (SSL)". If you are not using secure sockets layer (SSL) for authentication, press [Off]. If global groups have been registered under Windows server, you can limit the use of functions for each global group. You need to create global groups in the Windows server in advance and register in each group the users to be authenticated.
  • Page 62 3. Configuring User Authentication Under "Group Name", press [Change], and then enter the group name. Press [OK]. Select which of the machine's functions you want to permit. Windows Authentication will be applied to the selected functions. Users can use the selected functions only. For details about specifying available functions for individuals or groups, see "Limiting Available Functions".
  • Page 63: Installing Internet Information Services (Iis) And Certificate Services

    Windows Authentication • p.143 "Limiting Available Functions" Installing Internet Information Services (IIS) and Certificate Services Specify this setting if you want the machine to automatically obtain e-mail addresses registered in Active Directory. We recommend you install Internet Information Services (IIS) and Certificate services as the Windows components.
  • Page 64: Creating The Server Certificate

    3. Configuring User Authentication Creating the Server Certificate After installing Internet Information Services (IIS) and Certificate services Windows components, create the Server Certificate as follows: Windows Server 2008 R2 is used to illustrate the procedure. On the [Start] menu, point to [Administrator Tools], and then click [Internet Information Services (IIS) Manager].
  • Page 65 Windows Authentication Enter the contents of the device certificate. In the certificate box, enter the contents of the device certificate issued by the certificate authority. For details about the displayed items and selectable items, see Web Image Monitor Help. Click [OK]. Wait a moment for the device to restart, and then click [OK].
  • Page 66: Ldap Authentication

    3. Configuring User Authentication LDAP Authentication Specify this authentication method when using the LDAP server to authenticate users who have their accounts on the LDAP server. Users cannot be authenticated if they do not have their accounts on the LDAP server. The Address Book stored in the LDAP server can be registered to the machine, enabling user authentication without first using the machine to register individual settings in the Address Book.
  • Page 67: Specifying Ldap Authentication

    LDAP Authentication Select either Kerberos, DIGEST, or Cleartext authentication. • User Name You do not have to enter the user name if the LDAP server supports "Anonymous Authentication". • Password You do not have to enter the password if the LDAP server supports "Anonymous Authentication".
  • Page 68 3. Configuring User Authentication Press the [User Tools/Counter] key. Press [System Settings]. Press [Administrator Tools]. Press [User Authentication Management]. If this item is not visible, press [Next] to display more settings. Select [LDAP Auth.]. If you do not want to use user authentication management, select [Off]. Select the LDAP server to be used for LDAP authentication.
  • Page 69 LDAP Authentication If you select [Entire] or [Simple (All)], proceed to "Selecting Entire or Simple (All)". If you select [Simple (Limitation)], proceed to "Selecting Simple (Limitation)". For a description of the printer job authentication levels, see "Printer Job Authentication". • p.33 "Logging in Using Administrator Authentication" •...
  • Page 70 3. Configuring User Authentication Press [Change] for "Login Name Attribute". Enter the login name attribute, and then press [OK]. Use the login name attribute as a search criterion to obtain information about an authenticated user. You can create a search filter based on the Login Name Attribute, select a user, and then retrieve the user information from the LDAP server so it is transferred to the machine's Address Book.
  • Page 71 LDAP Authentication Press [OK]. Press the [User Tools/Counter] key. A confirmation message appears. If you press [Yes], you will be automatically logged out. • p.143 "Limiting Available Functions" Selecting Simple (Limitation) If you select [Simple (Limitation)], you can specify clients for which printer job authentication is not required. Specify [USB: Simple] and the clients' IPv4 address range in which printer job authentication is not required.
  • Page 72 3. Configuring User Authentication Specify the range in which [Simple (Limitation)] is applied to "Printer Job Authentication". You can specify the IPv4 address range to which this setting is applied, and whether or not to apply the setting to the USB interface. Press [Exit].
  • Page 73 LDAP Authentication can enter an attribute such as "serialNumber" or "uid". Additionally, you can enter "cn" or "employeeNumber", provided it is unique. If you do not specify the Unique Attribute, an account with the same user information but with a different login user name will be created in the machine. Press [OK].
  • Page 74: Integration Server Authentication

    3. Configuring User Authentication Integration Server Authentication To use Integration Server authentication, you need a server on which ScanRouter software that supports authentication is installed. For external authentication, the Integration Server authentication collectively authenticates users accessing the server over the network, providing a server-independent, centralized user authentication system that is safe and convenient.
  • Page 75 Integration Server Authentication Select [Integration Svr. Auth.]. If you do not want to use User Authentication Management, select [Off]. Press [Change] for "Server Name". Specify the name of the server for external authentication. Enter the server name, and then press [OK]. Enter the IPv4 address or host name.
  • Page 76 3. Configuring User Authentication Enter the domain name, and then press [OK]. You cannot specify a domain name under an authentication system that does not support domain login. Press [Obtain URL]. The machine obtains the URL of the server specified in "Server Name". If "Server Name"...
  • Page 77 Integration Server Authentication Under "Group Name", press [Change], and then enter the group name. Press [OK]. Select which of the machine's functions you want to permit. Authentication will be applied to the selected functions. Users can use the selected functions only. For details about specifying available functions for individuals or groups, see "Limiting Available Functions".
  • Page 78 3. Configuring User Authentication If you select [Simple (Limitation)], proceed to "Selecting Simple (Limitation)". For a description of the printer job authentication levels, see "Printer Job Authentication". • p.33 "Logging in Using Administrator Authentication" • p.34 "Logging out Using Administrator Authentication" •...
  • Page 79 Integration Server Authentication Selecting Simple (Limitation) If you select [Simple (Limitation)], you can specify clients for which printer job authentication is not required. Specify [USB: Simple] and the clients' IPv4 address range in which printer job authentication is not required. Specify this setting if you want to print using unauthenticated printer drivers or without any printer driver.
  • Page 80 3. Configuring User Authentication Press [On] for "Use Secure Connection (SSL)", and then press [OK]. To not use secure sockets layer (SSL) for authentication, press [Off]. Press the [User Tools/Counter] key. A confirmation message appears. If you press [Yes], you will be automatically logged out.
  • Page 81: Printer Job Authentication

    Printer Job Authentication Printer Job Authentication This section explains the relationship between printer job authentication levels and printer job types. Depending on the combination of printer job authentication level and printer job type, the machine may not print properly. Set an appropriate combination according to the operating environment. When user authentication is disabled, printing is possible for all job types.
  • Page 82 3. Configuring User Authentication Printer Job Types 1. The printer job contains user code information. Personal authentication information is not added to the printer job but the user code information is. This also applies to recovery/parallel printing using a PCL printer driver that does not support authentication. 2.
  • Page 83: If User Authentication Is Specified

    If User Authentication is Specified If User Authentication is Specified When user authentication (User Code Authentication, Basic Authentication, Windows Authentication, LDAP Authentication, or Integration Server Authentication) is set, the authentication screen is displayed. To use the machine's security functions, each user must enter a valid user name and password. Log in to operate the machine, and log out when you have finished operations.
  • Page 84: If Basic, Windows, Ldap Or Integration Server Authentication Is Specified

    3. Configuring User Authentication • To log out, do one of the following: • Press the operation switch. • Press the [Energy Saver] key after jobs are completed. • Press the [Clear/Stop] key and the [Clear Modes] key at the same time. Logging in Using the Printer Driver When User Code Authentication is set, specify a user code in the printer driver's printing preferences dialog box.
  • Page 85: Logging In Using Web Image Monitor

    If User Authentication is Specified Logging out Using the Control Panel Follow the procedure below to log out when Basic Authentication, Windows Authentication, LDAP Authentication, or Integration Server Authentication is set. Press the [Login/Logout] key. Press [Yes]. The message, "Logging out... Please wait." appears. •...
  • Page 86 3. Configuring User Authentication Lockout setting items The lockout function settings can be made using Web Image Monitor.
    Setting Item | Description | Setting Values | Default Setting
    Lockout | Specify whether or not to enable the lockout function. | • Active • Inactive | • Inactive
  • Page 87 If User Authentication is Specified The top page of Web Image Monitor appears. Click [Login]. The machine administrator can log in. Enter the login user name and login password. Click [Configuration], and then click [User Lockout Policy] under "Security". The User Lockout Policy page appears. Set "Lockout"...
  • Page 88: Auto Logout

    3. Configuring User Authentication • You can cancel the administrator and supervisor password lockout by turning the power off and then turning it back on again, or by canceling the setting in [Program/Change Administrator] under [Configuration] in Web Image Monitor. Auto Logout This can be specified by the machine administrator.
  • Page 89 If User Authentication is Specified Select [On]. If you do not want to specify [Auto Logout Timer], select [Off]. Enter "60" to "999" (seconds) using the number keys, and then press [ ]. Press the [User Tools/Counter] key. A confirmation message appears. If you press [Yes], you will be automatically logged out.
  • Page 90: Authentication Using An External Device

    3. Configuring User Authentication Authentication Using an External Device To authenticate using an external device, see the device manual. For details, contact your sales representative.
  • Page 91: Protecting Data From Information Leaks

    4. Protecting Data from Information Leaks This chapter describes how to protect document data. Printing a Confidential Document Depending on the location of the machine, it is difficult to prevent unauthorized persons from viewing prints lying in the machine's output trays. When printing confidential documents, use the Locked Print function. Locked Print •...
  • Page 92: Printing A Locked Print File

    4. Protecting Data from Information Leaks Print the locked document. Printing a Locked Print File To print a Locked Print file, you must be at the machine and print the file using the control panel. To print Locked Print files, the password is required. If you do not enter the correct password, you cannot print the files.
  • Page 93: Deleting Locked Print Files

    Printing a Confidential Document Press [Print]. Enter the password for the stored file, and then press [OK]. Enter the password specified in step 4 of "Specifying a Locked Print File". Press [Yes]. • For details about logging in and logging out with user authentication, see "If User Authentication is Specified".
  • Page 94: Changing The Password Of A Locked Print File

    4. Protecting Data from Information Leaks Select the file. Press [Delete]. Enter the password of the Locked Print file, and then press [OK]. The password entry screen does not appear if the file administrator is logged in. Press [Yes]. • You can configure this machine to delete stored files automatically by setting the "Auto Delete Temporary Print Jobs"...
  • Page 95: Unlocking A Locked Print File

    Printing a Confidential Document Press [Change Password]. Enter the password for the stored file, and then press [OK]. The password entry screen will not appear if the file administrator is logged in. Enter the new password for the stored file, and then press [OK]. If a password reentry screen appears, enter the login password, and then press [OK].
  • Page 96 4. Protecting Data from Information Leaks "Enhance File Protection" is one of the extended security functions. For details about this and other extended security functions, see "Specifying the Extended Security Functions". Only the file administrator can unlock files. For details about logging in and logging out with administrator authentication, see "Logging in Using Administrator Authentication"...
  • Page 97: Configuring Access Permissions For Stored Files

    Configuring Access Permissions for Stored Files Configuring Access Permissions for Stored Files This section describes how to specify access permissions for stored files. You can specify who is allowed to access stored scan files and files stored in Document Server. This can prevent activities such as printing or sending of stored files by unauthorized users.
  • Page 98: Specifying User And Access Permissions For Stored Files

    4. Protecting Data from Information Leaks • p.104 "Specifying Passwords for Stored Files" Specifying User and Access Permissions for Stored Files This can be specified by the file creator (owner) or file administrator. For details about logging in and logging out with administrator authentication, see "Logging in Using Administrator Authentication" and "Logging out Using Administrator Authentication".
  • Page 99 Configuring Access Permissions for Stored Files Press [File Management]. Press [Change Access Priv.]. Press [Program/Change/Delete].
  • Page 100 4. Protecting Data from Information Leaks Press [New Program]. Select the users or groups to whom you want to assign access permission. You can select more than one user. By pressing [All Users], you can select all the users. Press [Exit]. Select the user to whom you want to assign access permission, and then select the permission.
  • Page 101: Changing The Owner Of A Document

    Configuring Access Permissions for Stored Files • The "Edit", "Edit / Delete", and "Full Control" access permissions allow a user to perform high level operations that could result in loss of or changes to sensitive information. We recommend you grant only the "Read-only"...
  • Page 102 4. Protecting Data from Information Leaks Press [Store File]. Press [Access Privileges]. Press [New Program]. Select the users or groups to whom you want to assign permission. You can select more than one user. By pressing [All Users], you can select all the users. Press [Exit].
  • Page 103 Configuring Access Permissions for Stored Files Press [OK]. Store files in Document Server. Specifying Access Permissions for Stored Files This section explains how to change access privileges for a file stored in Document Server under the scanner function. Press [Select Stored File]. Select the file.
  • Page 104 4. Protecting Data from Information Leaks Press [Change Access Priv.]. Press [Program/Change/Delete]. Press [New Program]. Select the users or groups to whom you want to assign permission. You can select more than one user. By pressing [All Users], you can select all the users. Press [Exit].
  • Page 105: Specifying User And Access Permissions For Files Stored By A Particular User

    Configuring Access Permissions for Stored Files Press [OK]. • The "Edit", "Edit / Delete", and "Full Control" access permissions allow a user to perform high level operations that could result in loss of or changes to sensitive information. We recommend you grant only the "Read-only"...
  • Page 106: Specifying Passwords For Stored Files

    4. Protecting Data from Information Leaks Press [New Program]. Select the users or groups to register. You can select more than one user. By pressing [All Users], you can select all the users. Press [Exit]. Select the user to whom you want to assign access permission, and then select the permission.
  • Page 107: Unlocking Files

    Configuring Access Permissions for Stored Files Press the [Document Server] key. Select the file. Press [File Management]. Press [Change Password]. Enter the password using the number keys. You can use 4 to 8 numbers as the password for the stored file. Press [OK].
  • Page 108 4. Protecting Data from Information Leaks "Enhance File Protection" is one of the extended security functions. For details about this and other extended security functions, see "Specifying the Extended Security Functions". Only the file administrator can unlock files. For details about logging in and logging out with administrator authentication, see "Logging in Using Administrator Authentication"...
  • Page 109: Securing Information Sent Over The Network Or Stored On Hard Disk

    5. Securing Information Sent over the Network or Stored on Hard Disk This chapter describes how to protect information transmitted through the network or stored on the hard disk from unauthorized viewing and modification. Preventing Information Leakage Due to Unauthorized Transmission This section describes Preventing Data Leaks Due to Unauthorized Transmission.
  • Page 110 5. Securing Information Sent over the Network or Stored on Hard Disk For details about logging in and logging out with administrator authentication, see "Logging in Using Administrator Authentication" and "Logging out Using Administrator Authentication". Press the [User Tools/Counter] key. Press [System Settings].
  • Page 111: Using S/Mime To Protect E-Mail Transmission

    Using S/MIME to Protect E-mail Transmission Using S/MIME to Protect E-mail Transmission By registering a user certificate in the Address Book, you can send e-mail that is encrypted with a public key which prevents its content from being altered during transmission. You can also prevent sender impersonation (spoofing) by installing a device certificate on the machine, and attaching an electronic signature created with a private key.
  • Page 112 5. Securing Information Sent over the Network or Stored on Hard Disk 4. Using the shared key, encrypt the e-mail message. 5. The shared key is encrypted using the user's public key. 6. The encrypted e-mail is sent. 7. The receiver decrypts the shared key using a secret key that corresponds to the public key. 8.
  • Page 113: Attaching An Electronic Signature

    Using S/MIME to Protect E-mail Transmission Specifying the Encryption Algorithm This can be specified by the network administrator. Open a Web browser. Enter "http://(the machine's IP address or host name)/" in the address bar. When entering an IPv4 address, do not begin segments with zeros. For example: If the address is "192.168.001.010", you must enter it as "192.168.1.10"...
  • Page 114 5. Securing Information Sent over the Network or Stored on Hard Disk Configuration flow (self-signed certificate) 1. Create and install the device certificate using Web Image Monitor. 2. Make settings for the certificate to be used for S/MIME using Web Image Monitor. 3.
  • Page 115 Using S/MIME to Protect E-mail Transmission Check the details, and then click [OK]. "Installed" appears under "Certificate Status" to show that a device certificate for the printer has been installed. Click [Logout]. • Click [Delete] to delete the device certificate from the machine. Creating the Device Certificate (Issued by a Certificate Authority) This can be specified by the network administrator.
  • Page 116 5. Securing Information Sent over the Network or Stored on Hard Disk • The issuing location may not be displayed if you request two certificates at the same time. When you install a certificate, be sure to check the certificate destination and installation procedure. •...
  • Page 117 Using S/MIME to Protect E-mail Transmission Click [Logout]. • If a certificate authority issues a certificate that must be authenticated by an intermediate certificate authority, and the certificate is installed on this machine, an intermediate certificate must be installed on the client computer. Otherwise, validation by the certificate authority will not be performed correctly.
  • Page 118 5. Securing Information Sent over the Network or Stored on Hard Disk After installing the device certificate on the machine, configure the electronic signature using Web Image Monitor. The configuration procedure is the same regardless of whether you are using a self-signed certificate or a certificate issued by a certificate authority.
  • Page 119: Protecting The Address Book

    Protecting the Address Book Protecting the Address Book If user authentication is specified, the user who has logged in will be designated as the sender to prevent data from being sent by an unauthorized person masquerading as the user. To protect the data from unauthorized reading, you can also encrypt the data in the Address Book. Configuring Address Book Access Permissions This can be specified by the registered user.
  • Page 120: Encrypting Data In The Address Book

    5. Securing Information Sent over the Network or Stored on Hard Disk Press [Exit]. Select the user to whom you want to assign access permission, and then select the permission. Select the permission, from [Read-only], [Edit], [Edit / Delete], or [Full Control]. Press [Exit].
  • Page 121 Protecting the Address Book Press [On] for "Encrypt Address Book". Press [Change] for "Encryption Key". Enter the encryption key, and then press [OK]. Enter the encryption key using up to 32 alphanumeric characters. Press [Encrypt / Decrypt]. Press [Yes]. Do not switch the main power off during encryption, as doing so may corrupt the data. Encrypting the data in the Address Book may take a long time.
  • Page 122 5. Securing Information Sent over the Network or Stored on Hard Disk If you press [Stop] during encryption, the data is not encrypted. If you press [Stop] during decryption, the data stays encrypted. Press [Exit]. Press [OK]. Press the [User Tools/Counter] key. •...
  • Page 123: Encrypting Data On The Hard Disk

    Encrypting Data on the Hard Disk Encrypting Data on the Hard Disk This can be specified by the machine administrator. For details about logging in and logging out with administrator authentication, see "Logging in Using Administrator Authentication" and "Logging out Using Administrator Authentication". Prevent information leakage by encrypting the Address Book, authentication information, and stored documents as the data is written.
  • Page 124 5. Securing Information Sent over the Network or Stored on Hard Disk erase-by-overwrite function and the encryption function are specified, encryption begins after the data that is stored on the hard disk has been overwritten and the machine has been rebooted by turning the main power switch off and then on.
  • Page 125: Printing The Encryption Key

    Encrypting Data on the Hard Disk Press the [Start] key. The encryption key for backup data is printed. Press [OK]. Press [Exit]. Press [Exit]. Press the [User Tools/Counter] key. Turn off the power and the main power switch, and then turn the main power switch back on. For details about turning off the power, see "Turning On/Off the Power", About This Machine.
  • Page 126: Updating The Encryption Key

    5. Securing Information Sent over the Network or Stored on Hard Disk • The encryption key is required for data recovery if the machine malfunctions. Be sure to store the encryption key safely for retrieving backup data. • If the encryption key update was not completed, the printed encryption key will not be valid. Press the [User Tools/Counter] key.
  • Page 127 Encrypting Data on the Hard Disk • The encryption key is required for recovery if the machine malfunctions. Be sure to store the encryption key safely for retrieving backup data. • When the encryption key is updated, encryption is performed using the new key. After completing the procedure on the machine's control panel, turn off the power and restart the machine to enable the new settings.
  • Page 128: Canceling Data Encryption

    5. Securing Information Sent over the Network or Stored on Hard Disk Press the [User Tools/Counter] key. Turn off the power and the main power switch, and then turn the main power switch back on. For details about turning off the power, see "Turning On/Off the Power", About This Machine. Canceling Data Encryption Use the following procedure to cancel the encryption settings when encryption is no longer necessary.
  • Page 129: Deleting Data On The Hard Disk

    Deleting Data on the Hard Disk Deleting Data on the Hard Disk This can be specified by the machine administrator. The machine's hard disk stores all document data from the copier, printer and scanner functions. It also stores the data of users' Document Server and code counters, and the Address Book. To prevent data on the hard disk being leaked before disposing of the machine, you can overwrite all data stored on the hard disk.
  • Page 130: Auto Erase Memory

    5. Securing Information Sent over the Network or Stored on Hard Disk Auto Erase Memory A document scanned in copier or scanner mode, or print data sent from a printer driver, is temporarily stored on the machine's hard disk. Even after the job is completed, it remains on the hard disk as temporary data.
  • Page 131 Deleting Data on the Hard Disk Methods of Overwriting You can select a method of overwriting from the following: • NSA Temporary data is overwritten twice with random numbers and once with zeros. • DoD Temporary data is overwritten with a fixed value, the fixed value's complement, and random numbers. When completed, the overwriting is then verified.
  • Page 132 5. Securing Information Sent over the Network or Stored on Hard Disk Press [Auto Erase Memory Setting]. Press [On]. Select the method of overwriting. If you select [NSA] or [DoD], proceed to step 9. If you select [Random Numbers], proceed to step 7. For details about the methods of overwriting, see "Methods of Overwriting".
  • Page 133 Deleting Data on the Hard Disk • If you specify to both overwrite and encrypt the data, the data will all be encrypted. • p.33 "Logging in Using Administrator Authentication" • p.34 "Logging out Using Administrator Authentication" • p.129 "Methods of Overwriting" Canceling Auto Erase Memory This can be specified by the machine administrator.
  • Page 134: Erase All Memory

    5. Securing Information Sent over the Network or Stored on Hard Disk • PDF Direct Print data Scanner • Scanned files sent by e-mail • Files sent by Scan to Folder • Documents sent using DeskTopBinder, the ScanRouter delivery software or Web Image Monitor Data scanned with network TWAIN scanner will not be overwritten by Auto Erase Memory.
  • Page 135 Deleting Data on the Hard Disk • Other than pausing, no operations are possible during the "Erase All Memory" process. If [Random Numbers] is specified and the number of overwrites set to "3", the erase process will take about two hours.
  • Page 136 5. Securing Information Sent over the Network or Stored on Hard Disk Enter the number of times that you want to overwrite using the number keys, and then press [ ]. Press [Erase]. Press [Yes]. When overwriting is completed, press [Exit], and then turn off the main power. Before turning the power off, see "Turning On the Power", About This Machine.
  • Page 137 Deleting Data on the Hard Disk • Erase All Memory cannot be canceled. Press [Suspend] while Erase All Memory is in progress. Press [Yes]. Erase All Memory is suspended. Turn off the main power. Before turning the power off, see "Turning On the Power", About This Machine. •...
  • Page 138 5. Securing Information Sent over the Network or Stored on Hard Disk...
  • Page 139: Managing Access To The Machine

    6. Managing Access to the Machine This chapter describes how to prevent unauthorized access to and modification of the machine's settings. Preventing Changes to Machine Settings This section describes preventing modification of machine settings. The administrator type determines which machine settings can be modified. Users cannot change the administrator settings.
  • Page 140 6. Managing Access to the Machine • p.23 "Administrators" • p.30 "Registering the Administrator" • p.265 "User Administrator Settings" • p.267 "Machine Administrator Settings" • p.275 "Network Administrator Settings" • p.279 "File Administrator Settings" • p.286 "User Settings - Control Panel Settings" •...
  • Page 141: Menu Protect

    Menu Protect Menu Protect The administrator can also limit users' access permission to the machine's settings. The machine's "System Settings" menu and the printer's regular menus can be locked so they cannot be changed. This function is also effective when management is not based on user authentication. For a list of settings that users can specify according to the Menu Protect level, see "User Settings - Control Panel Settings", or "User Settings - Web Image Monitor Settings".
  • Page 142 6. Managing Access to the Machine Copy Function To specify "Menu Protect" in "Copier / Document Server Features", set "Machine Management" to [On] in "Administrator Authentication Management" in "Administrator Tools" in "System Settings". Press the [User Tools/Counter] key. Press [Copier / Document Server Features]. Press [Administrator Tools].
  • Page 143 Menu Protect Printer Function To specify "Menu Protect" in "Printer Features", set "Machine Management" to [On] in "Administrator Authentication Management" in "Administrator Tools" in "System Settings". Press the [User Tools/Counter] key. Press [Printer Features]. Press [Maintenance]. Press [Menu Protect]. Select the menu protect level, and then press [OK]. Press the [User Tools/Counter] key.
  • Page 144 6. Managing Access to the Machine Scanner Function To specify "Menu Protect" in "Scanner Features", set "Machine Management" to [On] in "Administrator Authentication Management" in "Administrator Tools" in "System Settings". Press the [User Tools/Counter] key. Press [Scanner Features]. Press [Initial Settings]. Press [Menu Protect].
  • Page 145: Limiting Available Functions

    Limiting Available Functions Limiting Available Functions To prevent unauthorized operation, you can specify who is allowed to access each of the machine's functions. Available Functions Specify the available functions from the copier, Document Server, scanner, and printer functions. Specifying Which Functions are Available This can be specified by the user administrator.
  • Page 146 6. Managing Access to the Machine • p.33 "Logging in Using Administrator Authentication" • p.34 "Logging out Using Administrator Authentication"...
  • Page 147: Managing Log Files

    Managing Log Files Managing Log Files The logs created by this machine allow you to track access to the machine, identities of users, and usage of the machine's various functions. For security, you can encrypt the logs. This prevents users who do not have the encryption key from accessing log information.
  • Page 148 6. Managing Access to the Machine Disabling log transfer to Remote Communication Gate S Use the following procedure to disable log transfer from the machine to Remote Communication Gate S. Note that you can change the log transfer setting to [Off] only if it is already set to [On]. For details about Remote Communication Gate S, contact your sales representative.
  • Page 149: Using Remote Communication Gate S To Manage Log Files

    Managing Log Files Press [Exit]. Press the [User Tools/Counter] key. Using Remote Communication Gate S to Manage Log Files For details about using Remote Communication Gate S to manage Log Files, see the manual supplied with Remote Communication Gate S. Using Web Image Monitor to Manage Log Files This can be specified by the machine administrator.
  • Page 150 6. Managing Access to the Machine Click [Login]. The machine administrator can log in using the appropriate login user name and login password. Click [Configuration], and then click [Logs] under "Device Settings". Select "Collect Job Logs" to specify Job Log settings, or select "Collect Access Logs" to specify Access Log settings, and then select [Active].
  • Page 151 Managing Log Files Open a Web browser. Enter "http://(the machine's IP address or host name)/" in the address bar. When entering an IPv4 address, do not begin segments with zeros. For example: If the address is "192.168.001.010", you must enter it as "192.168.1.10" to connect to the machine. The top page of Web Image Monitor appears.
  • Page 152: Downloading Logs

    6. Managing Access to the Machine Click [Back]. All job logs and device access log records are cleared. Click [Logout]. • On this page, "Delete All Logs" does not appear if either "Collect Job Logs" or "Collect Access Logs" is not set to [Active]. Downloading logs Use the following procedure to convert the logs stored in the machine into a CSV file for simultaneous batch download.
  • Page 153 Managing Log Files • To collect logs, set "Collect Job Logs" and "Collect Access Logs" to [Active]. This setting can be specified in [Logs] under [Configuration] in Web Image Monitor. • For details about the items contained in the logs, see "Attributes of logs you can download". •...
  • Page 154 6. Managing Access to the Machine • During log downloads, do not perform operations that will create log entries, as logs that are in the process of downloading cannot be updated with new entries. • Batch deletion of logs can be performed from the control panel or through Web Image Monitor. Notes on operation when the number of log entries reaches maximum The machine reads the number of access and job logs and begins overwriting the oldest log entries to make space for the new logs as they arrive.
  • Page 155 Managing Log Files 4. Downloaded logs If logs are downloaded during overwriting CAW003S 1. Access log 2. Job log 3. Download 4. Downloaded logs 5. Overwriting 6. Deleted by overwriting To determine whether or not overwriting occurred while the logs were downloading, check the message in the last line of the downloaded logs.
  • Page 156 6. Managing Access to the Machine • Examine logs following "Log ID xxxx". Detailed explanation of print job-related log entries Print Log entries are made before the login entry is made in the Access Log. Details of series of jobs (including reception, processing, and output of the jobs' data) are combined into single entries.
  • Page 157: Logs That Can Be Managed Using Web Image Monitor

    Managing Log Files 7. Authentication (login) data is recorded as an entry in the Access Log. 8. Information about the processing of the print job is recorded as an entry in the Job Log (using the same ID). 9. Information about the outputting of the print job is recorded as an entry in the Job Log (using the same ID).
  • Page 158 6. Managing Access to the Machine
    Job Log Item | Log Type Attribute | Content
    Scanner: Sending and Storing | Scanner: Sending and Storing | Details of scan files stored in Document Server that were also sent at the time of storage.
    Scanner: Storing | Scanner: Storing | Details of scan files stored in Document Server.
  • Page 159 Managing Log Files
    Job Log Item | Log Type Attribute | Content
    Printer: Store and Normal Print | Printer: Store and Normal Print | Details of Stored Print files that were printed at the time of storage (when "Job Type:" was set to "Store and Print" in printer properties).
    Printer: Stored File | Printer: Stored File | Details of Stored Print files printed from the...
  • Page 160 6. Managing Access to the Machine
    Access Log Item | Log Type Attribute | Content
    Access Violation | Access Violation | Details of failed access attempts.
    Lockout | Lockout | Details of lockout activation.
    Firmware: Update | Firmware: Update | Details of firmware updates.
    Firmware: Structure Change | Firmware: Structure Change | Details of structure changes that occurred when...
  • Page 161: Attributes Of Logs You Can Download

    Managing Log Files • If "Job Log Collect Level" is set to "Level 1", all job logs are collected. • If "Access Log Collect Level" is set to "Level 1", the following information items are recorded in the access log: •...
  • Page 162 6. Managing Access to the Machine CAW008S 1. All Each item in the list is displayed on a separate line. 2. Source Displays details of the job log entry and the "Result" and "Status" of each item. If there are multiple sources, multiple lines are displayed. 3.
  • Page 163 Managing Log Files Item Content Result Indicates the result of an operation or event: • If "Succeeded" is displayed for a job log entry, the operation completed successfully; "Failed" indicates the operation was unsuccessful. If the operation is still in progress, this will be blank.
  • Page 164 6. Managing Access to the Machine Item Content User Entry ID Indicates the user's entry ID. This is a hexadecimal ID that identifies users who performed job or access log-related operations: For supervisors, only 0xffffff86 is available; for administrators, 0xffffff87, 0xffffff88, 0xffffff89, and 0xffffff8a are available. For general users, any value between 0x00000001 and 0xfffffeff is available.
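Added example (not part of the Ricoh manual): a log-review helper that applies the User Entry ID ranges given above to exported log rows and flags the Access Log types the manual lists. The CSV column layout, the "Login" log type and the sample rows are constructed for illustration and are assumptions about the export, not its documented format.

```python
import csv
import io
from collections import Counter

# Ranges stated in the manual's "User Entry ID" description.
SUPERVISOR_ID = 0xFFFFFF86
ADMIN_IDS = range(0xFFFFFF87, 0xFFFFFF8A + 1)
GENERAL_USER_IDS = range(0x00000001, 0xFFFFFEFF + 1)

# Access Log types named in the manual that normally deserve a second look.
REVIEW_LOG_TYPES = {
    "Access Violation",
    "Lockout",
    "Firmware: Update",
    "Firmware: Structure Change",
}

# Constructed sample. Column names reuse item names from the manual, but the
# column order and layout are assumptions, not the machine's real export.
SAMPLE_CSV = """Log Type,Result,User Entry ID
Login,Succeeded,0x00000012
Login,Failed,0x00000012
Login,Failed,0x00000012
Access Violation,Failed,0x00000012
Lockout,Succeeded,0x00000012
Firmware: Update,Succeeded,0xffffff87
Login,Succeeded,0xffffff86
Printer: Stored File Printing,,0x00000345
Login,Failed,0xffffff00
Login,Failed,not-a-number
"""


def classify_entry_id(raw):
    """Map a hexadecimal User Entry ID string to the role the manual assigns."""
    try:
        value = int(raw.strip(), 16)
    except (ValueError, AttributeError):
        return "invalid"
    if value == SUPERVISOR_ID:
        return "supervisor"
    if value in ADMIN_IDS:
        return "administrator"
    if value in GENERAL_USER_IDS:
        return "general user"
    # Parses as hex but falls outside every range the manual documents.
    return "undocumented"


def triage(csv_text, failure_threshold=3):
    """Return (findings, repeated_failures) for an exported log.

    findings: list of (csv_line_number, role, reason) for rows to review.
    repeated_failures: {entry_id: count} for IDs with at least
    failure_threshold rows whose Result is "Failed".
    """
    findings = []
    failures = Counter()
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        entry_id = (row.get("User Entry ID") or "").strip()
        log_type = (row.get("Log Type") or "").strip()
        result = (row.get("Result") or "").strip()  # blank = still in progress
        role = classify_entry_id(entry_id)

        reasons = []
        if log_type in REVIEW_LOG_TYPES:
            reasons.append(f"log type {log_type!r}")
        if role in ("invalid", "undocumented"):
            reasons.append(f"{role} User Entry ID")
        if result == "Failed":
            failures[entry_id] += 1
        if reasons:
            findings.append((line_no, role, "; ".join(reasons)))

    repeated = {uid: n for uid, n in failures.items() if n >= failure_threshold}
    return findings, repeated


if __name__ == "__main__":
    rows, repeated = triage(SAMPLE_CSV)
    for line_no, role, reason in rows:
        print(f"line {line_no}: {role}: {reason}")
    for uid, count in repeated.items():
        print(f"{uid}: {count} failed operations ({classify_entry_id(uid)})")
```
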
  • Page 165 Managing Log Files Stored File Sending", "Printer: Stored File Printing", and "File Storing" and "Stored File Deletion" (Access logs). Access log information items Item Content Access Log Type Indicates the type of access: "Authentication" indicates a user authentication access. "System" indicates a system access. "Stored File"...
  • Page 166 6. Managing Access to the Machine Item Content Login User Type Indicates the type of login user: "User" indicates the logged in user was a registered general user. "Guest" indicates the logged in user was a guest user. "File Administrator" indicates the logged in user was a registered file administrator.
  • Page 167 Managing Log Files Item Content File Location Region of all file deletion. "Document Server" indicates a deletion of all files from the machine's hard disk. Collect Job Logs Indicates the status of the job log collection setting: "Active" indicates job log collection is enabled. "Inactive"...
  • Page 168 6. Managing Access to the Machine Item Content Log Collect Level Indicates the level of log collection: "Level 1", "Level 2", or "User Settings". Encryption/Cleartext Indicates whether communication encryption is enabled or disabled: "Encryption Communication" indicates encryption is enabled; "Cleartext Communication" indicates encryption is disabled. Machine Port No.
  • Page 169 Managing Log Files Item Content Network Attack Status Indicates the attack status of the network: "Violation Detected" indicates an attack on the network was detected. "Recovered from Violation" indicates the network recovered from an attack. "Max. Host Capacity Reached" indicates the machine became inoperable due to the volume of incoming data reaching the maximum host capacity.
  • Page 170 6. Managing Access to the Machine Item Content Parts Number: Firmware module part number. Version: Firmware version. Machine Data Encryption Key Operation: Indicates the type of encryption key operation performed: "Back Up Machine Data Encryption Key" indicates an encryption key backup was performed. "Restore Machine Data Encryption Key"...
  • Page 171 Managing Log Files Item Content End Date/Time Dates and times "Scan File", "Received File" and "Printer" operations ended. This is Item 53 of the CSV file. Stored File Name Names of "Stored File" files. Stored File ID Indicates the ID of data that is output as a stored file. This is a decimal ID that identifies the stored file.
  • Page 172 6. Managing Access to the Machine...
  • Page 173: Enhanced Network Security

    7. Enhanced Network Security This chapter describes how to increase security over the network using the machine's functions. Preventing Unauthorized Access You can limit IP addresses, disable ports and protocols, or use Web Image Monitor to specify the network security level to prevent unauthorized access over the network and protect the Address Book, stored files, and default settings.
  • Page 174: Enabling And Disabling Protocols

    7. Enhanced Network Security Click [OK]. Access control is set. Click [OK]. Click [Logout]. Enabling and Disabling Protocols This can be specified by the network administrator. Specify whether to enable or disable the function for each protocol. By making this setting, you can specify which protocols are available and so prevent unauthorized access over the network.
  • Page 175 Preventing Unauthorized Access Protocol: IPsec. Setting Method: Control Panel, Web Image Monitor, telnet, SmartDeviceMonitor for Admin. When Disabled: Encrypted transmission using IPsec is disabled. Functions that require FTP cannot be used. • Web Image Monitor You can restrict •...
  • Page 176 7. Enhanced Network Security Protocol: HTTP. Port: TCP:80. Setting Method: Web Image Monitor, telnet, SmartDeviceMonitor for Admin. When Disabled: Functions that require HTTP cannot be used. Cannot print using IPP on port 80. Functions that require HTTPS cannot be used. @Remote cannot be •...
  • Page 177 Preventing Unauthorized Access Protocol: SNMPv3. Port: UDP:161. Setting Method: Web Image Monitor, telnet, SmartDeviceMonitor for Admin. When Disabled: Functions that require SNMPv3 cannot be used. You can also make settings to require SNMPv3 encrypted transmission and restrict the use of other •...
  • Page 178 7. Enhanced Network Security Protocol: IPP. Port: TCP:631. Setting Method: Web Image Monitor, telnet, SmartDeviceMonitor for Admin, Remote Communication Gate S. When Disabled: IPP functions cannot be used. Protocol: SSDP. Port: UDP:1900. Setting Method: Web Image Monitor, telnet. When Disabled: Device discovery using UPnP from Windows...
  • Page 179 Preventing Unauthorized Access Protocol: NetWare. Port: (IPX/SPX). Setting Method: Control Panel, Web Image Monitor, telnet, SmartDeviceMonitor for Admin, Remote Communication Gate S. When Disabled: Cannot print with NetWare. SNMP over IPX cannot be used. • Web Image Monitor •...
  • Page 180 7. Enhanced Network Security Enabling and Disabling Protocols Using the Control Panel Press the [User Tools/Counter] key. Press [System Settings]. Press [Interface Settings]. Press [Effective Protocol]. Press [Inactive] for the protocol you want to disable. Press [OK]. Press the [User Tools/Counter] key. Enabling and Disabling Protocols Using Web Image Monitor Open a Web browser.
  • Page 181: Specifying Network Security Level

    Preventing Unauthorized Access Click [Configuration], and then click [Network Security] under "Security". Set the desired protocols to active/inactive (or open/close). Click [OK]. Click [OK]. Click [Logout]. Specifying Network Security Level This can be specified by the network administrator. This setting lets you change the security level to limit unauthorized access. You can make network security level settings on the control panel, as well as Web Image Monitor.
  • Page 182 7. Enhanced Network Security Press [Network Security Level]. If the setting you want to specify does not appear, press [Next] to scroll down to other settings. Select the network security level. Select [Level 0], [Level 1], or [Level 2]. Press [OK].
  • Page 183 Preventing Unauthorized Access Select the network security level in "Security Level". Click [OK]. Click [OK]. Click [Logout]. Status of Functions under Each Network Security Level Tab Name: TCP/IP. Function | Level 0 | Level 1 | Level 2. TCP/IP | Active | Active | Active. HTTP> Port 80 | Open | Open | Open...
  • Page 184 7. Enhanced Network Security Function | Level 0 | Level 1 | Level 2. WSD (Printer) | Active | Active | Inactive. The same settings are applied to IPv4 and IPv6. Tab Name: NetWare. Function | Level 0 | Level 1 | Level 2. NetWare | Active | Active | Inactive. If NetWare is not used on your network, the above settings are not applicable. Tab Name: SNMP. Function | Level 0...
  • Page 185: Encrypting Transmitted Passwords

    Encrypting Transmitted Passwords Encrypting Transmitted Passwords We recommend you use one or more of the following security protocols: IPsec, SNMPv3, and SSL. Using these protocols can enhance your machine's security to make login and IPP authentication passwords harder to break. Also, encrypt the login password for administrator authentication and user authentication.
  • Page 186: Specifying An Ipp Authentication Password

    7. Enhanced Network Security For "Driver Encryption Key", press [Change]. "Driver Encryption Key" is one of the extended security functions. For details about this and other security functions, see "Specifying the Extended Security Functions". Enter the driver encryption key, and then press [OK]. Enter the driver encryption key using up to 32 alphanumeric characters.
  • Page 187 Encrypting Transmitted Passwords Click [Login]. The network administrator can log in. Enter the login user name and login password. Click [Configuration], and then click [IPP Authentication] under "Security". The IPP Authentication page appears. Select [DIGEST] from the "Authentication" list. Enter the user name in the "User Name" box. Enter the password in the "Password"...
  • Page 188: Protection Using Encryption

    7. Enhanced Network Security Protection Using Encryption Establish encrypted transmission on this machine using SSL, SNMPv3, and IPsec. By encrypting transmitted data and safeguarding the transmission route, you can prevent sent data from being intercepted, analyzed, and tampered with. SSL (Secure Sockets Layer) Encryption This can be specified by the network administrator.
  • Page 189 Protection Using Encryption 2. The device certificate and public key are sent from the machine to the user's computer. 3. The shared key created with the computer is encrypted using the public key, sent to the machine, and then decrypted using the private key in the machine. 4.
  • Page 190 7. Enhanced Network Security Click [Login]. The network administrator can log in. Enter the login user name and login password. Click [Configuration], and then click [Device Certificate] under "Security". The Device Certificate page appears. Click [Certificate1]. Click [Create]. Make the necessary settings. Click [OK].
  • Page 191 Protection Using Encryption Click [Certificate1]. Click [Request]. Make the necessary settings. Click [OK]. The setting is changed. Click [OK]. "Requesting" appears for "Certificate Status". Click [Logout]. Apply to the certificate authority for the device certificate. The application procedure depends on the certificate authority. For details, contact the certificate authority.
  • Page 192 7. Enhanced Network Security Enter the login user name and login password. Click [Configuration], and then click [Device Certificate] under "Security". The Device Certificate page appears. Click [Certificate1]. Click [Install]. Enter the contents of the device certificate. In the certificate box, enter the details of the device certificate issued by the certificate authority. For details about the displayed items and selectable items, see Web Image Monitor Help.
  • Page 193: User Settings For Ssl (Secure Sockets Layer)

    Protection Using Encryption Click [Configuration], and then click [SSL/TLS] under "Security". The SSL/TLS page appears. Click [Active] for the protocol version used in "SSL/TLS". Select the encryption communication mode for "Permit SSL/TLS Communication". Click [OK]. The SSL setting is enabled. Click [OK].
  • Page 194 7. Enhanced Network Security Encrypted Communication Mode Using the encrypted communication mode, you can specify encrypted communication. Ciphertext Only: Allows encrypted communication only. If encryption is not possible, the machine does not communicate. Ciphertext Priority: Performs encrypted communication if encryption is possible. If encryption is not possible, the machine communicates without it.
  • Page 195: Snmpv3 Encryption

    Protection Using Encryption Select the encrypted communication mode. Select [Ciphertext Only], [Ciphertext Priority], or [Ciphertext / Cleartext] as the encrypted communication mode. Press [OK]. Press the [User Tools/Counter] key. • The SSL/TLS encrypted communication mode can also be specified using Web Image Monitor. For details, see Web Image Monitor Help.
  • Page 196 7. Enhanced Network Security Press [Encryption Only]. Press [OK]. Press the [User Tools/Counter] key. • To use SmartDeviceMonitor for Admin for encrypting the data for specifying settings, you need to specify the network administrator's [Encryption Password] setting and [Encryption Password] in [SNMP Authentication Information] in SmartDeviceMonitor for Admin, in addition to specifying [Permit SNMPv3 Communication] on the machine.
  • Page 197: Transmission Using Ipsec

    Transmission Using IPsec Transmission Using IPsec This can be specified by the network administrator. For communication security, this machine supports IPsec. IPsec transmits secure data packets at the IP protocol level using the shared key encryption method, where both the sender and receiver retain the same key.
  • Page 198: Encryption Key Auto Exchange Settings And Encryption Key Manual Settings

    7. Enhanced Network Security • For successful authentication, the sender and receiver must specify the same authentication algorithm and authentication key. If you use the encryption key auto exchange method, the authentication algorithm and authentication key are specified automatically. AH Protocol The AH protocol provides secure transmission through authentication of packets only, including headers.
  • Page 199: Ipsec Settings

    Transmission Using IPsec Settings 1-4 and Default Setting Using either the manual or auto exchange method, you can configure four separate sets of SA details (such as different shared keys and IPsec algorithms). In the default settings of these sets, you can include settings that the fields of sets 1 to 4 cannot contain.
  • Page 200 7. Enhanced Network Security Security Level: Authentication Only. Security Level Features: Select this level if you want to authenticate the transmission partner and prevent unauthorized data tampering, but not perform data packet encryption. Since the data is sent in cleartext, data packets are vulnerable to eavesdropping attacks.
  • Page 201 Transmission Using IPsec Setting | Authentication Only | Authentication and Low Level Encryption | Authentication and High Level Encryption. Phase 2 Security Protocol. Phase 2 Authentication Algorithm | HMAC-MD5-96/HMAC-SHA1-96 | HMAC-MD5-96/HMAC-SHA1-96 | HMAC-SHA1-96. Phase 2 Encryption Algorithm | Cleartext (NULL encryption) | DES/3DES/AES-128/AES-192/AES-256 | 3DES/AES-128/AES-192/AES-256. Phase 2 PFS | Inactive...
  • Page 202 7. Enhanced Network Security Setting: Remote Address. Description: Specify the address of the IPsec transmission partner. You can also specify an address range. Setting Value: The IPsec transmission partner's IPv4 or IPv6 address. If you are not setting an address range, enter 32 after an IPv4 ...
  • Page 203 Transmission Using IPsec Setting: Authentication Method. Description: Specify the method for authenticating transmission partners. (auto setting) Setting Value: PSK, Certificate. If you specify "PSK", you must then set the PSK text (using ASCII characters). If you are using "PSK", specify a PSK password using up to 32 ASCII characters....
  • Page 204 7. Enhanced Network Security Setting: Phase 2 Security Protocol. Description: Specify the security protocol to be used in Phase 2. To apply both encryption and authentication to sent data, specify "ESP" or "ESP+AH". To apply authentication data only, specify "AH". Setting Value: ESP, AH, ESP+AH.
  • Page 205 Transmission Using IPsec Encryption Key Manual Settings Items Setting: Address Type. Description: Specify the address type for which IPsec transmission is used. Setting Value: Inactive, IPv4, IPv6, IPv4/IPv6 (Default Settings only). The machine's IPv4 or IPv6 address.
  • Page 206 7. Enhanced Network Security Setting: SPI (Input). Description: Specify the same value as your transmission partner's SPI output value. Setting Value: Any number between 256 and 4095. Setting: Security Protocol. Description: To apply both encryption and authentication to sent data, specify "ESP" or "ESP+AH". Setting Value: ESP •...
  • Page 207: Encryption Key Auto Exchange Settings Configuration Flow

    Transmission Using IPsec Setting Description Setting Value Specify a value within the ranges shown below, according to the encryption algorithm. hexadecimal value 0-9, a-f, A-F • DES, set 16 digits • 3DES, set 48 digits • AES-128, set 32 digits •...
  • Page 208 7. Enhanced Network Security • To use a certificate to authenticate the transmission partner in encryption key auto exchange settings, a device certificate must be installed. • After configuring IPsec, you can use the "Ping" command to check if the connection is established correctly. However, you cannot use "Ping"...
  • Page 209 Transmission Using IPsec Click [Edit] under "Encryption Key Auto Exchange Settings". Make encryption key auto exchange settings in [Settings 1]. If you want to make multiple settings, select the settings number and add settings. Click [OK]. Select [Active] for "IPsec" in "IPsec". Set "Exclude HTTPS Communication"...
  • Page 210 7. Enhanced Network Security Click [OK]. The certificate for IPsec is specified. Click [OK]. Click [Logout]. Specifying IPsec Settings on the Computer Specify exactly the same settings for IPsec SA settings on your computer as are specified by the machine's security level on the machine.
  • Page 211 Transmission Using IPsec Select the authentication method, and then click [Next]. If you select "Certificate" for authentication method in Encryption Key Auto Exchange Settings on the machine, specify the device certificate. If you select "PSK", enter the same PSK text specified on the machine with the pre-shared key.
  • Page 212: Encryption Key Manual Settings Configuration Flow

    7. Enhanced Network Security Select the security policy that was just created, right click, and then click [Assign]. IPsec settings on the computer are enabled. • To disable the computer's IPsec settings, select the security policy, right click, and then click [Un-assign]....
  • Page 213: Telnet Setting Commands

    Transmission Using IPsec because the response is slow during initial key exchange, it may take some time to confirm that transmission has been established. Specifying Encryption Key Manual Settings This can be specified using Web Image Monitor. Open a Web browser. Enter "http://(the machine's IP address or host name)/"...
  • Page 214 7. Enhanced Network Security • If you are using a certificate as the authentication method in encryption key auto exchange settings (IKE), install the certificate using Web Image Monitor. A certificate cannot be installed using telnet. ipsec To display IPsec related settings information, use the "ipsec" command. Display current settings msh>...
  • Page 215 Transmission Using IPsec Specify protocols to exclude msh> ipsec exclude {https|dns|dhcp|wins|all} {on|off} • Specify the protocol, and then enter [on] to exclude it, or [off] to include it for IPsec transmission. Entering [all] specifies all protocols collectively. ipsec manual To display or specify the encryption key manual settings, use the "ipsec manual" command. Display current settings msh>...
  • Page 216 7. Enhanced Network Security • Enter the separate setting number [1-4] or [default] and specify the SPI input and output values. • Specify a decimal number between 256-4095, for both the SPI input and output values. Encapsulation mode setting msh> ipsec manual {1|2|3|4|default} mode {transport|tunnel} •...
  • Page 217 Transmission Using IPsec • Enter the separate setting number [1-4] or [default] and reset the specified setting. Specifying [all] resets all of the settings, including default. ipsec ike To display or specify the encryption key auto exchange settings, use the "ipsec ike" command. Display current settings msh>...
  • Page 218 7. Enhanced Network Security Security protocol setting msh> ipsec ike {1|2|3|4|default} proto {ah|esp|dual} • Enter the separate setting number [1-4] or [default] and specify the security protocol. • To specify AH, enter [ah]. To specify ESP, enter [esp]. To specify AH and ESP, enter [dual]. •...
  • Page 219 Transmission Using IPsec • If you select PSK as the authentication method, enter the separate setting number [1-4] or [default] and specify the PSK character string. • Specify the character string in ASCII characters. There can be no abbreviations. ISAKMP SA (phase 1) hash algorithm setting msh>...
  • Page 220 7. Enhanced Network Security IPsec SA (phase 2) encryption algorithm setting msh> ipsec ike {1|2|3|4|default} ph2 encrypt {null|des|3des|aes128|aes192|aes256} • Enter the separate setting number [1-4] or [default] and specify the IPsec SA (phase 2) encryption algorithm. • Separate multiple encryption algorithm entries with a comma (,). The current setting values are displayed in order of highest priority.
  • Page 221: Authentication By Telnet

    Authentication by telnet Authentication by telnet This section explains Authentication by telnet. When using telnet, the default login name for administrator login is "admin" and the password is blank. For details on how to login to telnet, see "Using telnet", Network and System Settings Reference.
  • Page 222: Authentication By Ieee802.1X

    7. Enhanced Network Security Authentication by IEEE802.1X IEEE802.1X enables authentication in an Ethernet or wireless LAN environment. For details, see "Configuring IEEE 802.1X", Network and System Settings Reference.
  • Page 223: Specifying The Extended Security Functions

    8. Specifying the Extended Security Functions This chapter describes the machine's extended security features and how to specify them. Specifying the Extended Security Functions In addition to providing basic security through user authentication and administrator specified access limits on the machine, security can also be increased by encrypting transmitted data and data in the Address Book.
  • Page 224: Extended Security Settings

    8. Specifying the Extended Security Functions Press the [User Tools/Counter] key. • p.33 "Logging in Using Administrator Authentication" • p.34 "Logging out Using Administrator Authentication" Extended Security Settings Driver Encryption Key This can be specified by the network administrator. Encrypt the password transmitted when specifying user authentication.
  • Page 225 Specifying the Extended Security Functions Restrict Display of User Information This can be specified by the machine administrator. This can be specified if user authentication is specified. When the job history is checked using a network connection for which authentication is not available, all personal information can be displayed as "********".
  • Page 226 8. Specifying the Extended Security Functions If you select [Login Privilege], authorized users and the machine administrator can operate the machine. When this is selected, authentication is not required for users who logged in to the machine before [Login Privilege] was selected. If you select [Access Privilege], users who canceled a copy or print job in progress and the machine administrator can operate the machine.
  • Page 227 Specifying the Extended Security Functions If you select [Do not Prohibit], there are no restrictions on firmware updates. Default: [Do not Prohibit] Change Firmware Structure This can be specified by the machine administrator. Specify whether to prevent changes in the machine's firmware structure. The Change Firmware Structure function detects when the SD card is inserted, removed or replaced.
  • Page 228: Other Security Functions

    8. Specifying the Extended Security Functions Other Security Functions This section explains settings for preventing information leaks, and functions that you can restrict to further increase security. Scanner Function Print & Delete Scanner Journal When user authentication is enabled, "Print & Delete Scanner Journal" is automatically set to [Do not Print: Disable Send] in order to prevent personal information in transmission/delivery history from being automatically printed.
  • Page 229: Limiting Machine Operations To Customers Only

    Limiting Machine Operations to Customers Only Limiting Machine Operations to Customers Only The machine can be set so that operation is impossible without administrator authentication. The machine can be set to prohibit operation without administrator authentication and also prohibit remote registration in the Address Book by a service representative.
  • Page 230 8. Specifying the Extended Security Functions Press [Service Mode Lock]. If this item is not visible, press [Next] to display more settings. Press [On], and then press [OK]. A confirmation message appears. Press [Yes]. Press the [User Tools/Counter] key. Canceling Service Mode Lock Before the service representative can carry out an inspection or repair in service mode, the machine administrator must first log in to the machine, release the service mode lock, and then call the service...
  • Page 231 Limiting Machine Operations to Customers Only Press the [User Tools/Counter] key. Press [System Settings]. Press [Administrator Tools]. Press [Service Mode Lock]. If this item is not visible, press [Next] to display more settings. Press [Off], and then press [OK]. Press the [User Tools/Counter] key.
  • Page 232: Additional Information For Enhanced Security

    8. Specifying the Extended Security Functions Additional Information for Enhanced Security This section explains the settings that you can configure to enhance the machine's security. Settings You Can Configure Using the Control Panel Use the control panel to configure the security settings shown in the following table. Menu Item Setting...
  • Page 233 Additional Information for Enhanced Security Menu Item Setting System Administrator Administrator Select [On], and then select Settings Tools Authentication [Administrator Tools] for "Available Management/File Settings". Management See "Enabling Administrator Authentication". System Administrator Extended Security/ Prohibit Settings Tools Settings by SNMPv1, See "Specifying the Extended Security Functions".
  • Page 234: Settings You Can Configure Using Web Image Monitor

    8. Specifying the Extended Security Functions Menu Item Setting System Administrator Machine Data Select [Encrypt], and then select [All Data] Settings Tools Encryption Settings for "Carry over all data or file system data only (without formatting), or format all data" If [Encrypt] is already selected, further encryption settings are not necessary.
  • Page 235 Additional Information for Enhanced Security Category Item Setting Device Settings/ Collect Access Logs Active Logs Security/User Lockout Active Lockout Policy Security/User Number of Attempts before 5 times or less. Lockout Policy Lockout See "User Lockout Function". Security/User Lockout Release Timer Set to Active or Inactive.
  • Page 236: Settings You Can Configure When Ipsec Is Available/Unavailable

    8. Specifying the Extended Security Functions • p.83 "User Lockout Function" • p.109 "Using S/MIME to Protect E-mail Transmission" Settings You Can Configure When IPsec Is Available/Unavailable All communication to and from machines on which IPsec is enabled is encrypted. If your network supports IPsec, we recommend you enable it.
  • Page 237 Additional Information for Enhanced Security Settings you can configure when IPsec is unavailable If IPsec is not available, configure the settings shown in the following table to enhance the security of the data traveling on your network. Control panel settings Menu Item Setting...
  • Page 238 8. Specifying the Extended Security Functions • p.186 "Protection Using Encryption" • p.191 "Setting the SSL/TLS Encryption Mode" • p.195 "Transmission Using IPsec"...
  • Page 239: Troubleshooting

    9. Troubleshooting This chapter describes what to do if the machine does not function properly. If Authentication Fails This section explains what to do if a user cannot operate the machine because of a problem related to user authentication. Refer to this section if a user comes to you with such a problem. If a Message is Displayed This section explains how to deal with problems if a message appears on the screen during user authentication.
  • Page 240 9. Troubleshooting Message: "Failed to obtain URL." Cause: The machine cannot connect to the server or cannot establish communication. Solutions: Make sure the server's settings, such as the IP address and host name, are specified correctly on the machine. Make sure the host name of the UA Server is specified correctly.
  • Page 241: If An Error Code Is Displayed

    If Authentication Fails Message: "Administrator Authentication for User Management must be set to on before this selection can be made." Cause: User administrator privileges have not been enabled in Administrator Authentication... Solutions: To specify Basic Authentication, Windows Authentication, LDAP Authentication, or Integration...
  • Page 242 9. Troubleshooting 1. error code An error code appears. Basic Authentication Error Code: B0103-000. Cause: A TWAIN operation occurred during authentication. Solution: Make sure no other user is logged on to the machine, and then try again. Cause: 1. A password error occurred. Solution: Make sure the password is entered correctly.
  • Page 243 If Authentication Fails Error Code: B0206-003. Cause: An authentication error occurred because the user name contains a space, colon (:), or quotation mark ("). Solution: Recreate the account if the account name contains any of these prohibited characters. If the account name was entered incorrectly, enter it correctly and log in again.
  • Page 244 9. Troubleshooting Error Code: W0105-000. Cause: A login user name was not specified but a DeskTopBinder operation was performed. Solution: Set the DeskTopBinder login user name correctly. Error Code: W0206-002. Solution: Only the administrator has login privileges on this screen. Cause: The user attempted authentication from an application on the "System Settings"...
  • Page 245 If Authentication Fails Error Code: W0406-104. Cause: 1. Cannot connect to the authentication server. Solution: Make sure that connection to the authentication server is possible. Use the PING Command to check the connection. Solution: Make sure that the user is registered on the server. Cause: 2. A login name or password...
  • Page 246 9. Troubleshooting Error Code Cause Solution Specify the IP address in the domain name and confirm that authentication is successful. If authentication was unsuccessful: 1. Make sure that Restrict LM/NTLM is not set in either "Domain Controller Security Policy" or "Domain Security Policy".
  • Page 247 If Authentication Fails Error Code Cause Solution 1. Kerberos authentication settings are not correctly configured. Make sure the realm name, KDC (Key Distribution Center) name and corresponding domain name are specified correctly. 2. The KDC and machine timing do not match. Authentication will fail if the difference between the KDC and machine timing is more...
  • Page 248 9. Troubleshooting Error Code: W0400-105. Cause: 1. The UserPrincipleName (user@domainname.xxx.com) form is being used for the login user name. Solution: The user group cannot be obtained if the UserPrincipleName (user@domainname.xxx.com) form is used. Use "sAMAccountName (user)" to log in, because this account allows you to obtain the user group.
  • Page 249 If Authentication Fails Error Code: W0400-202. Cause: 1. The SSL settings on the authentication server and the machine do not match. Solution: Make sure the SSL settings on the authentication server and the machine match. If a user enters sAMAccountName as the login 2....
  • Page 250 9. Troubleshooting Error Code: W0612-005. Cause: Authentication failed because no more users can be registered. (The number of users registered in the Address Book has reached capacity.) Solution: Ask the user administrator to delete unused user accounts in the Address Book. An authentication error occurred because the Address Wait a few minutes and then try...
  • Page 251 If Authentication Fails Error Code: L0206-002. Solution: Only the administrator has login privileges on this screen. Log in as a general user from the application's login screen. Cause: A user attempted authentication from an application on the "System Settings" screen, where only the administrator has...
  • Page 252 9. Troubleshooting Error Code Cause Solution 1. Make sure that a connection test is successful with the current LDAP server configuration. If connection is not successful, there might be an error in the network settings. Check the domain name or DNS settings in "Interface 1.
  • Page 253 If Authentication Fails Error Code Cause Solution 1. Authentication will fail if the password is left blank in simple authentication mode. To allow blank passwords, contact your service representative. 2. In simple authentication mode, the DN of the login user L0406-202 3.
  • Page 254 9. Troubleshooting Error Code: L0400-210. Cause: Failed to obtain user information in LDAP search. Solution: The login attribute's search criteria might not be specified or the specified search information is unobtainable. Make sure the login name attribute is specified correctly. Cause: An authentication error... Solution: Recreate the account if the account name contains any of...
  • Page 255 If Authentication Fails Error Code: L0707-001. Cause: An authentication error occurred because the Address Book is being used at another location. Solution: Wait a few minutes and then try again. Integration Server Authentication Error Code: I0103-000. Cause: A TWAIN operation occurred... Solution: Make sure no other user is logged in to the machine, and...
  • Page 256 9. Troubleshooting Error Code: I0206-003. Cause: An authentication error occurred because the user name contains a space, colon (:), or quotation mark ("). Solution: Recreate the account if the account name contains any of these prohibited characters. If the account name was entered incorrectly, enter it correctly and log in again.
  • Page 257: If The Machine Cannot Be Operated

    If Authentication Fails Error Code: I0511-000. Cause: The authentication server login name is the same as a user name already registered on the machine. (Names are distinguished by the unique attribute specified in the LDAP... Solution: 1. Delete the old, duplicated name or change the login name. 2. If the authentication server has just been changed, delete...
  • Page 258 9. Troubleshooting Condition: Cannot connect with the TWAIN driver. Cause: User authentication has been rejected. Solution: Confirm the user name and login name with the administrator of the network in use if using Windows authentication, LDAP authentication, or Integration Server authentication. Confirm with the user administrator if using Basic authentication.
  • Page 259 If Authentication Fails Condition: Cannot log in to the machine using [Document Server (MFP): Authentication/Encryption] in DeskTopBinder. Cause: "Restrict Use of Simple Encryption" is not set correctly. Alternatively, "SSL/TLS" has... Solution: Set "Restrict Use of Simple Encryption" to [On]. Alternatively, enable "SSL/TLS",...
  • Page 260 9. Troubleshooting Condition: User authentication is disabled, yet stored files do not appear. Cause: User authentication might have been disabled without "All Users" being selected for user access to stored files. Solution: Re-enable user authentication, and select [All Users] as the access permission setting of the...
  • Page 261 If Authentication Fails • p.95 "Configuring Access Permissions for Stored Files" • p.117 "Protecting the Address Book" • p.79 "Printer Job Authentication"...
  • Page 262 9. Troubleshooting...
  • Page 263: 10. Appendix

    10. Appendix Supervisor Operations The supervisor can delete an administrator's password and specify a new one. If any of the administrators forgets their password or if any of the administrators changes, the supervisor can assign a new password. If logged in using the supervisor's user name and password, you cannot use normal functions or specify defaults.
  • Page 264: Logging Out As The Supervisor

    10. Appendix Enter a login user name, and then press [OK]. When you assign the administrator for the first time, enter "supervisor". Enter a login password, and then press [OK]. When the supervisor is making settings for the first time, a password is not required; the supervisor can simply press [OK] to proceed.
  • Page 265: Resetting The Administrator's Password

    Supervisor Operations Under "Supervisor", press [Change]. Press [Change] for the login user name. Enter the login user name, and then press [OK]. Press [Change] for the login password. Enter the login password, and then press [OK]. If a password reentry screen appears, enter the login password, and then press [OK]. Press [OK] twice.
  • Page 266 10. Appendix Press the [User Tools/Counter] key. Press the [Login/Logout] key. Log in as the supervisor. You can log in the same way as an administrator. Press [System Settings]. Press [Administrator Tools]. Press [Program / Change Administrator]. If this item is not visible, press [ Next] to display more settings. Press [Change] for the administrator you wish to reset.
  • Page 267: User Administrator Settings

    User Administrator Settings User Administrator Settings The user administrator settings that can be specified are as follows: System Settings The following settings can be specified. Administrator Tools • Address Book Management • Address Book: Program / Change / Delete Group •...
  • Page 268: Extended Feature Settings

    10. Appendix Extended Feature Settings The following settings can be specified. GL/2 & TIFF All the settings can be specified. Settings via Web Image Monitor The following settings can be specified. Address Book All the settings can be specified. Device Settings •...
  • Page 269: Machine Administrator Settings

    Machine Administrator Settings Machine Administrator Settings The machine administrator settings that can be specified are as follows: System Settings The following settings can be specified. General Features All the settings can be specified. Tray Paper Settings All the settings can be specified. Timer Settings All the settings can be specified.
  • Page 270 10. Appendix • Address Book: Program / Change / Delete Group Search Switch Title • Display / Print Counter Print Counter List • Display / Clear / Print Counter per User All Users: Print Counter List Per User: Print Counter List •...
  • Page 271: Copier / Document Server Features

    Machine Administrator Settings • Auto Erase Memory Setting • Erase All Memory • Delete All Logs • Transfer Log Setting This setting can be changed only when it is set to [On]. • Fixed USB Port • Program / Change / Delete Realm •...
  • Page 272: Scanner Features

    10. Appendix System The following settings can be specified. • Print Error Report • Auto Continue • Memory Overflow • Rotate by 180 Degrees • Initial Print Job List • Memory Usage • Copies • Blank Page Print • Reserved Job Waiting Time •...
  • Page 273: Extended Feature Settings

    Machine Administrator Settings • Compression (Black & White) • Compression (Grey Scale / Full Colour) • Insert Additional E-mail Info • No. of Digits for Single Page Files • Stored File E-mail Method • Default E-mail Subject Initial Settings All the settings can be specified. Extended Feature Settings The following settings can be specified.
  • Page 274 10. Appendix • Paper All the settings can be specified. • Date/Time All the settings can be specified. • Timer All the settings can be specified. • Logs All the settings can be specified. The "Transfer Logs" setting can be changed only when it is set to [Active]. •...
  • Page 275 Machine Administrator Settings All the settings can be specified. Printer • System All the settings can be specified except the following. Auto Delete Temporary Print Jobs Auto Delete Stored Print Jobs • Host Interface All the settings can be specified. •...
  • Page 276 10. Appendix Network • SNMPv3 Access Type(Machine Administrator) Security • User Lockout Policy All the settings can be specified. RC Gate All the settings can be specified. Webpage • Webpage Download Help File Extended Feature Settings • All the settings can be specified.
  • Page 277: Network Administrator Settings

    Network Administrator Settings Network Administrator Settings The network administrator settings that can be specified are as follows: System Settings The following settings can be specified. Interface Settings If DHCP is enabled, the settings that are automatically obtained via DHCP cannot be specified. •...
  • Page 278: Scanner Features

    10. Appendix Network Administrator • Extended Security Driver Encryption Key Settings by SNMPv1, v2 Restrict Use of Simple Encryption • Network Security Level Scanner Features The following settings can be specified. Send Settings • Max. E-mail Size • Divide & Send E-mail Extended Feature Settings The following settings can be specified.
  • Page 279 Network Administrator Settings You can specify the following administrator settings for the network administrator. Login User Name Login Password Encryption Password Scanner • Send Settings Max. E-mail Size Divide & Send E-mail Interface • Interface Settings LAN Type Ethernet Security Ethernet Speed •...
  • Page 280 10. Appendix All the settings can be specified. • SNMP All the settings can be specified. • SNMPv3 All the settings can be specified. • SSDP All the settings can be specified. • Bonjour All the settings can be specified. Security •...
  • Page 281: File Administrator Settings

    File Administrator Settings File Administrator Settings The file administrator settings that can be specified are as follows: System Settings The following settings can be specified. Interface Settings • DNS Configuration Connection Test Administrator Tools • Address Book Management Search Switch Title •...
  • Page 282: Extended Feature Settings

    10. Appendix • Auto Delete Stored Print Jobs Extended Feature Settings The following settings can be specified. GL/2 & TIFF All the settings can be specified. Settings via Web Image Monitor The following settings can be specified. Document Server All the settings can be specified. Printer: Print Jobs The file administrator can edit/delete "Print Job List"...
  • Page 283: Document Server File Permissions

    Document Server File Permissions Document Server File Permissions The authorities for using the files stored in Document Server are as follows. The authority designations in the list indicate users with the following authorities. • Read-only This is a user assigned "Read-only" authority. •...
  • Page 284 10. Appendix Full File Settings Read-only Edit Edit / Delete Owner Control Admin. Unlocking Files Changing Owner *1 The owner can change the authorities for these settings as necessary.
  • Page 285: The Privilege For User Account Settings In The Address Book

    The Privilege for User Account Settings in the Address Book The Privilege for User Account Settings in the Address Book The authorities for using the Address Book are as follows: The authority designations in the list indicate users with the following authorities. •...
  • Page 286 10. Appendix Read- Edit / Edit Full Registere User only Delete Settings Control d User Admin. (User) (User) (User) Login User Name Login Password SMTP Authentication Folder Authentication LDAP Authentication Available Functions *1 The password for "Login Password", "SMTP Authentication", or "LDAP Authentication" can be entered or changed but not displayed.
  • Page 287 The Privilege for User Account Settings in the Address Book Tab Name: E-mail Read- Edit / Edit Full Registere only Delete Settings User Admin. Control d User (User) (User) (User) E-mail Address Tab Name: Folder Read- Edit / Edit Full Register only Delete...
  • Page 288: User Settings - Control Panel Settings

    10. Appendix User Settings - Control Panel Settings This section explains which functions and system settings are available to users when administrator authentication is specified. The administrator's configuration of Menu Protect and Available Settings determines which functions and system settings are available to users. If user authentication is specified, system settings and functions are available to authorized users only, who must log in to access them.
  • Page 289: System Settings

    System Settings System Settings When administrator authentication is enabled, the administrator's configuration of Available Settings determines which system settings are available to users. If user authentication is specified, no settings are accessible to unauthorized users or authorized users before logging in. User privileges are as follows: •...
  • Page 290 10. Appendix Settings Specified Specified Feed Start Method Original Feed Delay 2 Original Feed Delay 1 Fine Ratio Adjustment: Copier Fine Ratio Adjustment: Printer Adjust Scan Position Preview Area Settings Print Image Priority Tray Paper Settings Settings Specified Specified Paper Tray Priority: Copier Paper Tray Priority: Printer Tray Paper Size: Tray 1-3 Printer Bypass Paper Size...
  • Page 291 System Settings Settings Specified Specified Energy Saver Timer Panel Off Timer System Auto Reset Timer Copier / Document Server Auto Reset Timer Printer Auto Reset Timer Scanner Auto Reset Timer Set Date Set Time Auto Logout Timer Interface Settings Settings Specified Specified Print List...
  • Page 292 10. Appendix Settings Specified Specified Domain Name WINS Configuration Effective Protocol NCP Delivery Protocol NW Frame Type SMB Computer Name SMB Work Group Ethernet Speed LAN Type Ping Command Permit SNMPv3 Communication Permit SSL / TLS Communication Host Name Machine Name IEEE 802.1X Authentication for Ethernet Restore IEEE 802.1X Authentication to Defaults If you set "Machine IPv4 Address", "Machine IPv6 Address", "DNS Configuration", "Domain Name",...
  • Page 293 System Settings Settings Specified Specified Restore Factory Defaults File Transfer Settings Specified Specified Delivery Option Capture Server IPv4 Address SMTP Server SMTP Authentication POP before SMTP Reception Protocol POP3 / IMAP4 Settings Administrator's E-mail Address E-mail Communication Port E-mail Reception Interval Max.
  • Page 294 10. Appendix Administrator Tools Settings Specified Specified Address Book Management Address Book: Program / Change / Delete Group Address Book: Change Order Print Address Book: Destination List Address Book: Edit Title Address Book: Switch Title Back Up / Restore Address Book Data Carry-over Setting for Address Book Auto-program Display / Print Counter Display / Clear / Print Counter per User...
  • Page 295 System Settings Settings Specified Specified Capture: Owner Defaults Program / Change / Delete LDAP Server LDAP Search Service Mode Lock Auto Erase Memory Setting Erase All Memory Delete All Logs Transfer Log Setting Fixed USB Port Program / Change / Delete Realm Some settings under "Extended Security"...
  • Page 296: Copier / Document Server Features

    10. Appendix Copier / Document Server Features When administrator authentication is enabled, the administrator's configuration of Menu Protect determines which functions and settings are available to users. User privileges are as follows: • Abbreviations in the table columns R/W (Read and Write) = Both reading and modifying the setting are available. R (Read) = Reading only.
  • Page 297 Copier / Document Server Features Edit Settings Level 1 Level 2 Adjust Position Erase Border Width Erase Original Shadow in Combine Image Repeat Separation Line Double Copies Separation Line Separation Line in Combine Copy Order in Combine Program / Delete Format Margin Adjustment Priority Partial Copy Size Stamp...
  • Page 298 10. Appendix Settings Level 1 Level 2 Stamp Format: PRELIMINARY Stamp Format: For Internal Use Only Stamp Format: CONFIDENTIAL Stamp Format: DRAFT If you select [Level 1] in "Stamp Format", you can only specify "Adjust Stamp Position". User Stamp Settings Level 1 Level 2 Program / Delete Stamp...
  • Page 299 Copier / Document Server Features Settings Level 1 Level 2 Stamp Position:1/5,2/5... Stamp Position:-1-,-2-... Stamp Position:P.1,P.2... Stamp Position:1,2... Stamp Position:1-1,1-2... Superimpose Page Numbering Initial Letter If you select [Level 1] in "Stamp Position", you can only specify "Adjust Stamp Position". Input / Output Settings Level 1...
  • Page 300: Printer Functions

    10. Appendix Printer Functions When administrator authentication is enabled, the administrator's configuration of Menu Protect determines which functions and settings are available to users. User privileges are as follows: • Abbreviations in the table columns R/W (Read and Write) = Both reading and modifying the setting are available. R (Read) = Reading only.
  • Page 301: Printer Features

    Printer Features Printer Features When administrator authentication is enabled, the administrator's configuration of Menu Protect determines which functions and settings are available to users. User privileges are as follows: • Abbreviations in the table columns R/W (Read and Write) = Both reading and modifying the setting are available. R (Read) = Reading only.
  • Page 302 10. Appendix Settings Level 1 Level 2 Auto Delete Temporary Print Jobs Auto Delete Stored Print Jobs Initial Print Job List Memory Usage Copies Blank Page Print Reserved Job Waiting Time Printer Language Sub Paper Size Tray Setting Priority Edge to Edge Print Default Printer Language Tray Switching Extended Auto Tray Switching...
  • Page 303 Printer Features Settings Level 1 Level 2 Orientation Auto Detect PDF Menu Settings Level 1 Level 2 Change PDF Password Reverse Order Printing Resolution Orientation Auto Detect...
  • Page 304: Scanner Features

    10. Appendix Scanner Features When administrator authentication is enabled, the administrator's configuration of Menu Protect determines which functions and settings are available to users. User privileges are as follows: • Abbreviations in the table columns R/W (Read and Write) = Both reading and modifying the setting are available. R (Read) = Reading only.
  • Page 305 Scanner Features Send Settings Settings Level 1 Level 2 Compression (Black & White) Compression (Grey Scale / Full Colour) Insert Additional E-mail Info No. of Digits for Single Page Files Stored File E-mail Method Default E-mail Subject...
  • Page 306: User Settings - Web Image Monitor Settings

    10. Appendix User Settings - Web Image Monitor Settings This section displays the user settings that can be specified on Web Image Monitor when user authentication is specified. Settings that can be specified by the user vary according to the menu protect level and available settings specifications.
  • Page 307: Device Settings

    Device Settings Device Settings The settings available to the user depend on whether or not administrator authentication is enabled. If administrator authentication is enabled, the settings available to the user depend on whether or not "Available Settings" has been specified. User privileges are as follows: •...
  • Page 308 10. Appendix Paper Settings Specified Specified Tray 1 : Paper Size Tray 1 : Paper Type Tray 1: Apply Auto Paper Select Tray 2: Paper Size Tray 2: Paper Type Tray 2: Apply Auto Paper Select Tray 3: Paper Size Tray 3: Paper Type Tray 3: Apply Auto Paper Select Bypass Tray : Paper Size...
  • Page 309 Device Settings Timer Settings Specified Specified Auto Off Timer Energy Saver Timer Panel Off Timer System Auto Reset Timer Copier/Document Server Auto Reset Timer Scanner Auto Reset Timer Printer Auto Reset Timer Auto Logout Timer Logs Settings Specified Specified Collect Job Logs Job Log Collect Level Collect Access Logs Access Log Collect Level...
  • Page 310 10. Appendix E-mail Settings Specified Specified Administrator E-mail Address Reception Protocol E-mail Reception Interval Max. Reception E-mail Size E-mail Storage in Server SMTP Server Name SMTP Port No. SMTP Authentication SMTP Auth. E-mail Address SMTP Auth. User Name SMTP Auth. Password SMTP Auth.
  • Page 311 Device Settings Settings Specified Specified E-mail Notification User Name E-mail Notification Password The passwords for "SMTP Auth. Password" and "POP Password" can only be entered but not changed. File Transfer Settings Specified Specified SMB User Name SMB Password FTP User Name FTP Password NCP User Name NCP Password...
  • Page 312 10. Appendix Settings Specified Specified Windows Authentication - Group Settings for Windows Authentication LDAP Authentication - Printer Job Authentication Settings LDAP Authentication - LDAP Authentication Settings Integration Server Authentication - Printer Job Authentication Settings Integration Server Authentication - Integration Server Authentication Settings Integration Server Authentication - Group Settings for Integration Server Authentication...
  • Page 313: Printer

    Printer Printer If you have enabled administrator authentication, the menu protection setting determines which functions and settings are available. User privileges are as follows: • Abbreviations in the table columns R/W (Read and Write) = Both reading and modifying the setting are available. R (Read) = Reading only.
  • Page 314 10. Appendix Settings Level 1 Level 2 Tray Setting Priority Edge to Edge Print Default Printer Language Tray Switching Extended Auto Tray Switching Host Interface Settings Level 1 Level 2 I/O Buffer I/O Timeout PS Menu Settings Level 1 Level 2 Job Timeout Wait Timeout Data Format...
  • Page 315 Printer PDF Temporary Password Settings Level 1 Level 2 PDF Temporary Password Confirm Password PDF Fixed Password Settings Level 1 Level 2 Current PDF Fixed Password New PDF Fixed Password Confirm Password...
  • Page 316: Scanner

    10. Appendix Scanner If you have enabled administrator authentication, the menu protection setting determines which functions and settings are available. User privileges are as follows: • Abbreviations in the table columns R/W (Read and Write) = Both reading and modifying the setting are available. R (Read) = Reading only.
  • Page 317 Scanner Settings Level 1 Level 2 Insert Additional E-mail Info No. of Digits for Single Page Files Stored File E-mail Method Default E-mail Subject Default Settings for Normal Screens on Device Settings Level 1 Level 2 Store File Preview Original Type Resolution Auto Density Send File Type...
  • Page 318: Interface

    10. Appendix Interface The settings available to the user depend on whether or not administrator authentication is enabled. If administrator authentication is enabled, the settings available to the user depend on whether or not "Available Settings" has been specified. User privileges are as follows: •...
  • Page 319 Interface Settings Specified Specified Security Method WEP Authentication WEP Key Number WEP Key WPA Encryption Method WPA Authentication Method WPA-PSK/WPA2-PSK...
  • Page 320: Network

    10. Appendix Network The settings available to the user depend on whether or not administrator authentication is enabled. If administrator authentication is enabled, the settings available to the user depend on whether or not "Available Settings" has been specified. User privileges are as follows: •...
  • Page 321 Network Settings Not Specified Specified DNS Server RSH/RCP DIPRINT sftp WSD (Device) WSD (Printer) WSD (Printer)/IPP Timeout IPv6 Settings Specified Specified IPv6 Host Name Domain Name Stateless Address Manual Configuration Address DHCPv6-lite DDNS Default Gateway Address DNS Server RSH/RCP...
  • Page 322 10. Appendix Settings Specified Specified DIPRINT sftp WSD (Device) WSD (Printer) WSD (Printer)/IPP Timeout NetWare Settings Specified Specified NetWare Print Server Name Logon Mode File Server Name NDS Tree NDS Context Name Operation Mode Remote Printer No. Job Timeout Frame Type Print Server Protocol NCP Delivery Protocol...
  • Page 323 Network Settings Specified Specified Workgroup Name Computer Name Comment Notify Print Completion Bonjour Settings Specified Specified Bonjour Computer Name Location DIPRINT...
  • Page 324: Webpage

    10. Appendix Webpage The settings available to the user depend on whether or not administrator authentication is enabled. If administrator authentication is enabled, the settings available to the user depend on whether or not "Available Settings" has been specified. User privileges are as follows: •...
  • Page 325: Trademarks

    Trademarks Trademarks Adobe, Acrobat, Acrobat Reader, PostScript, and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Apple, Bonjour, Macintosh, and Mac OS are trademarks of Apple Inc., registered in the U.S. and other countries.
  • Page 326 10. Appendix Microsoft® Windows® 7 Home Premium, Microsoft® Windows® 7 Professional, Microsoft® Windows® 7 Ultimate, Microsoft® Windows® 7 Enterprise • The product names of Windows Server 2003 are as follows: Microsoft® Windows Server® 2003 Standard Edition...
  • Page 327: Index

    INDEX Encryption key............. Encryption Key Auto Exchange Settings..197, Access Control............. Access permission for stored files......Encryption Key Manual Settings....197, 210 Address Book access permission....... Enhance File Protection........Address Book privileges........Erase All Memory..........Administrator........... 16, 23 Error code............Administrator authentication....
  • Page 328 Logout..............Security for the scanner function......Security function cautions........Security measures provided by this machine..Machine administrator.......... Self-signed certificate......... 112, 187 Machine administrator settings......Service Mode Lock..........Manuals for this machine........Settings by SNMPv1, v2........Menu Protect..........137, 139 SNMPv3.............. SSL (Secure Sockets Layer)........
  • Page 331 © 2010...
  • Page 332 D094-7530...
