C3850/C3350/C3850FS
User’s Guide
Security Operations
2016. 2 Ver. 2.02
1 |
Security |
|
|
|
1.1 |
Introduction ................................................................................................................ |
..................... 1-2 |
|
|
Compliance with the ISO15408 Standard ......................................................................................... |
1-2 |
|
|
Operating Precautions ....................................................................................................................... |
1-2 |
|
|
INSTALLATION CHECKLIST.............................................................................................................. |
1-3 |
|
1.2 |
Security Functions .......................................................................................................................... |
1-5 |
|
|
Check Count Clear Conditions .......................................................................................................... |
1-5 |
|
1.3 |
Precautions for Operation Control ................................................................................................ |
1-6 |
|
|
Roles of the Owner of the Machine ................................................................................................... |
1-6 |
|
|
Roles and Requirements of the Administrator of the machine .......................................................... |
1-6 |
|
|
Password Usage Requirements ........................................................................................................ |
1-6 |
|
|
External authentication server control requirements ......................................................................... |
1-7 |
|
|
Security function operation setting operating requirements.............................................................. |
1-7 |
|
|
Operation and control of the machine ............................................................................................... |
1-7 |
|
|
Machine Maintenance Control........................................................................................................... |
1-9 |
|
1.4 |
Miscellaneous................................................................................................................................ |
1-10 |
|
|
Password Rules ............................................................................................................................... |
1-10 |
|
|
Precautions for Use of Various Types of Applications..................................................................... |
1-10 |
|
|
Encrypting communications ............................................................................................................ |
1-11 |
|
|
Print functions .................................................................................................................................. |
1-11 |
|
|
IPP printing ...................................................................................................................................... |
1-11 |
|
|
Items of Data Cleared by Data Erase Function................................................................................ |
1-12 |
|
|
HDD Format ..................................................................................................................................... |
1-13 |
|
|
Upgrading of the firmware ............................................................................................................... |
1-13 |
|
|
Software and hardware used in the machine .................................................................................. |
1-13 |
|
|
Self-test function (encryption key and firmware verification)........................................................... |
1-13 |
|
|
IPsec setting .................................................................................................................................... |
1-14 |
|
|
CS Remote Care function ................................................................................................................ |
1-14 |
|
|
Terminating a Session and Logging out .......................................................................................... |
1-14 |
|
|
Authentication error during external server authentication.............................................................. |
1-15 |
2 |
Administrator Operations |
|
|
|
2.1 |
Accessing the Administrator Settings .......................................................................................... |
2-2 |
|
|
Accessing the Administrator Settings................................................................................................ |
2-2 |
|
2.2 |
Enhancing the Security Function................................................................................................... |
2-5 |
|
2.2.1 |
Setting the Password Rules............................................................................................................... |
2-7 |
|
2.2.2 |
Setting the Enhanced Security Mode ................................................................................................ |
2-9 |
|
2.3 |
Canceling the Operation Prohibited State.................................................................................. |
2-10 |
|
|
Performing Release Setting ............................................................................................................. |
2-10 |
|
2.4 |
Setting the Authentication Method ............................................................................................. |
2-12 |
|
|
Setting the Authentication Method .................................................................................................. |
2-12 |
|
2.5 |
ID & Print Setting Function........................................................................................................... |
2-14 |
|
|
Setting the ID & Print........................................................................................................................ |
2-14 |
|
2.6 |
System Auto Reset Function ....................................................................................................... |
2-15 |
|
|
Setting the System Auto Reset function.......................................................................................... |
2-15 |
|
2.7 |
User Setting Function................................................................................................................... |
2-17 |
|
|
Making user setting.......................................................................................................................... |
2-17 |
|
2.8 |
Memory RX Function .................................................................................................................... |
2-19 |
|
2.8.1 |
Setting Memory RX .......................................................................................................................... |
2-19 |
|
2.8.2 |
Accessing the Memory RX file ......................................................................................................... |
2-21 |
|
2.9 |
Changing the Administrator Password....................................................................................... |
2-22 |
|
|
Changing the Administrator Password ............................................................................................ |
2-22 |
|
2.10 |
Protecting Data in the HDD.......................................................................................................... |
2-25 |
|
2.10.1 |
Setting the Encryption Key .............................................................................................................. |
2-25 |
bizhub C3850/C3350/C3850FS |
Contents-1 |
|
|
|
|
|
|
2.10.2 |
.............................................................................................................Deleting the encryption key |
2-28 |
2.10.3 |
Setting the Overwrite HDD Data ...................................................................................................... |
2-29 |
2.11Erasing data when the machine is to be discarded or use of a leased machine is
|
|
terminated...................................................................................................................................... |
2-31 |
|
2.11.1 |
Setting the Overwrite All Data.......................................................................................................... |
2-31 |
|
2.11.2 |
Setting the Restore All ..................................................................................................................... |
2-34 |
|
2.12 |
Obtaining Job Log......................................................................................................................... |
2-36 |
|
2.12.1 |
Obtaining and deleting a Job Log.................................................................................................... |
2-36 |
|
2.12.2 |
Downloading the Job Log data........................................................................................................ |
2-38 |
|
|
Job Log data.................................................................................................................................... |
2-40 |
|
2.13 |
Setting time/date in machine....................................................................................................... |
2-43 |
|
2.13.1 |
Setting time/date.............................................................................................................................. |
2-43 |
|
2.13.2 |
Setting daylight saving time............................................................................................................. |
2-45 |
|
2.14 |
SSL Setting Function .................................................................................................................... |
2-47 |
|
2.14.1 |
Device Certificate Setting ................................................................................................................ |
2-47 |
|
2.14.2 |
SSL Setting ...................................................................................................................................... |
2-49 |
|
2.14.3 |
Removing a Certificate..................................................................................................................... |
2-50 |
|
2.15 |
Accessing the Scan to HDD file................................................................................................... |
2-51 |
|
|
Accessing the image file .................................................................................................................. |
2-51 |
|
2.16 |
TCP/IP Setting Function............................................................................................................... |
2-53 |
|
2.16.1 |
Setting the IP Address ..................................................................................................................... |
2-53 |
|
2.16.2 |
Registering the DNS Server ............................................................................................................. |
2-54 |
|
2.17 |
E-Mail Setting Function ................................................................................................................ |
2-55 |
|
|
Setting the SMTP Server (E-Mail Server) ......................................................................................... |
2-55 |
3 |
User Operations |
|
|
|
3.1 |
User Authentication Function ........................................................................................................ |
3-2 |
|
|
Performing user authentication.......................................................................................................... |
3-2 |
|
3.2 |
ID & Print Function.......................................................................................................................... |
3-6 |
|
3.2.1 |
Registering ID & Print files ................................................................................................................. |
3-6 |
|
3.2.2 |
Accessing the ID & Print file............................................................................................................... |
3-8 |
|
3.3 |
Change Password Function......................................................................................................... |
3-10 |
|
|
Performing Change Password ......................................................................................................... |
3-10 |
|
3.4 |
Scan to HDD Function .................................................................................................................. |
3-11 |
|
3.4.1 |
Registering image files..................................................................................................................... |
3-11 |
|
3.4.2 |
Accessing the image file .................................................................................................................. |
3-13 |
|
3.5 |
S/MIME transmission function .................................................................................................... |
3-15 |
|
|
Sending E-mail by S/MIME.............................................................................................................. |
3-15 |
|
3.6 |
Memory RX Function .................................................................................................................... |
3-17 |
|
3.6.1 |
Accessing the Memory RX file ......................................................................................................... |
3-17 |
4 |
Application Software |
|
|
|
4.1 |
PageScope Data Administrator ..................................................................................................... |
4-2 |
|
|
Precautions during backup or restore ............................................................................................... |
4-2 |
|
4.1.1 |
Accessing from PageScope Data Administrator ............................................................................... |
4-2 |
|
4.1.2 |
Setting the user authentication method............................................................................................. |
4-4 |
|
4.1.3 |
Changing the authentication mode.................................................................................................... |
4-6 |
|
4.1.4 |
Making the user settings.................................................................................................................... |
4-8 |
|
4.1.5 |
Making the Address setting ............................................................................................................... |
4-9 |
bizhub C3850/C3350/C3850FS |
Contents-2 |
1
Security
1.1 |
|
|
|
|
Introduction |
1 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1.1Introduction
Thank you for purchasing our product.
This User's Guide contains the operating procedures and precautions to be used when using the security functions offered by the bizhub C3850/C3350/C3850FS machine. To ensure the best possible performance and effective use of the machine, read this manual thoroughly before using the security functions. The Administrator of the machine should keep this manual for ready reference. The manual should be of great help in finding solutions to operating problems and questions.
This User's Guide (Ver. 2.02) covers the following.
Model name |
bizhub C3850/bizhub C3350/bizhub C3850FS/ineo+ 3850/ineo+ 3350/ineo+ 3850FS |
Version |
G0607-999 |
|
|
For any query, request, or opinion concerning the machine, please contact your dealer from which you purchased your machine or Service Representative.
Any notice concerning this machine will be given in writing by the dealer from which you purchased your machine or Service Representative.
When the Enhanced Security Mode on this machine is set to [ON], more enhanced security functions are available.
This machine offers the security functions that comply with the ISO/IEC15408 (level: EAL2) and 2600.2-PP, Protection Profile for Hardcopy Devices, Operational Environment B.
The machine gives an alarm message or an alarm sound (peep) when a wrong operation is performed or a wrong entry is made during operation of the machine. (No "peep" alarm sound is issued if a specific sound setting in Sound Setting of Accessibility Setting is set to [OFF].) If the alarm message or alarm sound is given, perform the correct operation or make the correct entry according to the instructions given by the message or other means.
The administrator of the machine should exit from the current mode to return to the basic screen whenever the access to that mode is completed or if he or she leaves the machine with the mode screen left displayed.
The administrator of the machine should make sure that each individual general user exits from the current mode to return to the basic screen whenever the access to that mode is completed or if the user leaves the machine with the mode screen left displayed.
If an error message appears during operation of the machine, perform steps as instructed by the message. For details of the error messages, refer to the User’s Guide furnished with the machine. If the error cannot be remedied, contact your service representative.
The PageScope Web Connection functions can be used only if the setting is made to accept "Cookie."
NOTICE
This machine permits duplicate login operations performed by the service engineer, the Administrator of the machine, and the user.
-The Administrator of the machine should make sure that, when the service engineer changes the settings, neither the Administrator of the machine nor the user performs the login operation.
-The Administrator of the machine should make sure that no user is allowed to perform the login operation when the Administrator of the machine changes or deletes user information or user data.
-To prevent settings of the machine from being duplicated, the Administrator of the machine should not attempt to change the settings in a condition of having logged onto a mode simultaneously from the control panel and the client PC.
bizhub C3850/C3350/C3850FS |
1-2 |
1.1 |
Introduction |
1 |
|
|
|
This Installation Checklist contains items that are to be check by the Service Engineer installing this machine. The Service Engineer should check the following items, then explain each checked item to the Administrator of the machine.
To Service Engineer
Make sure that each of these items is properly carried out by checking the box on the right of each item.
1.Perform the following steps before installing this machine.
Check with the administrator to determine if the security functions of this machine should be enhanced. If the functions should be enhanced, check the following.
If the security functions are not to be enhanced, quit the operation without checking the following.
Before installing the machine, check with the administrator of the machine to determine if the following is confirmed.
•Whether the Service Engineer has been informed that the unpacking procedure is to be performed by the Service Engineer in the presence of the administrator of the machine.
•Whether the machine has been under the control of the administrator of the machine with a check made to ensure that evidently the machine has not been unpacked or used.
The Service Engineer should obtain the administrator's consent to the performance of this item.
If the machine has been unpacked, check with the administrator that it was the administrator who unpacked the machine and nobody but the administrator has gain access to the machine after the unpacking. Then, obtain the administrator's consent to the performance of the installation procedure for the unpacked machine before attempting to start the procedure. If the administrator's consent cannot be obtained, call the dealer.
I swear that I would never disclose information as it relates to the settings of this machine to anybody, or perform malicious or intentional act during setup and service procedures for the machine.
When giving a copy of the User's Guide, explain the following to the administrator:
•A digital signature is assigned to the data certified by ISO15408. To ensure integrity of the file, have the administrator of the machine confirm the digital signature using the property of the provided data file in the user's PC environment.
Confirm the digital signature as follows.
Right click the provided exe file to display the property screen.
Select [Digital Signatures] - [Details] - [General], and check that Konica Minolta, Inc. is displayed in the Name of signer field.
Select [View Certificate] - [General], and check the Signing time is within the validated date of the certificate.
•Two versions are available, the User's Guide and User's Guide Security Operations (this User's Guide).
•This User's Guide must first be read and the conditions described in this User's Guide Security Operations take precedence over the User's Guide.
•If the security functions of the machine are to be enhanced, the machine and its surrounding environment should be set up and operated according to this User's Guide.
Refer to the Service Manual and perform the required installation and setup steps.
•Explain to the administrator making him/her check the cover of the Service Manual to be referred that it is for bizhub C3850/bizhub C3350/bizhub C3850FS/ineo+ 3850/ineo+ 3350/ineo+ 3850FS (Version: G0607-999). Explain to the administrator that the following settings must be performed referring to the manuals above.
•The Service Engineer must have the administrator confirm that the digital signature is assigned to the firmware and the version of the firmware to be updated is the one that is written on the Service Manual.
2.After this machine is installed, refer to the Service Manual and perform the following steps.
Check that the model name, firmware version value, and the controller F/W hash value contained in the Service Manual agree with the respective values on the firmware version display screen and the firmware verification screen.
Check also that the MFP model name and the part numbers of the MFP board and the SSD board agree with those described in the Service Manual.
If there is a mismatch in the Firmware version number, explain to the administrator of the machine that upgrading of the Firmware is necessary and perform upgrading of the Firmware.
Set the CE Password.
3.After this machine is installed, refer to this User’s Guide and perform the following steps.
Check that the Administrator Password has been set by the Administrator of the machine.
bizhub C3850/C3350/C3850FS |
1-3 |
1.1 |
Introduction |
1 |
|
|
|
Check that the Encryption Key has been set by the administrator of the machine.
Check that the [IPv4 Address], [Subnet Mask], and [Default Gateway] have been set by the administrator of the machine.
Check that the self-signed certificate for SSL communications has been registered by the
Administrator of the machine.
Check that the date and time have been correctly set in the machine by the administrator of the machine.
Check that the ID & Print has been set to [Enable] by the administrator of the machine.
Check that the Memory RX has been set to [ON] by the administrator of the machine.
Check that IPsec has been set by the administrator of the machine for communications between the machine and the DNS server.
Check that IPsec has been set by the administrator of the machine for communications between the machine and the SMTP server.
Check that IPsec has been set by the administrator of the machine for communications between the machine and the external authentication server.
Check that User Authentication has been set to [Device] or [External Server] (Active Directory only) by the Administrator of the machine.
Check that Password Rules has been set to [ON] by the Administrator of the machine.
Let the Administrator of the machine set Enhanced Security Mode to [ON].
Check that the various functions to be disabled manually have been properly disabled by the administrator of the machine.
The languages, in which the contents of the User’s Guide Security Operations have been evaluated, are Japanese and English.
The following lists the manuals compatible with bizhub C3850/bizhub C3350/bizhub C3850FS/ineo+ 3850/ineo+ 3350/ineo+ 3850FS (Version: G0607-999).
•bizhub C3850/C3350/C3850FS User’s Guide v1.00 A3GN-9574BA-00
•bizhub C3850/C3350/C3850FS User’s Guide Security Operations 2016. 2 Ver.2.02
Explain to the administrator that the settings for the security functions for this machine have been specified.
When the above steps have been properly carried out, the Service Engineer should make a copy of this list and give the original of this list to the Administrator of the machine. The copy should be kept at the corresponding Service Representative for filing.
Please direct your any queries about using the machine to the Service Representative shown below.
Product Name |
|
Company Name |
User Division Name, |
Person in charge |
|
|
|
Contact |
|
|
|
|
|
|
Customer (Administrator of Machine) |
|
|
|
|
|
|
|
|
|
Service Representative |
|
|
|
|
|
|
|
|
|
bizhub C3850/C3350/C3850FS |
1-4 |
1.2 |
Security Functions |
1 |
|
|
|
1.2Security Functions
Setting the Enhanced Security Mode to [ON] will validate the security function of this machine. For details of the settings of different security functions to be changed by turning [ON] the Enhanced Security Mode, see page 2-5.
The following the major security functions when the Enhanced Security Mode is set to [ON].
Function |
Description |
Identification and au- |
Access control is then provided through password authentication for any ac- |
thentication function |
cess to the Administrator Settings and User Authentication mode. Access is |
|
thereby granted only to the authenticated user. A password that can be set |
|
must meet the Password Rules. The machine does not accept setting of an |
|
easily decipherable password. For details of the Password Rules, see |
|
page 1-10. |
|
If a wrong password has been entered three cumulative times during pass- |
|
word authentication, the machine determines that it is unauthorized access |
|
through Prohibited Functions When Authentication Error, prohibiting any fur- |
|
ther entry of the password. By prohibiting the password entry operation, the |
|
machine prevents unauthorized use or removal of data, thereby ensuring se- |
|
cured used of the machine. The administrator of the machine is responsible |
|
for resetting the prohibition of the password entry operation. For details, see |
|
page 2-10. |
|
|
User limiting function |
Specific functions to be used by each user may be limited. For details, see |
|
page 2-17. |
|
|
HDD encryption function |
By setting the Encryption Key, the data stored in the HDD is encrypted, there- |
|
by protecting the data in the HDD. For details, see page 2-25. |
|
|
Auditing function |
Information including operations performed on the machine and a job history |
|
can be stored in the HDD. Setting the Job Log (Audit Log) allows an illegal |
|
act or inadequate operation performed on the machine to be traced. The ob- |
|
tained Job Log can be downloaded and viewed from the PageScope Web |
|
Connection. For details, see page 2-36. |
|
|
Residual information de- |
When the machine is to be discarded or use of a leased machine is terminat- |
leting function |
ed at the end of the leasing contract, setting of the Overwrite HDD Data func- |
|
tion while the machine was in use allows residual unnecessary data to be |
|
deleted, because the machine overwrites a specific overwrite value over the |
|
unnecessary data. This prevents data leakage. (Passwords, addresses, and |
|
other data set while the machine was in use should, however, be deleted |
|
manually.) For details, see page 2-29. |
|
The Overwrite All Data function overwrites and erases all data stored in all |
|
spaces of the HDD. In addition, the Restore All function resets all passwords |
|
saved in the memory area on the MFP board and the SSD board to the fac- |
|
tory settings, thus preventing data from leaking. For details, see page 2-31. |
|
For details of items to be cleared by Overwrite All Data function, see |
|
page 1-12. |
|
|
Network communication |
Communication data transmitted to or from the machine and client PC can |
protecting function |
be encrypted using the SSL/TLS, which prevents information leakage |
|
through sniffing over the network. For details, see page 2-47. |
|
|
The following are the conditions for clearing or resetting the check count of the number of wrong entries at the time of authentication.
<Administrator Settings>
-Authentication of Administrator Settings is successful.
-Five minutes elapses after the machine is restarted.
-The Service Engineer performs administrator unlocking.
<User Authentication Mode>
-User Authentication mode is successful.
-Release of Prohibited Functions When Authentication Error is executed.
bizhub C3850/C3350/C3850FS |
1-5 |
1.3 |
Precautions for Operation Control |
1 |
|
|
|
1.3Precautions for Operation Control
This machine and the data handled by this machine should be used in an office environment that meets the following conditions. The machine must be controlled for its operation under the following conditions to protect the data that should be protected.
The owner (an individual or an organization) of the machine should take full responsibility for controlling the machine, thereby ensuring that no improper operations are performed.
-The owner of the machine should have the administrator of the machine recognize the organizational security policy and procedure, educate him or her to comply with the guidance and documents prepared by the manufacturer, and allow time for him or her to acquire required ability. The owner of the machine should also operate and manage the machine so that the administrator of the machine can configure and operate the machine appropriately according to the policy and procedure.
-The owner of the machine should have users of the machine recognize the organizational security policy and procedure, educate them to follow the policy and procedure, and operate and manage the machine so that the users acquire the required ability.
-The owner of the machine should vest the user with authority to use the machine according to the organizational security policy and procedure.
-The owner of the machine should operate and manage the machine so that the administrator of the machine checks the Job Log (Audit Log) data at appropriate timing to thereby determine whether a security compromise or a faulty condition has occurred during an operating period.
-If the Job Log (Audit Log) data is to be exported to another product, the owner of the machine should ensure that only the administrator of the machine performs the task. The owner of the machine should also operate and manage the machine so that the Job Log (Audit Log) data is not illegally accessed, deleted, or altered.
The administrator of the machine should take full responsibility for controlling the machine, thereby ensuring that no improper operations are performed.
<To Achieve Effective Security>
-A single individual person who is capable of taking full responsibility for controlling the machine should be appointed as the administrator of the machine to make sure that no improper operations are performed.
-When using an SMTP server (mail server) or an DNS server, each server should be appropriately managed by the administrator and should be periodically checked to confirm that settings have not been changed without permission.
The Administrator must control the Administrator Password and Memory RX Password appropriately so that they may not be leaked. These passwords should not be ones that can be easily guessed. The user, on the other hand, should control the User Password appropriately so that they may not be leaked. Again, these passwords should not be ones that can be easily guessed.
<To Achieve Effective Security>
-Make absolutely sure that only the Administrator knows the Administrator Password and Memory RX Password.
-The Administrator must change the Administrator Password and Memory RX Password at regular intervals.
-The Administrator should make sure that any number that can easily be guessed from birthdays, employee identification numbers, and the like is not set for the Administrator Password and Memory RX Password.
-If a User Password has been changed, the Administrator should have the corresponding user change the password as soon as possible.
-If the Administrator Password has been changed by the Service Engineer, the Administrator should change the Administrator Password as soon as possible.
-The Administrator should have users ensure that the passwords set for the User Authentication and Memory RX are known only by the user concerned.
-The Administrator should have users change the passwords set for the User Authentication at regular intervals.
bizhub C3850/C3350/C3850FS |
1-6 |
1.3 |
Precautions for Operation Control |
1 |
|
|
|
-The Administrator should make sure that any user does not set any number that can easily be guessed from birthdays, employee identification numbers, and the like for the passwords set for the User Authentication.
-Upon change of the Administrators, the old Administrator of the machine should promptly have the new one change the Administrator password.
The administrator of the machine and the server administrator are required to apply patches to, or perform account control for, this machine and the external authentication server connected to the office LAN in which the machine is installed to ensure operation control that achieves appropriate access control.
<To Achieve Effective Security>
-Apply patches so that the external authentication server is always up-to-date.
-Change the corresponding account information promptly as soon as user authorities are changed.
-Delete the corresponding account information promptly as soon as the specific user is transferred.
The administrator of the machine should observe the following operating conditions.
-The administrator of the machine should make sure that the machine is operated with the settings described in the installation checklist made properly in advance.
-The administrator of the machine should make sure of correct operation control so that the machine is used with the Enhanced Security Mode set to [ON].
-When the Enhanced Security Mode is turned [OFF], the administrator of the machine is to make various settings according to the installation checklist and then set the Enhanced Security Mode to [ON] again. For details of settings made by the service engineer, contact your service representative.
-When the machine is to be discarded or use of a leased machine is terminated at the end of the leasing contract, the administrator of the machine should use the Overwrite HDD Data function, the Overwrite All Data function, and the Restore All function to thereby prevent data to be protected from leaking.
The Administrator of the machine should perform the following operation control.
-The Administrator of the machine should log off from the Administrator Settings whenever the operation in the Administrator Settings is completed. The Administrator of the machine should also make sure that each individual user logs off from the User Authentication mode after the operation in the User Authentication mode is completed.
-During user registration, the administrator of the machine should make sure that the correct settings are made for the correct users, including functional restrictions.
-The administrator of the machine should set the Encryption Key according to the environment, in which this machine is used.
-The administrator of the machine should appropriately control the device certificate (SSL certificate) registered in the machine.
-The administrator of the machine should ensure that no illegal connection or access is attempted when the machine is to be connected to an external interface.
-The administrator of the machine should appropriately control the file of Job Log (Audit Log) data downloaded to, for example, a PC and ensure that none other than the administrator handles it.
-The administrator of the machine should check the Job Log (Audit Log) data at appropriate timing, thereby determining whether a security compromise or a faulty condition has occurred during an operating period.
-When generating or deleting Job Log (Audit Log) and Job Log (Audit Log) data, the administrator of the machine should check conditions of using this machine by the user.
-The administrator of the machine should make sure that each individual user updates the OS of the user's terminal and applications installed in it to eliminate any vulnerabilities.
bizhub C3850/C3350/C3850FS |
1-7 |
1.3 |
Precautions for Operation Control |
1 |
|
|
|
The administrator of the machine disables the following functions and operates and manages the machine under a condition in which those functions are disabled (While the Enhanced Security Mode is set to [ON], do not manually enable these functions).
Function Name |
Setting Procedure |
Delete Other User Jobs |
Using [Administrator Settings] - [System Settings] - [Restrict User Ac- |
|
cess] - [Restrict Access to Job Settings], set [Delete Other User Jobs] |
|
to [Restrict]. |
|
|
RAW Port Setting |
Using [Administrator Settings] - [Network Settings] - [TCP/IP Setting] |
|
- [RAW Port Setting], set [Enable] to [No]. |
|
• By setting [RAW Port Setting] to [No], the printing function via |
|
RAW port connection (Windows standard TCP/IP port) becomes |
|
unavailable. |
|
|
FTP Settings |
Using [Administrator Settings] - [Network Settings], set [FTP Settings] |
|
to [Disable]. |
|
|
SMB Settings |
• Start the PageScope Web Connection and, using [Network] - |
|
[SMB Settings] - [WINS/NetBIOS Settings] of the administrator |
|
mode, set [WINS/NetBIOS] to [Disable]. |
|
• Start the PageScope Web Connection and, using [Network] - |
|
[SMB Settings] - [SMB Client Settings] of the administrator mode, |
|
set [SMB Client] to [Disable]. |
|
• Start the PageScope Web Connection and, using [Network] - |
|
[SMB Settings] - [Direct Hosting Settings] of the administrator |
|
mode, set [Direct Hosting] to [Disable]. |
|
|
E-mail RX (POP) |
Start the PageScope Web Connection and, using [Network] - [E-mail |
|
Settings] of the administrator mode, set [E-mail RX (POP)] to [Disable]. |
|
|
SNMP Settings |
Using [Administrator Settings] - [Network Settings], set [SNMP Set- |
|
tings] to [OFF]. |
|
• To perform Registration of Device in the PageScope Data Admin- |
|
istrator, first register the machine before disabling the SNMP Set- |
|
tings. |
|
|
TCP Socket Settings |
Start the PageScope Web Connection and, using [Network] - [TCP |
|
Socket Settings] - [TCP Socket Settings] of the administrator mode, |
|
set [TCP Socket] to [Disable]. |
|
• By setting [TCP Socket] to [Disable], TWAIN connection becomes |
|
unavailable. |
|
|
SSL/TLS Version Setting |
Start the PageScope Web Connection and, using [Security] - [PKI Set- |
|
tings] - [SSL/TLS Settings] of the administrator mode, cancel the se- |
|
lection of [SSL 3.0] of [SSL/TLS Version]. |
|
|
WebDAV Settings |
Start the PageScope Web Connection and, using [Network] - [Web- |
|
DAV Settings] - [WebDAV Client Settings] of the administrator mode, |
|
set [WebDAV Client] to [Disable]. |
|
|
DPWS Settings (Printer Set- |
• Start the PageScope Web Connection and, using [Network] - |
tings/Scanner Settings) |
[Web Service Settings] - [Printer Settings] of the administrator |
|
mode, set [Print Function] to [Disable]. |
|
• Start the PageScope Web Connection and, using [Network] - |
|
[Web Service Settings] - [Scanner Settings] of the administrator |
|
mode, set [Scan Function] to [Disable]. |
|
|
Bonjour Setting |
Using [Administrator Settings] - [Network Settings], set [Bonjour Set- |
|
ting] to [Disable]. |
|
|
LPD Setting |
Start the PageScope Web Connection and, using [Network] - [TCP/IP |
|
Settings] of the administrator mode, set [LPD] to [Disable]. |
|
• By setting [LPD] to [Disable], the printing function via LPR port |
|
connection becomes unavailable. |
|
|
Manual destination entry prohi- |
The administrator of the machine registers only fax destinations and |
bition |
E-mail addresses. |
|
|
OpenAPI External |
Start the PageScope Web Connection and, using [Network] - [OpenA- |
|
PI Settings] of the administrator mode, set [OpenAPI External] to [Dis- |
|
able]. |
|
|
Confidential RX User Box |
Select [Administrator Settings] - [Fax Settings] - [Confidential RX User |
|
Box] and check that Confidential RX User Box is not registered. |
|
|
bizhub C3850/C3350/C3850FS |
1-8 |
1.3 |
Precautions for Operation Control |
|
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Function Name |
Setting Procedure |
|
|
|
LDAP Setting |
Start the PageScope Web Connection and, using [Network] - [LDAP |
|
|
|
|
Settings] - [LDAP Settings] of the administrator mode, set [LDAP] to |
|
|
|
|
[Disable]. |
|
|
|
|
|
|
The Administrator of the machine should perform the following maintenance control activities.
-Provide adequate control over the machine to ensure that only the Service Engineer is able to perform physical service operations on the machine.
-Provide adequate control over the machine to ensure that any physical service operations performed on the machine by the Service Engineer are overseen by the Administrator of the machine.
-Some options require that Enhanced Security Mode be turned [OFF] before they can be used on the machine. If you are not sure whether a particular option to be additionally purchased is fully operational with the Enhanced Security Mode turned [ON], contact your Service Representative.
-Install the machine at a safe site that can be monitored and operate and manage the machine while ensuring that the machine is protected from unauthorized physical access.
bizhub C3850/C3350/C3850FS |
1-9 |
1.4 |
Miscellaneous |
1 |
|
|
|
1.4Miscellaneous
Study the following table for details of the number and types of characters that can be used for each password. For details of the settings of the Password Rules, see page 2-7.
Types of |
Number of |
Types of characters |
Conditions for set- |
||
passwords |
characters |
|
|
ting/changes |
|
User Password |
8 to 64 |
• |
Numeric characters: 0 to 9 |
• A password only consist- |
|
|
characters* |
• |
Alpha characters: upper and |
|
ing of identical charac- |
|
|
|
lower case letters |
|
ters cannot be registered |
|
|
• |
Symbols: !, #, $, %, &, ’, (, ), |
|
or changed. |
|
|
|
*, ,, -, ., /, :, ;, <, =, >, ?, @, [, |
• |
The current password |
|
|
|
\, ], ^, _, `, {, |, }, ~, +, SPACE |
|
must be entered before a |
|
|
Selectable from among a total of |
|
change can be made in |
|
|
|
94 characters |
|
the setting. |
|
|
|
• "”" cannot be used |
• A new password to be |
||
|
|
|
|
|
set should not be the |
|
|
|
|
|
same as the current one. |
|
|
|
|
|
|
Administrator |
8 to 16 |
• |
Numeric characters: 0 to 9 |
• A password only consist- |
|
Password |
characters* |
• |
Alpha characters: upper and |
|
ing of identical charac- |
|
|
|
lower case letters |
|
ters cannot be registered |
|
|
• |
Symbols: !, #, $, %, &, ’, (, ), |
|
or changed. |
|
|
|
*, ,, -, ., /, :, ;, <, =, >, ?, @, [, |
• |
The current password |
|
|
|
\, ], ^, _, `, {, |, }, ~, ”, +, |
|
must be entered before a |
|
|
|
SPACE |
|
change can be made in |
|
|
Selectable from among a total of |
|
the setting. |
|
|
|
95 characters |
• A new password to be |
||
|
|
|
|
|
set should not be the |
|
|
|
|
|
same as the current one. |
|
|
|
|
|
|
*: The minimum number of characters set in [Set Minimum Password Length] must be set for the password. The default value is eight.
Comply with the following requirements when using the PageScope Web Connection or an application of various other types.
The administrator of the machine should make sure that the user observes the following requirements.
-The password control function of each application stores the password that has been entered in the PC being used. Disable the password management function of each application and perform an operation without storing a password.
Use a web browser or an application of various other types that shows "*" or "-" for the password entered.
-Once the password has been entered, do not leave your PC idle without logging on.
-Set the web browser so that cache files are not saved.
-Do not access any other site once you have logged onto the machine with the PageScope Web Connection. Accessing any other site or a link included in e-mail, in particular, can lead to execution of an unintended type of operation. Whenever access to any other site is necessary, be sure first to log off from the machine through the PageScope Web Connection.
-Using the same password a number of times increases the risk of spoofing.
-If a web browser such as Internet Explorer is used on the client PC side, "TLS v1" should be used for the SSL setting.
-Optional applications not described in this User’s Guide are not covered by certification of ISO15408.
bizhub C3850/C3350/C3850FS |
1-10 |
1.4 |
Miscellaneous |
1 |
|
|
|
The following are the cryptographic algorithms of key exchange and communications encryption systems supported in generation of encryption keys.
-TLS_RSA_WITH_3DES_EDE_CBC_SHA
-TLS_RSA_WITH_AES_128_CBC_SHA
-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-TLS_DHE_RSA_WITH_AES_256_CBC_SHA
NOTICE
The administrator of the machine should make sure that SSL encryption communication is not performed with the SSL set in SSL v3.
Do not use an SSL certificate that is electronically signed by MD5, as an increased risk results of data to be protected being tampered with or leaked.
To eliminate the risk of the data to be protected being tampered with or leaked, refer to the recommended ciphers list disclosed by, for example, NIST and CRYPTREC and use the appropriate cryptographic technique.
Use the following browsers to ensure SSL encryption communication with appropriate strength. Use of any of the following browsers achieves SSL encryption communication that ensures confidentiality of the image data transmitted and received.
For Windows
-Microsoft Internet Explorer 11 or later
Microsoft Internet Explorer 11 is used for the ISO15408 evaluation for this machine.
Only the following procedures are guaranteed for the print functions performed from the client PC.
-Use IPPS printing for the print functions performed using the printer driver.
-Use direct printing from the PageScope Web Connection for the print functions not performed via the printer driver.
IPP (Internet Printing Protocol) is a function that allows image data stored in HDD to be printed via the Internet by using the HTTP (HyperText Transfer Protocol) of the TCP/IP Protocol. IPPS (IPP over SSL/TLS) is the type of IPP that performs the SSL encryption communication.
<Installing printer driver>
To perform IPPS printing, the printer driver must be installed.
In the printer addition wizard of Windows Vista/7/8/8.1, Server 2008, Server 2008 R2, Server 2012, or Server 2012 R2, type the IP address of the machine in the following format in the "URL" field.
https://[host name].[domain name]/ipp
For [Host Name] and [Domain Name], specify the names set with the DNS server.
It is noted that the name resolution is enabled through the LLMNR protocol even without ".[Domain Name]" within the local segment (the range not beyond the router).
bizhub C3850/C3350/C3850FS |
1-11 |
1.4 |
Miscellaneous |
1 |
|
|
|
<Registering the certificate in Windows Vista or later>
Windows Vista or later, which offers enhanced security functions, gives a certificate error message if the SSL certificate is one that is not issued by a certification body. In such cases, it becomes necessary to register the certificate of this machine as that issued by a reliable party for the computer account.
First, register Host Name and IP address of this machine in the DNS server in advance. Then, in TCP/IP Settings of PageScope Web Connection, set the DNS Host Name and DNS Default Domain Name registered with the DNS server.
It should also be noted that, for the certificate to be imported, a certificate for SSL encryption communication should be registered in PageScope Web Connection and exported in advance as the certificate including the public key.
1
2
From "Continue to this website," call the PageScope Web Connection window to the screen.
Click "Certificate Error" to display the certificate. Then, click "Install Certificate" to install the certificate.
3 Display the physical stores. Then, deploy the certificate, which has earlier been exported, in "Local Computer" of "Trusted Root Certification Authorities" to thereby import the certificate.
The data erase function clears the following items of data.
NOTICE
Perform "Restore All" from the control panel of the machine, and not via the network.
The encryption key is not deleted even if Restore All or Overwrite All Data is performed. For the detailed deleting procedure, see page 2-28.
Items of Data Cleared |
Description |
Method |
Enhanced Security Mode |
Set to [OFF] |
Overwrite All Data |
|
|
HDD Format |
|
|
Restore All |
|
|
|
User registration data |
Deletes all user-related data that has been |
Overwrite All Data |
|
registered |
HDD Format |
|
|
|
Scan to HDD file |
Deletes all files stored as "Personal" by |
Overwrite All Data |
|
Scan to HDD |
HDD Format |
|
|
|
ID & Print file |
Deletes all ID & Print files |
Overwrite All Data |
|
|
HDD Format |
|
|
|
Image files |
• Image files saved other than the files |
Overwrite All Data |
|
stored as "Personal" by Scan to HDD, |
HDD Format |
|
and ID & Print files |
|
|
• Image files of jobs in job queue state |
|
|
• Remainder data files, used as image |
|
|
files and not deleted through only the |
|
|
general deletion operation |
|
|
• Temporary data files generated during |
|
|
print image file processing |
|
|
|
|
Destination recipient data |
Deletes all destination recipient data in- |
Overwrite All Data |
files |
cluding e-mail addresses and telephone |
HDD Format |
|
numbers |
|
|
|
|
Administrator Password |
Clears the currently set password, reset- |
Restore All |
|
ting it to the factory setting |
|
|
|
|
SSL certificate |
Deletes the currently set SSL certificate |
Overwrite All Data |
|
|
HDD Format |
|
|
Restore All |
|
|
|
Network Setting |
Clears the currently set network settings |
Restore All |
|
(DNS Server setting, IP Address setting, |
|
|
and SMTP Server setting), resetting it to |
|
|
the factory setting |
|
|
|
|
Machine setting data |
Deletes the machine setting data |
Restore All |
|
|
|
Trusted channel setting data |
Deletes the trusted channel setting data |
Restore All |
|
|
|
bizhub C3850/C3350/C3850FS |
1-12 |
1.4 |
Miscellaneous |
|
|
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Items of Data Cleared |
Description |
Method |
|
|
|
External server identification |
Deletes the external server identification |
Overwrite All Data |
|
|
|
setting data |
setting data |
HDD Format |
|
|
|
|
|
|
|
|
|
Time Adjustment Settings |
Set to [Disable] |
Restore All |
|
|
|
(NTP) |
|
|
|
|
|
|
|
|
|
HDD Format
Execute HDD format when, for example, to initialize the HDD (to be reset to the default state) or when the HDD is replaced with a referent one. Executing HDD format deletes data saved in the machine’s HDD.
-For details of items that are cleared by HDD Format, see page 1-12.
-HDD formatting turns [OFF] the Enhanced Security Mode. So, it must be turned [ON] again. For details of settings, see page 2-5.
-To execute HDD format, perform [HDD Format] in [Utility] - [Administrator Settings] - [Security Settings] - [HDD Settings].
If upgrading of the firmware has been performed by the service engineer, the Administrator of the machine must execute [Restore All]. Execute [Restore All] after the firmware has been upgraded. For details of the execution of [Restore All], see page 2-34.
-For details of items of data to be cleared by [Restore All], see page 1-12.
-The execution of [Restore All] will turn [OFF] the Enhanced Security Mode. So, it must be turned [ON] again. For details of settings, see page 2-5.
The following lists the software, hardware, and their versions used for the ISO15408 evaluation for this machine and they are the same as those listed on the security target.
The user should appropriately manage the software and hardware used with the machine on his or her own responsibility.
Software/Hardware |
Version, etc. |
||
FAX Kit |
FK-512 |
||
|
|
||
OS (Operating System) |
Windows 7 Professional SP1 |
||
|
|
||
Internet Explorer |
Ver. 11 |
||
|
|
||
Mozilla Firefox |
Ver. 36 |
||
|
|
|
|
Printer Driver |
• |
PCL v3.0.0 |
|
|
|
• |
XPS v3.0.1 |
|
|
||
PageScope Data Administrator |
Ver. 1.0.06000 |
||
with Device Set-Up and Utilities |
|
|
|
|
|
|
|
|
PageScope Data |
Ver. 4.1.35000 |
|
|
Administrator |
|
|
|
|
|
|
When the Enhanced Security Mode is set to [ON], the machine checks the encryption key and the firmware to make sure that they remain intact when the power switch is turned ON.
If a fault is present, an alarm screen that warns that a fault has occurred appears when the machine is started. If the alarm screen appears, contact your Service Representative.
bizhub C3850/C3350/C3850FS |
1-13 |
1.4 |
Miscellaneous |
1 |
|
|
|
This machine offers a choice of two authentication methods of [Pre-Shared Key] and [Digital Signature] for authenticating the remote machine with which to communicate.
When [Pre-Shared Key] is to be used, control the pre-shared key appropriately to ensure that it is not leaked to any third party other than the remote machine with which to communicate. For the shared key, set a value that consists of a combination of eight or more alphanumeric characters and that cannot be easily guessed. Do not set a value that can be easily guessed from your birthday, employee identification number, and the like.
[Digital Signature] has a higher security strength than [Pre-Shared Key].
[Main Mode] and [Aggressive Mode] are available in [Negotiation Mode] of [IKE Settings]. The default setting is [Main Mode]. The administrator of the machine should operate the machine with the [Main Mode] setting.
The ISO15408 evaluation for the machine is performed on the basis of the [Pre-Shared Key].
In IPsec setting, perform the proper management so that the conditions below are complied.
-Do not use DES but use 3DES or AES in [Encryption Algorithm].
-Do not specify NULL in [ESP Encryption Algorithm].
-Do not specify manual keys in [Key Exchange Method].
-Use character strings according to the Password Rules in [Pre-Shared Key].
CS Remote Care is a system that manages the machine through transmission and reception of various types of data for managing the machine between the machine and the CS Remote Care center computer via a telephone/fax line, a network, or E-mail.
When the Enhanced Security Mode is set to [ON], the following functions are no longer usable: instructing to rewrite the firmware, rewriting settings of the machine.
The machine allows the operator to automatically log out from or terminate a session, if it is unable to detect an operation on the control panel or a communication packet on the network.
The following shows the setting range and the default setting of each function. Set the time according to the environment in which the machine is used.
The administrator of the machine should explain to the user that the following settings are made. The administrator of the machine should also explain to the user immediately as soon as the setting has been changed.
Function name/software, etc |
Description |
System Auto Reset |
Setting range |
|
• [1] to [9] minutes, Default setting: [1] minute |
|
Setting procedure |
|
• [Administrator Settings] - [System Settings] - [Reset Settings] - |
|
[System auto reset] - [System Auto Reset Time] |
|
|
Auto Logout |
Setting range |
(PageScope Web Connection) |
• [Admin. Mode Logout Time]: [1] to [60] minutes |
|
Default setting: [10] minutes |
|
• [User Mode Logout Time]: [1] to [60] minutes |
|
Default setting: [60] minutes |
|
Setting procedure |
|
• Start the PageScope Web Connection and, in the Administrator |
|
Mode, select [Security] - [Auto Logout]. |
|
|
PageScope Data Administrator |
Default setting: [60] minutes (No change can be made in the setting) |
|
The time setting represents consideration for the time-consuming |
|
task, such as downloading the registered information. Be careful |
|
about leaving your seat, because the time setting is rather long. |
|
|
bizhub C3850/C3350/C3850FS |
1-14 |
1.4 |
Miscellaneous |
1 |
|
|
|
If a user is unable to log in successfully during user authentication using the external server authentication, possible causes include the status of connection to the external server, the condition of the external server (the server is down), and the status of user registration with the external server such as the number of users to be controlled by the machine reaching its limit and the user password quality on the external server.
The administrator of the machine should check these points and make the appropriate settings.
bizhub C3850/C3350/C3850FS |
1-15 |
2 Administrator Operations
2.1 |
|
|
|
|
Accessing the Administrator Settings |
2 |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2.1Accessing the Administrator Settings
In Administrator Settings, the settings for the machine system and network can be registered or changed.
This machine implements authentication of the user of the Administrator Settings function through the Administrator Password that verifies the identity as the Administrator of the person who accesses the function. During the authentication procedure, the Administrator Password entered for the authentication purpose appears as "*" or "-" on the display. A failure in authentication as a result of the entry of a wrong password is counted as unauthorized access.
NOTICE
Make sure that none of the general users of the machine will know the Administrator Password.
If the Administrator Password is forgotten, it must be set again by the Service Engineer. Contact your Service Representative.
The machine does not accept access to the Administrator Settings under any of the following conditions. Wait for some while before attempting to gain access to the Administrator Settings again (Except for access from PageScope Web Connection).
-There is a job being executed by the machine.
-There is a reserved job (timer TX, fax redial waiting, etc.) in the machine.
-Immediately after the power switch has been turned ON.
-A malfunction code is displayed on the machine.
<From the Control Panel>
0Do not leave the machine with the setting screen of Administrator Settings left shown on the display. If it is absolutely necessary to leave the machine, be sure first to log off from the Administrator Settings.
1Touch [Utility].
2Touch [Administrator Settings].
bizhub C3850/C3350/C3850FS |
2-2 |
2.1 |
Accessing the Administrator Settings |
2 |
|
|
|
3 Enter the Administrator Password from the keyboard.
%Touch [C] to clear all characters.
%Touch [] to delete the last character entered.
%Touch [Shift] to show the upper case/symbol screen.
%Touch [Cancel] to go back to the previous screen.
4 Touch [OK].
%If a wrong Administrator Password is entered, a message that tells that the Administrator Password does not match appears. Enter the correct Administrator Password.
%A failure in authentication as a result of the entry of a wrong password is counted as unauthorized access. If the cumulative number of unauthorized accesses reaches three during operation of the machine, the machine is set into an access lock state and prohibits any subsequent password entry operations. To cancel the access lock state, settings must be made by the Service Engineer; or, turn off, then on, the power switch of the machine. When the power switch is turned off, then on again, wait at least 10 seconds to turn it on after turning it off. This interval is necessary to ensure that the machine functions properly.
5 Press the [Reset] key to log off from the Administrator Settings.
bizhub C3850/C3350/C3850FS |
2-3 |
2.1 |
Accessing the Administrator Settings |
2 |
|
|
|
<From PageScope Web Connection>
0Do not leave the machine with the Administrator Mode setting screen left shown on the display. If it is absolutely necessary to leave the machine, be sure first to log off from the Administrator Mode.
1Start the Web browser.
2Enter the IP address of the machine in the address bar.
3Press the [Enter] key to start PageScope Web Connection.
4Click the Administrator radio button and [Log in].
5 Enter the Administrator Password in the password box.
%When accessing the Administrator Mode using the PageScope Web Connection, enter the same Administrator Password as that for the machine.
6 Click [OK].
%If a wrong Administrator Password is entered, a message that tells that the authentication has failed appears. Enter the correct Administrator Password.
%A failure in authentication as a result of the entry of a wrong password is counted as unauthorized access. If the cumulative number of unauthorized accesses reaches three during operation of the machine, the machine is set into an access lock state and prohibits any subsequent password entry operations. To cancel the access lock state, settings must be made by the Service Engineer; or, turn off, then on, the power switch of the machine. When the power switch is turned off, then on again, wait at least 10 seconds to turn it on after turning it off. This interval is necessary to ensure that the machine functions properly.
7 Click [Log out]. This allows you to log off from the Administrator Mode.
bizhub C3850/C3350/C3850FS |
2-4 |
2.2 |
Enhancing the Security Function |
2 |
|
|
|
2.2Enhancing the Security Function
When access to the machine by the Administrator of the machine through the Administrator Settings from the control panel is authenticated, the machine enables setting of the Enhanced Security Mode that allows settings for enhancing each of different security functions to be converted all at once.
In the Enhanced Security Mode, the machine allows selection of whether to use the Enhanced Security Mode or not. When the Enhanced Security Mode is set to [ON], the security function is enhanced by automatically setting such functions as that which determines whether each password meets predetermined requirements.
The following settings must first be made before the Enhanced Security Mode is set to [ON].
Settings to be Made in Advance |
Description |
Administrator Password |
Meet the Password Rules. |
|
The factory setting is "12345678." |
|
|
Encryption Key |
Set the Encryption Key. |
|
|
User Authentication |
Set to either [Device] or [External Server] (Active Directory). |
|
|
Certificate for SSL |
Register the self-signed certificate for SSL communications. |
|
|
Password Rules |
Set to [ON]. |
|
|
Service settings |
Calls for setting made by the Service Engineer. For details, contact |
|
your Service Representative. |
|
|
Setting the Enhanced Security Mode to [ON] changes the setting values of the following functions.
Function Name |
Factory Setting |
When Enhanced Security Mode is set to [ON] |
Password Rules |
OFF |
ON (not to be changed) |
|
|
* If [ON] is set for Password Rules, the types and number |
|
|
of characters to be used for each password are limited. |
|
|
For details of the Password Rules, see page 1-10. |
|
|
|
Public Access |
Restrict |
Restrict (not to be changed) |
|
|
|
Print without Authentica- |
Restrict |
Restrict (not to be changed) |
tion |
|
|
|
|
|
User Name List |
OFF |
OFF (not to be changed) |
|
|
|
Registering and Chang- |
Allow |
Restrict (not to be changed) |
ing Address by the user |
|
|
|
|
|
SSL |
Disable |
Enable (not to be changed) |
|
|
|
SSL Encryption Strength |
AES-256, 3DES, |
AES-256, 3DES (not to be changed to one containing |
|
RC4-128, |
strength lower than AES/3DES) |
|
DES, RC4-40 |
|
|
|
|
SSL Settings (http) |
OFF |
ON (not to be changed) |
|
|
|
SSL communication |
Non-SSL Only |
SSL Only (not to be changed) |
(OpenAPI) |
|
|
|
|
|
FTP Server |
Enable |
Disable |
|
|
(Selection can be made between [Enable] and [Disable]) |
|
|
|
S/MIME |
Disable |
Enable (not to be changed) |
|
|
|
E-mail Text Encryption |
3DES |
3DES (not to be changed if the encryption method |
Method |
|
stronger than 3DES is applied) |
(when S/MIME is enabled) |
|
|
|
|
|
Digital Signature |
Do not add |
Select when sending |
(when S/MIME is enabled) |
signature |
|
|
|
|
Digital Signature Type |
SHA-1 |
SHA-256 (not to be changed) |
(when S/MIME is enabled) |
|
|
|
|
|
Administrator Password |
Enabled |
Restrict |
Change Via Network |
|
|
(PageScope Web Con- |
|
|
nection) |
|
|
|
|
|
Network firmware update |
Invalid |
Valid |
protect |
|
|
|
|
|
bizhub C3850/C3350/C3850FS |
2-5 |
2.2 |
Enhancing the Security Function |
|
2 |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Function Name |
Factory Setting |
When Enhanced Security Mode is set to [ON] |
|
|
|
CS Remote Care |
Usable |
Remote device setting disabled |
|
|
|
|
|
|
|
|
|
IWS Settings |
Disable |
Disable (not to be changed) |
|
|
|
|
|
|
|
|
|
Account Track |
Off |
Off (Not to be changed) |
|
|
|
|
|
|
|
|
|
Restrict Scan to USB |
OFF |
ON (not to be changed) |
|
|
|
|
|
|
|
|
|
Print Document |
ON |
OFF (not to be changed) |
|
|
|
(External memory) |
|
|
|
|
|
|
|
|
|
|
|
WebDAV Server Settings |
Enable |
Disable (not to be changed) |
|
|
|
|
|
|
|
|
|
Audit Log |
OFF |
ON (not to be changed) |
|
|
|
|
|
|
|
|
|
Web Browser Setting |
Enable |
Disable (not to be changed) |
|
|
|
|
|
|
|
|
|
Restrict Internet Fax TX |
Allow |
Restrict (to be changed) |
|
|
|
|
|
|
|
|
|
Restrict Internet Fax RX |
Allow |
Restrict (to be changed) |
|
|
|
|
|
|
|
|
|
Restrict PC-Fax TX |
Allow |
Restrict (to be changed) |
|
|
|
|
|
|
|
|
|
SSDP |
Disable |
Disable (to be changed) |
|
|
|
|
|
|
|
|
|
Polling TX (Fax) |
OFF |
OFF (to be changed) |
|
|
|
|
|
|
|
|
|
Overwrite HDD Data |
Disable |
Enable (not to be changed) |
|
|
|
|
|
|
|
|
|
Self-test function |
Disable |
Enable |
|
|
|
(encryption key and |
|
|
|
|
|
firmware verification) |
|
|
|
|
|
|
|
|
|
|
|
Temporarily Save Au- |
Enable |
Disable (not to be changed) |
|
|
|
thentication Information |
|
|
|
|
|
(external server authenti- |
|
|
|
|
|
cation) |
|
|
|
|
|
|
|
|
|
|
|
External Memory Backup |
Allow |
Restrict |
|
|
|
(Service mode) |
|
|
|
|
|
|
|
|
|
|
|
IC card authentication |
None |
None |
|
|
|
|
|
|
|
|
|
QR Code Display Setting |
Not Display |
Not Display (not to be changed) |
|
|
|
|
|
|
|
|
|
FAX function restriction |
Allow |
Restrict (Default value for registration) |
|
|
|
(Registration user) |
|
|
|
|
|
|
|
|
|
|
|
FAX function restriction |
Allow |
Restrict (not to be changed) |
|
|
|
(User using external serv- |
|
|
|
|
|
er authentication) |
|
|
|
|
|
|
|
|
|
|
|
Import/export of destina- |
Allow |
Restrict (not to be changed) |
|
|
|
tion/authentication infor- |
|
|
|
|
|
mation |
|
|
|
|
|
|
|
|
|
NOTICE
When Password Rules is set to [ON] the number and types of characters used for each password are restricted. For details of the Password Rules, see page 1-10.
Turning ON the Enhanced Security Mode does not enable the ID & Print function. Enable the function manually to protect image files. For details of the ID & Print function, see page 2-14.
The Enhanced Security Mode is set to [OFF], if the Administrator of the machine executes any of the following functions. Set the Enhanced Security Mode to [ON] again.
-[HDD Format] is executed.
-[Overwrite All Data] is executed.
-[Restore All] of [Initialize] is executed.
-[Restore Network] of [Initialize] is executed.
-[Restore System] of [Initialize] is executed.
bizhub C3850/C3350/C3850FS |
2-6 |
2.2 |
Enhancing the Security Function |
2 |
|
|
|
0 For the procedure to call the Administrator Settings on the display, see page 2-2.
0Do not leave the machine with the setting screen of Administrator Settings left shown on the display. If it is absolutely necessary to leave the machine, be sure first to log off from the Administrator Settings.
NOTICE
Password Rules cannot be set to [ON], if the various types of currently set passwords do not meet the Password Rules. First, make sure that the passwords meet the Password Rules before attempting to set Password Rules to [ON]. For details of the Password Rules, see page 1-10.
1
2
3
Call the Administrator Settings on the display from the control panel.
Touch [ ].
Touch [Security Settings].
4 Touch [Security Details].
5 Touch [Password Rules].
bizhub C3850/C3350/C3850FS |
2-7 |
2.2 |
Enhancing the Security Function |
2 |
|
|
|
6
7
Select [ON] and set [Set Minimum Password Length] (8 to 16 characters).
Touch [OK].
bizhub C3850/C3350/C3850FS |
2-8 |
2.2 |
Enhancing the Security Function |
2 |
|
|
|
0 For the procedure to call the Security Settings screen on the display, see steps 1 through 3 of page 2-7.
0Do not leave the machine with the setting screen of Administrator Settings left shown on the display. If it is absolutely necessary to leave the machine, be sure first to log off from the Administrator Settings.
0The Enhanced Security Mode is factory-set to [OFF]. Be sure to turn [ON] the Enhanced Security Mode so as to enable the security function of the machine.
1Call the Security Settings screen on the display from the control panel.
2Touch [Enhanced Security Mode].
3 Select [ON] to enable the Enhanced Security Mode and touch [OK]. Touch [OK], then the machine restarts automatically.
%[ON] can be selected only if the Administrator of the machine has made the necessary settings beforehand. For details of the necessary settings, see page 2-5.
%If the Enhanced Security Mode is properly set to [ON], a key icon appears at the portion enclosed by a red frame of the screen, indicating that the machine is in the Enhanced Security Mode.
|
|
|
|
|
|
|
|
|
|
bizhub C3850/C3350/C3850FS |
2-9 |
2.3 |
Canceling the Operation Prohibited State |
2 |
|
|
|
2.3Canceling the Operation Prohibited State
When access to the machine by the administrator of the machine through the Administrator Settings from the control panel is authenticated, the machine enables the operation of Release Setting performed for canceling the state of Prohibited Functions When Authentication Error (access lock state) as a result of unauthorized access.
If a wrong password has been entered three cumulative times during password authentication, the machine determines that it is unauthorized access, prohibiting any further entry of the password. By prohibiting the password entry operation, the machine prevents unauthorized use or removal of data, thereby ensuring secured used of the machine.
Release Setting clears the unauthorized access check count for all User Authentication, resetting it to zero and canceling the operation prohibited state. Perform the following procedure to cancel the operation prohibited state.
Operation Prohibited State |
Canceling procedure |
Administrator Settings |
Turn OFF and ON the power switch; wait for five minutes and then |
|
cancel the operation prohibited state. |
|
|
User authentication |
The Administrator touches [Release] to cancel the operation pro- |
|
hibited state. |
|
|
NOTICE
The cumulative number of times a wrong password is entered is counted commonly, and not uniquely, by the control panel and the client PC. When either one is set into the access lock state, access via the other one is also prohibited.
0 For the procedure to call the Security Details screen on the display, see steps 1 through 4 of page 2-7.
0Do not leave the machine with the setting screen of Administrator Settings left shown on the display. If it is absolutely necessary to leave the machine, be sure first to log off from the Administrator Settings.
0When the power switch is turned off, then on again, wait at least 10 seconds to turn it on after turning it off. if there is no wait period between turning the power switch off, then on again, the machine may not function properly.
1Call the Security Details screen on the display from the control panel.
2Touch [Release].
bizhub C3850/C3350/C3850FS |
2-10 |
2.3 |
Canceling the Operation Prohibited State |
2 |
|
|
|
3
4
Select the function, for which Prohibit Function as a result of unauthorized access is to be released.
Touch [OK].
This clears the unauthorized access check count of the specific function selected in the previous step and cancels the operation prohibited state.
bizhub C3850/C3350/C3850FS |
2-11 |
2.4 |
Setting the Authentication Method |
2 |
|
|
|
2.4Setting the Authentication Method
When access to the machine by the Administrator of the machine through the Administrator Settings is authenticated, the machine enables setting of the authentication method for User Authentication.
The User Authentication method may be [Device] that uses the authentication system the machine has, [External Server] that uses the external server authentication of the external server, or [Off]. If the Enhanced Security Mode is set to [ON], the authentication method should be operated by either [Device] or [External Server] (Active Directory).
NOTICE
If [External Server] is selected for the authentication method, be sure to select [Active Directory] in the External Server Settings.
For the Kerberos protocol of the Active Directory, specify AES-128 or AES-256 instead of DES as the encryption level on the server settings.
0 For the procedure to access the Administrator Mode, see page 2-2.
0Do not leave the machine with the Administrator Mode setting screen left shown on the display. If it is absolutely necessary to leave the machine, be sure first to log off from the Administrator Mode.
1Start PageScope Web Connection and access the Administrator Mode.
2Click the [Security] tab.
3Select [Device] or [External Server] from the User Authentication pull-down menu, and click [Apply]. If [External Server] is selected, perform steps 4 through 8.
4 If [External Server] is selected, click [External Server List] from [Authentication] menu.
%When external server authentication is used, change settings after deleting registered users.
%Do not use an external server on which more than 1,000 users are registered.
%Make sure that the machine and the external server retain the same user registration status at all times.
%Do not add any user who is yet to be registered in the machine to the external server when the machine has 1,000 registered users.
bizhub C3850/C3350/C3850FS |
2-12 |