Lexmark XC4342 Security White Paper - Page 40


No support for network interaction with USB-attached devices

A USB-attached device cannot exchange data in any way with the network to which the printer or MFP is attached. There is no facility for passing data from the USB-attached device to the network, or from the network to the USB-attached device.

The only exception is where the printer or MFP provides authentication through a USB HID, such as a card reader for card-based authentication. In that case an embedded application, installed through the Lexmark eSF on the printer or MFP, lets the device interface solely with a directory server to validate the identity of a user, pull information associated with the authenticated user (for example, e-mail address and home directory) and identify the privileges associated with that user. Even then the HID itself is given no network path: the embedded application is the only component that communicates, and it communicates only with the directory server.

Limited text character input from standard USB keyboards is permitted through the HID interface, but that input is routed and used only as a substitute for the on-screen keyboard on devices with touch screens.
No support for adding additional drivers or functionality

The functions permitted for USB-attached devices are controlled by the device’s firmware, which the end user cannot customize or extend. The firmware does not permit the addition of arbitrary executable code of any sort.

Firmware updates, which are accepted through the USB device port on the back of the printer or MFP and through the network interface, must carry multiple digital signatures, so the printer or MFP accepts only code produced and provided by Lexmark. There is no support for adding USB drivers to the printer to alter the function of the device.
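The multiple-signature requirement described above, as an added example written for this page (not Lexmark’s code, and not Lexmark’s actual update format): a hypothetical update envelope carries one detached Ed25519 signature per signing authority over the SHA-256 digest of the image, and the device’s fixed trust store accepts the image only if every authority’s signature verifies. The envelope layout, the signer names "release" and "security", the choice of Ed25519 and the sample image bytes are all assumptions made for the example. The property this shows is that a single compromised signing key, or a single bit flipped after signing, is not enough to get code accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrRejected is returned whenever an update fails the signature policy.
var ErrRejected = errors.New("firmware update rejected")

// FirmwareUpdate is a hypothetical update envelope (an assumption for this
// example, not Lexmark's actual format): the image plus one detached
// signature per signing authority, keyed by the authority's name.
type FirmwareUpdate struct {
	Image      []byte
	Signatures map[string][]byte
}

// TrustedSigners models the fixed set of public keys held by the device.
// The device cannot add to this set, and every key in it must have signed.
type TrustedSigners map[string]ed25519.PublicKey

// imageDigest is what each authority signs: the SHA-256 of the whole image.
func imageDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// Verify applies an all-of-N policy. An update is accepted only if a valid
// signature from every trusted signer is present; a missing or invalid
// signature rejects it. Signatures under unknown names are ignored, since
// they carry no trust on their own.
func (ts TrustedSigners) Verify(u FirmwareUpdate) error {
	digest := imageDigest(u.Image)
	for name, pub := range ts {
		sig, ok := u.Signatures[name]
		if !ok {
			return fmt.Errorf("%w: no signature from %q", ErrRejected, name)
		}
		if !ed25519.Verify(pub, digest, sig) {
			return fmt.Errorf("%w: bad signature from %q", ErrRejected, name)
		}
	}
	return nil
}

// signer holds a private key for the demo only; on the device itself only
// the public halves exist, in TrustedSigners.
type signer struct {
	priv ed25519.PrivateKey
}

func newSigner() (signer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return signer{priv: priv}, pub
}

func (s signer) sign(image []byte) []byte {
	return ed25519.Sign(s.priv, imageDigest(image))
}

// Demo builds two hypothetical signing authorities ("release" and "security",
// names assumed for the example), a trust store holding both public keys,
// and checks three updates: fully signed, signed by one authority only, and
// fully signed but modified after signing. It returns the three verdicts.
func Demo() (fullySigned, singleSigner, tampered error) {
	release, releasePub := newSigner()
	security, securityPub := newSigner()
	trusted := TrustedSigners{"release": releasePub, "security": securityPub}

	// Constructed sample image; a real one would be megabytes of firmware.
	image := []byte("constructed firmware image, version 1.2.3")

	good := FirmwareUpdate{Image: image, Signatures: map[string][]byte{
		"release":  release.sign(image),
		"security": security.sign(image),
	}}
	partial := FirmwareUpdate{Image: image, Signatures: map[string][]byte{
		"release": release.sign(image),
	}}
	// Copy the image, flip one bit, and keep the original (now stale) signatures.
	evil := FirmwareUpdate{Image: append([]byte(nil), image...), Signatures: good.Signatures}
	evil.Image[0] ^= 0x01

	return trusted.Verify(good), trusted.Verify(partial), trusted.Verify(evil)
}

func main() {
	a, b, c := Demo()
	fmt.Println("fully signed:  ", a)
	fmt.Println("single signer: ", b)
	fmt.Println("tampered:      ", c)
}
```

Running the block prints a nil verdict for the fully signed image and an ErrRejected-wrapped error for the other two. The trust store is a plain map here; on a real device the equivalent set of public keys lives in firmware or a protected region and is not writable through the update path, which is what makes the all-of-N rule meaningful.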
USB host port can be disabled

In some environments, controlling the submission of print jobs (including image files) is important, and any uncontrolled avenue by which jobs can be submitted is undesirable. For example, a college library might have a system by which users submit print jobs over the network and are charged for the pages they print. In such a case it is unacceptable to let users walk up and submit jobs to the printer from a USB flash drive.

There are two ways to disable the function of the USB host port entirely. The first is for Lexmark to disable the port during the manufacturing process. In that case the port is permanently disabled and cannot be reactivated by the device administrator or end user under any circumstances.

On recent devices, the device administrator can instead disable the port through the security access controls menu on the device’s Embedded Web Server. In this case the port can be enabled again later if required; because of this, the access control that disables or enables the port can itself be restricted so that end users cannot re-enable it.

Lexmark devices support portable USB memory devices (flash drives) for scan-to-USB and print-from-USB tasks. Printer or MFP configurations cannot be set or recorded with USB devices. Scan-to-USB and print-from-USB can be controlled separately by a particular authentication building block and security template, or set independently to either of the following states:

• No Security—The functions are active and no authentication is required. This is appropriate for environments where no control or tracking is necessary.
• Disabled—The device does not permit print-from or scan-to USB devices.

Note: On some devices, the “Allow Flash Drive Access” access control can be used to stipulate that no USB memory device can be used at all.
Secure Access
40