Version 50.
Prepared by: Xerox Corporation Global Knowledge and Language Services 800 Philips Road Bldg. 845-17S Webster, New York 14580 USA ©2005 by Xerox Corporation. All rights reserved. Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory judicial law or hereinafter granted, including without limitation, material generated from the software programs displayed on the screen such as icons, screen displays, or looks.
This product includes software developed by the Apache Software Foundation (http://www.apache.org/). SWOP® is a registered trademark of SWOP, Inc. DocuSP includes use of GNU source and object code, which is subject to the terms of the GNU GPL. Please review the GNU GPL terms and conditions to understand the restrictions under this license. For more information on GNU, please go to http://www.gnu.org/licenses/gpl.txt.
Security Guide
Table of Contents
About this guide
Contents
Conventions
Customer support
Introduction
The Security Guide provides the information needed to perform system administration tasks for maintaining the Xerox Document Services Platform (DocuSP) for printing systems.
About this guide
This guide is intended for network and system administrators responsible for setting up and maintaining Xerox printers with DocuSP software. System administrators should have an understanding of the Sun workstation, a familiarity with Solaris, and with basic UNIX commands.
• Angle brackets - Variable information that is displayed on your screen is enclosed within angle brackets; for example, “Unable to copy .”
• Square brackets - Names of options you select are shown in square brackets; for example, [OK] and [Cancel].
• Notes are hints that help you perform a task or understand the text. Notes are found in the following format:
NOTE: This is an example of a note.
Customer support
To place a customer service call, dial the direct TTY number for assistance.
Security
This section describes the DocuSP system-supplied security profiles. It outlines the characteristics of each profile and indicates how each can be customized to create user-defined profiles. The enhanced security features in DocuSP protect the system against unauthorized access and modification. This section also addresses the options available to the administrator in setting up and managing user accounts.
Profile Characteristics
Medium
FTP is enabled. telnet and rsh are disabled. NFS client is disabled. AutoFS is disabled, e.g. /net/ and home/ are not automatically mounted. NFS server is filtered via the RPC tab. Walkup user can reprint from CD-ROM. Terminal window is password protected.
Environments requiring high security but with a need to integrate DigiPath.
Supports DigiPath workflow. Anonymous FTP is read-only and restricted. To enable telnet, go to [Setup], [FTP/Remote Diagnostics].
Table 2-2 “System” tab
System Service | Description
Allow_host.equiv_plus | Background: The /etc/hosts.equiv and /.rhosts files provide the remote authentication database for rlogin, rsh, rcp, and rexec. The files specify remote hosts and users that are considered to be trusted. Trusted users are allowed to access the local system without supplying a password. These files can be removed or modified to enhance security. DocuSP is provided with both of these files deleted entirely. The setting All_host.
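As an added example (not part of the Xerox guide or DocuSP), the following shell function audits files in the hosts.equiv/.rhosts format for wildcard trust entries, which grant password-less access more broadly than a single named host. The sample file and every host, user and netgroup name in it are constructed.

```shell
#!/bin/sh
# Added example, not DocuSP code: flag over-broad entries in files that use
# the hosts.equiv/.rhosts format ("hostname [username]", "+" = wildcard).

# Constructed sample; host, user and netgroup names are hypothetical.
sample_trust_file() {
    cat <<'EOF'
# constructed hosts.equiv sample
printhost1.example.com
buildhost.example.com  opuser
+
+  opuser
adminhost.example.com  +
-untrusted.example.com
+@printadmins
EOF
}

# Print "<line>: <finding>: <entry>" for each entry that trusts more than one
# named host (and, if given, one named user). Reads files or standard input.
audit_trust() {
    awk '
        /^[ \t]*#/ || NF == 0  { next }   # comments and blank lines
        $1 ~ /^-/              { next }   # "-host" entries deny access
        $1 == "+" && $2 == "+" { print FNR ": every user on every host: " $0; next }
        $1 == "+" && NF == 1   { print FNR ": every host: " $0; next }
        $1 == "+"              { print FNR ": user " $2 " from every host: " $0; next }
        $2 == "+"              { print FNR ": every user on " $1 ": " $0; next }
        $1 ~ /^\+@/            { print FNR ": whole netgroup " substr($1, 3) ": " $0; next }
    ' "$@"
}

# On a live system: audit_trust /etc/hosts.equiv /.rhosts
sample_trust_file | audit_trust
```

On a system that matches the shipped DocuSP state, neither file exists, so there is nothing to audit.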
RC2 Service | Description
S73cachefs.daemon | Starts cachefs file systems
S73NFS.CLIENT | NFS client service. Disables the statd service which is only required if your system is an NFS server or a client.
S74AUTOFS | The automountd service is only required if your system uses NFS to automatically mount file systems. Stopping the autofs subsystem will kill the running automountd daemon and unmount any autofs file systems currently mounted.
INETD Service | Description
chargen | Character Generator Protocol server. Sends revolving pattern of ASCII characters. Sometimes used in packet debugging and can be used for denial of service attacks. Not used by DocuSP.
comsat | Biff server. comsat is the server process which listens for reports of incoming mail and notifies users who have requested to be told when mail arrives. Not used by DocuSP.
daytime | Daytime Protocol server. Displays the date and time. Used primarily for testing.
INETD Service | Description
rpc.cmsd | Calendar manager service daemon. rpc.cmsd is a small database manager for appointment and resource-scheduling data. Its primary client is Calendar Manager. Not used by DocuSP.
rpc.rusersd | Network username server. Gives intruder information about accounts. Not used by DocuSP.
rpc.rwalld | Network rwall server. Server that handles rwall(1M) command requests. Can be used for spoofing attacks. Not used by DocuSP.
rpc.
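As an added example (not part of the Xerox guide or DocuSP), the following shell function reports active inetd.conf entries for the services the table above marks as "Not used by DocuSP". The sample entries are constructed and assume the Solaris inetd.conf field layout, in which RPC services are listed by program number or alias rather than by daemon name.

```shell
#!/bin/sh
# Added example, not DocuSP code. Service names come from the INETD table
# above ("Not used by DocuSP"); the sample entries below are constructed.
UNUSED="chargen comsat rpc.cmsd rpc.rusersd rpc.rwalld"

# Constructed sample in the Solaris inetd.conf field layout:
# service-name endpoint-type protocol wait-status uid server-program [args]
sample_inetd_conf() {
    cat <<'EOF'
ftp          stream tcp6    nowait root /usr/sbin/in.ftpd   in.ftpd
chargen      stream tcp6    nowait root internal
chargen      dgram  udp6    wait   root internal
#comsat      dgram  udp     wait   root /usr/sbin/in.comsat in.comsat
100068/2-5   dgram  rpc/udp wait   root /usr/dt/bin/rpc.cmsd rpc.cmsd
rusersd/2-3  tli    rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
EOF
}

# Print "<service> <protocol>" for every active entry that starts a service
# from $UNUSED. Reads the named file(s), or standard input if none is given.
audit_inetd() {
    awk -v unused="$UNUSED" '
        BEGIN { n = split(unused, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }          # commented-out entries are already off
        {
            name = $1; sub(/\/.*$/, "", name)  # drop the RPC version suffix
            prog = $6; sub(/^.*\//, "", prog)  # basename of the server program
            # RPC entries are named by program number or alias, so the daemon
            # is only recognisable from the server-program field.
            if (name in want)      print name, $3
            else if (prog in want) print prog, $3
        }
    ' "$@"
}

# On a live system: audit_inetd /etc/inetd.conf
sample_inetd_conf | audit_inetd
```

Matching on the first field alone would miss the two RPC entries in the sample, which is why the server-program basename is checked as well.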
User level changes
The following user-level changes are made:
• all users for at, cron, and batch are disallowed
• nuucp account is disabled
• listen account is disabled
• password entry locked for bin, sys, adm, uucp, nobody, noaccess, nobody4, and anonymous
Solaris file permissions
Secure File Permission options can be enabled or disabled through the DocuSP interface. Fix-modes include:
• fixmodes-xerox: fix file permissions for all packages to make them more secure.
Multicast routing disabled
Multicast is used to send data to many systems at the same time while using one address.
OS and host information hidden
The ftp, telnet and sendmail banners are set to null so that users cannot see the hostname and OS level.
NOTE: All of these services are prohibited with a 'high' security setting, but if they are re-enabled manually the hostname information will remain hidden.
Sendmail daemon secured
Sendmail is forced to perform only outgoing mail.
Remote CDE login disabled
The Remote CDE login is disabled.
DocuSP router capabilities disabled
The DocuSP router capabilities are disabled (an empty /etc/notrouter file is created).
Security warning banners
Security warning banners are displayed when a user logs in or telnets into the DocuSP server. This message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials.
enable-ftp and disable-ftp
These options allow for enabling and disabling FTP alone. You must have FTP enabled when using a Continuous Feed system, or FreeFlow Production Print and NetAgent. FTP is also required for the Call for Assistance (CFA) feature. This uses FTP to push IOT logs and a DocuSP outload back to the DocuSP controller.
NOTE: Temporarily enable FTP through the DocuSP Setup > FTP/Remote Diagnostics menu option.
Local users and groups
Local user accounts are constructed based on the Solaris model, with its limitations and restrictions, using the [User & Group Management] selection on the DocuSP interface.
• Each local user account has an associated user name that is 2-8 characters in length and is case sensitive.
• The user name is a string of characters from the set of alphabetic characters (a-z, A-Z), numeric characters (0-9), period (.
Creating user accounts
The DocuSP user interface enables the Administrator to manage accounts easily by selecting [Setup], [Users & Groups], and the [Users] tab. When the administrator selects the Users tab, a pop-up window appears that enables the administrator to create, edit, or delete an account and indicate whether the account should be enabled or disabled.
Group authorization
Job Management and Customer Diagnostics are two functions of DocuSP that the administrator may choose to restrict.
Function | Users | Operators | Administrators (sa and cse) | Changeable via GUI
Reprint Management | Enabled | Enabled | Enabled | No
Printer Manager (Finishing, Image Quality …etc) | - | - | Enabled | No
Resource Management (LCDS Resources, PDL Fonts, Forms, ….
Function | Users | Operators | Administrators (sa and cse) | Changeable via GUI
Customer Diagnostics | Enabled | Enabled | Enabled | Yes
Backup / Restore | - | Enabled | Enabled | No
Password security
When the system is installed, the Change System Password dialog box appears and prompts users to establish all System Default Accounts with new passwords. For security reasons, all system passwords must be changed.
• root: has super user access to the workstation.
NOTE: Please be aware that Xerox Customer Support Personnel must have access to the new root password for service and support. It is the customer's responsibility to ensure that the root and system administrator passwords are available for them.
Strong Passwords
DocuSP provides additional security for users required to adhere to strict security guidelines. It provides a means by which a strong password policy can be enforced.
Login Attempts Allowed
DocuSP provides a means to lock out users after they reach the maximum number of consecutive attempts. Once this is done, the user will need to apply (reset) a security policy and reboot the system. The number of failed attempts and enable/disable is configurable via the Password Policy screen. When enabled, login attempts can be set from 1-6 attempts before the user is locked out.
Date/Time User Login/Logout
This information is kept in the authlog and syslog in the /var/log directory. Login/Logout to DocuSP is tracked as well as Network Login/Logout.
Changing individual passwords
There are two ways to change passwords: Users can change their own passwords using the selection on the Logon menu and the administrator can change the password by double clicking on the user name in the User tab of [Users and Groups Management].
Map the ADS groups to the DocuSP user groups
From the Setup menu, Users & Groups option, select the ADS Groups tab. A member of the System Administrators group can specify, view and edit the mapping of ADS Groups to the three DocuSP user groups (Administrators, Operator, Users) permitted to log on to the printer.
Log on to the system with ADS user names
From the Logon menu, select ADS for authentication, then log on to the system with your ADS user name and password.
Remote Workflow
Remote Workflow allows for a remote connection to the DocuSP controller. The administrator can limit access through the DocuSP interface [Setup > System Preferences menu option]. Remote Workflow options include: Enable All Connections, Disable All Connections, Enable Specified Connections (by specific IP Address).
NOTE: The default is Enable All Connections.
– If not already enabled, click the 'OK' button in the "Information" pop-up box
– Click on the 'Add Certificate' button. This will launch the "Add Certificate Wizard".
– Click 'Add Certificate'
Step 1 - Select "Signed Certificate from a Certificate Authority"
Step 2 - Select and enter either the server
• Domain Name
• IP Address
• Other
Step 3 - Enter the requested information:
• Organization (required)
• Organizational Unit (optional)
• E-mail (optional)
• Locality (optional)
• State/Province (optional)
• Country (required)
Step 4 - Browse to the location of the signed certificate (.pem file).
Step 5 - Verify information entered in previous steps.
NOTE: A self-signed certificate is not as secure as a certificate signed by a Certificate Authority. A self-signed certificate is the most convenient way to begin using SSL/TLS and does not require the use of a server functioning as a Certificate Authority or a third party Certificate Authority.
Once the Digital Certificate has been installed, the Enable SSL/TLS selection becomes available among the [Setup] options.
Network Protocol | Required
WINS | Required when in an environment where connection to a WINS server is necessary. WINS service can be enabled/disabled under Setup -> Network Configuration -> WINS tab.
Socket (Raw TCP/IP) Printing | Required if jobs will be submitted via the socket gateway. The socket gateway can be enabled/disabled under Setup -> Gateways -> Socket. Connections can also be filtered using the IP Filter feature under Setup -> IP Filter.
Roles and responsibilities
Xerox will make every effort to assist the administrator in ensuring that the customer environment is secure.
Xerox responsibilities
Xerox is committed to providing a level of security which will allow the DocuSP controller to be a good network citizen in response to current security intrusions. Additional security beyond this remains the responsibility of the customer. Xerox is constantly evaluating the security of the DocuSP controller and the Sun Solaris operating system.
the DocuSP. Not all scripts are public knowledge; only those that are public are defined in this document, and these can be performed by the customer. Xerox DocuSP engineering will evaluate the latest Sun Security Alert Packs issued by Sun Microsystems and integrate these patches into the DocuSP releases. Local customer support will be responsible for loading the latest DocuSP software.
Online Help for security
A great deal of helpful security information can be found in Online Help. Sun's security tools and blueprints may be found at:
http://www.sun.com/solutions/blueprints/
Other security information, including alerts, may be found at:
http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
http://www.cert.org/nav/index_main.html
http://www.cve.mitre.org/