This product includes software developed by the Apache Software Foundation (http://www.apache.org/).” SWOP® is a registered trademark of SWOP, Inc.
DocuSP includes use of GNU source and object code, which is subject to the terms of
the GNU GPL. Please review the GNU GPL terms and conditions to understand the
restrictions under this license. For more information on GNU, please go to
http://www.gnu.org/licenses/gpl.txt.
As a requirement of the GNU GPL terms and conditions, source code of the programs
listed above can be found on the www.xerox.com website for the applicable DocuSP-based product or can be ordered from Xerox.
This information is provided for information purposes only. Xerox Corporation makes
no claims, promises or guarantees about the accuracy, completeness, or adequacy of
the information contained in this document and disclaims all liability concerning the
information and/or the consequences of acting on any such information. Performance
of the products referenced herein is exclusively subject to the applicable Xerox
Corporation terms and conditions of sale and/or lease. Nothing stated in this document
constitutes the establishment of any additional agreement or binding obligations
between Xerox Corporation and any third party.
Product Recycling and Disposal
If you are managing the disposal of your Xerox product, please note that the product
contains lead, mercury and other materials whose disposal may be regulated due to
environmental considerations in certain countries or states. The presence of lead and
mercury is fully consistent with global regulations applicable at the time that the product
was placed on the market.
European Union
Some equipment may be used in both a domestic/household and a professional/
business application.
Domestic/Household Environment
Application of this symbol on your equipment is confirmation that you should not
dispose of the equipment in the normal household waste stream.
In accordance with European legislation end of life electrical and electronic equipment
subject to disposal must be segregated from household waste.
Private households within EU Member States may return used electrical and electronic
equipment to designated collection facilities free of charge. Please contact your local
disposal authority for information.
In some Member States when you purchase new equipment your local retailer may be
required to take back your old equipment free of charge. Please ask your retailer for
information.
Professional/Business Environment
Application of this symbol on your equipment is confirmation that you must dispose of
this equipment in compliance with agreed national procedures.
In accordance with European legislation end of life electrical and electronic equipment
subject to disposal must be managed within agreed procedures.
Prior to disposal please contact your local dealer or Xerox representative for end of life
take back information.
The Security Guide provides the information needed to perform
system administration tasks for maintaining the Xerox Document
Services Platform (DocuSP) for printing systems.
This guide is intended for network and system administrators
responsible for setting up and maintaining Xerox printers with
DocuSP software. System administrators should have an
understanding of the Sun workstation, a familiarity with Solaris,
and with basic UNIX commands. This includes the use of text
editors such as vi or textedit and the ability to maneuver within the
Solaris environment. To enable them to set up a customer site,
system administrators are expected to have a working knowledge
of Local Area Networks (LANs), communication protocols, and the
applicable client platforms.
Contents
In general, this document covers information about the DocuSP
that is not covered in the Online Help or other available guides.
The following list describes the contents of this guide:
•Gateway and Network Configuration
•Backup and Restore
•Security and Network Setup
•Printing
•Finishing
•Fonts
•MICR
•Tape Client
•Accounting and Billing
•Troubleshooting
•Hints and Tips
Conventions
This guide includes the following conventions:
•Angle brackets - Variable information that is displayed on your screen is enclosed within angle brackets; for example, “Unable to copy <filename>.”
•Square brackets - Names of options you select are shown in square brackets; for example, [OK] and [Cancel].
•Notes are hints that help you perform a task or understand the text. Notes are found in the following format:
NOTE: This is an example of a note.
Customer support
To place a customer service call, dial the direct TTY number for
assistance. The number is 1-800-735-2988.
For additional assistance, dial the following numbers:
•Service and software support: 1-800-821-2797
•Xerox documentation and software services: 1-800-327-9753
Security
This section describes the DocuSP system-supplied security
profiles. It outlines the characteristics of each profile and indicates
how each can be customized to create user-defined profiles. The
enhanced security features in DocuSP protect the system against
unauthorized access and modification.
This section also addresses the options available to the
administrator in setting up and managing user accounts.
Finally, this section offers general guidelines to security-related
procedures that can be implemented to improve the security of the
DocuSP controller and the Solaris OS.
System supplied security profiles
The four system-supplied profiles are: none, low, medium, and
high. The following table describes the characteristics of each
security level and the configurable settings that restrict access to
various devices and operating system services. The default setting
is “Low.”
Table 2-1 Security Profiles

Profile: None
•Characteristics - Default Solaris and system security. All ports are open. Walkup users can reprint anything. Full workspace menu is available. Auto logon is enabled.
•User - Physically closed environments.
•Compatibility - Close to DocuSP 2.1 and 3.1. Similar to DocuSP 3.X “Medium”.
•Comments - Anonymous FTP is read-only and restricted. The Solaris desktop is removed from all settings except none.

Profile: Low
•Characteristics - FTP is enabled. Telnet, rsh is disabled. NFS client is enabled. AutoFS is enabled. Walkup users can reprint from “Saved Jobs” and CD-ROM. Terminal window is password protected. Auto-login is enabled.
•User - First choice setting for most environments.
•Compatibility - Similar to DocuSP 3.x “High”. Supports DigiPath workflow.
•Comments - Anonymous FTP is read-only and restricted. To enable telnet, go to [Setup], [FTP/Remote Diagnostics]. “Low” is the default setting.

Profile: Medium
•Characteristics - FTP is enabled. telnet, rsh is disabled. NFS client is disabled. AutoFS is disabled, e.g. /net/<hostname> and home/<username> are not automatically mounted. NFS server is filtered via RPC tab. Walkup user can reprint from CD-ROM. Terminal window is password protected.
•User - Environments requiring high security but with a need to integrate DigiPath.
•Compatibility - Supports DigiPath workflow.
•Comments - Anonymous FTP is read-only and restricted. To enable telnet, go to [Setup], [FTP/Remote Diagnostics].

Profile: High
•Characteristics - FTP is disabled. telnet, rsh is disabled. NFS client is disabled. AutoFS is disabled, e.g. /net/<hostname> and home/<username> are not automatically mounted. NFS server is disabled on customer network. Walkup users cannot reprint anything. Terminal window is password protected. Auto login is disabled (login is always required from GUI).
•User - For government market.
•Compatibility - Does not support DigiPath workflow.
•Comments - File FTP is disabled. File transfer can be done via Secure FTP. For CFA support, that is FTP upload of outload, go to [Setup], [FTP/Remote Diagnostics] menu.

Profile: Custom
•Characteristics - Any profile can be edited to adjust to user needs.

NOTE: Regardless of the security profile, anonymous FTP is
Read-only with restricted access to /export/home/ftphome only.
Enable and disable services
The following tables provide a list of the services that can be
enabled and disabled from the DocuSP “Setup > Security Profiles”
menu options.
Table 2-2 “System” tab

System Service - Description

Allow_host.equiv_plus - Background: The /etc/hosts.equiv and /.rhosts files provide the remote authentication database for rlogin, rsh, rcp, and rexec. The files specify remote hosts and users that are considered to be trusted. Trusted users are allowed to access the local system without supplying a password. These files can be removed or modified to enhance security. DocuSP is provided with both of these files deleted entirely. If the setting Allow_host.equiv_plus is set to disabled, then any time security settings are applied, the + will be removed from hosts.equiv. IMPORTANT NOTE: Removing the + from the hosts.equiv file will prevent the use of the Xerox command line client print from remote clients. An alternative would be to remove the + and add the name of each trusted host that requires this functionality. Leaving the + will allow a user from any remote host to access the system with the same username.

BSM - Enable or disable the Basic Security Module (BSM) on Solaris.

Executable Stacks - Some security exploits take advantage of the Solaris OE kernel executable system stack to attack the system. Some of these exploits can be avoided by making the system stack non-executable. The following lines are added to the /etc/system file:
    set noexec_user_stack=1
    set noexec_user_stack_log=1

Remote CDE Logins - Deny all remote access (direct/broadcast) to the X server running on DocuSP by installing an appropriate /etc/dt/config/Xaccess file.

Router - Disable router mode by creating the empty file /etc/notrouter.

Secure Sendmail - Force sendmail to only handle outgoing mail. No incoming mail will be handled by sendmail.

Security Warning Banners - Enable security warning banners to be displayed when a user logs in or telnets into the DocuSP server.

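An added example, not part of the Xerox guide: a POSIX shell audit that checks a file tree for three of the “System” tab settings described above, namely a + wildcard in hosts.equiv or .rhosts, the two noexec_user_stack lines in /etc/system, and the /etc/notrouter file. The function names and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a Solaris-style file tree for three "System" tab settings.
# A root directory is passed in so the checks can run against a copy of the files.

# Succeeds if the trust file has a bare "+" host entry (every remote host trusted).
has_wildcard_trust() {
    [ -f "$1" ] || return 1
    awk '$1 == "+" { found = 1 } END { exit !found }' "$1"
}

# Succeeds if the /etc/system-style file $1 contains "set <tunable $2>=1".
system_sets() {
    [ -f "$1" ] || return 1
    # Normalise "name = 1" to "name=1"; comment lines (leading "*") never match "set".
    sed 's/[[:space:]]*=[[:space:]]*/=/' "$1" |
        awk -v want="$2=1" '$1 == "set" && $2 == want { ok = 1 } END { exit !ok }'
}

# Prints one FAIL line per finding, then a count; returns non-zero if any were found.
audit_root() {
    root=$1
    findings=0
    for f in "$root/etc/hosts.equiv" "$root/.rhosts"; do
        if has_wildcard_trust "$f"; then
            echo "FAIL: $f contains a '+' wildcard entry"
            findings=$((findings + 1))
        fi
    done
    for tun in noexec_user_stack noexec_user_stack_log; do
        if ! system_sets "$root/etc/system" "$tun"; then
            echo "FAIL: $tun=1 is not set in $root/etc/system"
            findings=$((findings + 1))
        fi
    done
    if [ ! -e "$root/etc/notrouter" ]; then
        echo "FAIL: $root/etc/notrouter is missing, router mode is not disabled"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed sample tree (not from a real system): wildcard trust, one stack
# tunable missing, no /etc/notrouter.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf '+\n' > "$demo/etc/hosts.equiv"
printf '* constructed sample\nset noexec_user_stack=1\n' > "$demo/etc/system"
audit_root "$demo" || true
rm -rf "$demo"
```

Replacing the + with named hosts, as the table suggests, clears the first finding while keeping the Xerox command line client usable from those hosts.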
Table 2-3 “INIT” tab RC2 section

RC2 Service - Description

S40LLC2 - Class II logical link control driver
S47ASPPP - Asynchronous PPP link manager. This service is re-enabled via enable-remote-diagnostics command.
S70UUCP - UUCP server
S71LDAP.CLIENT - LDAP daemon to cache server and client information for NIS lookups.
S72AUTOINSTALL - Script executed during stub JumpStart or AUTOINSTALL JumpStart
S72SLPD - Service Location Protocol daemon