Lexmark C4352 Security White Paper - Page 32

Login Restrictions, Control Panel Lock, Details, Overview, Benefits



Details

Auto-insertion of e-mail addresses provides a form of nonrepudiation: the device automatically queries the authenticated user's information and inserts his or her e-mail address in the From field of an outgoing e-mail. Lexmark devices can use a variety of protocols to validate and look up user information: LDAP, LDAP over TLS, LDAP+GSSAPI, or Active Directory. Using any of these authentication protocols enables devices not only to authenticate the user but also to query that same user's information in the directory server. If the device locates the user's e-mail address, it populates the From field with that address. The user can then use the "Scan to E-mail" function. If the device cannot locate the user's e-mail address, the device does not allow the user to proceed with the function.

Login Restrictions

Overview

Lexmark devices can restrict the number of failed login attempts, which limits how many times a malicious user can try to gain access to a device with a false password. This capability can help reduce the risk associated with password attacks on user accounts. In addition to restricting the number of invalid login attempts, the device can be configured to require a set period of time before allowing users to retry access attempts. These tools are especially useful if the customer environment does not have an identity management service capable of locking down user accounts after multiple failed attempts.

Benefits

• Mitigates risks associated with brute-force attacks on user passwords by reducing the number of login attempts
• Specifies a minimum time before any additional password entries may be accepted

Details

You can inhibit password attacks by restricting the number of failed login attempts within a specific time frame. Imposing a lockout time before additional logins are permitted after login failures further inhibits attacks. Additionally, after a valid user is logged in to the device, inactivity timers are enforced to ensure that users are logged out in a timely manner. In conjunction with restricting login attempts and lockout time, the device can be set up to use its audit capabilities to track which user account is being attacked, the time and date of the attack, the frequency of the attack, and the devices where the attacks occurred.
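
The policy described above (a failure limit within a time frame, a lockout time, and an audit trail) can be modeled as follows. This is an added example, not Lexmark code: the class and function names, the thresholds, and the event format are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

class LoginRestrictor:
    """Lock an account on a device after max_failures within window_s seconds;
    hold the lock for lockout_s seconds. All values are illustrative."""
    def __init__(self, max_failures=3, window_s=300, lockout_s=600):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.failures = defaultdict(deque)  # (device, account) -> recent failure times
        self.locked_until = {}              # (device, account) -> lock expiry time
        self.audit = []                     # (ts, device, account, outcome)

    def attempt(self, ts, device, account, password_ok):
        key = (device, account)
        if ts < self.locked_until.get(key, 0):
            outcome = "rejected_locked"     # credentials are not evaluated while locked
        elif password_ok:
            self.failures[key].clear()
            outcome = "success"
        else:
            recent = self.failures[key]
            recent.append(ts)
            while recent[0] <= ts - self.window_s:
                recent.popleft()            # forget failures outside the time frame
            outcome = "failure"
            if len(recent) >= self.max_failures:
                self.locked_until[key] = ts + self.lockout_s
                recent.clear()
                outcome = "failure_lockout"
        self.audit.append((ts, device, account, outcome))
        return outcome

def attack_summary(audit):
    """Per account: number of non-successful attempts, first/last time, devices."""
    out = {}
    for ts, device, account, outcome in audit:
        if outcome == "success":
            continue
        s = out.setdefault(account, {"count": 0, "first": ts, "last": ts, "devices": set()})
        s["count"] += 1
        s["last"] = ts
        s["devices"].add(device)
    return out

# Constructed sample events: (seconds, device, account, password_ok)
EVENTS = [(0, "mfp-01", "alice", False), (10, "mfp-01", "alice", False),
          (20, "mfp-01", "alice", False), (30, "mfp-01", "alice", True),
          (40, "mfp-02", "alice", False), (640, "mfp-01", "alice", True)]

def run(events=EVENTS):
    r = LoginRestrictor()
    return [r.attempt(*e) for e in events], attack_summary(r.audit)
```

Note that the correct password at t=30 is still rejected because the lockout is in force, and that the summary ties the activity on both devices to the same account.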

Control Panel Lock

Overview

With the control panel lock feature, you can place a Lexmark device into a locked state so that the control panel cannot be used for any user operations or configuration. While locked, the device cannot copy or scan jobs and cannot be reconfigured from the control panel, and incoming jobs do not sit exposed in the output bin. If the device has a hard disk, incoming print and fax jobs are stored on the hard disk instead of being printed. The device can be unlocked by entering authorized user credentials, at which time the held jobs are printed and the device resumes its normal operation.