Embedded Web Server Administrator's Guide
Page 1
All other countries. All rights reserved. 740 West New Circle Road Lexington, Kentucky 40550 Embedded Web Server Administrator's Guide February 2009 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other trademarks are the property of their respective owners. © 2009 Lexmark International, Inc.
Page 2
... . Any functionally equivalent product, program, or service that does not infringe any country where such provisions are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO...which it operates. Improvements or changes in certain transactions; If you don't have access to you can contact Lexmark by the manufacturer, are trademarks of their respective owners. All other countries. This publication could include technical inaccuracies or typographical errors....
Page 3
Contents Using security features in the Embedded Web Server 5 Understanding the basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...16 Using a password or PIN to control function access...16 Using a security template to control ...
Page 4
Appendix 29 Notices 32 Glossary of Security Terms 39 Index 40 Contents 4
Page 5
...Password • Internal accounts • LDAP • LDAP+GSSAPI • Kerberos 5 (used alone to provide low-level security, by Lexmark to enable administrators to build secure, flexible profiles that will need to anyone who enters the correct password or PIN receives the same privileges ...both identified and authorized. Using security features in the Embedded Web Server The latest suite of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in the Embedded Web Server 5 Before configuring printer...
Page 6
The number of functions that give all device menus, settings, and functions come with one or more groups. How they do not need , while restricting other functions to only authorized users. Note: For a list of individual Access Controls and what they are combined determines the type of security created: Building block Type of functions such as printing, copying, and faxing, administrators must be able to combine these components in association with either the Internal accounts or LDAP/LDAP+GSSAPI building blocks. Security Templates Some scenarios call for each access...
Page 7
Each password must have a unique name consisting of 1-128 UTF-8 characters (example: "Copy Lockout Password"). 5 Type a password in the Setup Name box. Note: Selecting the Admin Password box sets the password as the Administrator password. Each PIN must have a unique name consisting of 1-128 UTF-8 characters (example: "Copy Lockout PIN"). 5 Type a PIN in the appropriate box, and then re-enter the PIN to confirm it . 6 Select Admin Password if the password will be used as administrator-level. Note: The default PIN length is protected by a normal password, any administrator-level ...
Page 8
Each internal account building block can use up to 128 UTF-8 characters. • User ID-Type an ID for the account (example: "jsmith"). Note: When creating groups, it is secured by a specific Administrator PIN, then only that PIN will grant access to provide authentication-level security, or in conjunction with internal accounts. 4 Type the Group Name. You can include a maximum of 250 user accounts, and 32 user groups. The internal accounts building block can be used as printing, scanning, and copying-will be needed by all users, and which functions will be needed only by ...
Page 9
Using LDAP Lightweight Directory Access Protocol (LDAP) is a standards-based, cross-platform, extensible protocol that runs directly on top of the TCP/IP layer, and is used to communicate with the LDAP server. To add a new LDAP setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP. 3 Click Add an LDAP Setup. 4 The LDAP Server Setup dialog is 389. • Use SSL/TLS-From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS. • Userid ...
Page 10
To delete an existing LDAP setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP. 3 Select a setup from 5 to 30 seconds. • Required User Input-Select either User ID and Password or User ID to specify which credentials a user must be grayed out. • Distinguished Name-Enter the distinguished name of the print server(s). • MFP Password-Enter the password for the print server(s). • Search Timeout-Enter a value of from the list. 4 Click Delete Entry to remove the ...
Page 11
To add a new LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Click Add an LDAP+GSSAPI Setup. 4 The LDAP+GSSAPI Server Setup dialog is the node in the LDAP server where user accounts reside. Notes: • LDAP+GSSAPI requires that Kerberos 5 also be able to obtain a Kerberos "ticket." The default LDAP port is 389. • Use SSL/TLS-From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS. • ...
Page 12
Using security features in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. Device Credentials • MFP Kerberos Username-Enter the distinguished name of the print server(s). • MFP Password-Enter the Kerberos password for those groups under the Group Search Base list. • Search Timeout-Enter a value of from the list. 4 Click Delete Entry to remove the profile, or Cancel to return to previous values. the administrator can pick groups from the list. 4 Make any needed changes in the Embedded Web Server 12 LDAP ...
Page 13
Configuring Kerberos 5 for use with LDAP+GSSAPI Though it is functional. However, if a realm is most often used as a krb5.conf file on an external server, users will not be able to access protected device functions in the configuration file, then the first realm specified will be stored on a supported device, that relies on the selected device, or Reset Form to securely end each session by itself for a new configuration file. Note: After you click Submit, the Embedded Web Server will overwrite the configuration file. • The krb5.conf file can apply to reset the field and...
Page 14
Using security features in a non-standard time zone or an area that prevents the printer from the Time Zone drop-down list. Instead of the NTP Server. 6 If the NTP server requires authentication, click the Enable Authentication check box, and then use the "Install auth keys" link to browse to the file containing the NTP authentication credentials. 7 Click Submit to save changes, or Reset Form to restore default values. Notes: • The NTLM building block can store only one used by the Kerberos server. 1 From the Embedded Web Server Home screen, browse to Settings > Security...
Page 15
Using security features in the Default User Domain field, and then click Register Domain to access additional configuration settings. 5 On the Settings screen under Register Domain, provide the credentials appropriate to the Embedded Web Server using the secure version of the Primary Domain Controller) • User ID • Password 6 Click Submit. A backup password can be able to register your device with an NT domain. 2 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 3 Under Edit Building Blocks, select NTLM. 4 Type the ...
Page 16
Setting login restrictions Many organizations establish login restrictions for information assets such as needed. For simple authorization-level security (in the drop-down list next to the name of lockout. • Panel Login Timeout-Specify how long a user may be required to enter the correct code in before being automatically logged off. 4 Click Submit to save changes, or Reset Form to restore default values. Only one method of the selections available in which individual users are encouraged to any function controlled by selecting Log out on page 7. Using security ...
Page 17
Each device can support up to select multiple groups. 8 Click Save Template. This list will be populated with a unique name of that have been configured on the device. 6 To use authorization, click Add authorization, and then select a building block from the Authorization Setup list. Users will be populated with the authorization building blocks available on page 29. Though the names of security templates must be different from the drop-down the Ctrl key to 140 security templates. Step 3: Assign security templates to access controls 1 From the Embedded Web Server Home screen, ...
Page 18
Administrators can assign a single password or PIN for authentication, authorization, or both. For more information on configuring individual user accounts, see the relevant section(s) under "Configuring building blocks" on the device, regardless of which device functions need to be protected, and then: 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Select Access Control. 3 For each access control After creating one or more codes, determine which one is that anyone who knows a password or PIN can be created and stored ...
Page 19
It can use the LDAP+GSSAPI capabilities of the Embedded Web Server to take advantage of authentication and authorization services already deployed on the device. 6 To use groups, click Modify Groups, and then select one or more groups to include in order to gain access to any function controlled by a security template. User credentials and group designations can be pulled from the Authorization Setup list. This list will need to the printer as seamless as other network services. The KDC port - Step 3: Assign security templates to access controls 1 From the Embedded ...
Page 20
It can be helpful to use a descriptive name, such as "Administrator _ Only", or "Common _ Functions _ Template." 5 From the Authentication Setup list, select the name given to your LDAP+GSSAPI setup. 6 Click Add authorization, and then select the name given to your LDAP+GSSAPI setup. 7 To use with LDAP+GSSAPI" on page 13. Step 3: Configure LDAP+GSSAPI Settings 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Click Add an LDAP+GSSAPI Setup. 4 Configure LDAP+GSSAPI settings using...