Lexmark MS610dn Embedded Web Server-Security: Administrator's Guide
Lexmark MS610dn Manual
View all Lexmark MS610dn manuals
Add to My Manuals
Save this manual to your list of manuals |
Lexmark MS610dn manual content summary:
- Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 1
Embedded Web Server - Security Administrator's Guide October 2013 www.lexmark.com - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 2
Security devices covered in this guide 4 Simple security devices...4 ...10 Setting up internal accounts ...10 Connecting your printer to an Active Directory domain 11 Using LDAP...13 17 Setting up a CA certificate monitor...19 Downloading the CA certificates immediately 19 Securing access...19 - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 3
settings...32 Enabling the security reset jumper...33 Securing the hard disk and other installed memory 33 Statement of Volatility...33 Erasing volatile memory ...34 Erasing non‑volatile memory...34 Configuring Out of Service Erase ...35 Completely erasing printer hard disk memory 36 Configuring - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 4
devices covered in this guide 4 Security devices covered in this guide There are two levels of security supported based on the MS510dn, MS610dn, MS610dtn, MS810n/dn, MS810dtn, MS811n/dn, MS811dtn, MS812dn, MS812dtn, MX310dn Advanced security devices CS510de, CS510dte, CX410de, CX410e/dte, CX510de, - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 5
developed by Lexmark that administrators can use to build secure and flexible profiles, restricting sensitive printer functions or Web Page Password Protect" on page 9. Advanced level security devices support PIN and password restrictions in addition to the other authentication and authorization - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 6
features in the Embedded Web Server 6 = Supported X = Not supported Panel PIN Protect PIN Protection Function Simple security and Web Page Password Protect for some printer models, by simply limiting access to a printer-or specific functions of a printer-to anyone who knows the correct code. - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 7
that can be controlled varies depending on the type of device, but in some multifunction printers, over 40 individual menus and functions can be protected. Note: For a list of Each device can support up to 140 security templates, allowing administrators to create very specific profiles for each - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 8
password for advanced security setup Notes: • This is available only in select printer models. • The Embedded Web Server can store a combined total of 250 user‑level and administrator‑level passwords on each supported device. 1 From the Embedded Web Server, click Settings > Security > Security Setup - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 9
‑security printers. • The Embedded Web Server can store a combined total of 250 user‑level and administrator‑level passwords on each supported device. available only in select printer models. Typically, personal identification numbers (PINs) are used to control access to specific device menus or to - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 10
only in select printer models with low level security. Typically, personal identification numbers (PINs) are used to control access to specific device menus or in select printer models. Embedded Web Server administrators can configure one internal account building block per supported device. Each - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 11
either User ID or User ID and password to specify the information a user must submit when authenticating. Connecting your printer to an Active Directory domain Notes: • This is available only in select printer models. • Make sure to use HTTPS to protect the credentials that are used to join the - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 12
the printer. Note: A warning with a message associated to your printer IP • Organizational Unit‑‑Type the name of your organizational unit, but only review process. Note: Do not edit or copy the Kerberos Config file to use with older devices. This can cause issues with KDC Server Affinity Service - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 13
company,dc=com"). • Use Kerberos Service Ticket‑‑This setting is an advanced setup the device what container or organizational unit it needs to search and to validate Note: This is available only in select printer models. Lightweight Directory Access Protocol (LDAP Notes: • Supported devices can store - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 14
unit), o (organization), c (country), and dc (domain). • Search Timeout-Enter a value from 5 to 30 seconds or 5 to 300 seconds depending on your printer comparable to other network services. • Anonymous LDAP the password for the print servers. Search specific object classes • Person-If selected, then - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 15
in select printer models. Some administrators prefer authenticating to an LDAP server using Generic Security Services Application Programming Notes: • LDAP+GSSAPI requires that Kerberos 5 also be configured. • Supported devices can store a maximum of five unique LDAP+GSSAPI configurations. Each - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 16
by commas, such as cn (common name), ou (organizational unit), o (organization), c (country), and dc (domain). • Search Timeout-Enter a value from 5 to 30 seconds or 5 to 300 seconds depending on your printer model. • Use Kerberos Service Ticket-If selected, then a Kerberos ticket is presented to - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 17
Kerberos 5 for use with LDAP+GSSAPI Note: This is available only in select printer models. Though it can be used by itself for user authentication, Kerberos 5 one Kerberos configuration file (krb5.conf) can be stored on a supported device, that krb5.conf file can apply to multiple realms and - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 18
.conf file to verify that it is functional. Notes: • Click Reset Form to reset the field and search for a new configuration file. • Click Delete 300 seconds), the printer clock must be in sync or closely aligned with the KDC system clock. Printer clock settings can be updated manually, or set to - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 19
the Certificate Management page. 5 Click Certificate Authority Management to validate that the CA certificate chain was properly downloaded. Note: if you would like to do a more extensive review of the CA certificates, simply click on the CA certificate name you see under the "Certificate Authority - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 20
Reset Form to restore the default settings. Using a security template to control function access Note: This is available only in select printer For more information on configuring a specific type of building block, see a security template. Each device can support up to 140 security templates. Though - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 21
support separate authorization. • For simple authorization‑level security, in which individual users are not authenticated, administrators can control access to specific Submit to save the changes, or Reset Form to cancel all changes. by selecting Log out on the printer control panel. • For a list - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 22
"Appendix A: CA file creation" on page 41. 1 Open a Web browser, and then type the IP address or host name of the printer. 2 From the Embedded Web Server, click Settings > Security > Certificate Management > Certificate Authority Management. Notes: • This window allows the device administrator the - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 23
to a certificate that has been signed by a certificate authority. The printer includes a certificate signing request that can be viewed or downloaded, which greatly facilitates the process of obtaining the signed certificate for the printer. 1 Open a Web browser, and then type the IP address or - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 24
of creating and installing a signed printer certificate. The printer can now present a valid certificate to 128‑character maximum). • Unit Name-Type the name of the unit within the company or organization 4 Click Generate New Certificate. Viewing, downloading, and deleting a certificate 1 From the - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 25
certificates generated for a supported device. The values entered issuing the certificate. • Unit Name-Type the name of the unit within the company or entered. Notes: • This menu item appears only when a formatted, working printer hard disk is installed. • Enter 0 to allow users to enter an - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 26
Off 1 hour 4 hours 24 hours 1 week Set a limit on how long the printer stores print jobs for printing at a later time. Note: Off is the factory default setting. 3 Click Submit to save the changes, or click Reset Form to restore the default settings. Enabling and disabling USB devices Note: This - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 27
for securely erasing data from a hard disk. Note: Not all printers have a hard disk installed. If you do not see "Erase Temporary Data Files" in the main Security menu, then it is not supported on your device. 1 From the Embedded Web Server, click Settings > Security > Erase - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 28
Setup E-mail Server link to configure SMTP settings. 10 Click Submit to save the changes, or Reset Form to restore the default settings. E-mail server setup 1 From the Security Audit Log main responses to messages sent from the printer (in case of failed or bounced messages), type the Reply Address. - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 29
Device Credentials. 12 Click Submit to save the changes, or Reset Form to restore the default settings. Viewing or deleting the printer and working properly. For more information, see the instruction sheet that came with your wireless network adapter. 1 Open a Web browser, and then type the printer - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 30
EAP‑MD5 EAP‑TLS EAP‑TTLS PEAP (TLS) LEAP Needs on MFP or Printer Device login name and password Device login name and password, CA certificate, to make sure that all of the devices participating in the 802.1x process support the same EAP authentication type. 1 From the Embedded Web Server, click - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 31
community name is "public." 5 To facilitate the automatic installation of device drivers and other printing applications, select Enable PPM Mib (Printer Port Monitor MIB). 6 Click Submit to save the changes, or click Reset Form to restore the default values. SNMP Version 3 1 From the Embedded - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 32
each condition that should generate an alert. 5 Click Submit to save the changes, or click Reset Form to clear all fields. Configuring the TCP/IP port access setting Note: This is available only in select printer models. This feature allows you to set access settings on the different TCP/IP ports - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 33
security"-This removes security only from the function access controls. • Reset factory security defaults-This restores all security settings to the default , a service call will be required. Securing the hard disk and other installed memory Statement of Volatility Your printer contains various - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 34
devices have a hard disk drive installed. The printer hard disk is designed for device‑specific functionality and cannot be used for long term storage Guide. • Device and network settings-You can erase device and network settings and restore factory defaults by resetting the NVRAM using the printer - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 35
, then you can erase fax settings and data by resetting the NVRAM using the printer Config menu. Note: If your printer has a hard disk that has been partitioned for fax , or by restoring factory defaults using the printer Config menu. Configuring Out of Service Erase Notes: • This menu appears only - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 36
of standard home screen icons such as Copy and Fax. 3 Release the buttons when the screen with the progress bar appears. The printer undergoes a power-on reset, and then the Configuration menu appears. 4 Touch Wipe Disk, and then touch either of the following: • Wipe disk (fast)-This lets you - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 37
. • Enable-Use this to enable disk encryption. Notes: - Disable is the factory default setting. - Changing this setting will cause the printer to undergo a power‑on reset. Warning-Potential Damage: Changing the setting for disk encryption will erase the contents of the hard disk. 4 Click Submit to - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 38
access controls Note: This is available only in select printer models. 1 From the Embedded Web Server, click Settings > Security > Security Setup. 2 Under Advanced Security Setup, click Access Controls. 3 If necessary, click Expand All or click a specific folder to view a list of available functions - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 39
available only in select printer models. If your printer is not connected PINs and passwords) do not support separate authorization. 7 To use , click Expand All or click a specific folder to view a list of available Click Submit to save the changes, or Reset Form to cancel all changes. Users - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 40
from the existing network, making access to the printer as seamless as other network services. Before configuring the Embedded Web Server to integrate the name of that function. 4 Click Submit to save the changes, or Reset Form to cancel all changes. Users will now be required to enter the - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 41
presents a dialog window. 7 Select Base 64 encoded, and then click Download Certificate. Note: DER encoding is not supported. 8 Save the certificate that is offered in a file. The install the certificate. The previous manual process is replaced by a simple process with only limited initial setup - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 42
. Note: The example usage instructions given below assume the Certificate Enrollment Web Services is installed on a Windows 2008 R2 server. 1 Open a Web browser, and then type the IP address or host name of the printer in the address field. 2 From your printer Web page, click Settings > Security - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 43
to the Security menu from the Embedded Web Server. Service Engineer Menus at the Device This protects access to the Service Engineer menu from the printer control panel. Service Engineer Menus Remotely This protects access to the Service Engineer menu from the Embedded Web Server. Settings Menu - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 44
from any source other than a flash drive. Firmware files that are received through FTP, the Embedded Web Server, etc., will be ignored (flushed) when this function is protected. This protects access to the locking function of the printer control panel. If this is enabled, then users with appropriate - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 45
Applications Function access control New Apps App 1-10 What it does This controls the initial security profile of each application‑specific access control installed on the printer. The App 1 through App 10 access controls can be assigned to installed eSF applications and profiles created by LDSS - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 46
other products, programs, or services, except those expressly designated by the manufacturer, are the user's responsibility. For Lexmark technical support, visit http://support.lexmark.com. For information on supplies and downloads, visit www.lexmark.com. ©2013 Lexmark International, Inc. All rights - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 47
Notices 47 GifEncoder GifEncoder - writes out an image as a GIF. Transparency handling and variable bit size courtesy OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 48
Notices 48 "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 49
not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or specific language governing permissions and limitations under the License. - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 50
Glossary of Security Terms 50 Glossary of Security Terms Access Controls Authentication Authorization Building Block Group Security Template Settings that control whether individual device menus, functions, and settings are available, and to whom. Also referred to as Function Access Controls on - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 51
32 Out of Service Erase 35 TCP/IP port access setting 32 configuring device certificate information 23 Configuring Out of Service Erase 35 connecting 27 disposing of printer hard disk 33 downloading certificate 24 Certificate Authority (CA) certificates 19 E encrypting the printer hard disk 36 - Lexmark MS610dn | Embedded Web Server-Security: Administrator's Guide - Page 52
types installed on printer 33 menu, security Erase Temporary Data Files 27 N non‑volatile memory 33 erasing 34 notices 46 O Out of Service Erase configuring 35 GSSAPI authentication 15 login restrictions 20 password 8 PIN 9, 10 reset jumper on motherboard 33 security audit log 27 security templates
Embedded Web Server — Security
Administrator's Guide
October 2013
www.lexmark.com