Embedded Web Server — Security Administrator's Guide May 2016
Contents

Change history 4
Overview 5
Supported printers 5
Securing network connections
Managing other access functions 25
Scheduling access to USB devices 25
Setting login restrictions 25
Configuring confidential printing
Change history

January 2016
• Initial document release for multifunction products with a tablet-like touch-screen display
Overview

Use this document to secure the printer using the Embedded Web Server. To secure the printer, combine login methods and access controls to define which users are allowed to use the printer and which functions they can use. Using the Embedded Web Server, you can configure the printer to reach Common Criteria Evaluation Assurance Level 2 (EAL 2). For more information, see the Common Criteria Installation Supplement and Administrator Guide.
Securing network connections

Accessing the Embedded Web Server
1 Obtain the printer IP address. Do either of the following:
• Locate the IP address on the top of the printer home screen.
• From the printer home screen, touch Settings > Network/Ports > Network Overview.
2 Open a Web browser, and then type the printer IP address in the address field.
• Proposed Authentication Method
• IPSec Device Certificate
4 Do one or more of the following:
• From the Pre‑Shared Key Authenticated Connections section, type the IP address of the client device that you want to connect to the printer. A pre‑shared key is a secret shared by every peer that uses it; prefer certificate authentication for any client that can present a certificate.
• From the Certificate Authenticated Connections section, type the IP address of the client device that you want to connect to the printer.
5 Click Save.
Notes:
• If there are no CA certificates added, then the default certificate is used.
4 In the TTLS Authentication Method menu, select the authentication method to use.
5 Click Save.

Setting the restricted server list
You can configure the printer to accept connections only from a list of specified TCP/IP addresses. This blocks TCP connections from all other addresses, protecting the printer against unauthorized printing and configuration changes. Make sure the list includes the management workstations and print servers that need access: an address left off the list also loses access to the Embedded Web Server.
1 From the Embedded Web Server, click Settings > Network/Ports > TCP/IP.
Managing devices remotely

Using HTTPS for printer management
To restrict access to the printer Embedded Web Server to HTTPS only, turn off the HTTP ports, leaving the HTTPS port (443) active. This ensures that all communication with the printer through the Embedded Web Server is encrypted. Open the Embedded Web Server over https:// before making this change, because an HTTP session is dropped as soon as the HTTP port is closed.
1 From the Embedded Web Server, click Settings > Network/Ports > TCP/IP > TCP/IP Port Access.
2 Clear TCP 8000 (HTTP) and TCP 80 (HTTP).
3 Click Save.
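After saving, confirm from a management workstation that the change took effect. The following script is an added example written for this guide; it is not part of the Embedded Web Server or its documentation. It assumes only the ports named in the procedure (TCP 80 and 8000 for HTTP, TCP 443 for HTTPS) and a placeholder printer address of 192.0.2.10 when none is given on the command line. Probing is kept separate from the policy decision so the decision logic can be exercised without a live printer.

```python
"""Verify that a printer exposes its Embedded Web Server over HTTPS only.

Added example, not from the guide. Assumes the ports used in the
procedure: TCP 80 and TCP 8000 for HTTP, TCP 443 for HTTPS.
"""
import socket
import ssl

HTTP_PORTS = (80, 8000)   # the two HTTP ports the procedure clears
HTTPS_PORT = 443


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, timeout=3.0):
    """Probe every port the policy cares about; returns {port: is_open}."""
    return {p: tcp_open(host, p, timeout) for p in HTTP_PORTS + (HTTPS_PORT,)}


def judge(ports):
    """Apply the HTTPS-only policy to a probe result.

    Returns (compliant, problems). Compliant means no HTTP port answers
    and the HTTPS port does. A printer with nothing listening at all is
    not compliant either: it could no longer be managed remotely.
    """
    problems = []
    for p in HTTP_PORTS:
        if ports.get(p):
            problems.append(f"TCP {p} (HTTP) still accepts connections")
    if not ports.get(HTTPS_PORT):
        problems.append(f"TCP {HTTPS_PORT} (HTTPS) is not reachable")
    return (not problems, problems)


def tls_summary(host, port=HTTPS_PORT, timeout=3.0):
    """Handshake with the HTTPS port and report protocol version and cipher.

    Certificate verification is disabled on purpose: a printer with no CA
    certificate installed presents its default certificate, which no trust
    store validates, and the goal here is inventory, not trust. Do not
    reuse this context for anything that sends credentials.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    result = probe(host)
    ok, problems = judge(result)
    print(f"{host}: {'HTTPS only' if ok else 'NOT compliant'}")
    for line in problems:
        print("  -", line)
    if result[HTTPS_PORT]:
        print("  TLS:", tls_summary(host))
```

Run it against each printer after the change; a port that still answers on 80 or 8000 means the setting was not saved or the printer was not the one edited.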
Configuring SNMP traps
After configuring SNMP settings, you can customize which alerts are sent to the network management system by designating the events (SNMP traps) that trigger an alert message.
1 From the Embedded Web Server, click Settings > Network/Ports > SNMP > Set SNMP Traps.
2 In one of the IP Address fields, type the IP address of the network management server or monitoring station.
3 Select the conditions for which you want to generate an alert.
4 Click Save.
Configure e‑mail notification
Before you begin, make sure that the printer e‑mail settings have been configured properly.
a In the Admin’s E‑mail Address field, type one or more e‑mail addresses, separated by commas.
b Configure the notification settings.
• E‑mail Log Cleared Alert—Send a notification when the Delete Log button is clicked.
• E‑mail Log Wrapped Alert—Send a notification when the log becomes full and begins to overwrite the oldest entries.
Both alerts matter for auditing: each one signals that log records have been removed from the printer, so enable them if the log is the only copy of the audit trail.
Managing login methods

Restricting public access to functions, applications, printer management, and security options
The guest (public) account can use the printer without logging in. To control what guest users can do, restrict the functions, applications, printer management, and security options available to the public account.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Public section, click Manage Permissions.
4 Do either of the following:
• To edit the user account, update the user information, and then click Save.
• To delete the user account, click Delete User.
Note: To delete multiple user accounts, select the accounts, and then click Delete.

Creating local account groups
Use groups to customize users’ access to applications and printer functions.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
Using LDAP or LDAP+GSSAPI
LDAP is a standards‑based, cross‑platform, extensible protocol that runs directly on top of TCP/IP. It is used to access information stored in a specially organized information directory. It can interact with many different kinds of databases without special integration, making it more flexible than other authentication methods. With plain LDAP the printer authenticates to the directory with a simple bind, which sends the bind password in the clear unless the connection is protected with SSL/TLS. Use LDAP+GSSAPI when the printer should authenticate to the directory with Kerberos through SASL/GSSAPI instead, so that no directory password crosses the network and the transmission is protected by the GSSAPI security layer.
Device Credentials
• Anonymous LDAP Bind—Bind the printer with the LDAP server anonymously. This option is applicable only if your LDAP server allows anonymous binding. Enabling this option does not require you to provide authentication credentials, but the printer can then read only what the directory exposes to unauthenticated clients, and the directory has no way to tell the printer apart from any other anonymous client. This setting is available only in the LDAP setup.
• Use Active Directory Device Credentials—Use user credentials and group designations that are pulled from the existing network, in the same way as for other network services.
• Search Attributes—Select the LDAP attributes used as search filters.
• Custom Attributes—Type the LDAP custom attributes used as search filters.
5 Click Save and Verify.

Editing or deleting LDAP or LDAP+GSSAPI login methods
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click the LDAP or LDAP+GSSAPI login method.
4 If necessary, from the Miscellaneous Settings section, configure the following settings:
• Character Encoding—Select the character encoding used for the configuration file.
• Disable Reverse IP Lookups
5 Click Save and Verify.

Setting the date and time
When using Kerberos authentication, make sure that the time difference between the printer and the domain controller does not exceed five minutes. Kerberos rejects tickets and authenticators that fall outside its clock-skew tolerance, so a printer whose clock has drifted past this limit fails every login even when the rest of the configuration is correct. Synchronize the printer and the domain controller to the same time source rather than correcting the printer clock by hand.
Using Active Directory
You can use this login method by itself or in conjunction with the LDAP+GSSAPI login method.
Notes:
• Only one Kerberos configuration file can be saved in the printer memory. This configuration file can apply to multiple realms and Kerberos Domain Controllers.
• Administrators must anticipate the different types of authentication requests the Kerberos server might receive, and configure the configuration file to handle the requests.
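Because only one Kerberos configuration file fits on the printer, it is worth checking the file for the problems this guide raises before uploading it: every realm needs a KDC (and more than one, since a single KDC that stops responding locks every user out, as described under "KDC is not responding within the required time"), default_realm must name a defined realm, domain_realm mappings must point at realms the file defines, and the clock-skew tolerance should not be widened as a substitute for keeping the printer and domain controller clocks within five minutes of each other. The following lint script is an added example written for this guide, not part of the printer firmware or its documentation. The embedded krb5.conf is constructed for the demonstration and its host names are placeholders; it deliberately contains one realm with no KDC, a widened clockskew, and a mapping to an undefined realm so the lint has something to report.

```python
"""Lint a krb5.conf-style Kerberos configuration file before uploading it.

Added example, not from the guide. The sample configuration is constructed;
realm and host names are placeholders.
"""
import re

MAX_SKEW_SECONDS = 300  # five minutes: the Kerberos default and the guide's limit

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    clockskew = 900
    dns_lookup_kdc = false

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com:88
        kdc = dc2.corp.example.com:88
        admin_server = dc1.corp.example.com
    }
    LAB.EXAMPLE.COM = {
        admin_server = dc1.lab.example.com
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    .lab.example.com = LAB.EXAMPLE.COM
    .old.example.com = OLD.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse the ini-like krb5.conf layout into nested dicts.

    Result: {section: {key: [values]}}; a "NAME = {" block inside a section
    becomes {section: {NAME: {key: [values]}}}. Values are lists because
    keys such as kdc legitimately repeat.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = conf.setdefault(m.group(1).strip(), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"entry outside any section: {raw!r}")
        if line == "}":
            if block is None:
                raise ValueError(f"stray closing brace: {raw!r}")
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key = value line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    if block is not None:
        raise ValueError("unterminated { block at end of file")
    return conf


def lint_krb5_conf(conf):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        findings.append(f"libdefaults: default_realm {default_realm} has no [realms] entry")

    for raw_skew in libdefaults.get("clockskew", []):
        try:
            skew = int(raw_skew)
        except ValueError:
            findings.append(f"libdefaults: clockskew {raw_skew!r} is not a number")
            continue
        if skew > MAX_SKEW_SECONDS:
            findings.append(f"libdefaults: clockskew {skew}s exceeds {MAX_SKEW_SECONDS}s; "
                            "synchronize the clocks instead of widening the tolerance")

    dns_lookup = libdefaults.get("dns_lookup_kdc", ["false"])[0].lower() in ("true", "yes", "1")
    for realm, entries in realms.items():
        if not isinstance(entries, dict):
            findings.append(f"realms: {realm} is not a {{ ... }} block")
            continue
        kdcs = entries.get("kdc", [])
        if not kdcs and not dns_lookup:
            findings.append(f"realms: {realm} lists no kdc and dns_lookup_kdc is off")
        elif len(kdcs) == 1:
            findings.append(f"realms: {realm} has a single kdc; add a second for failover")

    for domain, targets in conf.get("domain_realm", {}).items():
        for target in targets:
            if target not in realms:
                findings.append(f"domain_realm: {domain} maps to undefined realm {target}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for finding in lint_krb5_conf(parse_krb5_conf(text)) or ["no findings"]:
        print(finding)
```

Run it with the path of the file you intend to upload; with no argument it lints the constructed sample and reports the three planted problems.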
• Require—Use only Windows operating system authentication credentials.
Device Credentials
– Use Active Directory Device Credentials—Use user credentials and group designations that are pulled from the existing network, in the same way as for other network services.
– If Use Active Directory Device Credentials is disabled, then provide the authentication credentials used to bind the printer with the Active Directory server.
Creating LDAP, LDAP+GSSAPI, or Active Directory groups
Use groups to customize user access to applications and printer functions.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click the LDAP, LDAP+GSSAPI, or Active Directory login method.
3 Click Manage Groups > Add Group.
• For more information on access controls, see “Understanding access controls” on page 21.

Understanding access controls
Access controls let you limit users’ access to functions, applications, and printer management.
Note: Some access controls are available only on some printer models.
• SE Menu—View diagnostic logs.
• Manage Shortcuts—Manage shortcuts available on the printer.
• Address Book—Manage the address book.
• Device Menu—Configure the printer firmware settings.

Device Management
The following access controls allow users to use printer management options:
• Remote Management—Access the printer remotely.
• Firmware Updates
• Apps Configuration—Configure the installed applications.
Managing certificates

Certificates are used when you want the printer to establish SSL/TLS, IPSec, or 802.1X connections and to securely identify other devices on the network. Printers can also use these certificates for LDAP over SSL authentication and address book look-ups. Certificate Authorities (CA) are trusted entities established on the network that are required in secure environments. If no CA certificate is installed, the default printer certificate is used to identify the printer on the network, and clients have no trusted issuer against which to validate it.
Installing certificates manually
Note: To download the CA certificate automatically, see “Installing certificates automatically” on page 24.
Before configuring Kerberos or domain controller settings, make sure to install the CA certificate used for domain controller validation. If you want to use chain validation for the domain controller certificate, then make sure to install the entire certificate chain. Each certificate must be in a separate PEM (.cer) file.
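CAs commonly hand out the chain as a single PEM bundle, so it has to be split into one file per certificate before it can be installed. The script below is an added example written for this guide, not part of the Embedded Web Server or its documentation. It checks only PEM framing and the outer DER SEQUENCE length of each block (enough to catch a truncated or mis-pasted certificate) and does not parse X.509; the bundle embedded in it is constructed from tiny placeholder DER blobs so the script runs without real certificates, and the file names it writes (ca1.cer, ca2.cer, ...) are an assumption, not a requirement of the printer.

```python
"""Split a PEM certificate bundle into one .cer file per certificate and
sanity-check each block's DER framing before anything is written.

Added example, not from the guide. SAMPLE_BUNDLE is constructed from
placeholder DER, not real certificates.
"""
import base64
import os
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_to_pem(der):
    """Wrap DER bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundle: two well-formed placeholder SEQUENCEs and one
# whose declared length (5) exceeds its 2 bytes of content, as a truncated
# paste would. Text outside the BEGIN/END markers is ignored, as in bundles
# that carry "subject=" / "issuer=" comment lines.
SAMPLE_BUNDLE = (
    "subject=CN=Example Root CA (placeholder comment line)\n"
    + der_to_pem(b"\x30\x03\x02\x01\x05")
    + der_to_pem(b"\x30\x03\x02\x01\x07")
    + der_to_pem(b"\x30\x05\x02\x01")
)


def pem_blocks_to_der(text):
    """Extract every CERTIFICATE block from a bundle, in order, as DER bytes."""
    return [base64.b64decode("".join(m.group(1).split()), validate=True)
            for m in PEM_BLOCK.finditer(text)]


def der_sequence_ok(der):
    """True if der is one DER SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, declared = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + declared == len(der)


def check_bundle(text):
    """Return [(index, ok)] for each block; ok is False for a truncated block."""
    return [(i, der_sequence_ok(der))
            for i, der in enumerate(pem_blocks_to_der(text), start=1)]


def write_separate_files(text, out_dir, prefix="ca"):
    """Write <prefix>1.cer, <prefix>2.cer, ... into out_dir, one certificate
    each. Nothing is written if any block fails the framing check."""
    ders = pem_blocks_to_der(text)
    bad = [i for i, der in enumerate(ders, start=1) if not der_sequence_ok(der)]
    if bad:
        raise ValueError(f"block(s) {bad} fail the DER framing check; fix the bundle first")
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for i, der in enumerate(ders, start=1):
        path = os.path.join(out_dir, f"{prefix}{i}.cer")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(der_to_pem(der))
        paths.append(path)
    return paths


if __name__ == "__main__":
    import sys
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for i, ok in check_bundle(bundle):
        print(f"block {i}: {'ok' if ok else 'BAD DER framing'}")
```

Before uploading the split files, confirm which one is the root and which are intermediates with `openssl x509 -noout -subject -issuer -in ca1.cer` (and so on for each file), and verify the chain end to end with `openssl verify` against the root; this script does not do that.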
Managing other access functions

Scheduling access to USB devices
In secure environments, devices can be configured to limit or disable the capabilities of USB host ports. You can disable the front USB port using access control restrictions. Devices also have a rear USB port designed for card readers and human interface devices, such as a keyboard.
1 From the Embedded Web Server, click Settings > Security > Schedule USB Devices.
Notes:
– When the limit is reached, the print jobs for that user name and PIN are deleted.
– This setting appears only when a formatted, working printer hard disk is installed.
– To turn off this setting, enter 0.
• Confidential Job Expiration—Specify how long the printer stores confidential print jobs.
Notes:
– Changes in this setting do not affect the expiration time for confidential print jobs that are already in the printer memory or on the hard disk.
3 Click Save.

Enabling the security reset jumper
If the device is locked down because of a forgotten administrator password or lost network connectivity, then you can recover the device by resetting it. Access the controller board and move the reset jumper so that it covers the middle and previously unexposed prongs. Because anyone with physical access to the controller board can perform this reset, use a cable lock to secure access to the controller board so that the device cannot be maliciously reset.
Securing data

Erasing printer memory
To erase volatile memory or buffered data in your printer, turn off the printer. To erase non‑volatile memory (individual settings, printer and network settings, security settings, and embedded solutions), do the following:
1 From the Embedded Web Server, click Settings > Device > Maintenance.
2 From the Erase Printer Memory section, select Sanitize all information on nonvolatile memory.
Statement of Volatility
Your printer contains various types of memory that can store printer and network settings and user data.
• Volatile memory—Your printer uses standard random access memory (RAM) to buffer user data temporarily during simple print jobs.
• Non-volatile memory—Your printer may use two forms of non-volatile memory: EEPROM and NAND (flash memory).
Troubleshooting

User is locked out
Try one or more of the following:
Update the allowed number of login failures and lockout time
Note: This solution is applicable only in some printer models.
The user may have reached the allowed number of login failures.
1 From the Embedded Web Server, click Settings > Security > Login Restrictions.
2 Update the allowed number of login failures and the lockout time.
3 Click Save.
Domain controller certificate is not installed
Make sure that the correct certificate is installed on the printer
For more information, see “Managing certificates” on page 23.

KDC is not responding within the required time
Try one or more of the following:
Make sure that the IP address or host name of the KDC is correct
Make sure that the KDC is available in the configuration file
You can add multiple KDCs in the configuration file.
Notices

Edition notice
May 2016
The following paragraph does not apply to any country where such provisions are inconsistent with local law: THIS PUBLICATION IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
Agustín Delgado (Servinform S.A.), Aitor Almeida (University of Deusto), Alasdair Mackintosh (Google), Alexander Martin (Haase & Martin GmbH), Andreas Pillath, Andrew Walbran (Google), Andrey Sitnik, Androida.hu / http://www.androida.hu/, Antonio Manuel Benjumea (Servinform S.A.), Brian Brown (Google), Chang Hyun Park, Christian Brunschen (Google), crowdin.
verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution.
6 Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.
7 Disclaimer of Warranty.
Index

Numerics
802.

K
Kerberos: creating login method 16

L
LDAP: creating groups 20; creating login method 14; deleting groups 20; deleting login method 16; editing groups 20
LDAP lookups fail 31
LDAP+GSSAPI: creating groups 20; creating login method 14; deleting groups 20; deleting login method 16; editing groups 20
local accounts: creating groups 13; creating password 12; creating PIN 12; creating user name 12; creating user name and password 12; deleting groups 13; deleting password 12; deleting PIN 12; deleting user name 12; deleting use

unexpected logout 30
user cannot access applications or functions 30
user is locked out 30
user is logged out automatically 30

U
understanding access controls 21
unexpected logout 30
updating firmware 11
USB devices: scheduling access 25
USB ports: disabling 25; enabling 25
user cannot access applications or functions 30
user is locked out 30
user is logged out automatically 30

V
viewing a certificate 24
volatile memory 29; erasing 28
volatility, statement of 29