This software and any accompanying documentation provided under this agreement are commercial computer software and documentation developed exclusively at private expense. Trademarks Lexmark, Lexmark with diamond design, and MarkVision are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners.
Contents
Using security features in the Embedded Web Server 5
  Understanding the basics 5
    Authentication and Authorization 5
    Groups 6
    Access Controls 6
    Security Templates 6
  Configuring building blocks 7
    Creating a password 7
    Creating a PIN 7
    Setting up internal accounts 8
    Using LDAP 9
    Using LDAP+GSSAPI ...
Appendix 29
Notices 32
Glossary of Security Terms 39
Index 40
Using security features in the Embedded Web Server The latest suite of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Incorporating traditional components such as authentication and group permissions, administrators can use Embedded Web Server Security Templates to control access to the devices that produce, store, and transmit sensitive documents.
Groups Administrators can designate up to 32 groups to be used in association with either the Internal accounts or LDAP/LDAP+GSSAPI building blocks. For the purposes of Embedded Web Server security, groups are used to identify sets of users needing access to similar functions. For example, in Company A, employees in the warehouse do not need to print in color, but those in sales and marketing use color every day.
Configuring building blocks

Creating a password
The Embedded Web Server can store a combined total of 250 user-level and administrator-level passwords on each supported device.

To create a password
From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
Under Edit Building Blocks, select Password.
Select Admin PIN if the PIN will be used as the Administrator PIN.
Note: If an activity is secured by a specific Administrator PIN, then only that PIN will grant access to it.
Click Submit.

Setting up internal accounts
Embedded Web Server administrators can configure one internal account building block per supported device. Each internal account building block can include a maximum of 250 user accounts and 32 user groups.
Specifying settings for internal accounts
Settings selected in the Internal Accounts Settings section determine the information an administrator must submit when creating a new internal account, as well as the information a user must submit when authenticating.
• Require e-mail address—Select this box to make the E-mail address a required field when creating new internal...
• Search Timeout—Enter a value from 5 to 30 seconds.
• Required User Input—Select either User ID and Password or User ID to specify which credentials a user must provide when attempting to access a function protected by the LDAP building block.
Device Credentials
• Anonymous LDAP Bind—If selected, the Embedded Web Server will bind with the LDAP server anonymously, ...
To validate an existing LDAP setup
From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
Under Edit Building Blocks, select LDAP.
Click Test LDAP Authentication Setup next to the setup you want to test.

Using LDAP+GSSAPI
Some administrators prefer authenticating to an LDAP server using Generic Security Services Application Programming Interface (GSSAPI) instead of simple LDAP authentication because the transmission is always secure.
• Search Timeout—Enter a value from 5 to 30 seconds.
• Required User Input—Select either User ID and Password or User ID to specify which credentials a user must provide when attempting to access a function protected by the LDAP building block.
Device Credentials
• MFP Kerberos Username—Enter the distinguished name of the print server(s).
Configuring Kerberos 5 for use with LDAP+GSSAPI Though it can be used by itself for user authentication, Kerberos 5 is most often used in conjunction with the LDAP +GSSAPI building block. While only one Kerberos configuration file (krb5.conf) can be stored on a supported device, that krb5.conf file can apply to multiple realms and Kerberos Domain Controllers (KDCs).
Setting date and time Because Kerberos servers require that key requests bear a recent timestamp (usually within 300 seconds), the printer clock must be in sync or closely aligned with the KDC system clock. Printer clock settings can be updated manually, or set to use Network Time Protocol (NTP), to automatically sync with a trusted clock—typically the same one used by the Kerberos server.
Specifying the default user domain for the NTLM server Open the Embedded Web Server home screen using the secure version of the page (with the URL beginning “https://”), rather than an unsecured browsing window. Note: If you do not connect to the Embedded Web Server using HTTPS, you will not be able to register your device with an NT domain.
Setting login restrictions
Many organizations establish login restrictions for information assets such as workstations and servers. Embedded Web Server administrators should verify that printer login restrictions also comply with organizational security policies.
From the Embedded Web Server Home screen, browse to Settings > Security > Miscellaneous Security Settings.
Step 2: Create a security template Once configured, one or two building blocks can be combined with a unique name of up to 128 characters to create a security template. Each device can support up to 140 security templates. Though the names of security templates must be different from one another, building blocks and security templates can share a name.
Notes:
• Clicking Delete List will delete all security templates on the device, regardless of which one is selected. To delete an individual security template, select it from the list, and then click Delete Entry in the Settings screen for that template.
Step 2: Create a security template
From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
Under Edit Security Templates, select Security Templates.
Under Manage Security Templates, select Add a Security Template.
In the Security Templates Name field, type a unique name containing up to 128 characters. It can be helpful to use a descriptive name, such as "Administrator_Only" or "Common_Functions_Template."...
LDAP server information
• The IP address or hostname of the LDAP server
• The LDAP server port (the default is 389)
• A list of up to three object classes stored on the LDAP server, which will be searched for user credentials during...
For each function you want to protect, select the newly created security template from the drop-down list next to the name of that function. Click Submit to save changes, or Reset Form to cancel all changes. Users will now be required to enter the appropriate credentials in order to gain access to any function controlled by the security template.
From here, you can:
• Delete—Remove a previously stored certificate.
• Download to File—Download or save the certificate as a .pem file.
• Download Signing Request—Download or save the signing request as a .csr file.
• Install Signed Certificate—Upload a previously signed certificate.
...
Select an option for Job Expiration:
• Select Off to allow unprinted confidential print jobs to remain in the print queue indefinitely.
• Select a value of 1 hour, 4 hours, 24 hours, or 1 week to specify the amount of time that an unprinted...
If you have enabled Manual mode and wish to set up a schedule for disk wiping, select Scheduled Disk Wiping. Use the Time and Day(s) lists to designate when disk wiping should occur, and then click Add. Repeat as needed to schedule additional times for disk wiping.
The printer will power-on reset, and then return to normal operating mode.

Configuring security audit log settings
The security audit log allows administrators to monitor security-related events on a device including, among others, user authorization failures, successful administrator authentication, or Kerberos files being uploaded to a device. By default, security logs are stored on the device, but may also be transmitted to a network syslog server for further processing or storage.
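Once the audit log is forwarded to a syslog server, the receiving side needs logic that turns the raw lines into alerts. The following Python script is an added example, not Lexmark code: it parses forwarded audit-log lines and flags a burst of user authorization failures for one account within a short window, and separately lists the privileged events (administrator authentication, Kerberos file upload) that are worth reviewing. The line format, host name, user names and event wording are constructed for this example; the guide does not show the device's actual syslog output, so LINE_RE and the message strings must be adapted to what your collector receives.

```python
"""Added example: triage forwarded printer security audit log lines.

The syslog line shape (BSD-style timestamp, host, facility, message, user=) is
constructed for illustration, not taken from a Lexmark device.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input. Event names mirror the kinds of events the guide
# says the audit log records (authorization failures, admin auth, Kerberos upload).
SAMPLE_LOG = """\
Mar 14 09:00:01 printer-01 auth: User authorization failure user=jdoe
Mar 14 09:00:12 printer-01 auth: User authorization failure user=jdoe
Mar 14 09:00:20 printer-01 auth: User authorization failure user=jdoe
Mar 14 09:00:31 printer-01 auth: User authorization failure user=jdoe
Mar 14 09:05:00 printer-01 auth: Administrator authentication success user=admin
Mar 14 09:06:00 printer-01 kerberos: Kerberos configuration file uploaded user=admin
Mar 14 11:00:00 printer-01 auth: User authorization failure user=asmith
"""

# Hypothetical line grammar: "<Mon> <day> <HH:MM:SS> <host> <facility>: <message> [user=<name>]"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<facility>\w+): (?P<msg>.*?)(?: user=(?P<user>\S+))?$"
)

FAILURE_MSG = "User authorization failure"
PRIVILEGED_PREFIXES = ("Administrator authentication", "Kerberos configuration file")


def parse_log(text, year=2024):
    """Parse syslog text into event dicts; BSD timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines so a format change is noticed
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m["host"], "facility": m["facility"],
                       "msg": m["msg"], "user": m["user"]})
    return events


def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return [(user, count)] for users with at least `threshold` failures inside any `window`.

    A sliding window over the sorted timestamps finds the densest run per user.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["msg"] == FAILURE_MSG and e["user"]:
            by_user[e["user"]].append(e["ts"])
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, best))
    return alerts


def privileged_events(events):
    """Return (timestamp, user, message) for events an administrator should review."""
    return [(e["ts"], e["user"], e["msg"]) for e in events
            if e["msg"].startswith(PRIVILEGED_PREFIXES)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, count in failed_auth_bursts(evts):
        print(f"ALERT: {count} authorization failures for {user!r} within 5 minutes")
    for ts, user, msg in privileged_events(evts):
        print(f"REVIEW: {ts:%H:%M:%S} {user} {msg}")
```

The burst threshold and window should be set to match the login restrictions configured on the device (see the login restrictions section), so that the syslog side alerts at the same point the printer would start rejecting attempts.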
Type the Primary SMTP Gateway Port number of the destination server. The default value is port 25. If using a secondary or backup SMTP server, enter the IP address/hostname and SMTP port for that server. For SMTP Timeout, type the number of seconds (5-30) the device will wait for a response from the SMTP server before timing out.
From the TTLS Authentication Method list, choose which authentication method will be accepted through the secure tunnel created between the authentication server and the printer.
Click Submit to save the changes, or Reset Form to restore the default settings.
Note: Changes made to settings marked with an asterisk (*) will cause the print server to reset.

Setting up SNMP
Simple Network Management Protocol (SNMP) is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention.
Under Trap Destination, type the IP address of the network management server or monitoring station, and then click the check box next to each condition that should generate an alert.
Click Submit to save changes, or Reset Form to clear all fields.

Enabling the security reset jumper
The Security Reset Jumper is a hardware jumper located on the motherboard.
Appendix

Menu of Access Controls
Depending on device type and installed options, some Access Controls (referred to on some devices as Function Access Controls) may not be available for your printer.

Function Access Control: What it does
Address Book: Controls the ability to perform address book searches in the Scan to Fax and Scan to Email functions
Change Language from Home: Controls access to the Change Language feature from the printer control panel
...
Network Ports/Menu at the Device: Protects access to the Network/Ports section of the Settings menu from the printer control panel
Network Ports/Menu Remotely: Protects access to the Network/Ports section of the Settings menu from the Embedded Web Server
NPA Network Adapter Setting: When disabled, all network adaptor NPA settings change commands are ignored
...
Supplies Menu at the Device: Protects access to the Supplies menu from the printer control panel
Supplies Menu Remotely: Protects access to the Supplies menu from the Embedded Web Server
User Profiles: Controls access to Profiles, such as scanning shortcuts, workflows, or eSF applications
Web Import/Export Settings: Controls the ability to import and export printer settings files (UCF files) from the...
Notices This product includes software developed by the Apache Software Foundation (http://www.apache.org). The Apache Software License, Version 1.1 Copyright (c) 2000-2002 The Apache Software Foundation. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity"...
Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files;...
International, Inc. ("Lexmark") that, to the extent your Lexmark product or Software Program is not otherwise subject to a written software license agreement between you and Lexmark or its suppliers, governs your use of any Software Program installed on or provided by Lexmark for use in connection with your Lexmark product. The term "Software Program"...
Lexmark that cannot be excluded or modified. If any such provisions apply, then to the extent Lexmark is able, Lexmark hereby limits its liability for breach of those provisions to one of the following: replacement of the Software Program or reimbursement of the price paid for the Software Program.
UPGRADES. To Use a Software Program identified as an upgrade, you must first be licensed to the original Software Program identified by Lexmark as eligible for the upgrade. After upgrading, you may no longer use the original Software Program that formed the basis for your upgrade eligibility.
Software Program and requested by you. Lexmark agrees not to use this information in a form that personally identifies you except to the extent necessary to provide such services.
Glossary of Security Terms
Access Controls: Settings that control whether individual device menus, functions, and settings are available, and to whom. Also referred to as Function Access Controls on some devices.
Authentication: A method for securely identifying a user.
Authorization: A method for specifying which functions are available to a user, i.e.
Index
Numerics 802.1x 26 encrypting the hard disk 24 Scenario Active Directory networks 19 printer in a public place 18 standalone or small office 18 Access Controls Function Access Controls 6 using passwords and PINs 18 list of 29 security managing with PIN or 802.1x authentication 26...