
Notes:

If using digital certificates to establish a secure connection to the authentication server, configure the
certificates on the printer before changing 802.1X authentication settings. For more information, see
“Managing certificates and other settings” on page 24.

Server certificate validation is integral to TLS (Transport Layer Security), PEAP (Protected Extensible
Authentication Protocol), and TTLS (Tunneled Transport Layer Security).

d Select Enable Event Logging to log activities related to 802.1X authentication.

Warning—Potential Damage: To reduce flash part wear, use this feature only when necessary.

e From the 802.1x Device Certificate list, select the digital certificate that you want to use. If only one certificate
is installed, then default is the only choice that appears.

3 Under Allowable Authentication Mechanisms, select the authentication protocols that the printer will recognize by
clicking the check box next to each applicable protocol.

4 From the TTLS Authentication Method list, select the authentication method to accept through the secure tunnel
created between the authentication server and the printer.

5 Apply the changes.

Note: The print server resets when changes are made to settings marked with an asterisk (*) on the Embedded Web
Server.
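The notes above require the certificates to be in place before 802.1X is changed, because TLS, PEAP, and TTLS all depend on validating the authentication server's certificate. The following pre-flight check is an added example, not part of the Lexmark guide: it assumes the openssl command-line tool on an administrator workstation, and the file names, CA names, and host name radius.example.test are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight check run on an admin workstation, not on the printer.

# Return 0 only if server_cert chains to ca_file and is usable as a TLS server cert.
check_auth_server_cert() {
    ca_file=$1
    server_cert=$2
    out=$(openssl verify -CAfile "$ca_file" -purpose sslserver "$server_cert" 2>&1) || return 1
    case $out in
        *": OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a throwaway PKI so the check can be demonstrated offline.
# Every name below is constructed for this example.
make_constructed_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Other CA" \
        -keyout "$dir/other.key" -out "$dir/other-ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    # Mark the server certificate as an end-entity TLS server certificate.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/ext.cnf" -out "$dir/srv.pem" 2>/dev/null
}

# Check the server certificate against the issuing CA and against an unrelated CA.
demo() {
    tmp=$(mktemp -d) || return 1
    make_constructed_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for ca in ca.pem other-ca.pem; do
        if check_auth_server_cert "$tmp/$ca" "$tmp/srv.pem"; then
            echo "$ca: validates the authentication server certificate"
        else
            echo "$ca: does NOT validate it; do not enable 802.1X with this CA"
        fi
    done
    rm -rf "$tmp"
}

demo
```

In practice, pass the CA certificate file you intend to install on the printer and the certificate exported from your authentication server to check_auth_server_cert.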

Configuring IP security settings

Note: This setting is available only in some printer models.

Apply IPsec between the device and the workstation or server to secure traffic between the systems with strong
encryption. The devices support IPsec with preshared keys and certificates. Both modes can be used simultaneously.

In preshared key mode, devices are configured to establish a secure IPsec connection with up to five other systems.
Devices and the systems are configured with a pass phrase that is used to authenticate the systems and to encrypt the
data.

In certificate mode, devices are configured to establish a secure IPsec connection with up to five systems or subnets.
Devices exchange data securely with a large number of systems, and the process is integrated with a PKI or CA
infrastructure. Certificates provide a robust and scalable solution, without configuring or managing keys and pass
phrases.

1 From the Embedded Web Server, click Settings > Network/Ports > IPSec.

2 Configure the following settings:

Setting          Description

IPSec Enable     Enables or disables the IP security settings of the printer.
  On*
  Off

* This is the factory default setting.

Securing network connections


Summary of Contents for X65X series

Page 1: ...Server Security Administrator s Guide September 2014 www lexmark com Model s C54x C73x C746 C748 C792 C925 C950 E260 E360 E46x T65x W850 X264 X36x X46x X543 X544 X546 X548 X65x X73x X74x X792 X796 X8...
