Lexmark MX931 Security White Paper

Lexmark MX931 Manual

Lexmark MX931 manual content summary:

  • Lexmark MX931 | Security White Paper - Page 1
    Secure by Design: Lexmark Print Devices Security White Paper October 2022 www.lexmark.com
  • Lexmark MX931 | Security White Paper - Page 2
    Secure Software Development Lifecycle (SSDL 7 Importance of firmware updates 9 Importance of firmware updates...9 Lexmark Secure by Default 11 Lexmark Secure by Default...11 Secure Remote Management 13 Device and Settings Access...13 Audit Logging...14 Digitally Signed Firmware Updates...15
  • Lexmark MX931 | Security White Paper - Page 3
    Erasure ...45 Out of Service Wiping ...46 Physical Lock Support ...46 Solutions...48 Support 53 CAC/PIV and SIPRNet Card (Authentication 54 Lexmark Contact Authentication Device...55 Lexmark Contactless Authentication Device 56 Lexmark Secure Document Monitor...57 Information sent to Lexmark
  • Lexmark MX931 | Security White Paper - Page 4
    Contents 4 Two Levels of Security...61 Notices...62 Index...64
  • Lexmark MX931 | Security White Paper - Page 5
    customers that have specific security needs or requirements, Lexmark security services are designed to ensure customers print devices and security server configuration (ports and drivers), authentication, and physical document controls. In conclusion, when configuring Lexmark devices, it is important
  • Lexmark MX931 | Security White Paper - Page 6
    's security strategies support zero-trust infrastructures today with our advanced device management and conformance tools, on-device runtime and firmware protections, and security analysis and analytics services. Lexmark uses a layered approach to provide the protections when considering the many
  • Lexmark MX931 | Security White Paper - Page 7
    important- supporting customers, protecting critical assets, and moving their business forward. As defined by our SSDL, Lexmark's security staff and experts monitor multiple channels for the identification of new security vulnerabilities including internal review, customer service
  • Lexmark MX931 | Security White Paper - Page 8
    and an updated code is provided through a patch process. 5 If the CVSS score warrants, Lexmark issues a security advisory for the products affected. For Lexmark security advisories, go to https://support.lexmark.com/alerts To submit a potential vulnerability or concern to the team, an e-mail is sent
  • Lexmark MX931 | Security White Paper - Page 9
    firmware? Firmware is a set of instructions that make the hardware work and Lexmark recommends that you keep your Lexmark devices at the latest firmware level, as provided on https://support.lexmark.com. Helpful links 1 For the latest firmware, go to https://support.lexmark.com. 2 For the latest Lexmark
  • Lexmark MX931 | Security White Paper - Page 10
    Importance of firmware updates 10 3 For more information on MVE, go to https://www.lexmark.com/en_us/solutions/print-solutions/markvision-enterprise.html. If you need assistance, please contact the Lexmark Customer Support Center at 1-800-539-6275.
  • Lexmark MX931 | Security White Paper - Page 11
    in the "Access controls" on page 28 section. During the initial setup wizard (ISW), the user is given the ability to "opt in" to the Lexmark Secure by Default configuration. During the ISW, there is an option to create an account called "Admin" which is a member of the Admin group
  • Lexmark MX931 | Security White Paper - Page 12
    Lexmark Secure by Default 12 Restricted Ports TCP 79 (Finger) TCP 21 out) Operator Panel Lock x x x x Import/Export All Settings x x Out of Service Erase x Additional security settings can be adjusted as usual after completing the account setup in Administrator's Guide for the product.
  • Lexmark MX931 | Security White Paper - Page 13
    mechanisms and the backup password. This keeps unauthorized users from altering the device's settings, including security settings. Lexmark devices support user authentication and authorization functions so that device administrators can select individual users and appropriate groups to make changes
  • Lexmark MX931 | Security White Paper - Page 14
    who are authorized to modify the corresponding device's security settings. Audit Logging When you select Security Audit Log from the Security menu, Lexmark devices can track security-related events and device-setting changes. These actions can be exported to detailed logs that describe system user
  • Lexmark MX931 | Security White Paper - Page 15
    administrators • Exported through the device web page Logs can also be digitally signed for security. Digitally Signed Firmware Updates Overview Lexmark devices support a firmware download mechanism that enables the firmware that controls the device's behavior to be updated. This is a common feature
  • Lexmark MX931 | Security White Paper - Page 16
    signed certificate serves as a credential to validate the identity of the entity which allows other relying parties to verify and trust the entity. Lexmark devices ship with a digital self-signed certificate which identifies the device on the network, however relying parties will not be able to
  • Lexmark MX931 | Security White Paper - Page 17
    can detect the network traffic used in the web session and determine the device's password. To address this concern, Lexmark devices support HTTPS. Through a recent firmware update, Lexmark has extended the capabilities of our devices' handling of HTTPS. This new capability allows a redirect from the
  • Lexmark MX931 | Security White Paper - Page 18
    detected while on the network, or more accurately, the detected data is useless because it is encrypted. Details Lexmark solutions-capable devices support SNMPv3. This protocol features extensive security capabilities, including the authentication and data encryption components for the secure remote
  • Lexmark MX931 | Security White Paper - Page 19
    Secure Remote Management 19 Details The security reset feature requires the device administrator to set up the action of the security reset jumper. This setting can be found in the Security menu under Miscellaneous. There are two options that can be set on the security reset jumper: • No Effect-If
  • Lexmark MX931 | Security White Paper - Page 20
    as whitelisting. This mechanism blocks all TCP connections from other addresses, protecting the device against unauthorized printing and configuration. Lexmark devices support TCP connection filtering with the Restricted Server List field. By using this option, the device accepts only previously speci
  • Lexmark MX931 | Security White Paper - Page 21
    , SNMP, Telnet, and many others can be disabled. Port filtering on Lexmark devices acts as a granular filter, which you can use to disable network (WS-Discovery) • TCP 65002 (WSD Print Service) • TCP 65003 (WS-Eventing) • TCP 65004 (WSD Scan Service) • TCP 9198 (PrintCryption™) Note: The settings are based
  • Lexmark MX931 | Security White Paper - Page 22
    Telnet on all Lexmark devices. Lexmark devices have flood protection capabilities to help limit device downtime associated with Denial‑of‑Service (DoS) attacks. 802.1X, and Lexmark devices support the 802.1X protocol for device authentication. Benefits • Enable the Lexmark device to authenticate
  • Lexmark MX931 | Security White Paper - Page 23
    protocols and can be configured to include or exclude each protocol in the 802.1X protocol negotiation. IPsec Overview IPsec is supported on Lexmark devices. This network protocol is an extremely important mechanism because it allows the device to establish a secure connection to other network nodes
  • Lexmark MX931 | Security White Paper - Page 24
    . Benefits Secure NTP provides the capability for devices on the network to obtain their time from an authenticated, secured source. Details Lexmark devices support the use of Secure NTP, which is used for clock synchronization of various devices on the network. Secure NTP complements audit logging
  • Lexmark MX931 | Security White Paper - Page 25
    automatically involve any such mechanism. For the device to allow such interaction, the support must be built in and intentionally provided. Lexmark products do not include or allow this kind of control. No Lexmark device allows any sort of configuration through the phone line. No diagnostic modes
  • Lexmark MX931 | Security White Paper - Page 26
    types of transmissions. For these reasons, the PS Fax capability is not supported on Lexmark MFPs. Phone lines do not provide way to update firmware Because line because it is connected to the outside world. The nature of the Lexmark firmware and the fax operation of the modem, however, is to accept
  • Lexmark MX931 | Security White Paper - Page 27
    before proceeding. This limits device access to valid users only and enables the MFP to identify who is performing the function. Lexmark devices support not only user authentication, but authorization as well. This feature allows device administrators to grant individual users and appropriate groups
  • Lexmark MX931 | Security White Paper - Page 28
    of a permission for that respective access control. For more information regarding access controls, please see, Embedded Web Server - Security Guide for your particular device, at https://support.lexmark.com. Examples of Function Access that can be controlled are: • Copy Function • E-mail Function
  • Lexmark MX931 | Security White Paper - Page 29
    all settings • Out of services erase. Apps can also be restricted with access controls. Examples of App settings that can be controlled are: • New Apps • Scan Center Active Directory Overview Microsoft Active Directory support is provided on solution-enabled Lexmark devices (those with touch-screen
  • Lexmark MX931 | Security White Paper - Page 30
    the Active Directory domain controller. The enhanced Active Directory support sets up the device using computer credentials, which creates further simplified so that you can select automatic setup of additional security services from the Active Directory joining screen. • If the LDAP address book is
  • Lexmark MX931 | Security White Paper - Page 31
    you can select the recipient's e-mail address or fax number rather than manually typing it. This important convenience is made possible through LDAP. With LDAP your standard security practices. Details All LDAP traffic to and from Lexmark devices can be secured with TLS to preserve its confidentiality
  • Lexmark MX931 | Security White Paper - Page 32
    if the customer environment does not have an identity management service capable of locking down user accounts after multiple failed Control Panel Lock Overview With the control panel lock feature, you can place a Lexmark device into a locked state so that the control panel cannot be used for
  • Lexmark MX931 | Security White Paper - Page 33
    that jobs are only printed when the authorized recipient is at the device • Operates whether or not the device is equipped with a hard disk Details Lexmark device drivers can be directed to submit confidential print jobs by specifying a confidential four-digit print PIN. This is a standard feature on
  • Lexmark MX931 | Security White Paper - Page 34
    rather than immediately print them. These held faxes are secured until the designated release time has elapsed or proper credentials have been entered on the Lexmark device. This ensures the fax output is not being exposed to unauthorized persons during off hours. Benefits • Determines when faxes are
  • Lexmark MX931 | Security White Paper - Page 35
    . The kernel, which is a central part of the Linux operating system, is obtained directly from the Linux distribution site and not from a third party. Lexmark makes modifications to the Linux kernel so that the operating system can better meet the needs of hard copy devices. This approach provides
  • Lexmark MX931 | Security White Paper - Page 36
    device. • Internal device drivers and executable code are designed contain its own SMTP server or service. • The device hard disks PDF, PNG, TIF, and TIFF are recognized as print-related data. eSF Application Security Overview Lexmark devices can be extended with the Lexmark eSF. Included in Lexmark
  • Lexmark MX931 | Security White Paper - Page 37
    in their capabilities. The USB host ports on Lexmark devices provide the following: • Detect an inserted USB mass storage device (such as a flash drive) and display, by name, the image files and/or flash files that are stored in the device. • Select a supported image file for printing or select a valid
  • Lexmark MX931 | Security White Paper - Page 38
    Details In general, USB support on Lexmark devices is not unlike USB support on personal computers. Personal computers typically support a wide array of activities through firmware updates for technicians. The supported image file formats are BMP, DCX, GIF, JPG, PCX, PDF, PNG, TIF, and TIFF. The device
  • Lexmark MX931 | Security White Paper - Page 39
    device you might expect to use with Lexmark devices. These devices are widespread today and are generally supported by printers and MFPs. Devices that are the printer by storing it in a file called, for example, HarmlessJob.pdf. Image files are treated internally, just as if they were submitted to the
  • Lexmark MX931 | Security White Paper - Page 40
    multiple digital signatures. This ensures that the printer or MFP accepts only code that is produced and provided by Lexmark. There is no support for adding additional USB drivers to the printer to alter the function of the device. USB host port can be disabled In some environments, controlling
  • Lexmark MX931 | Security White Paper - Page 41
    Print or Print and Hold feature, which is enabled through the printer driver. These devices feature controls that help secure data when it is stored system, and if so, is it less protected than it should be? Lexmark devices use hard disk drives for a variety of purposes, including buffering scanned
  • Lexmark MX931 | Security White Paper - Page 42
    disk itself. So, if the hard disk is removed and placed in another Lexmark device with hard disk encryption enabled, the hard disk attempts to verify its also included in the Out of Service Wiping (Out of Service Erase) function, which is described in "Out of Service Wiping" later in this section.
  • Lexmark MX931 | Security White Paper - Page 43
    original ship configuration is maintained. Trusted Platform Module Overview Lexmark security features help keep information safe-in the document, on processed so that no residual data can be read. "Complete," "Out of Service," or "Sanitize all information on hard disk" disk erasure, which is explained
  • Lexmark MX931 | Security White Paper - Page 44
    disk and, theoretically, can be recovered with substantial effort. Lexmark devices support an additional mechanism for protecting residual data-hard disk file settings available for hard disk file wiping are Automatic, Scheduled, and Manual. Off or Do Not Start Now is the default setting. Disk wiping
  • Lexmark MX931 | Security White Paper - Page 45
    Web Server for all devices that support a hard drive or the device's with automatic, scheduled, or manual mode, is currently defined Lexmark device, including when the device is: • Decommissioned • Having its hard disk replaced • Being moved to a different department or location • Being serviced
  • Lexmark MX931 | Security White Paper - Page 46
    No Security). In later firmware update releases this function (called Out of Service Erase) is updated and included on both the Configuration Menu and the device displayed while erasure is in progress. Physical Lock Support Overview Lexmark devices support cabled computer locks, which you can use to
  • Lexmark MX931 | Security White Paper - Page 47
    In addition to buffering data, hard disk drives (and optional flash memory) can be used to store fonts, forms, fax data, and so on. Lexmark devices can protect this data with wiping and encryption technologies. Adding a physical lock to a device gives the device administrator added confidence, knowing
  • Lexmark MX931 | Security White Paper - Page 48
    for Chinese, Japanese, Korean, Arabic, and Hebrew. • Includes forms, formsmerge and prescribe support, and magnetic ink character recognition (MICR) as a standard feature with ISD. Lockable Tray Various Lexmark models support an optional lockable tray that can be used to secure sensitive media.
  • Lexmark MX931 | Security White Paper - Page 49
    Solutions 49 Removable Hard Disk Enclosure Kit Various Lexmark models support a Removable Hard Disk Enclosure Kit that can remove the hard disk from the device for secure storage overnight.
  • Lexmark MX931 | Security White Paper - Page 50
    print jobs. PrintCryption The Lexmark PrintCryption solution brings strengthened also enables better compliance and supports multiple levels of AES encryption the following way. During the initial driver install and configuration, the print driver retrieves the printer's public key. When
  • Lexmark MX931 | Security White Paper - Page 51
    for Message Authentication Code) keys) Solution Reference Lexmark UPD (Universal Print Driver) v3.0.0.0 and later Specifically for Microsoft deploy certificates on systems and devices than manually communicating the required information. MVE supports the following EST authentication modes: - Client
  • Lexmark MX931 | Security White Paper - Page 52
    templates-Creating device certificates manually can be time-consuming. Markvision supports the following protocol for managing certificates using Microsoft CA through Microsoft Certificate Enrollment Web Services print environment is a key priority, Lexmark offers Markvision Enterprise at no cost to
  • Lexmark MX931 | Security White Paper - Page 53
    with card reader driver application solutions. The card reader driver solutions provide card ID data to other solutions that manage workflows or access to device functions. For details, refer to the individual application solution descriptions. Lexmark devices support several different card readers
  • Lexmark MX931 | Security White Paper - Page 54
    Lexmark MFPs in federal government operations. The solution also supports SIPR tokens to provide access over the Secret Internet Protocol Router Network. Lexmark a service account. Outgoing e-mail is addressed with the user's account information, eliminating anonymous e-mail. S/MIME support is
  • Lexmark MX931 | Security White Paper - Page 55
    of the device enhance security and prevent unauthorized users from gaining access to sensitive information. With a single touch, administrators can use the Lexmark Contact Authentication Device to manage access to devices and authorize access to specific functions including e-mail, fax, copy, or scan
  • Lexmark MX931 | Security White Paper - Page 56
    the front of the printer or MFP and instantly provides a more secure environment for your users and your organization. Administrators can use Lexmark Contactless Authentication Device to manage access to devices and authorize access to specific functions including e-mail, fax, copy, or scan-all with
  • Lexmark MX931 | Security White Paper - Page 57
    it possible to investigate, protect, and prevent costly breaches. LSDM can help fill the hardcopy monitoring gap. It resides on an organization's Lexmark MFPs to capture content and user data automatically and discreetly from every document that passes through. It allows for capture that is happening
  • Lexmark MX931 | Security White Paper - Page 58
    of every document that passes through the supported Lexmark devices. This file includes print jobs as the number of pages and toner levels. This information helps Lexmark better understand how customers use our helps Lexmark understand device performance and enable a higher level of service. (
  • Lexmark MX931 | Security White Paper - Page 59
    le associated with the Common Criteria Evaluation and Validation Scheme (CCEVS). Lexmark will have devices cross listed on the National Information Assurance Partnership the device. Adding these other validated devices gives Lexmark customers more options when selecting the appropriate device that
  • Lexmark MX931 | Security White Paper - Page 60
    above. ISO 27001 - Information Security Management System Certification Overview Lexmark has obtained the ISO 27001 certification for its worldwide Managed Print Services, Predictive Services and Cloud Configurations Services. ISO 27001 is an information security management system (ISMS) international
  • Lexmark MX931 | Security White Paper - Page 61
    and external authentication and authorization, as well as additional restriction capabilities for management, function, and solution access. Advanced security is supported for those devices that permit the installation of additional solutions (applications) to the device. In general, if the device
  • Lexmark MX931 | Security White Paper - Page 62
    of operation in conjunction with other products, programs, or services, except those expressly designated by the manufacturer, are the user's responsibility. For Lexmark technical support, go to http://support.lexmark.com. For information on Lexmark's privacy policy governing the use of this product
  • Lexmark MX931 | Security White Paper - Page 63
    Notices 63 PostScript is either a registered trademark or trademark of Adobe Systems Incorporated in the United States and/or other countries. Wi-Fi® is a registered trademark of Wi-Fi Alliance®. All other trademarks are the property of their respective owners.
  • Lexmark MX931 | Security White Paper - Page 64
    System Certification 60 L lexmark secure software development life cycle 7 lexmark secure by default 11 lexmark secure software development lifecycle 7 M memory wipe 42 N NIAP/CCEVS Certification 59 non volatile memory wipe 42 O out of service wiping 46 P physical lock support 46 S secure access 27

Secure by Design: Lexmark Print Devices
Security White Paper
October 2022
www.lexmark.com