Xerox Legacy Series Security Manual

Light production mono class

Xerox® Security Guide
Light Production Mono Class Copier/Printers
Legacy Printers: 4110, 4112/4127, 4590 Enterprise Printing System
Legacy Copier/Printers: 4110, 4112/4127, 4590 Copier/Printer
D-Series® Copier/Printers: D95/D110/D125/D136
Xerox® Application Security Guide and Information Assurance Disclosure

Summarization of Contents

Introduction to Xerox Security Guide
Purpose and Target Audience
Explains the document's aim and identifies the intended readers for Xerox security information.
Document Disclaimer
States information accuracy and liability limitations for the security guide.
Product Overview
Introduces the Xerox Light Production Mono Class Copier/Printer products.
Physical Components and Architecture
Physical Components of Copier/Printers
Details input document handler, scanner, marking engine, controller, and user interface.
Product Architecture
Mentions shared architecture for Legacy and D-Series products.
User Interface and Scanner Functionality
User Interface Features and Controls
Describes the GUI/LUI, administrative privileges, and Role Based Access Control (RBAC).
Scanner Functionality and Limitations
Explains document conversion and the absence of a scanner control processor.
Controller Details and Memory Devices
Marking Engine Operation and Security
Covers paper feeding, marking, fusing, finishing, and inter-chip communication.
Controller Details and Memory Devices
Details processing, network functions, I/O, and memory devices (DRAM, Flash ROM, NVRAM).
Controller Storage and External Interfaces
Controller Hard Disk Storage and Encryption
Lists user data, logs, fonts, file system, and overwrite/encryption features.
Controller External Interfaces: USB and Ethernet
Details Front Panel USB, Ethernet, and Rear USB ports and their functions.
Optional Equipment and Interfaces
Covers RJ-11 Fax, Wireless Network Connector, NFC Reader, Smart Card, and Foreign Product Interface.
User Data Protection Methods
Data Protection Within the Product
Security controls for data residing within the product, including encryption and sanitization.
Encryption Standards Used
Details AES-256 encryption for data processing and storage.
Media Sanitization and Overwrite Techniques
Explains NIST 800-88 compliance and overwriting methods for secure data erasure.
Immediate and On-Demand Overwrite Features
Describes overwriting temporary files and entire partitions for secure data erasure.
Data Protection in Transit
Covers protections for data submitted to or sent from the product.
Inbound Data: Secure Print Job Submission
Details IPPS (TLS), HTTPS (TLS), and Xerox Print Stream Encryption.
Outbound Data: Scanning to Network Services
Lists supported protocols for scanning to external locations.
USB Storage and Third-Party App Integration
Scanning to User Local USB Storage
Discusses direct transfer of scan data to USB products.
Third-Party App Integration Security
Mentions Xerox App Gallery and third-party app security.
Network Security Features
TCP/IP Ports and Services Overview
Presents inbound and outbound communications and supported protocols.
Listening Services (Inbound Ports) Summary
Summarizes potentially open ports on the product that can be enabled/disabled.
TCP/IP Port and Service Details
TCP/IP Ports and Services Details (Ports 20-524)
Details specific TCP/IP ports and their associated services and functions.
TCP/IP Port and Service Details (Continued)
TCP/IP Ports and Services Details (Ports 53-80)
Details specific TCP/IP ports (DNS, DHCP, HTTP) and their functions.
TCP/IP Port and Service Details (HTTP and Kerberos)
TCP/IP Ports and Services Details (Ports 80-88)
Details specific TCP/IP ports (HTTP variants, Kerberos) and their functions.
TCP/IP Port and Service Details (POP3 to SLP)
TCP/IP Ports and Services Details (Ports 110-427)
Details specific TCP/IP ports (POP3, SNTP, NETBIOS, SNMP, LDAP, SLP).
TCP/IP Port and Service Details (HTTPS and NCP)
TCP/IP Ports and Services Details (Ports 443-524)
Details specific TCP/IP ports (HTTPS, SMTPS, ISAKMP, LPR, NetWare NCP).
TCP/IP Port and Service Details (DHCPv6 to Raw IP)
TCP/IP Ports and Services Details (Ports 546-9100)
Details specific TCP/IP ports (DHCPv6, IPP, LDAPS, HTTPS, SSDP, WSD, mDNS, raw IP).
Network Encryption and TLS Support
Port 15000: Loopback Port
Explains the loopback port for SMTP server control.
Network Encryption: IPSec Support
Details IPSec support for IPv4 and IPv6 protocols and its configurations.
Wireless Security and TLS Protocol Support
Wireless Security (WPA) Status
States products do not offer a wireless connector option.
TLS Protocol Support
Details supported TLS versions for product interfaces and printing.
Public Key Encryption (PKI) and Certificates
Digital Certificate Components and Types
Defines digital certificates and their components and types.
Device Certificate Management
Covers CA signed and self-signed certificates and their supported lengths.
Trusted Certificates Import and Validation
Explains importing public certificates for validation and key length restrictions.
Certificate Validation, S/MIME, and SNMPv3
Certificate Validation Procedures
Details certificate validation checks such as OCSP and CRL.
Email Signing and Encryption (S/MIME)
Describes S/MIME for email authentication, integrity, and encryption.
SNMPv3 Security Features Explained
Outlines SNMPv3's message integrity, authentication, and encryption features.
Network Access Control Methods
802.1X Authentication Process
Explains 802.1X authentication process and supported methods.
Cisco Identity Services Engine (ISE) Integration
Describes ISE's role in security policy enforcement and product profiling.
Endpoint Connection Management and Compliance
Cisco ISE Policy Enforcement Capabilities
Details ISE's controls for provisioning, authorization, and reporting of Xerox products.
Contextual Endpoint Connection Management
Discusses managing endpoints via Cisco TrustSec and SGTs.
FIPS 140-2 Compliance Validation
Explains product validation for cryptographic modules and FIPS compliance.
Endpoint Firewall and IP Whitelisting
Endpoint Firewall Options: Stateful and IP Whitelist
Details Stateful Firewall and IP Whitelist features.
IP Whitelisting (IP Address Filtering)
Discusses IP address filtering for IPv4 and IPv6.
Device Security: BIOS, Firmware, and OS Controls
Pre-Boot BIOS Protection Mechanisms
Covers BIOS inaccessibility, digital signature verification, and fail-secure behavior.
Embedded Encryption for Data Security
Details AES encryption for configuration settings and user data.
Boot Process Integrity and Verification
Explains firmware integrity verification and digital signatures.
Event Monitoring and Audit Log
Mentions the Audit Log feature for security-related events.
Continuous Operational Security Measures
Covers firmware installation controls and CSE restrictions.
Fail Secure vs. Fail Safe Behavior
Explains the product's design to fail secure in security-compromised scenarios.
Pre-Boot Security and BIOS Integrity
Re-iterates BIOS inaccessibility and firmware update protection.
Embedded Encryption Details
Details AES encryption for system, user data, and configuration.
Boot Process Security and Audit Logging
Boot Process Security: Firmware Integrity
Discusses digitally signed firmware and its validation.
Audit Log Contents and Export
Details the information captured in the Audit Log.
Operational Security: Firmware Update Controls
Lists supported firmware delivery methods and access controls.
Service Access, Backup, and EIP Applications
Service Technician (CSE) Access Restriction
Explains CSE access with an independent password.
Backup and Restore (Cloning) Functionality
Covers capturing and applying system settings via clone files.
Extensible Interface Platform (EIP) Applications
Discusses Xerox Extensible Interface Platform (EIP) and third-party app installation.
Identification, Authentication, and Authorization
Authentication Options Overview
Discusses single and multi-factor authentication and RBAC.
Local Authentication and User Database
Explains local user database for credentials, authentication, and authorization.
Password Policy Configuration Options
Details configurable password attributes like minimum/maximum length and complexity.
Network and Device Authentication Methods
Network Authentication Providers Supported
Lists supported network authentication providers like Kerberos, SMB, LDAP.
Device Authentication Methods: 802.1X
Explains 802.1X authentication process and supported methods (MD5, MS-CHAPv2, PEAP).
Smart Card, Convenience, and Simple Authentication
Smart Card Authentication Methods
Details two-factor security using smart cards and supported solutions.
Convenience Authentication Solutions
Covers third-party solutions for identification card or key fob access.
Simple Authentication (Non-Secure)
Mentions simple authentication for environments where it's not required.
Authorization: Role Based Access Controls (RBAC)
User Permissions and Workflow Customization
Explains granular control of user permissions and security-related workflows.
Remote Access Controls and Information Visibility
Discusses viewing basic information and restricting access to device pages.
Local Access Controls and Settings Visibility
Covers viewing basic information and restricting access to device settings.
Authentication Methods: Kerberos and SMB
Kerberos Authentication Steps Explained
Details the authentication steps involved in Kerberos.
SMB Authentication Methods Detailed
Explains NTLMv2, NTLMv1, LM, and PLAIN authentication methods.
LDAP Authentication Modes and Secure Access
LDAP Authentication Modes: Direct and Search Login
Details Direct Login and Search & Login modes for LDAP authentication.
Secure Access Authentication Sequence
Describes the authentication sequence for Secure Access card readers.
Additional Information and Resources
Security @ Xerox® Portal
Provides a link to Xerox's public web page for security information.
Vulnerability Management and Disclosure Policy
Links to a document detailing Xerox's vulnerability management policy.
Useful Security Resources and Links
Lists links to FAQs, certifications, release notes, and advisories.
Appendix A: Product Security Profiles
Detailed Product Security Information
States this appendix describes specific details for Legacy and D-Series products.
Legacy Printers: 4110, 4112/4127, 4590 EPS
Physical Overview and Security Interfaces
Shows physical components and lists security-related interfaces like Ethernet and USB.
Encryption and Overwrite Features
Details AES-256 encryption and media sanitization for these printers.
Controller Storage for Legacy Printers
Controller Non-Volatile Storage Details
Lists IC, HDD, SSD, SD Card usage and encryption support.
Controller Non-Volatile Memory Types
Details SDRAM and other memory types, their usage, and volatility.
Controller Volatile Memory and Marking Engine Storage
Controller Volatile Memory Details
Details volatile memory types, usage, and clearing mechanisms.
Marking Engine Storage Overview
States that the marking engine has no non-volatile or volatile storage for user data.
Legacy Copier/Printers: 4110, 4112/4127, 4590
Physical Overview and Security Interfaces
Shows physical components and lists security-related interfaces like Ethernet and USB.
Encryption and Overwrite Features
Details AES-256 encryption and media sanitization for these copier/printers.
Controller Storage for Legacy Copier/Printers
Controller Non-Volatile Storage Details
Lists IC, HDD, SSD, SD Card usage and encryption support.
Controller Non-Volatile Memory Types
Details Flash, EEPROM, and SD Card memory types and their usage.
Controller Volatile Memory and Marking Engine Storage
Controller Volatile Memory Details
Details volatile memory types, usage, and clearing mechanisms.
Marking Engine Storage Overview
States that the marking engine has no non-volatile or volatile storage for user data.
D-Series Copier/Printers: D95A/D110/D125/D136
Physical Overview and Security Interfaces
Shows physical components and lists security-related interfaces like Ethernet and USB.
Encryption and Overwrite Features
Details AES-256 encryption and media sanitization for these D-Series products.
Controller Storage for D-Series Copier/Printers
Controller Non-Volatile Storage Details
Lists HDD usage, encryption support, and NIST 800-171 overwrite support.
Controller Hard Disk Table and Partitions
Details hard disk partitions, their size, function, and clearing methods.
Controller Hard Disk and Volatile Memory
Controller Hard Disk Partition Details
Provides additional information on hard disk partition encryption and overwrite.
Controller Volatile Memory Usage
Details volatile memory types and their usage.
Controller Memory Details
Controller Volatile Memory Details
Details volatile memory types, usage, and clearing mechanisms.
Controller Non-Volatile Memory Types
Details non-volatile memory types and their usage.
Appendix B: Security Events
Xerox Legacy® Security Events (ID 1-9)
Lists system startup, shutdown, ODIO, print, scan, fax, and email job events.
Xerox Legacy® Security Events (ID 10-23)
Lists audit log, copy, eFax, LAN fax, data encryption, ODIO, scan, and delete events.
Xerox Legacy® Security Events (ID 24-35)
Lists scan, copy store, PagePack, password, login, audit log, and IIO events.
Xerox Legacy® Security Events (ID 36-49)
Lists audit log, SSL, certificate, IPSec, SNMPv3, IP filtering, network auth, and clock events.
Xerox Legacy® Security Events (ID 50-63)
Lists process termination, ODIO, CPSR backup/restore, session timer, feature access, device clock, and smartcard events.
Xerox Legacy® Security Events (ID 64-75)
Lists 802.1X, local auth, web UI auth, FIPS mode, secure access, print/USB, scan/USB, and log download events.
Xerox Legacy® Security Events (ID 76-87)
Lists remote UI, scan features, SMTP encryption, email filtering, self-tests, and McAfee events.
Xerox Legacy® Security Events (ID 88-99)
Lists certificate import, password change, passcode, folder password, Efax, FTP/SFTP, EIP, and network connectivity events.
Xerox Legacy® Security Events (ID 100-114)
Lists address book, SW upgrade, supplies plan, plan conversion, IPv4, admin PIN, authentication, and cloning events.
Xerox Legacy® Security Events (ID 115-119)
Lists reprint job, web UI access, system log push, and scan to WebDAV events.
Xerox Legacy® Security Events (ID 120-131)
Lists Mopria print, PoS API, login attempts, device info display, lockout expiry, erase data, SFTP, and remote software download events.
Xerox Legacy® Security Events (ID 132-143)
Lists AirPrint/Mopria scanning/jobs, remote services, backup-restore, and Google Cloud events.
Xerox Legacy® Security Events (ID 144-155)
Lists user/group roles, admin password policy, restricted login, session logout, IPP, HTTP proxy, and EIP installation events.
Xerox Legacy® Security Events (ID 159-171)
Lists engineering logs, clone files, troubleshooting, SMB browse, and job data removal events.
Xerox Legacy® Security Events (ID 172-181)
Lists app export, device file distribution, configuration watchdog, ThinPrint, and iBeacon discovery events.
D-Series® Security Events
D-Series® Boot, Shutdown, and Login Events
Covers boot events, shutdown, image overwriting, self-test, login, logout, and audit log.
D-Series® Print Job Events
Details user, job, accounting, and action information for print events.
D-Series® Job Processing and Settings Events
D-Series® Job Processing Events
Details copy, scan, fax, mailbox, and print reports events.
D-Series® User and Security Settings Events
Covers user management, authentication mode, and security setting changes.
D-Series® Security Settings and Certificate Management
Details security settings view, contract type, activation code, job settings, certificate management.