Xerox WORKCENTRE 7120 User Manual

Xerox WorkCentre 7120
Security Function Supplementary Guide
Version 1.0, May 2010
Table of Contents
Before Using the Security Function
  Preface
  Security Features
  Settings for the Secure Operation
  Data Restoration
  Starting use of the data encryption feature and changing the settings
  Use of the Overwrite Hard Disk
  Service Representative Restricted Operation
  For Optimal Performance of the Security features
  Confirm the Machine ROM version and the System Clock
    How to check by Control Panel
    How to check by Print Report
    How to check the Clock
Initial Settings Procedures Using Control Panel
  Use Passcode Entry from Control Panel
  Authentication for entering the System Administration mode
  Change the System Administrator’s Passcode
  Set Maximum Login Attempts
  Set Service Rep. Restricted Operation
  Set Overwrite Hard Disk
  Set Data Encryption
  Set Scheduled Image Overwrite
  Set Authentication
  Set Access Control
  Set Private Print
  Set User Passcode Minimum Length
  Set Direct Fax
  Preparations for settings on the CentreWare Internet Services
  Set SMB
  Set WebDAV
  Set LDAP
  Set SSL/TLS
  Configuring Machine certificates
  Set IPSec
  Set SNMPv3
  Set S/MIME
Regular Review by Audit Log
  Set Audit Log
  Import the Audit Log File
Authentication for the Secure Operation
  Overview of Authentication
    Users Controlled by Authentication
    Machine Administrator
    Authenticated Users (with System Administrator Privileges)
    Authenticated Users (with No System Administrator Privileges)
    Unauthenticated Users
  Local Machine Authentication (Login to Local Accounts)
  Remote Authentication (Login to Remote Accounts)
  Authentication for Folder
    Types of Folder
Operation Using Control Panel
  User Authentication
  Create/View User Accounts
  Change User Passcode by General User
  Folder / Stored File Settings
    Folder Service Settings
    Stored File Settings
  Create Folder
  Send from Folder
  Private Charge Print
Operation Using CentreWare Internet Services
  Accessing CentreWare Internet Services
  Print
  Scan (Folder Operation)
    Folder: List of Files
    Edit Folder
    Folder Setup
    Import the files
  Change User Passcode by System Administrator (Using CentreWare Internet Services)
Problem Solving
  Fault Clearance Procedure
  Fault Codes
Appendix
Copyright 2010 by Xerox Co., Ltd. All rights reserved.
Before Using the Security Function
This section describes the certified security functions and the items to be confirmed.
Preface
This guide is intended for the manager and system administrator of the organization where the machine is installed, and describes the setup procedures related to security.
For general users, this guide describes the operations related to security features.
For information on the other features available for the machine, refer to the following guidance.
• WorkCentre 7120 System Administrator Guide: Version 1.0, May 2010
• WorkCentre 7120 User Guide: Version 1.0, May 2010
The security features of the WorkCentre 7120 are supported by the following ROM versions.
• Controller ROM Ver. 1.201.6
• IOT ROM Ver. 4.21.0
• ADF ROM Ver. 7.06.50
Important:
The machine has obtained IT security certification for Common Criteria EAL3.
This certifies that the target of evaluation has been evaluated based on certain evaluation criteria and methods, and that it conforms to the security assurance requirements.
Note, however, that your ROM and Guidance may not be the certified version because they may have been updated along with machine improvements.
Security Features
WorkCentre 7120 has the following security features:
• Hard Disk Data Overwrite
• Hard Disk Data Encryption
• User Authentication
• System Administrator’s Security Management
• Customer Engineer Operation Restriction
• Security Audit Log
• Internal Network data protection
• FAX Flow Security
Settings for the Secure Operation
For the effective use of the security features, the System Administrator (Machine Administrator) must follow the instructions below:
• Passcode Entry from Control Panel: Default [On].
• The System Administrator Passcode: Change the default passcode "1111" to another passcode of 9 or more characters.
• Maximum Login Attempts: Default [5] Times.
• Service Rep. Restricted Operation: Set to [On], and then enter a passcode of 9 or more characters.
• Overwrite Hard Disk: Set to [1 Overwrite] or [3 Overwrites].
• Data Encryption: Set to [On].
• Scheduled Image Overwrite: Set to [Enabled].
• Authentication: Set to [Login to Local Accounts] or [Login to Remote Accounts].
• Access Control: Set to [Locked] for Device Access and Service Access.
• Private Print: Set to [Save in Private Charge Print].
• User Passcode Minimum Length: Set to [9] characters.
• Direct Fax: Set to [Disable] when remote authentication is used.
• SMB: Set to [Disabled] for [NetBEUI].
• WebDAV: Set to [Disabled] when remote authentication is used.
• SSL/TLS: Set to [Enabled].
• IPSec: Set to [Enabled].
• SNMP v1/v2c: Set to [Disabled].
• SNMPv3: Set to [Enabled].
• S/MIME: Set to [Enabled].
• Audit Log: Set to [Enabled].
Important:
• The security will not be warranted if you do not correctly follow the above setting instructions.
• FAX Flow Security feature requires no special setting by System Administrator.
• When you set Data Encryption [On] again, enter an encryption key of 12 characters.
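An added example, not part of the Xerox guide: a small Python check that compares settings transcribed from a machine against the required values listed above, applying the Direct Fax and WebDAV requirements only under remote authentication and the minimum passcode length only under local authentication. The "Setting: value" input format, the separate "Device Access" and "Service Access" keys, and the "SMB NetBEUI" key are assumptions made for the example, and the sample data is constructed.

```python
# Baseline check for the guide's "Settings for the Secure Operation" list.
# The "Setting: value" input format is an assumption of this example.

# Required values from the guide. A set lists every acceptable value.
BASELINE = {
    "Passcode Entry from Control Panel": {"On"},
    "Maximum Login Attempts": {"5"},
    "Service Rep. Restricted Operation": {"On"},
    "Overwrite Hard Disk": {"1 Overwrite", "3 Overwrites"},
    "Data Encryption": {"On"},
    "Scheduled Image Overwrite": {"Enabled"},
    "Authentication": {"Login to Local Accounts", "Login to Remote Accounts"},
    "Device Access": {"Locked"},    # Access Control, split in two (assumed key)
    "Service Access": {"Locked"},   # Access Control, split in two (assumed key)
    "Private Print": {"Save in Private Charge Print"},
    "SMB NetBEUI": {"Disabled"},    # assumed key for "SMB: [Disabled] for [NetBEUI]"
    "SSL/TLS": {"Enabled"},
    "IPSec": {"Enabled"},
    "SNMP v1/v2c": {"Disabled"},
    "SNMPv3": {"Enabled"},
    "S/MIME": {"Enabled"},
    "Audit Log": {"Enabled"},
}
# Requirements the guide ties to one authentication type.
LOCAL_ONLY = {"User Passcode Minimum Length": {"9"}}
REMOTE_ONLY = {"Direct Fax": {"Disabled"}, "WebDAV": {"Disabled"}}


def parse_settings(text):
    """Parse 'Setting: value' lines; drops [ ] around values, skips blanks and # lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'Setting: value' line: {raw!r}")
        settings[name.strip()] = value.strip().strip("[]")
    return settings


def audit(settings):
    """Return (setting, observed, allowed) for every deviation, sorted by name."""
    required = dict(BASELINE)
    auth = settings.get("Authentication")
    if auth == "Login to Remote Accounts":
        required.update(REMOTE_ONLY)
    elif auth == "Login to Local Accounts":
        required.update(LOCAL_ONLY)
    findings = []
    for name, allowed in required.items():
        observed = settings.get(name)  # None: not recorded, reported as a deviation
        if observed not in allowed:
            findings.append((name, observed, sorted(allowed)))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample: a machine in remote-authentication mode, WebDAV not recorded.
SAMPLE = """\
Passcode Entry from Control Panel: [On]
Maximum Login Attempts: 5
Service Rep. Restricted Operation: [Off]
Overwrite Hard Disk: [3 Overwrites]
Data Encryption: [On]
Scheduled Image Overwrite: [Enabled]
Authentication: [Login to Remote Accounts]
Device Access: [Locked]
Service Access: [Locked]
Private Print: [Save in Private Charge Print]
Direct Fax: [Enabled]
SMB NetBEUI: [Disabled]
SSL/TLS: [Enabled]
IPSec: [Enabled]
SNMP v1/v2c: [Enabled]
SNMPv3: [Enabled]
S/MIME: [Enabled]
Audit Log: [Enabled]
"""

if __name__ == "__main__":
    for name, observed, allowed in audit(parse_settings(SAMPLE)):
        print(f"DEVIATION {name}: observed {observed!r}, required one of {allowed}")
```

A setting that is missing from the input is reported with an observed value of `None`, so an incomplete transcription cannot pass silently.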
Data Restoration
The enciphered data cannot be restored in the following conditions.
• When a problem occurs in the hard disk.
• When you have forgotten the encryption key.
• When you have forgotten the System Administrator ID and passcode while [Service Rep. Restricted Operation] is set to [On].
Starting use of the data encryption feature and changing the settings
When data encryption is started or ended, or when the encryption key is changed, the machine must be restarted. The corresponding recording area (the hard disk) is reformatted when restarting. In this case, the previous data is not guaranteed.
The recording area stores the following data.
• Spooled print data
• Print data including the secure print and sample print
• Forms for the form overlay feature
• Folder and job flow sheet settings (Folder name, passcode, etc.)
• Files in Folder
• Address book data
Important:
Be sure to save all necessary settings and files before starting to use the data encryption feature or changing the settings.
An error occurs if the connected hard disk does not match the encryption settings.
Use of the Overwrite Hard Disk
In order to protect data stored on the hard disk from unauthorized retrieval, you can set the overwrite conditions to apply to data stored on the hard disk.
You can set the number of overwrite passes to one or three. When [1 Overwrite] is selected, “0” is written to the disk area. [3 Overwrites] ensures higher security than [1 Overwrite].
The setting also overwrites temporarily saved data such as copy documents.
Important:
If the machine is powered off during the overwriting operation, unfinished files may remain on the hard disk. The overwriting operation will resume if you power the machine on again with the unfinished files remaining on the hard disk.
Service Representative Restricted Operation
Specifies whether the Service Representative has full access to the security features of the machine, including the ability to change System Administrator settings.
For the WorkCentre 7120, select [On] and then set [Maintenance Passcode] to restrict the Service Representative from entering the System Administration mode.
Important:
If the System Administrator’s user ID and passcode are lost when [Service Rep. Restricted Operation] is set to [On], neither you nor we will be able to change any setting in the System Administration mode.
For Optimal Performance of the Security features
The manager (of the organization that the machine is used for) needs to follow the instructions below:
• Assign appropriate persons as system and machine administrators, and manage and train them properly.
• If the network where the machine is installed is to be connected to external networks, configure the network properly to block any unauthorized external access.
• Users must set a user ID and a passcode in the accounting configuration of the printer driver.
• Users and administrators must set passcodes and the encryption key according to the following rules for the client PC login and the machine’s setup.
  Do not use easily guessed character strings as passcodes.
  Passcodes must contain both numeric and alphabetic characters.
• Administrators must set the account policy in the LDAP server as follows.
  Set the password policy to [9 or more characters].
  Set the account lockout policy to [5 times].
• For secure operation, all of the remote trusted IT products that communicate with the machine implement the communication protocol in accordance with industry standard practice with respect to RFC/other standard compliance (SSL/TLS, IPSec, SNMPv3, S/MIME) and work as advertised.
The settings described below must be the same as the machine’s configuration.
1. SSL/TLS
Set the SSL client (Web browser) and SSL server that communicate with the machine to use the following data encryption suites:
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
Specifically, the recommended browsers are Microsoft Internet Explorer 6/7/8 and Mozilla Firefox 2.x/3.x.
2. S/MIME
Set the machine and mail clients to the following Encryption Method/Message Digest Algorithm:
• RC2(128bit)/SHA1
• 3Key Triple-DES(168bit)/SHA1
3. IPSec
Set the IPSec host that communicates with the machine to the following Encryption Method/Message Digest Algorithm:
• AES(128bit)/SHA1
• 3Key Triple-DES(168bit)/SHA1
4. SNMPv3
The Encryption Method of SNMPv3 is fixed to DES. Set the Message Digest Algorithm to SHA1.
Important:
• For secure operation, do not access other web sites while you are using the CentreWare Internet Services.
• For secure operation, when you change [Authentication Type], initialize the hard disk by resetting [Data Encryption] and changing the encryption key.
• To prevent SSL vulnerability, set the machine address in the proxy exclusion list of the browser. With this setting, the machine and the remote browser communicate directly without a proxy server, so secure communication is ensured and a man-in-the-middle attack can be prevented.
Confirm the Machine ROM version and the System Clock
Before initial settings, the System Administrator (Machine Administrator) has to check the machine ROM version and the system clock of the machine.
How to check by Control Panel
1. Press the <Machine Status> button on the control panel.
2. Select [Machine information] on the touch screen.
3. Select [Software Version] on the [Machine information] screen.
You can identify the software versions of the components of the machine on the screen.
How to check by Print Report
1. Press the <Machine Status> button on the control panel.
2. Select [Print Reports] on the [Machine information] screen.
3. Select [Printer Reports] on the touch screen.
4. Select [Configuration Reports].
5. Press the <Start> button on the control panel.
You can identify the software versions of the components of the machine from the printed report.
How to check the Clock
1. Press the <Log In / Out> button on the control panel.
2. Enter the System Administrator’s Login ID and Passcode if prompted (default admin, 1111).
3. Select [Enter] on the touch screen.
4. Press the <Machine Status> button on the control panel.
5. Select [Tools] on the touch screen.
6. Select [System Settings].
7. Select [Common Service Settings].
8. Select [Machine Clock/Timers].
You can check the time and date of the internal clock. If a change is required, use the following procedure.
1. Select the required option.
2. Select [Change Settings].
3. Change the required setting. Use the scroll bars to switch between screens.
4. Select [Save].
Initial Settings Procedures Using Control Panel
This chapter describes the initial settings related to Security Features, and how to set them on the machine’s control panel.
Use Passcode Entry from Control Panel
1. Press the <Log In/Out> button on the control panel.
2. Enter "admin" with the keyboard displayed. This is the factory default "ID".
3. Select [Enter] on the touch screen.
4. Select [Tools].
5. Select [Authentication/Security Settings].
6. Select [Authentication].
7. Select [Passcode Policy].
8. On the [Passcode Policy] screen, select [Passcode Entry from Control Panel].
9. Select [Change Settings].
10. On the [Passcode Entry from Control Panel] screen, select [On].
11. Select [Save].
12. To exit the [Passcode Policy] screen, select [Close] in the upper right corner of the screen.
13. To exit the [Tools] screen, select [Close] in the upper right corner of the screen.
14. Select [Reboot Now] on the confirmation screen.
Authentication for entering the System Administration mode
1. Press the <Log In/Out> button on the control panel.
2. Enter "admin" with the keyboard displayed. This is the factory default "ID".
3. Select [Next] on the touch screen.
4. Enter "1111" for passcode from the keyboard.
5. Select [Enter] on the touch screen.
6. Select [Tools].
Change the System Administrator’s Passcode
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [System Administrator Settings].
3. Select [System Administrators Passcode].
4. On the [System Administrator's Passcode] screen, select [Keyboard].
5. Enter a new passcode of 9 or more characters in [New Passcode], and select [Save].
6. In [Retype Passcode], select [Keyboard].
7. Enter the same passcode, and select [Save] twice.
8. In the [Do you want to change the System Administrators Passcode?] screen, select [Yes].
Set Maximum Login Attempts
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Authentication].
3. Select [Maximum Login Attempts By System Administrator].
4. On the [Maximum Login Attempts] screen, select [Limit Attempts].
5. With [] and [], set [5].
6. Select [Save].
Set Service Rep. Restricted Operation
1. Select [System Settings] on the [Tools] screen.
2. Select [Common Service Settings].
3. Select [Other Settings].
4. On the [Other Settings] screen, select [Service Rep. Restricted Operation].
5. Select [Change Settings].
6. Select [On].
7. Select [Maintenance Passcode].
8. Select [Keyboard], and enter a new passcode of 9 or more characters in [New Passcode].
9. Select [Save].
10. Select [Keyboard], and enter the same passcode in [Retype Passcode].
11. Select [Save].
12. Select [Save] twice.
13. In the [Do you want to proceed?] screen, select [Yes].
14. In the [Do you still want to proceed?] screen, select [Yes].
Set Overwrite Hard Disk
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Overwrite Hard Disk].
3. Select [Number of Overwrites].
4. On the [Number of Overwrites] screen, select [1 Overwrite] or [3 Overwrites].
5. Select [Save].
Set Data Encryption
1. Select [System Settings] on the [Tools] screen.
2. Select [Common Service Settings].
3. Select [Other Settings].
4. On the [Other Settings] screen, select [Data Encryption].
5. Select [Change Settings].
6. Select [On].
7. Select [Keyboard], and enter a New Encryption Key of 12 characters.
8. Select [Save].
9. Select [Keyboard], and re-enter the Encryption Key.
10. Select [Save] twice.
11. Select [Yes] to make the change.
12. Select [Yes] to Reboot.
Set Scheduled Image Overwrite
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Overwrite Hard Disk].
3. Select [Scheduled Image Overwrite].
4. On the [Scheduled Image Overwrite] screen, select [Daily], [Weekly] or [Monthly].
5. Set [Day], [Hour], [minutes].
6. Select [Save].
Set Authentication
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Authentication].
3. Select [Login Type].
4. On the [Login Type] screen, select [Login to Local Accounts] or [Login to Remote Accounts].
5. Select [Save].
When [Login to Remote Accounts] is selected in step 4, proceed to steps 6 to 12.
6. Select [System Settings] on the [Tools] screen.
7. Select [Connectivity&Network Setup].
8. Select [Remote Authentication/Directory Service].
9. Select [Authentication System Setup].
10. On the [Authentication System] screen, select [LDAP].
11. Select [Close].
12. To exit the [Remote Authentication/Directory Service] screen, select [Close] in the upper right corner of the screen.
Set Access Control
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Authentication].
3. Select [Access Control].
4. Select [Device Access].
5. On the [Device Access] screen, select [Locked] for [All Services Pathway].
6. Select [Save].
7. Select [Service Access].
8. On the [Service Access] screen, select [Locked] for all Items by [Change Settings].
9. To exit the [Access Control] screen, select [Close] in the upper right corner of the screen.
Set Private Print
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Authentication].
3. Select [Charge/Private Print Settings].
4. On the [Charge/Private Print Settings] screen, select [Receive Control].
5. Select [Change Settings].
When [Login to Local Accounts] is selected
1) On the [Receive Control] screen, select [According to Print Auditron].
2) Select [Save As Private Charge Print Job] for [Job Login Success].
3) Select [Delete Job] for [Job Login Failure].
4) Select [Delete Job] for [Job without User ID].
When [Login to Remote Accounts] is selected
1) On the [Receive Control] screen, select [Save As Private Charge Print Job].
6. Select [Save].
7. To exit the [Charge/Private Print Settings] screen, select [Close] in the upper right corner of the screen.
Set User Passcode Minimum Length
Note: This feature is only applicable to Local Authentication mode.
1. Select [Authentication/Security Settings] on the [Tools] screen.
2. Select [Authentication].
3. Select [Passcode Policy].
4. On the [Passcode Policy] screen, select [Minimum Passcode Length].
5. Select [Change Settings].
6. On the [Minimum Passcode Length] screen, select [Set].
7. With [] and [], set [9].
8. Select [Save].
9. To exit the [Passcode Policy] screen, select [Close] in the upper right corner of the screen.
10. To exit the [Tools] screen, press the <Services> button on the control panel.
Set Direct Fax
Note: When remote authentication is used, use the following procedure to set [Direct Fax] to [Disabled].
1. Select [System Settings] on the [Tools] screen.
2. Select [Fax Service Settings].
3. Select [Fax Control].
4. Select [Direct Fax].
5. Select [Disabled].
6. Select [Save].
7. To exit the [Fax Control] screen, select [Close] in the upper right corner of the screen.
8. To exit the [Tools] screen, select [Close] in the upper right corner of the screen.
Initial Settings Procedures Using CentreWare Internet Services
This section describes the initial settings related to Security Features, and how to set them on CentreWare Internet Services.
Preparations for settings on the CentreWare Internet Services
Prepare a computer supporting the TCP/IP protocol to use CentreWare Internet Services.
CentreWare Internet Services supports browsers that satisfy the "SSL/TLS" (1.8) conditions.
1. Open your Web browser, enter the TCP/IP address of the machine in the Address or Location field, and press the <Enter> key on your workstation.
2. Enter the System Administrator’s ID and passcode if prompted.
3. Display the [Properties] screen by clicking the [Properties] tab.
Set SMB
1. Click [+] on the left of the [Connectivity] folder on the [Properties] screen.
2. Click [Port Setting].
3. Uncheck the [NetBEUI] box for [SMB].
4. Click the [Apply] button.
Set WebDAV
Note: When remote authentication is used, use the following procedure to disable WebDAV.
1. Click [+] on the left of the [Connectivity] folder on the [Properties] screen.
2. Click [Port Setting].
3. Uncheck the [WebDAV] box.
4. Click the [Apply] button.
Set LDAP
1. Click [+] on the left of the [Connectivity] folder on the [Properties] screen.
2. Click [+] on the left of the [Protocols] folder.
3. Click [+] on the left of the [LDAP] folder.