Lexmark X654, X736DE, T650, X658, X738DTE User Manual

...
Embedded Web Server
Administrator's Guide
February 2009 www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners.
© 2009 Lexmark International, Inc. All rights reserved.
740 West New Circle Road Lexington, Kentucky 40550
Edition notice
February 2009
The following paragraph does not apply to any country where such provisions are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This publication could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in later editions. Improvements or changes in the products or the programs described may be made at any time.
For Lexmark technical support, visit support.lexmark.com. For information on supplies and downloads, visit www.lexmark.com. If you don't have access to the Internet, you can contact Lexmark by mail: Lexmark International, Inc.
Bldg 004-2/CSC 740 New Circle Road NW Lexington, KY 40550
References in this publication to products, programs, or services do not imply that the manufacturer intends to make these available in all countries in which it operates. Any reference to a product, program, or service is not intended to state or imply that only that product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any existing intellectual property right may be used instead. Evaluation and verification of operation in conjunction with other products, programs, or services, except those expressly designated by the manufacturer, are the user’s responsibility.
© 2009 Lexmark International, Inc. All rights reserved.
UNITED STATES GOVERNMENT RIGHTS
This software and any accompanying documentation provided under this agreement are commercial computer software and documentation developed exclusively at private expense.
Trademarks
Lexmark, Lexmark with diamond design, and MarkVision are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.
All other trademarks are the property of their respective owners.

Contents

Using security features in the Embedded Web Server...............5
Understanding the basics...................................................................................................................................................5
Authentication and Authorization ..............................................................................................................................................5
Groups ...................................................................................................................................................................................................6
Access Controls...................................................................................................................................................................................6
Security Templates............................................................................................................................................................................6
Configuring building blocks..............................................................................................................................................7
Creating a password ........................................................................................................................................................................7
Creating a PIN......................................................................................................................................................................................7
Setting up internal accounts .........................................................................................................................................................8
Using LDAP ..........................................................................................................................................................................................9
Using LDAP+GSSAPI...................................................................................................................................................................... 11
Configuring Kerberos 5 for use with LDAP+GSSAPI ..........................................................................................................13
Using NTLM authentication........................................................................................................................................................ 14
Securing access....................................................................................................................................................................15
Setting a backup password.........................................................................................................................................................15
Setting login restrictions.............................................................................................................................................................. 16
Using a password or PIN to control function access.......................................................................................................... 16
Using a security template to control function access .......................................................................................................16
Scenarios.................................................................................................................................................................................18
Scenario: Printer in a public place............................................................................................................................................. 18
Scenario: Standalone or small office........................................................................................................................................ 18
Scenario: Network running Active Directory........................................................................................................................ 19
Managing certificates and other settings...................................................................................................................21
Managing certificates.................................................................................................................................................................... 21
Setting certificate defaults ..........................................................................................................................................................22
Configuring confidential printing............................................................................................................................................. 22
Enabling and disabling USB devices........................................................................................................................................ 23
Disk wiping........................................................................................................................................................................................ 23
Encrypting the hard disk.............................................................................................................................................................. 24
Configuring security audit log settings ..................................................................................................................................25
Configuring 802.1x authentication.......................................................................................................................................... 26
Setting up SNMP............................................................................................................................................................................. 27
Enabling the security reset jumper ..........................................................................................................................................28
Contents
3
Appendix............................................................................................29
Notices................................................................................................32
Glossary of Security Terms.............................................................39
Index...................................................................................................40

Using security features in the Embedded Web Server

The latest suite of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Incorporating traditional components such as authentication and group permissions, administrators can use Embedded Web Server Security Templates to control access to the devices that produce, store, and transmit sensitive documents. Security templates are an innovative new tool developed by Lexmark to enable administrators to build secure, flexible profiles that provide end users the functionality they require, while limiting access to sensitive printer functions or outputs to only those users holding appropriate credentials. Utilizing soft configuration features alone or in conjunction with physical security such as Common Access Cards, the printer will no longer be a weak link in the document security chain.

Understanding the basics

Securing a printer through the Embedded Web Server involves combining one or more components—Authentication, Authorization, and Groups—to define who is allowed to use the printer, and which functions those users are allowed to access.
Before configuring printer security, it can be helpful to create a plan that identifies who the users will be and what they will need to do. Items to consider might include the location of the printer and whether non-authorized persons have access to that area, sensitive documents that will be sent to or stored on the printer, and the information security policies of your organization.

Authentication and Authorization

Authentication is the method by which a system securely identifies a user (that is, who you are). Authorization specifies which functions are available to a user who has been authenticated by the system. This set of authorized functions is also referred to as “permissions.” The Embedded Web Server handles authentication and authorization using one or more of the following, also referred to as Building Blocks:
• PIN
• Password
• Internal accounts
• LDAP
• LDAP+GSSAPI
• Kerberos 5 (used only in conjunction with LDAP+GSSAPI)
• NTLM
Some Building Blocks, such as Password or PIN, can be used alone to provide low-level security, by simply limiting access to a printer—or specific functions of a printer—to anyone who knows the correct code. This type of security might be appropriate in a situation in which a printer is located in the lobby or other public area of a business, so that only employees who know the password or PIN are able to use the printer. Because anyone who enters the correct password or PIN receives the same privileges and users cannot be individually identified, passwords and PINs are considered less secure than other building blocks that require a user to be identified, or both identified and authorized.
Using security features in the Embedded Web Server
5

Groups

Administrators can designate up to 32 groups to be used in association with either the Internal accounts or LDAP/LDAP+GSSAPI building blocks. For the purposes of Embedded Web Server security, groups are used to identify sets of users needing access to similar functions. For example, in Company A, employees in the warehouse do not need to print in color, but those in sales and marketing use color every day. In this scenario, it makes sense to create a “Warehouse” group, and a “Sales and Marketing” group.

Access Controls

By default, all device menus, settings, and functions come with no security enabled. Access Controls (also referred to in some devices as “Function Access Controls”), are used to manage access to specific menus and functions or to disable them entirely. Access controls can be set using a password, PIN, or security template. The number of functions that can be controlled varies depending on the type of device, but in some multifunction printers, over 40 individual menus and functions can be protected.
Note: For a list of individual Access Controls and what they do, see “Menu of Access Controls” on page 29.

Security Templates

Some scenarios call for only basic security such as PIN-protected access to common device functions, while others require tighter security and role-based restrictions. Individually, building blocks, groups, and access controls may not meet the needs of a complex security environment. In order to accommodate users in different groups needing access to a common set of functions such as printing, copying, and faxing, administrators must be able to combine these components in ways that give all users the functions they need, while restricting other functions to only authorized users.
A Security Template is a profile constructed using a building block, or certain building blocks paired with one or more groups. How they are combined determines the type of security created:

Building block                    Type of security
Internal Accounts                 Authentication only
Internal Accounts with Groups     Authentication and authorization
Kerberos 5                        Authentication only
LDAP                              Authentication only
LDAP with Groups                  Authentication and authorization
LDAP + GSSAPI                     Authentication only
LDAP + GSSAPI with Groups         Authentication and authorization
Password                          Authorization only
PIN                               Authorization only
Each device can support up to 140 security templates, allowing administrators to create very specific profiles—or roles—for each access control.

Configuring building blocks

Creating a password

The Embedded Web Server can store a combined total of 250 user-level and administrator-level passwords on each supported device.
To create a password
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select Password.
3 Under Manage Passwords, select Add a Password.
4 Type a name for the password in the Setup Name box. Each password must have a unique name consisting of 1-128 UTF-8 characters (example: “Copy Lockout Password”).
5 Type a password in the appropriate box, and then re-enter the password to confirm it.
6 Select Admin Password if the password will be used as the Administrator password.
Note: Selecting the Admin Password box sets the password as administrator-level. Administrator-level passwords override normal passwords. If a function or setting is protected by a normal password, any administrator-level password will also grant access.
7 Click Submit.
Notes:
• To edit a password, select a password from the list, and then modify the settings.
• To delete a password, select a password from the list and then click Delete Entry. Clicking Delete List will delete all passwords on the list, whether they are selected or not.

Creating a PIN

Typically, Personal Identification Numbers (PINs) are used to control access to specific device menus or to a device itself. PINs can also be used to control access to document outputs, by requiring a user to type a correct PIN to retrieve a held print, copy, or fax job. The Embedded Web Server can store a combined total of 250 user-level and administrator-level PINs.
To create a PIN
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select PIN.
3 Select Add a PIN.
4 Type the name of the PIN configuration in the Setup Name box. Each PIN must have a unique name consisting of 1-128 UTF-8 characters (example: “Copy Lockout PIN”).
5 Type a PIN in the appropriate box, and then re-enter the PIN to confirm it.
Note: The default PIN length is four digits, which may be changed by modifying the Minimum PIN length field under Settings > Security > Miscellaneous Security Settings.
6 Select Admin PIN if the PIN will be used as the Administrator PIN.
Note: If an activity is secured by a specific Administrator PIN, then only that PIN will grant access to it.
7 Click Submit.
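The following Python model is an added illustration, not Lexmark code, of how the building blocks, groups, security templates and access controls described in the preceding sections fit together. It encodes the "Building block / Type of security" table, the default that an unprotected function has no security, the rule that a shared password or PIN grants the same privileges to anyone who knows it without identifying them, and the administrator-level password override and Administrator PIN behaviour noted in the password and PIN procedures above. The template names, group names, user IDs and function names are constructed for the example; the device itself exposes none of these as an API.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Classification taken from the guide's "Building block / Type of security" table.
AUTHENTICATING_BLOCKS = frozenset({"Internal Accounts", "Kerberos 5", "LDAP", "LDAP+GSSAPI"})
GROUP_CAPABLE_BLOCKS = frozenset({"Internal Accounts", "LDAP", "LDAP+GSSAPI"})
SHARED_SECRET_BLOCKS = frozenset({"Password", "PIN"})
MAX_GROUPS = 32  # groups per building block, per the guide


@dataclass(frozen=True)
class SecurityTemplate:
    name: str
    building_block: str                      # one of the block names above
    setup_name: str                          # the named setup it uses, e.g. "Copy Lockout PIN"
    groups: FrozenSet[str] = frozenset()     # only meaningful for group-capable blocks
    setup_is_admin: bool = False             # Password/PIN setups: Admin Password/PIN box ticked

    def security_type(self) -> str:
        """Return the row of the guide's table this template corresponds to."""
        if self.building_block in SHARED_SECRET_BLOCKS:
            if self.groups:
                raise ValueError(f"{self.building_block} cannot be paired with groups")
            return "Authorization only"
        if self.building_block not in AUTHENTICATING_BLOCKS:
            raise ValueError(f"unknown building block {self.building_block!r}")
        if not self.groups:
            return "Authentication only"
        if self.building_block not in GROUP_CAPABLE_BLOCKS:
            raise ValueError(f"{self.building_block} cannot be paired with groups")
        if len(self.groups) > MAX_GROUPS:
            raise ValueError(f"at most {MAX_GROUPS} groups")
        return "Authentication and authorization"


@dataclass(frozen=True)
class Session:
    """What the device knows about the person at the control panel (constructed model)."""
    user_id: Optional[str] = None                  # None: nobody was individually identified
    groups: FrozenSet[str] = frozenset()           # groups of the identified user
    codes_entered: FrozenSet[str] = frozenset()    # setup names whose password/PIN was typed correctly
    admin_password_entered: bool = False           # an administrator-level password was typed


def check_access(function: str, access_controls: Dict[str, SecurityTemplate], session: Session) -> bool:
    """Decide whether the session may use `function` under the configured access controls."""
    template = access_controls.get(function)
    if template is None:
        return True  # by default every function comes with no security enabled
    kind = template.security_type()
    if kind == "Authorization only":
        if template.setup_name in session.codes_entered:
            return True
        # Any administrator-level password also opens a function protected by a normal
        # password; an Administrator PIN opens only the activity it specifically protects.
        return (template.building_block == "Password" and not template.setup_is_admin
                and session.admin_password_entered)
    if session.user_id is None:
        return False  # this block requires an identified user
    if kind == "Authentication only":
        return True
    return bool(template.groups & session.groups)


def demo() -> Dict[str, bool]:
    """Constructed scenario in the spirit of the guide's Company A example."""
    staff = SecurityTemplate("All Staff", "Internal Accounts", "Staff Accounts")
    color = SecurityTemplate("Color Users", "Internal Accounts", "Staff Accounts",
                             frozenset({"Sales and Marketing"}))
    copy_pin = SecurityTemplate("Copy Lockout", "PIN", "Copy Lockout PIN")
    menus = SecurityTemplate("Menu Lock", "Password", "Menu Password")
    access_controls = {"Print": staff, "Color Print": color, "Copy": copy_pin, "Settings Menu": menus}
    warehouse = Session("jsmith", frozenset({"Warehouse"}))
    sales = Session("apatel", frozenset({"Sales and Marketing"}))
    visitor = Session(codes_entered=frozenset({"Copy Lockout PIN"}))
    admin = Session(admin_password_entered=True)
    return {
        "warehouse_print": check_access("Print", access_controls, warehouse),        # True
        "warehouse_color": check_access("Color Print", access_controls, warehouse),  # False
        "sales_color": check_access("Color Print", access_controls, sales),          # True
        "visitor_copy": check_access("Copy", access_controls, visitor),              # True
        "visitor_print": check_access("Print", access_controls, visitor),            # False
        "admin_menu": check_access("Settings Menu", access_controls, admin),         # True
        "admin_copy": check_access("Copy", access_controls, admin),                  # False
        "anyone_fax": check_access("Fax", access_controls, visitor),                 # True
    }
```

The point of the model is the `visitor` session: a shared PIN opens exactly the function it protects, but because the device never learns who typed it, nothing that depends on an identity or a group membership can be granted. Pairing a group-capable block with groups is what turns "Authentication only" into a per-role decision.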

Setting up internal accounts

Embedded Web Server administrators can configure one internal account building block per supported device. Each internal account building block can include a maximum of 250 user accounts, and 32 user groups.
The internal accounts building block can be used by itself in a security template to provide authentication-level security, or in conjunction with one or more groups to provide both authentication and authorization.
Defining user groups
If using groups for authorization, define them prior to creating new internal accounts.
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select Internal Accounts.
3 Select Setup groups for use with internal accounts.
4 Type the Group Name.
Note: Group names can contain up to 128 UTF-8 characters.
5 Click Add.
6 Repeat steps 4 through 5 to add additional user groups.
Note: When creating groups, it is helpful to first make a list of all users, and then determine which device functions—such as printing, scanning, and copying—will be needed by all users, and which functions will be needed only by certain users. Each group will fulfill a role once combined into a security template, and users can be assigned to more than one group (or role), in order to grant them access to all needed functions.
Creating user accounts
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select Internal Accounts.
3 Select Add an Internal Account, and then provide the information needed for each account:
• Account Name—Type the user's account name (example: “Jack Smith”). You can use up to 128 UTF-8 characters.
• User ID—Type an ID for the account (example: “jsmith”). You can use up to 128 UTF-8 characters.
• Password—Type a password of between 8 and 128 characters.
• Re-enter Password—Type the password entered in the field above.
• E-mail—Type the user's E-mail address (example: “jsmith@company.com”).
• Groups—Select the groups to which the account belongs. Hold down the Ctrl key to select multiple groups for the account.
4 Click Submit to save the new account, or Cancel to return to the Manage Internal Accounts menu without storing the new account.
Specifying settings for internal accounts
Settings selected in the Internal Accounts Settings section will determine the information an administrator must submit when creating a new internal account, as well as the information a user must submit when authenticating.
• Require e-mail address—Select this box to make the E-mail address a required field when creating new internal accounts.
• Required user credentials—Select either User ID or User ID and Password to specify the information a user must submit when authenticating.

Using LDAP

Lightweight Directory Access Protocol (LDAP) is a standards-based, cross-platform, extensible protocol that runs directly on top of the TCP/IP layer, and is used to access information stored in a specially organized information directory. One of the strengths of LDAP is that it can interact with many different kinds of databases without special integration, making it more flexible than other authentication methods.
Notes:
• Supported devices can store a maximum of five unique LDAP configurations. Each configuration must have a unique name.
• Administrators can create up to 32 user-defined groups that apply to each unique LDAP configuration.
• As with any form of authentication that relies on an external server, users will not be able to access protected device functions in the event of an outage that prevents the printer from communicating with the authenticating server.
• To help prevent unauthorized access, users are encouraged to securely end each session by selecting Log out on the printer control panel.
To add a new LDAP setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP.
3 Click Add an LDAP Setup.
4 The LDAP Server Setup dialog is divided into four parts:
General Information
• Setup Name—This name will be used to identify each particular LDAP Server Setup when creating security templates.
• Server Address—Enter the IP Address or the Host Name of the LDAP server where the authentication will be performed.
• Server Port—The port used by the Embedded Web Server to communicate with the LDAP server. The default LDAP port is 389.
• Use SSL/TLS—From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS.
• Userid Attribute—Type either cn (common name), uid, userid, or user-defined.
• Search Base—The Search Base is the node in the LDAP server where user accounts reside. Multiple search bases may be entered, separated by commas.
Note: A Search Base consists of multiple attributes—such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain)—separated by commas.
• Search Timeout—Enter a value from 5 to 30 seconds.
• Required User Input—Select either User ID and Password or User ID to specify which credentials a user must provide when attempting to access a function protected by the LDAP building block.
Device Credentials
• Anonymous LDAP Bind—If selected, the Embedded Web Server will bind with the LDAP server anonymously, and the Distinguished Name and MFP Password fields will be grayed out.
• Distinguished Name—Enter the distinguished name of the print server(s).
• MFP Password—Enter the password for the print server(s).
Search specific object classes
• Person—Click to select or clear; this specifies that the “person” object class will also be searched.
• Custom Object Class—Click to select or clear; the administrator can define up to three custom search object classes (optional).
LDAP Group Names
• Configure Groups—Administrators can associate as many as 32 named groups stored on the LDAP server, by entering identifiers for those groups under the Group Search Base list. Both the Short name for group and the Group Identifier must be provided.
When creating Security Templates, the administrator can pick groups from this setup for controlling access to device functions.
5 Click Submit to save changes, or Cancel to return to previous values.
To edit an existing LDAP setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP.
3 Click a setup from the list.
4 Make any needed changes in the LDAP Configuration dialog.
5 Click Modify to save changes, or click Cancel to return to previous values.
To delete an existing LDAP setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP.
3 Select a setup from the list.
4 Click Delete Entry to remove the profile, or Cancel to return to previous values.
Notes:
• Click Delete List to delete all LDAP setups in the list.
• An LDAP building block cannot be deleted if it is being used as part of a security template.
To validate an existing LDAP setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP.
3 Click Test LDAP Authentication Setup next to the setup you want to test.

Using LDAP+GSSAPI

Some administrators prefer authenticating to an LDAP server using Generic Security Services Application Programming Interface (GSSAPI) instead of simple LDAP authentication because the transmission is always secure. Instead of authenticating directly with the LDAP server, the user will first authenticate with a Kerberos server to obtain a Kerberos “ticket.” This ticket is then presented to the LDAP server using the GSSAPI protocol for access. LDAP+GSSAPI is typically used for networks running Active Directory.
Notes:
• LDAP+GSSAPI requires that Kerberos 5 also be configured.
• Supported devices can store a maximum of five unique LDAP + GSSAPI configurations. Each configuration must have a unique name.
• As with any form of authentication that relies on an external server, users will not be able to access protected device functions in the event of an outage that prevents the printer from communicating with the authenticating server.
• To help prevent unauthorized access, users are encouraged to securely end each session by selecting Log out on the printer control panel.
To add a new LDAP+GSSAPI setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP+GSSAPI.
3 Click Add an LDAP+GSSAPI Setup.
4 The LDAP+GSSAPI Server Setup dialog is divided into four parts:
General Information
• Setup Name—This name will be used to identify each particular LDAP+GSSAPI Server Setup when creating security templates.
• Server Address—Enter the IP Address or the Host Name of the LDAP server where the authentication will be performed.
• Server Port—The port used by the Embedded Web Server to communicate with the LDAP server. The default LDAP port is 389.
• Use SSL/TLS—From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS.
• Userid Attribute—Enter either cn (common name), uid, userid, or user-defined.
• Search Base—The Search Base is the node in the LDAP server where user accounts reside. Multiple search bases may be entered, separated by commas.
Note: A Search Base consists of multiple attributes—such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain)—separated by commas.
• Search Timeout—Enter a value from 5 to 30 seconds.
• Required User Input—Select either User ID and Password or User ID to specify which credentials a user must provide when attempting to access a function protected by the LDAP building block.
Device Credentials
• MFP Kerberos Username—Enter the distinguished name of the print server(s).
• MFP Password—Enter the Kerberos password for the print server(s).
Search specific object classes
• Person—Click to select or clear; this specifies that the “person” object class will also be searched.
• Custom Object Class—Click to select or clear; the administrator can define up to three custom search object classes (optional).
LDAP Group Names
• Configure Groups—Administrators can associate as many as 32 named groups stored on the LDAP server, by entering identifiers for those groups under the Group Search Base list. Both the Short name for group and the Group Identifier must be provided.
When creating Security Templates, the administrator can pick groups from this setup for controlling access to device functions.
5 Click Submit to save changes, or Cancel to return to previous values.
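As an added example (not Lexmark's code, and not an interface the device offers), the Python below reviews an LDAP or LDAP+GSSAPI setup against the field choices and limits given in the "Using LDAP" and "Using LDAP+GSSAPI" procedures before an administrator types them into the Embedded Web Server: name length, port, the Use SSL/TLS choice, Userid Attribute, Search Timeout range, Search Base syntax, device credentials (anonymous bind versus a Distinguished Name, or the MFP Kerberos Username for LDAP+GSSAPI), the 32-group limit, and the device-wide limit of five uniquely named setups. The `LdapSetup` class, the finding texts and the sample host names, distinguished names and group identifiers are constructed for this illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DN_ATTRIBUTE_TYPES = {"cn", "ou", "o", "c", "dc"}   # attribute types the guide names for a Search Base
USERID_ATTRIBUTES = {"cn", "uid", "userid"}         # anything else counts as "user-defined"
MAX_SETUPS, MAX_GROUPS = 5, 32                      # per-device limits stated in the guide


def parse_search_base(base: str) -> List[Tuple[str, str]]:
    """Split one search base such as 'ou=People,dc=example,dc=com' into (attribute, value) pairs.
    Uses the guide's plain comma syntax only; RFC 4514 escaping ('\\,') is not handled here."""
    pairs = []
    for rdn in base.split(","):
        if "=" not in rdn:
            raise ValueError(f"'{rdn.strip()}' is not of the form attribute=value")
        attr, value = (part.strip() for part in rdn.split("=", 1))
        if not attr or not value:
            raise ValueError(f"empty attribute or value in '{rdn.strip()}'")
        pairs.append((attr.lower(), value))
    return pairs


@dataclass
class LdapSetup:  # constructed container mirroring the dialog fields
    setup_name: str
    server_address: str
    kind: str = "LDAP"                   # "LDAP" or "LDAP+GSSAPI"
    server_port: int = 389
    use_ssl_tls: str = "None"            # None, SSL/TLS or TLS, as in the drop-down
    userid_attribute: str = "uid"
    search_bases: List[str] = field(default_factory=list)
    search_timeout: int = 30
    anonymous_bind: bool = False         # Anonymous LDAP Bind (plain LDAP only)
    device_dn: str = ""                  # Distinguished Name, or MFP Kerberos Username
    mfp_password: str = ""
    groups: Dict[str, str] = field(default_factory=dict)   # short name -> group identifier


def review_setup(s: LdapSetup) -> List[str]:
    """Return findings prefixed ERROR/WARN/INFO; an empty list means nothing to report."""
    f: List[str] = []
    if not 1 <= len(s.setup_name) <= 128:
        f.append("ERROR: Setup Name must be 1-128 characters")
    if not 1 <= s.server_port <= 65535:
        f.append("ERROR: Server Port is out of range")
    if s.use_ssl_tls not in {"None", "SSL/TLS", "TLS"}:
        f.append("ERROR: Use SSL/TLS must be None, SSL/TLS or TLS")
    elif s.use_ssl_tls == "None":
        f.append("WARN: directory traffic, including the device bind password, is sent unencrypted; select SSL/TLS or TLS")
    if s.userid_attribute.lower() not in USERID_ATTRIBUTES:
        f.append(f"INFO: user-defined Userid Attribute '{s.userid_attribute}'")
    if not 5 <= s.search_timeout <= 30:
        f.append("ERROR: Search Timeout must be 5-30 seconds")
    if not s.search_bases:
        f.append("ERROR: at least one Search Base is required")
    for base in s.search_bases:
        try:
            for attr, _ in parse_search_base(base):
                if attr not in DN_ATTRIBUTE_TYPES:
                    f.append(f"INFO: unusual attribute type '{attr}' in search base '{base}'")
        except ValueError as exc:
            f.append(f"ERROR: bad search base '{base}': {exc}")
    if s.kind == "LDAP+GSSAPI":
        if s.anonymous_bind:
            f.append("ERROR: Anonymous LDAP Bind is not offered for LDAP+GSSAPI")
        if not (s.device_dn and s.mfp_password):
            f.append("ERROR: MFP Kerberos Username and MFP Password are required")
        f.append("INFO: LDAP+GSSAPI also requires a Kerberos 5 configuration on the device")
    elif s.anonymous_bind:
        f.append("INFO: device binds anonymously; Distinguished Name and MFP Password are ignored")
    elif not (s.device_dn and s.mfp_password):
        f.append("ERROR: Distinguished Name and MFP Password are required unless Anonymous LDAP Bind is selected")
    if len(s.groups) > MAX_GROUPS:
        f.append(f"ERROR: at most {MAX_GROUPS} groups per setup")
    return f


def review_device(setups: List[LdapSetup]) -> List[str]:
    """Device-wide checks: at most five setups per building block, each with a unique name."""
    f: List[str] = []
    names_by_kind: Dict[str, List[str]] = {}
    for s in setups:
        names_by_kind.setdefault(s.kind, []).append(s.setup_name)
    for kind, names in names_by_kind.items():
        if len(names) > MAX_SETUPS:
            f.append(f"ERROR: more than {MAX_SETUPS} {kind} setups")
        if len(set(names)) != len(names):
            f.append(f"ERROR: duplicate {kind} setup names")
    return f


def demo() -> Dict[str, List[str]]:
    """Two constructed setups: a weak plain-LDAP one and a reasonable LDAP+GSSAPI one."""
    weak = LdapSetup("Corp LDAP", "ldap.example.internal",
                     search_bases=["ou=People,dc=example,dc=internal"], anonymous_bind=True)
    good = LdapSetup("Corp AD", "dc01.example.internal", kind="LDAP+GSSAPI", use_ssl_tls="TLS",
                     userid_attribute="cn", search_bases=["cn=Users,dc=example,dc=internal"],
                     device_dn="cn=mfp-lobby,cn=Users,dc=example,dc=internal",
                     mfp_password="<device-password-placeholder>",
                     groups={"Sales and Marketing": "cn=Sales,cn=Users,dc=example,dc=internal"})
    return {"weak": review_setup(weak), "good": review_setup(good), "device": review_device([weak, good])}
```

The WARN on the plain-LDAP setup is the finding to act on: with Use SSL/TLS left at None, the device's bind password and every user lookup cross the network in the clear. The INFO lines only restate dependencies the guide mentions (anonymous bind disables the credential fields; LDAP+GSSAPI needs Kerberos 5 configured as well), so they are reminders rather than defects.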
To edit an existing LDAP+GSSAPI setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP+GSSAPI.
3 Select a setup from the list.
4 Make any needed changes in the LDAP Configuration dialog.
5 Click Modify to save changes, or Cancel to return to previous values.
To delete an existing LDAP+GSSAPI setup
1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups.
2 Under Edit Building Blocks, select LDAP+GSSAPI.
3 Select a setup from the list.
4 Click Delete Entry to remove the profile, or Cancel to return to previous values.
Notes:
• Click Delete List to delete all LDAP+GSSAPI setups in the list.
• An LDAP+GSSAPI building block cannot be deleted if it is being used as part of a security template.