ii. Set the permission for all Non-Logged In Users Roles (see “User Roles” in Section 4 of the SAG) to be
Not Allowed, Not Allowed & Hidden or Never, as appropriate, for the following: (1) all print permission
categories (by following the “Editing Print Permissions for the Non-Logged In Users Role” under
“Configuring Authorization Settings” in Section 4 of the SAG) and (2) all services and tools (by following
the “Editing Services and Tools Permissions for the Non-Logged In Users Role” under “Configuring
Authorization Settings” in Section 4 of the SAG). Also set the
Network Authorization
i. Establish remote authorization using LDAP by following the “Configuring Network Authorization Settings”
and “Configuring Network Authorization Server Settings” instructions in Section 4 of the SAG. Make sure
to follow only the instructions pertaining to setting up an LDAP Server.
Network Authorization using an SMB server is not part of the evaluated configuration and should not be
used.
4. Personalization: Enable personalization by following the instructions for “Specifying the Method the Printer
Uses to Acquire Email Address of Users” under “Configuring Smart Card Authentication Settings” under
“Configuring Authentication Settings” in Section 4 of the SAG. Configure personalization by following the
instructions for “Configuring User Mappings” under “LDAP” in Section 3 of the SAG.
5. Immediate Image Overwrite: Follow the instructions under ‘Enabling Immediate Image Overwrite at the
Control Panel’ or ‘Enabling Immediate Image Overwrite’ in Section 4 of the SAG to enable Immediate Image
Overwrite from the Control Panel or the Web UI, respectively.
Both Immediate Image Overwrite and On Demand Image Overwrite are enabled by default at the factory when
the device is first delivered.
6. Security Certificates: Install a digital certificate on the device before enabling SSL by following the appropriate
instructions under “Security Certificates” in Section 4 of the SAG for installing any one of the digital
certificates (Device Certificate, CA Certificate or Trusted Certificate) the device supports.
Note that a Xerox self-signed certificate is installed by default on the device. If a CA certificate is desired, a
Certificate Signing Request (CSR) will have to be sent to a Certificate Authority to obtain the CA Certificate
before it can be installed on the device. Follow the instructions for “Creating a Certificate Signing Request”
under “Security Certificates” in Section 4 of the SAG to create the CSR.
7. Transport Layer Security (TLS)/Secure Sockets Layer (SSL):
i. Follow the instructions under ‘Enabling DNS/DDNS Settings at the Control Panel’ or “DNS” (under
“Configuring IP Settings in CentreWare Internet Services”) in Section 3 of the SAG for entering the host
and domain names, to assign the machine a valid, fully qualified machine name and domain from the
Control Panel or the Web UI, respectively (required for SSL to work properly).
ii. If a self-signed certificate is to be used, download the generic Xerox root CA certificate from the device by
following the instructions for saving the certificate file under “Viewing, Saving or Deleting a Certificate” in
Section 4 of the SAG, and then install the saved certificate in the certificate store of the System
Administrator's browser.
iii. Enable HTTPS by following the instructions for “Enabling HTTPS (SSL)” under “Secure HTTP (SSL)” in
Section 4 of the SAG. Set the ‘Force Traffic over SSL’ option to be Yes (all HTTP requests will be
switched to HTTPS).
iv. Disable SSLv3.0 in favor of TLS v1.x to avoid vulnerabilities associated with downgrading from TLS to
SSLv3.0.
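One way to confirm that step iv took effect, as an added example that is not part of the Xerox guidance: the Python below sends a ClientHello whose highest offered version is SSL 3.0 and classifies the device's first reply, so it does not depend on the client's own TLS library still supporting SSL 3.0. The host name in the final comment is a placeholder and the three offered cipher suites are an assumption.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version bytes for SSL 3.0

def build_sslv3_client_hello():
    """Return one record holding a ClientHello whose highest version is SSL 3.0."""
    # Assumed cipher list: RSA with AES128-SHA, AES256-SHA and 3DES-SHA.
    ciphers = bytes.fromhex("002f0035000a")
    body = (SSL3 + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Map the first record of the reply to 'refused', 'accepted' or 'unknown'."""
    if len(data) < 5:
        return "refused"                          # closed without sending a record
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15:                      # alert, e.g. handshake_failure
        return "refused"
    if content_type == 0x16 and payload[:1] == b"\x02":   # ServerHello
        return "accepted" if payload[4:6] == SSL3 else "unknown"
    return "unknown"

def sslv3_status(host, port=443, timeout=5.0):
    """Probe host:port and report whether it still answers an SSL 3.0 hello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    # Constructed replies, so the classifier can be exercised offline.
    alert = bytes.fromhex("15030000020228")       # fatal handshake_failure
    hello = (bytes.fromhex("160300002a020000260300") + bytes(32)
             + bytes.fromhex("00002f00"))         # SSL 3.0 ServerHello
    print(classify_reply(alert), classify_reply(hello))
    # Against a device: sslv3_status("printer.example.internal")  # placeholder
```

A result of "accepted" means the device still completed an SSL 3.0 hello and step iv should be revisited.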
8. FIPS 140-2 Mode: Encryption of transmitted and stored data by the device must meet the FIPS 140-2 Standard.
Enable the use of encryption in “FIPS 140 mode” and check for compliance of certificates stored on the device
to the FIPS 140-2 Standard by following the instructions for “Enabling FIPS 140 Mode and Checking for
Compliance” in Section 4 of the SAG.
Since Kerberos and SFTP are not FIPS compliant secure protocols, make sure when enabling FIPS mode that
you set up the proper exceptions for both Kerberos and SFTP.
9. Data Encryption: Enable data encryption by following the instructions under “Enabling Encryption of Stored
Data” in Section 4 of the SAG; data encryption is enabled by default at the factory when the device is first
delivered. Before enabling disk encryption, ensure that the WorkCentre 5845/5855/5865/5875/5890,