Setting the restricted server list (page 8)
Using HTTPS for printer management (page 9)
Setting up SNMP (page 9)
Using local accounts (page 12)
Using LDAP or LDAP+GSSAPI (page 14)
Using Kerberos (page 16)
Using Active Directory (page 18)
Creating LDAP, LDAP+GSSAPI, or Active Directory groups (page 20)
Editing or deleting LDAP, LDAP+GSSAPI, or Active Directory groups (page 20)
Creating a printer certificate (page 23)
Statement of Volatility (page 29)
User is locked out (page 30)
User is logged out automatically (page 30)
User cannot access applications or functions (page 30)
KDC and MFP clocks are out of sync (page 30)
Domain controller certificate is not installed (page 31)
KDC is not responding within the required time (page 31)
• Initial document release for multifunction products with a tablet-like touch‑screen display
Overview
Use this document to secure the printer using the Embedded Web Server. To secure the printer, combine login
methods and access controls to define users who are allowed to use the printer, and the functions they can use.
Using the Embedded Web Server you can configure the printer to reach Common Criteria Evaluation Assurance
Level 2 (EAL 2). For more information, see the Common Criteria Installation Supplement and Administrator Guide.
Before you begin, make sure that the printer settings have been configured for e‑mail. For more information,
see the printer User’s Guide.
Also, identify the following conditions:
• The login method to use
– Local accounts—Use the authentication methods available on the printer. User credentials are stored
in the printer memory.
– Lightweight Directory Access Protocol (LDAP)
– LDAP with Generic Security Services Application Program Interface (LDAP+GSSAPI)
– Kerberos
– Active Directory
• Other solutions that you want to include.
– Smart Card Authentication—A collection of applications used to secure access to printers and their
functions. The applications let you log in to a printer manually or using a smart card, and then securely
send e-mails and release print jobs. You can also configure more security settings in an application, such
as e-mail signing and encryption.
– Card Authentication—Secure access to a printer using a card reader. When users badge in, their
credentials are authenticated using a master printer, LDAP, or Identity Service Providers (ISP).
Note: For more information, see the Administrator’s Guide for the solution.
• The group to which the users belong. You can create groups after creating the login methods.
• The applications, functions, and printer management settings that users can access.
You may need administrative rights to configure or troubleshoot the security settings.
Supported printers
• Dell S5840cdn
Securing network connections
Accessing the Embedded Web Server
1 Obtain the printer IP address. Do either of the following:
• Locate the IP address on the top of the printer home screen.
• From the printer home screen, touch Settings > Network/Ports > Network Overview.
2 Open a Web browser, and then type the printer IP address.
Configuring TCP/IP port access settings
You can control your network device activities by configuring your device to filter out traffic on specific network
connections. Protocols (such as FTP, HTTP, and Telnet) can be disabled.
Port filtering on devices disables network connections individually. When a port is closed, a device does not
respond to traffic on the specified port whether or not the corresponding network application is enabled.
We recommend closing any ports that you do not plan to use under standard operation by clearing them.
1 From the Embedded Web Server, click Settings > Network/Ports > TCP/IP > TCP/IP Port Access.
2 Enable the access to the TCP/IP ports.
3 Click Save.
Note: For more information on each port, contact your system administrator.
Configuring IP Security (IPsec) settings
Apply IPsec between the printer and the workstation or server to secure traffic between the systems with a
strong encryption. The printers support IPsec with preshared keys (PSK) and certificates. You can use both
options simultaneously.
When using PSK authentication, printers are configured to establish a secure IPsec connection with up to seven
other systems. Printers and the systems are configured with a pass phrase that is used to authenticate the
systems and to encrypt the data.
When using the CA certificate authentication, printers are configured to establish a secure IPsec connection
with up to five systems or subnets. Printers exchange data securely with many systems, and the process is
integrated with a PKI or CA infrastructure. Certificates provide a robust and scalable solution, without configuring
or managing keys and pass phrases.
1 From the Embedded Web Server, click Settings > Network/Ports > IPSec.
2 Select Enable IPSec.
3 Configure the following settings to specify the encryption and authentication methods of the printer:
• Base Configuration
• DH (Diffie‑Hellman) Group Proposal
• Proposed Encryption method
• Proposed Authentication Method
• IPSec Device Certificate
4 Do one or more of the following:
• From the Pre‑Shared Key Authenticated Connections section, type the IP address of the client printer
that you want to connect to the printer.
• From the Certificate Authenticated Connections section, type the IP address of the client printer that you
want to connect to the printer.
5 Click Save.
Notes:
• If there are no CA certificates added, then the default certificate is used.
• If you are using PSK authentication, then type the corresponding key. Retain the key to use later when
configuring client printers.
Configuring 802.1x authentication
Though normally associated with wireless devices and connectivity, 802.1x authentication supports both wired
and wireless environments.
Notes:
• If using digital certificates to establish a secure connection to the authentication server, then configure
the certificates on the printer before changing 802.1x authentication settings. For more information, see
“Managing certificates” on page 23.
• Make sure that all printers on the same network using 802.1x support the same EAP
authentication type.
1 From the Embedded Web Server, click Settings > Network/Ports > 802.1x.
2 From the 802.1x Authentication section, do the following:
a Select Active.
b Type the login name and password that the printer uses to log in to the authentication server.
c Select Validate Server Certificate.
Note: Server certificate validation is necessary when using Transport Layer Security (TLS), Protected
Extensible Authentication Protocol (PEAP), and Tunneled Transport Layer Security (TTLS).
d Select Enable Event Logging.
Warning—Potential Damage: To reduce flash part wear, use this feature only when necessary.
e In the 802.1x Device Certificate list, select the digital certificate that you want to use.
Note: If only one certificate is installed, then default is the only option that appears.
3 From the Allowable Authentication Mechanisms section, select one or more authentication protocols.
• EAP‑MD5, EAP‑MSCHAPv2, and LEAP require a login name and password.
• PEAP and EAP‑TTLS require a login name and password and a CA certificate.
• EAP‑TLS requires a login name and password, a CA certificate, and a signed printer certificate.
4 In the TTLS Authentication Method menu, select the authentication method to use.
5 Click Save.
Setting the restricted server list
You can configure printers to connect only from a list of specified TCP/IP addresses. This action blocks all TCP
connections from other addresses, protecting the printer against unauthorized printing and configuring.
1 From the Embedded Web Server, click Settings > Network/Ports > TCP/IP.
2 In the Restricted Server List field, type up to 10 IP addresses, separated by commas, that are allowed to
make TCP connections.
3 Click Save.
Managing devices remotely
Using HTTPS for printer management
To restrict the access of the printer Embedded Web Server to HTTPS only, turn off the HTTP port, leaving the
HTTPS port (443) active. This action ensures that all communication with the printer using the Embedded Web
Server is encrypted.
1 From the Embedded Web Server, click Settings > Network/Ports > TCP/IP > TCP/IP Port Access.
2 Clear TCP 8000 (HTTP) and TCP 80 (HTTP).
3 Click Save.
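A check that the change took effect, as an added example that is not part of the original guide: it confirms from an administrator workstation that TCP 80 and TCP 8000 no longer accept connections while TCP 443 still does. The function names are assumptions of this example, and the printer address is supplied on the command line.

```python
import socket

# Ports named in the procedure above: the two HTTP ports to clear and the HTTPS port to keep.
HTTP_PORTS = (80, 8000)
HTTPS_PORT = 443


def port_accepts(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted.

    A closed port on the printer does not respond, so both a refused
    connection and a timeout count as "not accepting".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_https_only(host, must_be_closed=HTTP_PORTS,
                     must_be_open=(HTTPS_PORT,), timeout=2.0):
    """Return a list of findings; an empty list means the port policy holds."""
    findings = []
    for port in must_be_closed:
        if port_accepts(host, port, timeout):
            findings.append(f"TCP {port} still accepts connections; clear it in TCP/IP Port Access")
    for port in must_be_open:
        if not port_accepts(host, port, timeout):
            findings.append(f"TCP {port} is not reachable; the Embedded Web Server cannot be managed")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: audit_https_only.py PRINTER_IP")
    problems = audit_https_only(sys.argv[1])
    print("\n".join(problems) or "HTTPS-only policy holds")
    sys.exit(1 if problems else 0)
```

Run it from a host that is allowed to reach the printer; if a restricted server list is set, a workstation outside that list sees every port as closed.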
Setting up SNMP
Configuring SNMP versions 1 or 2c settings
1 From the Embedded Web Server, click Settings > Network/Ports > SNMP.
2 From the “SNMP Versions 1 and 2c” section, select Enabled > Allow SNMP Set.
3 In the SNMP Community field, type a name for the SNMP Community identifier. The default community name
is public.
4 Select Enable PPM Mib (Printer Port Monitor MIB) to facilitate the automatic installation of printer drivers
and other printing applications.
5 Click Save.
Configuring SNMP version 3 settings
Before you begin, disable SNMP versions 1 and 2c.
1 From the Embedded Web Server, click Settings > Network/Ports > SNMP.
2 From the SNMP Version 3 section, select Enabled.
3 If necessary, configure the following by providing your authentication credentials:
• Set Read/Write Credentials—Allow remote installation and configuration changes and printer
monitoring.
• Set Read-only Credentials—Allow only printer monitoring.
4 In the Authentication Hash menu, select the hash function of your SNMP server.
5 In the Minimum Authentication Level, select Authentication, Privacy.
6 In the Privacy Algorithm menu, select the strongest setting supported by your network environment.
7 Click Save.
Configuring SNMP traps
After configuring SNMP settings, you can customize which alerts are sent to the network management system
by designating events (SNMP traps) that trigger an alert message.
1 From the Embedded Web Server, click Settings > Network/Ports > SNMP > Set SNMP Traps.
2 In one of the IP Address fields, type the IP address of the network management server or monitoring station.
3 Select the conditions for which you want to generate an alert.
4 Click Save.
Configuring security audit log settings
The security audit log lets administrators monitor security‑related events on a device, including failed user
authorization, successful administrator authentication, and Kerberos file uploads to a device. By default, security
logs are stored on the device, but may also be transmitted to a network system log (syslog) server for further
processing or storage.
We recommend enabling audit in secure environments.
1 From the Embedded Web Server, click Settings > Security > Security Audit Log.
2 Do one or more of the following:
Activate security audit logging
Select Enable Audit.
Configure transmission to a network syslog server
This option lets you use both the remote syslog server and the internal logging.
a Select Enable Remote Syslog.
b Configure the Remote Syslog settings.
• Remote Syslog Server—Type the IP address or host name of the server.
• Remote Syslog Port—Type the port number used for the destination server. The default value is 514.
• Remote Syslog Method—Select Normal UDP to send log messages and events using a lower‑priority
transmission protocol. Otherwise, select Stunnel.
• Remote Syslog Facility—Select a facility code for events logged to the destination server. All events
sent from the device are tagged with the same code to aid in sorting and filtering by network monitor
or intrusion detection software.
• Severity of Events to Log—Select the priority level cutoff for logging messages and events. The
highest severity is 0, and the lowest is 7. The selected severity level and anything higher are logged.
For example, if you select 4 ‑ Warning, then severity levels 0–4 are logged.
• Remote Syslog Non‑Logged Events—Send all events regardless of severity to the remote server.
Configure e‑mail notification
Before you begin, make sure that the printer settings have been configured properly for e‑mail.
a In the Admin’s E‑mail Address field, type one or more e‑mail addresses, separated by commas.
b Configure the notification settings.
• E‑mail Log Cleared Alert—Send a notification when the Delete Log button is clicked.
• E‑mail Log Wrapped Alert—Send a notification when the log becomes full and begins to overwrite
the oldest entries.
• Log Full Behavior—Wrap over oldest entries or e‑mail the log and then delete all entries.
• E‑mail % Full Alert—Send a notification when log storage space reaches a certain percentage of
capacity.
• % Full Alert Level—Specify how full the log must be before an alert is triggered.
• E‑mail Log Exported Alert—Send a notification when the log file is exported.
• E‑mail Log Settings Changed Alert—Send a notification when the log settings are changed.
• Log Line Endings—Specify how the log file terminates the end of each line.
• Digitally Sign Exports—Add a digital signature to each exported log file.
3 Click Save.
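How the Remote Syslog Facility and Severity of Events to Log settings appear on the receiving server, as an added example that is not part of the original guide: each syslog line starts with a <PRI> value equal to facility * 8 + severity, and the collector can use it to separate the printer's events from other traffic and to apply the same cutoff. The sample lines are constructed, and facility 20 (local4) with cutoff 4 is an assumed configuration.

```python
import re

# Syslog severity names by code: 0 is the highest severity, 7 the lowest.
SEVERITY = ("Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug")
PRI = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>; PRI = facility * 8 + severity."""
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:      # 23 * 8 + 7 is the largest valid PRI
        raise ValueError("missing or invalid PRI")
    return divmod(int(m.group(1)), 8)


def triage(lines, facility, cutoff):
    """Bucket received lines against the facility and severity cutoff set on the printer."""
    out = {"expected": [], "other_facility": [], "below_cutoff": [], "malformed": []}
    for line in lines:
        try:
            fac, sev = decode_pri(line)
        except ValueError:
            out["malformed"].append(line)
            continue
        if fac != facility:
            out["other_facility"].append(line)   # not tagged with the printer's facility code
        elif sev > cutoff:
            # Numerically larger means less severe. Per the guide, such events reach
            # the server only when Remote Syslog Non-Logged Events is selected.
            out["below_cutoff"].append(line)
        else:
            out["expected"].append(line)
    return out


# Constructed sample lines (not real printer output). Facility 20 is local4.
SAMPLE = [
    "<164>Jan 12 10:01:22 printer01 constructed: failed user authorization",
    "<161>Jan 12 10:02:40 printer01 constructed: audit log cleared",
    "<166>Jan 12 10:03:05 printer01 constructed: informational event",
    "<38>Jan 12 10:03:09 otherhost constructed: unrelated sender",
    "Jan 12 10:04:00 printer01 constructed: line with no PRI",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE, facility=20, cutoff=4).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            fac_sev = decode_pri(item) if bucket != "malformed" else None
            label = SEVERITY[fac_sev[1]] if fac_sev else "n/a"
            print(f"  [{label}] {item}")
```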
Managing security audit logs
• To delete the syslog, in the Clear Log menu, click Clear.
• To view or save the syslog, in the Export Log menu, select the file type, and then click Export.
Updating firmware
Automated firmware updates can be done simultaneously over a network of printers. For security, the ability
to perform this update can be restricted to authorized administrators by using access control.
Printers inspect all downloaded firmware packages for some required attributes before adopting and executing
the packages. The firmware is packaged in a proprietary format and encrypted with a symmetric encryption
algorithm through an embedded key that is known only to the manufacturer. However, the strongest security
measure comes from requiring all firmware packages to include multiple digital 2048-bit RSA signatures from
the manufacturer. If these signatures are not valid, or if the message logs indicate a change in firmware after
the signatures were applied, then the firmware is discarded.
1 From the Embedded Web Server, click Settings > Device > Update Firmware.
2 Browse to the firmware file.
3 Click Upload.
Managing login methods
Restricting public access to functions, applications, printer
management, and security options
The guest account can use the printer without logging in. To control the access of guest account users, restrict
the functions, applications, printer management, and security options for the guest account.
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Public section, click Manage Permissions.
3 Select the access controls that the guest account can access. For more information, see “Understanding
access controls” on page 21.
4 Click Save.
Using local accounts
Local accounts are stored in the printer memory and provide authentication‑level security.
Creating local accounts
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Local Accounts section, click Add User.
3 Select the type of authentication method that you want the account to use when logging in to the printer.
• User Name/Password—Add an account with a user name and password.
• User Name—Add an account with a user name only.
• Password—Add an account with a password only.
• PIN—Add an account with a personal identification number (PIN) only.
4 From the User Information section, type the user information and authentication credentials.
5 From the Permission Groups section, select one or more groups.
Note: To create a group for the user, select Add New Group. For more information, see “Creating local
account groups” on page 13.
6 Click Save.
Editing and deleting local accounts
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Local Accounts section, click the authentication method to which the user account belongs.
3 Click the user account that you want to edit or delete.