Xerox Print Advisor Quick Reference Guide

®
Xerox
Print Advisor
Using a Domain Service Account Quick Reference
This document is made available for use only pursuant to the terms of license(s) pursuant to which Xerox Corporation restricts their use, copying, distribution, and decompilation/reverse engineering. In addition, Xerox Corporation reserves the right to make improvements in the product described in this manual pursuant to such license(s), which may include making changes at anytime and without notice. This document and the product described in this manual are copyrighted. All rights reserved. No part of this document may be copied, reproduced, translated or reduced to any electronic medium or machine readable form or in any form by any means without prior written authorization of Xerox Corporation.
®
Documentation © 2010 Xerox Corporation. Xerox or registered trademarks of Xerox Corporation in the United States and/or other countries. All rights reserved. Microsoft or trademarks of Microsoft Corporation in the United States and/or other countries. Other names may be trademarks or registered trademarks of their respective owners.
© Preo Software Inc. 2010
®
, Windows®, Windows XP®, Windows Vista®, .NET® and Active Directory® are registered trademarks
, the Xerox® Logo, and Xerox® Print Advisor are trademarks
1 Using a Domain Service
Account (DSA)
Domain Service Accounts (DSAs) allow System Administrators to create a class of cross-domain accounts that can be used to manage and maintain certain services on the computer network. DSAs are generally used to enhance security by isolating the privileges for an application.
®
With Xerox IT configuration.
Using a Domain Service Account
If a Domain Service Account is used for Print Advisor, the DSA must be able to communicate to the hosted Print Advisor Application Server over port 443 SSL (Secure Sockets Layer).
Print Advisor, DSAs are recommended when a Proxy Server is part of your organization’s
®
Note: Set up the Domain Service Account PRIOR to starting the Xerox
Altering the account information after installation is difficult and time-consuming if you have installed Xerox
®
Print Advisor on all of your organization’s workstations.
Print Advisor installation.
Securing the Domain Service Account
The Domain Service Account should be secured with a Group Policy in accordance with your security policies for Service Accounts, or Microsoft’s Service Account Guidelines available at
http://www.microsoft.com/downloads
If your organization does not currently have security policies in place for locking down service accounts, we recommend at a minimum that you apply the following settings:
Setting up a User Account
Set Password to Never Expire. Use complexity for passwords (minimum 8 characters; include special characters).
.
®
Xerox
Print Advisor Quick Reference 3
Using a Domain Service Account (DSA)
Setting up a Group Policy
Deny logon locally (User Rights Assignments). Disable Shut Down the System (User Rights Assignments). Enable an Account Lockout Policy (3 invalid attempts lock the account for 10 minutes). Require Logon as a Service (User Rights Assignments). Deny log on through Terminal Services (User Rights Assignments). Disable Allow Logon Locally (User Rights Assignments). You may want to continue locking down this group policy, as long as User Rights Assignments are
not affected.
Set options to Enforcement (no override); this setting takes precedence over any Group Policy
setting linked to child containers.
Set the Block inheritance flag. Create an account as an OU controlled subtree. Enable auditing on controlled subtree. Use AdminSDHolder function; this setting compares the privilege level every hour and ensures that
the settings have not been altered.
Using Domain Service Accounts for Proxy Servers
The account you select for Xerox® Print Advisor must have the ability to navigate through your proxy server. If you use a Proxy Server at your organization, it is highly recommended you use a Domain Service Account. While Xerox sufficient authorization to navigate an organization’s Proxy Server.
When Xerox
®
Print Advisor is installed using a DSA (Domain Service Account), the account must have at
a minimum the following privileges:
The ability to contact the Internet through the proxy server. The ability to iterate local printers on the machine on which the DSA is installed.
Advantages of using a DSA with a proxy server:
Using a DSA with a proxy server is advantageous in that the DSA can be set as follows:
Set up to communicate through the proxy server to the hosted Xerox
Server.
Restricted to communicate only to a known IP address range. Set to have a non-expiring password. Be locked down with just the permissions needed to run Print Advisor.
Additionally, the Service Account management can be centrally controlled.
®
Print Advisor can run as the Local System account, it rarely has
®
Print Advisor Application
4 Xerox
®
Print Advisor Quick Reference
Loading...