Xerox DocuPrint 100MX Security Manual

Xerox DocuPrint 100MX: Supplementary Guide

Version 6.0, January 2007
701P46740
Xerox FreeFlow® Print Server

Security Guide


Summary of Contents for Xerox DocuPrint 100MX

  • Page 1: Security Guide

    Version 6.0, January 2007 701P46740 Xerox FreeFlow® Print Server Security Guide...
  • Page 2 Printed in the United States of America. XEROX® and all Xerox product names mentioned in this publication are trademarks of XEROX CORPORATION. Other company trademarks are also acknowledged.
  • Page 3: Table Of Contents

    Remote CDE login disabled (2-12); Xerox FreeFlow Print Server router capabilities disabled (2-12); Security warning banners (2-13); Disabling LP anonymous printing
  • Page 4 Roles and responsibilities (2-30); Xerox responsibilities (2-30); Customer Responsibilities
  • Page 5: About This Guide

    Xerox FreeFlow® Print Server. This guide is intended for network and system administrators responsible for setting up and maintaining Xerox printers with Xerox FreeFlow Print Server software. System administrators should have an understanding of the Sun workstation, a familiarity with Solaris, and with basic UNIX commands.
  • Page 6: Security Guide

    Customer support To place a customer service call, dial the direct TTY number for assistance. The number is 1-800-735-2988. For additional assistance, dial the following numbers: • Service and software support: 1-800-821-2797 • Xerox documentation and software services: 1-800-327-9753
  • Page 7: System Supplied Security Profiles

    It outlines the characteristics of each profile and indicates how each can be customized to create user-defined profiles. The enhanced security features in the Xerox FreeFlow Print Server protect the system against unauthorized access and modification.
  • Page 8 Profile Characteristics FTP is enabled. Telnet, rsh is disabled. NFS client is enabled. AutoFS is enabled. Walkup users can reprint from “Saved Jobs” and CD-ROM. Terminal window is password protected. Auto-login is enabled. Medium FTP is disabled. telnet, rsh is disabled. NFS client is disabled.
  • Page 9: Enable And Disable Services

    + will be removed from hosts.equiv. IMPORTANT NOTE: Removing the + from the hosts.equiv file will prevent the use of the Xerox command line client print from remote clients. An alternative would be to remove the + and add the name of each trusted host that requires this functionality.
  • Page 10 Enable security warning banners to be displayed when a user logs in or telnets into the Xerox FreeFlow Print Server. The warning message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials.
  • Page 11 RC2 Service uucp RC3 Service S15NFS.SERVER NFS Server. Disable ability to export Xerox FreeFlow Print Server file systems. This service is enabled if legacy DigiPath/FreeFlow® and Decomposition Services (NetAgent) are enabled. S17HCLNFS.DAEMON S25openssh.server OpenSSH server. S17BWNFS.DAEMON Secure mounted file systems. There are two shared file systems that are exported by the Xerox FreeFlow Print Server.
  • Page 12 FreeFlow Print Server. Echoes back any character sent to it. Sometimes used in packet debugging and can be used for denial of service attacks. Not used by the Xerox FreeFlow Print Server. Used by rexec(1) command. Potentially dangerous: passwords and the subsequent session are clear text (not encrypted).
  • Page 13 Description in.tnamed is a server that supports the DARPA Name Server Protocol. Seldom used anymore. Not used by Xerox FreeFlow Print Server. The OCF server, ocfserv, is a per-host daemon that acts as the central point of communications with all smartcards connected to the host.
  • Page 14: User Level Changes

    Not used by the Xerox FreeFlow Print Server. UNIX to UNIX system copy over networks. UUCP is not securely set up and can be exploited in many ways. Not used by the Xerox FreeFlow Print Server. The following user-level changes are made: •...
  • Page 15: Solaris File Permissions

    Multicast routing disabled. OS and host information hidden. Secure File Permission options can be enabled or disabled through the Xerox FreeFlow Print Server interface. Fix-modes include: • fixmodes-xerox: fix file permissions for all packages to make them more secure. Available under the System tab under the “Secure File Permissions”...
  • Page 16: Sendmail Daemon Secured

    Note that with the high security setting, NFS is disabled; however, if the service is re-enabled manually, the port restriction will still apply. The Remote CDE login is disabled. The Xerox FreeFlow Print Server router capabilities are disabled (empty /etc/notrouter file created).
  • Page 17: Security Warning Banners

    Server controller /etc/hosts table are authorized to submit LP requests. Answer “y” for yes to disable this printing option. If you are using the legacy Xerox print command line client (the software is not distributed with this release), you will need to use the remote shell internet service to transfer files to the Xerox FreeFlow Print Server controller.
  • Page 18: Creating User-Defined Profiles

    Default Profile. Specifying a profile as default does not enable the profile, but indicates that it will be the profile setting across Xerox FreeFlow Print Server upgrades. By clicking the Restore Default Profile, the Default profile can be selected as the Current profile (this operation will take several minutes to complete).
  • Page 19: Default User Groups And User Accounts

    User accounts are organized into groups. Each user account is a member of only one group. The Xerox FreeFlow Print Server provides three default user groups: Users, Operators, and System Administrators. It also supplies four default user accounts: User, Operator, SA and CSE.
  • Page 20: Creating User Accounts

    Operations (Accept Jobs, Release Jobs, etc.) The Xerox FreeFlow Print Server user interface enables the Administrator to manage accounts easily by selecting [Setup], [Users & Groups], and the [Users] tab. When the administrator selects the Users tab, a pop-up window...
  • Page 21 Function Users Reprint Enabled Management Printer Manager (Finishing, Image Quality, etc.) Resource Management (L Resources, PDL Fonts, Forms, etc.) Accounting, Billing System Preferences Setup (System configuration, Gateways) Setup (Feature licenses, Network configuration) Operators; Administrators (sa and...; Changeable via GUI...
  • Page 22: Auto-Logon

    Automatic Logon. For example, if Automatic Logon is enabled and the user account is Administrators, then the Xerox FreeFlow Print Server will be open and all access to the Xerox FreeFlow Print Server will be granted. Comment...
  • Page 23: Default Screen/Auto-Logoff (Nuvera Only)

    If auto-logon is disabled, a user will be forced to log in again before the Xerox FreeFlow Print Server UI is displayed. When the system is installed, the Change System Password dialog box appears and prompts users to establish all System Default Accounts with new passwords.
  • Page 24: Strong Passwords

    NOTE: The strong password requirements cannot be modified. A strong password cannot be set for root or any other Solaris user accounts that are not created by the Xerox FreeFlow Print Server. NOTE: Remote Network Server: If running NIS+ name service, strong passwords would be enforced via the NIS+ server.
  • Page 25: Audit Logs

    Password Expiration; Audit Logs; GUI Logging. [...] function will only apply to failed login attempts via the Xerox FreeFlow Print Server UI and does not apply to the root (su) user. • From the Setup menu select [Users and Groups] •...
  • Page 26: User Activity On The System

    Additionally, the administrator must access the [ADS Groups] tab through [Users and Groups Management] and specify or edit the mapping of the ADS groups to the Xerox FreeFlow Print Server user groups having permission to log on to the printer.
  • Page 27: Limiting Access

    2. Select the ADS tab, and enter in the fully qualified domain name of the ADS domain. 3. Click “Join…” button to join the Xerox FreeFlow Print Server to the ADS domain specified. NOTE: If DNS is not enabled, the “Join...” button will not be available.
  • Page 28: Remote Workflow

    Refer to online help for detailed descriptions of IP Filtering property tabs such as: General tab, System tab, INIT tab, INETD tab, RPC tab. Remote Workflow allows for a remote connection to the Xerox FreeFlow Print Server controller. The administrator can limit access through the Xerox FreeFlow Print Server interface [Setup >...
  • Page 29: Creating And Using A Self-Signed Certificate

    To guarantee a secure connection with Xerox FreeFlow Print Server, do one of the following: • Enable SSL optionally via the GUI and connect to the Xerox FreeFlow Print Server via https:// • Require SSL as mandatory via the GUI and connect to the ISGW –...
  • Page 30: Using An Existing Signed Certificate From A Certificate Author

    Using an Existing Signed Certificate from a Certificate Authority NOTE: During steps 2-5, the user may go back and correct any mistakes made in previous steps. – Click on the 'Enable SSL/TLS' checkbox at the top of the SSL/TLS window. –...
  • Page 31: Digital Certificates

    This section addresses Network Protocol, name service changes and the changes that occur when security is invoked. The table below addresses the list of Network Protocols that are used by the Xerox FreeFlow Print Server software or Xerox client operations. Table 2-7...
  • Page 32 Connections can also be filtered using the IP Filter feature under Setup -> IP Filter. NOTE: When SSL is disabled (off) other web-based logins provided by the Xerox FreeFlow Print Server may not be secure. Use the HTTPs qualifier to guarantee a secure interaction.
  • Page 33: Secure Print

    Filter feature under Setup -> IP Filter. Necessary when using NFS mounted directories. This service is disabled when Xerox FreeFlow Print Server security is set to high. Connections can also be filtered using the IP Filter feature under Setup -> Security Profiles -> <Any Profile> -> RPC tab.
  • Page 34: Prevent Unauthorized Queue Changes

    Xerox will make every effort to assist the administrator in ensuring that the customer environment is secure. Xerox is committed to providing a level of security which will allow the Xerox FreeFlow Print Server controller to be a good network citizen in response to current security intrusions.
  • Page 35: Customer Responsibilities

    Any security patch that is determined to have a negative impact to Xerox FreeFlow Print Server operation will not be added. Customer Responsibilities The administrator has the primary responsibility for maintaining the security of the network within the customer's site. It is...
  • Page 36: Virus Scan

    Virus Scan; Online Help for security. The Xerox FreeFlow Print Server runs on the Solaris 10 Operating System (OS). This OS makes the Xerox FreeFlow Print Server less susceptible to viruses and worms. A great deal of helpful security information can be found in Online Help.
