Version 1.1
December 2014
Xerox® Color C60/C70
Security Function Supplementary
Guide
Table of Contents
1. Before Using the Security Function................................................................................... |
1 |
Preface............................................................................................................................................................................................................ |
1 |
Security Features ..................................................................................................................................................................................... |
2 |
Settings for the Secure Operation .......................................................................................................................................... |
2 |
Data Restoration................................................................................................................................................................................... |
3 |
Starting Use of the Data Encryption Feature and Changing the Settings .......................................... |
4 |
Use of the Overwrite Hard Disk.................................................................................................................................................... |
4 |
Service RepresentativeRestricted Operation ..................................................................................................................... |
5 |
For Optimal Performanceof the Security Features....................................................................................................... |
5 |
Confirm the Machine ROM Version and the System Clock.................................................................................... |
7 |
How to Check with Control Panel............................................................................................................................... |
7 |
How to Check with Print Report.................................................................................................................................... |
7 |
How to Check the System Clock ................................................................................................................................ |
7 |
2. Initial Settings ProceduresUsing Control Panel.......................................................... |
9 |
Authenticationfor Entering the System AdministrationMode........................................................................... |
9 |
Set Use Passcode Entry for Control Panel......................................................................................................................... |
9 |
Set Overwrite Hard Disk.............................................................................................................................................................. |
10 |
Set Data Encryption......................................................................................................................................................................... |
10 |
Set Authentication.............................................................................................................................................................................. |
10 |
Set Private Print ................................................................................................................................................................................... |
11 |
Set Software Download................................................................................................................................................................ |
11 |
Set Direct Fax........................................................................................................................................................................................... |
12 |
Set Auto Clear....................................................................................................................................................................................... |
12 |
Set Report Print...................................................................................................................................................................................... |
13 |
Set Self Test............................................................................................................................................................................................. |
13 |
3. Initial Settings ProceduresUsing Xerox® CentreWare® Internet Services14 |
|
Preparationsfor Settings on the Xerox® CentreWare® Internet Services................................................... |
14 |
Change the System Administrator’s Passcode............................................................................................................. |
14 |
Set Maximum Login Attempts................................................................................................................................................ |
15 |
Set Scheduled Image Overwrite ........................................................................................................................................... |
15 |
Set Access Control............................................................................................................................................................................... |
15 |
Set User Passcode Minimum Length................................................................................................................................ |
16 |
Set SSL/TLS............................................................................................................................................................................................... |
16 |
Set WebDAV........................................................................................................................................................................................... |
16 |
Set Receive E-mail.............................................................................................................................................................................. |
17 |
Set IPP.......................................................................................................................................................................................................... |
17 |
ConfiguringMachine Certificates............................................................................................................................................ |
17 |
Set IPSec.................................................................................................................................................................................................... |
17 |
Set IPSec Address................................................................................................................................................................. |
18 |
Set SNMPv3 ............................................................................................................................................................................................ |
18 |
Set S/MIME ............................................................................................................................................................................................. |
19 |
Xerox® Color C60/C70 Security Function Supplementary Guide |
|
Set WSD (Scan)...................................................................................................................................................................................... |
20 |
Set SOAP..................................................................................................................................................................................................... |
20 |
Set CSRF...................................................................................................................................................................................................... |
20 |
Set USB........................................................................................................................................................................................................ |
20 |
Set LDAP Server ................................................................................................................................................................................... |
21 |
Set Kerberos Server.............................................................................................................................................................................. |
21 |
Set Service RepresentativeRestricted Operation......................................................................................................... |
22 |
Set Audit Log.......................................................................................................................................................................................... |
22 |
Set Browser Refresh ........................................................................................................................................................................... |
22 |
Set Job Deletion.................................................................................................................................................................................. |
22 |
4. Regular Review by Audit Log............................................................................................... |
24 |
Import the Audit Log File................................................................................................................................................................ |
24 |
5. Self Testing....................................................................................................................................... |
26 |
6. Authenticationfor the secure operation.................................................................... |
27 |
Overview of Authentication.......................................................................................................................................................... |
27 |
Users Controlled by Authentication..................................................................................................................... |
27 |
Machine Administrator.................................................................................................................................................... |
27 |
Authenticated Users (with System Administrator Privileges)................................................................ |
27 |
Authenticated Users (with No System Administrator Privileges) ....................................................... |
28 |
UnauthenticatedUsers...................................................................................................................................................... |
28 |
Local Machine Authentication (Login to Local Accounts).................................................................................... |
28 |
Remote Authentication (Login to Remote Accounts)........................................................................................... |
28 |
Functions Controlled by Authentication............................................................................................................................. |
28 |
Authenticationfor Folder............................................................................................................................................................... |
30 |
Types of Folder....................................................................................................................................................................... |
30 |
7. Operation Using Control Panel........................................................................................... |
32 |
User Authentication .......................................................................................................................................................................... |
32 |
Create/ViewUser Accounts.......................................................................................................................................................... |
33 |
Change User Passcode by General User ............................................................................................................................ |
34 |
Job Deletion by System Administrator................................................................................................................................ |
34 |
Folder / Stored File Settings......................................................................................................................................................... |
35 |
Folder Service Settings ..................................................................................................................................................... |
35 |
Stored File Settings.............................................................................................................................................................. |
35 |
Create Folder........................................................................................................................................................................................... |
36 |
Send from Folder ............................................................................................................................................................................... |
37 |
Private Charge Print ......................................................................................................................................................................... |
37 |
8. Operation Using Xerox® CentreWare® Internet Services.................................. |
39 |
Accessing Xerox® CentreWare® Internet Services.................................................................................................... |
39 |
Print................................................................................................................................................................................................................. |
40 |
Scan (Folder Operation)............................................................................................................................................................... |
41 |
Folder: List of Files................................................................................................................................................................. |
42 |
Edit Folder................................................................................................................................................................................... |
43 |
Folder Setup.............................................................................................................................................................................. |
43 |
Import the files........................................................................................................................................................................ |
44 |
Printing Job Deletion.......................................................................................................................................................................... |
44 |
Xerox® Color C60/C70 Security Function Supplementary Guide |
|
|
Change User Passcode by System Administrator(Using Xerox® CentreWare® Internet Services) |
|
|
............................................................................................................................................................................................................................ |
44 |
9. Problem Solving ............................................................................................................................ |
45 |
|
|
Fault Clearance Procedure............................................................................................................................................................ |
45 |
|
Fault Codes............................................................................................................................................................................................... |
45 |
10. |
Security @ Xerox.......................................................................................................................... |
54 |
11. |
Appendix......................................................................................................................................... |
55 |
Xerox® Color C60/C70 Security Function Supplementary Guide
1. Before Using the
Security Function
This section describes the certified security functions and the items to be confirmed.
Preface
This guide is intended for the manager and system administrator of the organization where the machine is installed, and describes the setup procedures related to security.
For general users, this guide describes the operations related to security features.
For information on the other features available for the machine, refer to the following guidance.
Xerox® Color C60/C70 System Administrator Guide:
Version 1.0
Xerox® Color C60/C70 User Guide:
Version 1.0
The hash values of the PDF files are described in the Security Target disclosed at the Xerox (http://www.office.xerox.com/digital-printing-equipment/enus.html) and JISEC (http://www.ipa.go.jp/security/jisec/jisec_e/) website.
Please check that the hash values of your manuals are correct.
The security features of the Xerox® Color C60/C70 are supported by the following ROM versions.
Controller |
Ver. 1.200.17 |
IOT ROM |
Ver. 67.20.0 |
ADF ROM |
Ver. 13.19.3 |
Important:
The machine has obtained IT security certification for Common Criteria EAL3+ALC_FLR.2.
This certifies that the target of evaluation has been evaluated based on the certain evaluation criteria and methods, and that it conforms to the security assurance requirements.
Your ROM and user documentation may not be the certified version because they may have been updated along with machine improvements.
For the latest information concerning your device, download the latest versions from http://www.support.xerox.com/support.
Please check the state of the delivered machine's packaging. If you could not confirm the packaging state at delivery and would like to know the details of the delivered state, please contact our sales representative or customer engineer.
- 1 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Also, if you have such inquiries as the following, please contact us:
-Inquiries about the machine's functions
-All other inquiries.
Security Features
Xerox® Color C60/C70 has the following security features:
Hard Disk Data Overwrite
Hard Disk Data Encryption
User Authentication
System Administrator’s Security Management
Customer Engineer Operation Restriction
Security Audit Log
Internal Network data protection
Self Test
Information Flow Security
Settings for the Secure Operation
For the effective use of the security features, the System Administrator (Machine Administrator) must follow the instructions below:
Item |
Description |
Passcode Entry from Control Panel |
Set to [Enabled]. |
|
|
Overwrite Hard Disk |
Default [3 Overwrites]. |
|
|
Data Encryption |
Default [On]. |
|
|
Authentication |
Set to [Login to Local Accounts] or [Login to Remote |
|
Accounts]. |
|
|
Private Print |
Set to [Save as Private Charge Print]. |
|
|
Software Download |
Set to [Disabled]. |
|
|
Direct Fax |
Set to [Disabled] |
|
|
Auto Clear |
Default [on]. |
|
|
Report Print |
Set to [Disabled]. |
|
|
Self Test |
Set to [on]. |
|
|
The System Administrator Passcode |
Change the default passcode to another passcode of 9 or |
|
more characters. |
|
|
Maximum Login Attempts |
Default [5] Times. |
|
|
Scheduled Image Overwrite |
Set to [Enabled]. |
|
|
Access Control |
Set to [Locked] for Device Access and Service Access. |
|
|
|
- 2 - |
Xerox® Color C60/C70 Security Function Supplementary Guide
Item |
Description |
User Passcode Minimum Length |
Set to [9] characters. |
|
|
SSL/TLS |
Set to [Enabled]. |
|
|
WebDAV |
Set to [Disabled]. |
|
|
Receive E-mail |
Default [Disabled]. |
|
|
IPP |
Default [Enabled]. |
|
|
IPSec |
Set to [Enabled]. |
|
|
SNMPv1/v2c |
Set to [Disabled]. |
|
|
SNMPv3 |
Set to [Enabled]. |
|
|
S/MIME |
Set to [Enabled]. |
|
|
WSD (Scan) |
Set to [Disabled]. |
|
|
SOAP |
Set to [Disabled]. |
|
|
CSRF |
Set to [Enabled]. |
|
|
USB |
Set to [Disabled]. |
|
|
Service Representative Restricted |
Set to [Enabled], and enter a passcode of 9 or more |
Operation |
characters. |
|
|
Audit Log |
Set to [Enabled]. |
|
|
Browser Refresh |
Set to [Disabled]. |
|
|
Job Deletion |
Set to [Administrator Only]. |
|
|
Important:
The security will not be effective if you do not correctly follow the above setting instructions. The Information Flow Security feature requires no special settings by System Administrator. When you set Data Encryption to [On] again, enter an encryption key of 12 characters.
Data Restoration
The enciphered data cannot be restored in the following conditions.
When a problem occurs in the hard disk.
Without the correct encryption key.
Without the correct System Administrator ID and passcode when setting [Service Rep. Restricted Operation] to [On].
- 3 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Starting Use of the Data Encryption Feature and Changing the Settings
When data encryption is started or ended, or when the encryption key is changed, the machine must be restarted. The corresponding recording area (the Hard Disk) is reformatted when restarting. In this case, the previous data is not guaranteed.
The recording area stores the following data:
Spooled print data
Print data including the secure print and sample print
Forms for the form overlay feature
Folder and Job Flow sheet settings (Folder name, passcode, etc.)
Files in Folder
Address book data
Important:
Be sure to save all necessary settings and files before starting to use the data encryption feature or changing the settings.
An error occurs if the connected hard disk does not match the encryption settings.
Use of the Overwrite Hard Disk
In order to protect the data stored on the hard disk from unauthorized retrieval, you can set the overwrite conditions to apply them to the data stored on the hard disk.
You can select the number of overwrite passes as one or three times. When [1 Overwrite] is selected, “0” is written to the disk area. [3 Overwrites] ensures higher security than [1 Overwrite].
The feature also overwrites temporarily saved data such as copy documents.
Important:
If the machine is powered off during the overwriting operation, unfinished files may remain on the hard disk. When the power is restored, the overwriting operation will resume with the unfinished files remaining on the hard disk.
- 4 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Service Representative Restricted
Operation
Specifies whether the Service Representative has full access to the security features of the machine, including the ability to change System Administrator settings.
For the C60/C70, select [On] and then set [Maintenance Passcode] to restrict the Service Representative from entering the System Administration mode.
Important:
If the System Administrator’s ID and the passcode are lost when [Service Rep. Restricted Operation] is set to [On], neither you nor the Xerox representative will be able to change any setting in the System Administration mode.
For Optimal Performance of the Security
Features
The manager (of the organization that the machine is used for) needs to follow the instructions below:
The manager needs to assign appropriate people as system and machine administrators, and manage and train them properly.
The system administrator need to train users about the machine operation and precautions according to the policies of their organization and the product guidance.
The machine needs to be placed in a secure or monitored area where the machine is protected from unmanaged physical access.
If the network where the machine is installed is to be connected to external networks, configure the network properly to block any unauthorized external access.
The users must set a user ID and a passcode in [Accounting Configuration] via the printer driver.
Users and administrators need to set passcodes and an encryption key according to the following rules for the client PC login and the machine’s setup:
-Do not use easily guessed character strings for passcodes.
-A passcode needs to contain both numeric and alphabetic characters.
Users and administrators need to manage and operate the machine so that their user IDs and passcodes may not be disclosed to another person.
Administrators need to set the account policies on the remote authentication server as follows:
-Set password policy to [9 or more characters].
-Set account lockout policy to [5 times].
For secure operation, all of the remote trusted IT products that communicate with the machine shall implement the communication protocol in accordance with industry standard practice with respect to RFC/other standard compliance (SSL/TLS, IPSec, SNMPv3, S/MIME) and shall work as advertised.
The settings described below are required for both the machine’s configuration and the client’s configuration.
- 5 -
Xerox® Color C60/C70 Security Function Supplementary Guide
1) SSL/TLS
For the SSL/TLS client (Web browser) and the SSL/TLS server that communicate with the machine, select a data encryption suite from the following:
-TLS_RSA_WITH_AES_128_CBC_SHA
-TLS_RSA_WITH_AES_256_CBC_SHA
-TLS_RSA_WITH_AES_128_CBC_SHA256
-TLS_RSA_WITH_AES_256_CBC_SHA256
(The recommended browser is Microsoft® Internet Explorer 7/8/9/10)
For secure operation, you should disable the SSL function of remote clients/servers.
2) S/MIME
For the machine and e-mail clients, select an Encryption Method/Message Digest Algorithm from the following:
-3Key Triple-DES/168bit, AES/128bit, AES/192bit, AES/256bit, SHA1, SHA256
3)IPSec
For the IPSec host that communicates with the machine, select an Encryption Method/Message Digest Algorithm from the following:
-AES (128bit)/SHA1
-3Key Triple-DES (168bit)/SHA1
4)SNMPv3
The encryption method of SNMPv3 is DES/56bit or AES128bit. Set [Message Digest Algorithm] to [SHA1].
Important:
•For secure operation, while you are using the Xerox® CentreWare® Internet Services, do not access other web sites, and do not use other applications.
•For secure operation, when you change [Authentication Type] or prior to disposing of the machine, initialize the hard disk by resetting [Data Encryption] and changing [encryption key].
•For preventing SSL vulnerability, you should set the machine address in the proxy exclusion list of browser.
With this setting, secure communication will be ensured because the machine and the remote browser communicate directly without proxy server, and thus you can prevent man-in-the-middle attacks.
- 6 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Confirm the Machine ROM Version
and the System Clock
Before making initial settings, the System Administrator (Machine Administrator) needs to check the machine ROM version and system clock.
How to Check with Control Panel
1.Press the <Machine Status> button on the control panel.
2.Select [Device information] on the touch screen.
3.Select [Software Version] on the [Machine information] screen.
You can identify the software versions of the components of the machine on the screen.
How to Check with Print Report
1.Press the <Machine Status> button on the control panel.
2.Select [Print Reports] on the [Machine information] screen.
3.Select [Printer Reports] on the touch screen.
4.Select [Configuration Reports].
5.Press the <Start> button on the control panel.
You can identify the software versions of the components of the machine by Print Report.
How to Check the System Clock
1.Press the <Log In/Out> button on the control panel.
2.Enter the System Administrator’s Login ID and the passcode if prompted.
3.Select [Enter] on the touch screen.
4.Press the <Machine Status> button on the control panel.
5.Select [Tools] on the touch screen.
6.Select [System Settings].
7.Select [Common Service Settings].
8.Select [System Clock/Timers].
9.You can check the time and the date of the internal clock. If you need to change the time and the date, refer to the following procedures.
10.Select the required option.
11.Select [Change Settings].
- 7 -
Xerox® Color C60/C70 Security Function Supplementary Guide
12.Change the required setting. Use the scroll bars to switch between screens.
13.Select [Save].
14.To exit the [Tools] screen, select [Close] twice.
- 8 -
Xerox® Color C60/C70 Security Function Supplementary Guide
2. Initial Settings Procedures
Using Control Panel
This section describes the initial settings related to Security Features, and how to set them on the machine’s control panel.
Authentication for Entering the System Administration Mode
1.Press the <Log In/Out> button on the control panel.
2.Enter the system administrator’s ID with the keypad displayed.
3.Select [Next] .
4.Enter the system administrator’s passcode from the keypad.
5.Select [Enter].
6.Press the <Machine Status> button on the control panel. ?
7.Select [Tools].
Set Use Passcode Entry for Control Panel
1.Select [Authentication/Security Settings] on the [Tools] screen.
2.Select [Authentication].
3.Select [Passcode Policy].
4.Select [Passcode Entry from Control Panel].
5.Select [Change Settings].
6.Select [On].
7.Select [Save].
- 9 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Set Overwrite Hard Disk
1.Select [Authentication/Security Settings] on the [Tools] screen.
2.Select [Overwrite Hard Disk].
3.Select [Number of Overwrites].
4.Select [1 Overwrite] or [3 Overwrites].
5.Select [Save].
Set Data Encryption
1.Select [System Settings] on the [Tools] screen.
2.Select [Common Service Settings].
3.Select [Other Settings].
4.On the [Other Settings] screen, select [Data Encryption].
5.Select [Change Settings].
6.Select [On].
7.Select [New Encryption Key].
8.Enter a new encryption key of 12 characters by using the keyboard displayed, and then select [Save].
9.Select [Re-enter the Encryption Key]
10.Enter the same passcode, and then select [Save].
11.Select [Save].
12.Select [Yes] to apply the change.
13.Select [Yes] to reboot.
Set Authentication
1.Select [Authentication/Security Settings] on the [Tools] screen.
2.Select [Authentication].
3.Select [Login Type].
4.On the [Login Type] screen, select [Login to Local Accounts] or [Login to Remote Accounts].
5.Select [Save].
When [Login to Remote Accounts] is selected in step 4, proceed to steps 6 to 13
6.Select [System Settings] on the [Tools] screen.
7.Select [Connectivity & Network Setup].
- 10 -
Xerox® Color C60/C70 Security Function Supplementary Guide
8.Select [Remote Authentication Server Setting].
9.Select [Authentication System Setup].
10.Select [Authentication System].
11.Select [Change Settings].
12.On the [Authentication System] screen, select [LDAP] or [Kerberos].
13.Select [Save].
14.To exit the [Remote Authentication Server Setting] screen, select [Close].
Set Private Print
1.Select [Authentication/Security Settings] on the [Tools] screen.
2.Select [Authentication].
3.Select [Charge/Private Print Settings].
4.On the [Charge/Private Print Settings] screen, select [Received Control].
5.Select [Change Settings].
When [Login to Local Accounts] is selected
1)On the [Receive Control] screen, select [According to Print Auditron].
2)Select [Save As Private Charge Print Job] for [Job Login Success].
3)Select [Delete Job] for [Job Login Failure].
4)Select [Delete Job] for [Job without User ID].
When [Login to Remote Accounts] is selected
1)On the [Receive Control] screen, select [Save As Private Charge Print Job].
6.Select [Save].
7.To exit the [Charge/Private Print Settings] screen, select [Close].
Set Software Download
1.Select [System Settings] on the [Tools] screen.
2.Select [Common Service Settings].
3.Select [Other Settings].
4.On the [Other Settings] screen, select [Software Download].
5.Select [Change Settings].
6.Select [Disabled].
- 11 -
Xerox® Color C60/C70 Security Function Supplementary Guide
7.Select [Save].
8.To exit the [Common Service Settings] screen, select [Close].
9.To exit the [Tools] screen, press the <Services> button on the control panel.
Set Direct Fax
1.Select [System Settings] on the [Tools] screen.
2.Select [Fax Service Settings].
3.Select [Fax Control].
4.Select [Direct Fax].
5.Select [Change Settings].
6.Select [Disabled].
7.Select [Save].
8.To exit the [Fax Control] screen, select [Close].
Set Auto Clear
1.Select [System Settings] on the [Tools] screen.
2.Select [Common Service Settings].
3.Select [System Clock/Timers].
4.Select [Auto Clear].
5.Select [Change Settings].
6.Select [On].
7.Select [Save].
8.To exit the [Machine Clock/Timers] screen, select [Close].
- 12 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Set Report Print
1.Select [System Settings] on the [Tools] screen.
2.Select [Common Service Settings].
3.Select [Reports].
4.Select [Print Reports Button].
5.Select [Disabled].
6.Select [Save].
7.To exit the [Reports] screen, select [Close].
Set Self Test
1.Select [System Settings] on the [Tools] screen.
2.Select [Common Service Settings].
3.Select [Maintenance].
4.Select [Power on Self Test].
5.Select [On].
6.Select [Save].
7.To exit the [Tools] screen, select [Close] twice.
8.Select [Reboot Now] on the confirmation screen.
- 13 -
Xerox® Color C60/C70 Security Function Supplementary Guide
3. Initial Settings Procedures
Using Xerox®
CentreWare® Internet
Services
This section describes the initial settings related to Security Features, and how to set them on Xerox® CentreWare® Internet Services.
Preparations for Settings on the Xerox® CentreWare® Internet Services
Prepare a computer supporting the TCP/IP protocol to use Xerox® CentreWare® Internet Services. Xerox® CentreWare® Internet Services supports the browsers that satisfy "SSL/TLS" conditions.
1.Open your Web browser, enter the TCP/IP address of the machine in the Address or Location field, and press the <Enter> key.
2.Enter the System Administrator’s ID and the passcode.
3.Display the [Properties] screen by clicking the [Properties] tab.
Change the System Administrator’s
Passcode
1.Click [Security] on the [Properties] screen.
2.Click [System Administrator Settings].
3.Enter the system administrator’s ID in the [Administrator’s Login ID] box.
4.Enter a new system administrator’s passcode of 9 or more characters in the [Administrator’s Passcode] box.
5.Enter the new system administrator’s passcode in the [Retype Administrator’s Passcode] box.
- 14 -
Xerox® Color C60/C70 Security Function Supplementary Guide
6. Click [Apply].
Set Maximum Login Attempts
1.Click [Security] on the [Properties] screen.
2.Click [System Administrator Settings].
3.Enter the system administrator’s ID in the [Administrator’s Login ID] box.
4.Enter [5] in the [Maximum Login Attempts] box.
5.Click [Apply].
Set Scheduled Image Overwrite
1.Click [Security] on the [Properties] screen.
2.Click [On Demand Overwrite].
3.Click [Scheduled].
4.Check the [Enabled] box for [Scheduled Image Overwrite].
5.Select [Daily], [Weekly], or [Monthly] for [Frequency]
6.Set [Day], [Hour],and [Minutes],
7.Click [Apply].
Set Access Control
1.Click [Security] on the [Properties] screen.
2.Click [Authentication Configuration].
3.Click [Next].
4.Click [Configure] for [Device Access].
5.Select [Locked] for [Service Pathway], [Job Status Pathway], and [Machine Status Pathway].
6.Click [Apply].
7.Click [Authentication].
8.Click [Next].
9.Click [Configure] for [Service Access].
10.Click [Lock All].
11.Click [Apply].
12.Click [Reboot Machine].
- 15 -
Xerox® Color C60/C70 Security Function Supplementary Guide
Loading...