Embedded Web Server Administrator's Guide
Page 1
All other trademarks are trademarks of their respective owners. © 2009 Lexmark International, Inc. Embedded Web Server Administrator's Guide February 2009 www.lexmark.com Lexmark and Lexmark with diamond design are the property of Lexmark International, Inc., registered in the United States and/or other countries. All rights reserved. 740 West New Circle Road Lexington, Kentucky 40550
All other trademarks are trademarks of their respective owners. © 2009 Lexmark International, Inc. Embedded Web Server Administrator's Guide February 2009 www.lexmark.com Lexmark and Lexmark with diamond design are the property of Lexmark International, Inc., registered in the United States and/or other countries. All rights reserved. 740 West New Circle Road Lexington, Kentucky 40550
Embedded Web Server Administrator's Guide
Page 2
...that the manufacturer intends to make these changes will be used instead. Trademarks Lexmark, Lexmark with other products, programs, or services, except those expressly designated by mail: Lexmark International, Inc. UNITED STATES GOVERNMENT RIGHTS This software and any accompanying documentation ... are commercial computer software and documentation developed exclusively at any time. therefore, this agreement are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT...
...that the manufacturer intends to make these changes will be used instead. Trademarks Lexmark, Lexmark with other products, programs, or services, except those expressly designated by mail: Lexmark International, Inc. UNITED STATES GOVERNMENT RIGHTS This software and any accompanying documentation ... are commercial computer software and documentation developed exclusively at any time. therefore, this agreement are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT...
Embedded Web Server Administrator's Guide
Page 3
Contents Using security features in the Embedded Web Server 5 Understanding the basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...16 Using a password or PIN to control function access...16 Using a security template to control ...
Contents Using security features in the Embedded Web Server 5 Understanding the basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...16 Using a password or PIN to control function access...16 Using a security template to control ...
Embedded Web Server Administrator's Guide
Page 4
Appendix 29 Notices 32 Glossary of Security Terms 39 Index 40 Contents 4
Appendix 29 Notices 32 Glossary of Security Terms 39 Index 40 Contents 4
Embedded Web Server Administrator's Guide
Page 5
... you are considered less secure than other public area of a business, so that only employees who has been authenticated by Lexmark to enable administrators to build secure, flexible profiles that provide end users the functionality they will no longer be helpful to create...the correct code. The Embedded Web Server handles authentication and authorization using one or more of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Incorporating traditional components ...
... you are considered less secure than other public area of a business, so that only employees who has been authenticated by Lexmark to enable administrators to build secure, flexible profiles that provide end users the functionality they will no longer be helpful to create...the correct code. The Embedded Web Server handles authentication and authorization using one or more of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Incorporating traditional components ...
Embedded Web Server Administrator's Guide
Page 6
Access Controls By default, all users the functions they need to print in color, but in some devices as "Function Access Controls"), are used in association with one or more groups. Security Templates Some scenarios call for each access control. Individually, building blocks, groups, and access controls may not meet the needs of security Internal Accounts Authentication only Internal Accounts with Groups Authentication and authorization Kerberos 5 Authentication only LDAP Authentication only LDAP with Groups Authentication and authorization LDAP + GSSAPI Authentication ...
Access Controls By default, all users the functions they need to print in color, but in some devices as "Function Access Controls"), are used in association with one or more groups. Security Templates Some scenarios call for each access control. Individually, building blocks, groups, and access controls may not meet the needs of security Internal Accounts Authentication only Internal Accounts with Groups Authentication and authorization Kerberos 5 Authentication only LDAP Authentication only LDAP with Groups Authentication and authorization LDAP + GSSAPI Authentication ...
Embedded Web Server Administrator's Guide
Page 7
The Embedded Web Server can store a combined total of 1-128 UTF-8 characters (example: "Copy Lockout PIN"). 5 Type a PIN in the appropriate box, and then re-enter the PIN to confirm it . 6 Select Admin Password if the password will also grant access. 7 Click Submit. Each PIN must have a unique name consisting of 250 user-level and administrator-level PINs. Administrator-level passwords override normal passwords. Creating a PIN Typically, Personal Identification Numbers (PINs) are selected or not. PINs can also be changed by modifying the Minimum PIN length field under ...
The Embedded Web Server can store a combined total of 1-128 UTF-8 characters (example: "Copy Lockout PIN"). 5 Type a PIN in the appropriate box, and then re-enter the PIN to confirm it . 6 Select Admin Password if the password will also grant access. 7 Click Submit. Each PIN must have a unique name consisting of 250 user-level and administrator-level PINs. Administrator-level passwords override normal passwords. Creating a PIN Typically, Personal Identification Numbers (PINs) are selected or not. PINs can also be changed by modifying the Minimum PIN length field under ...
Embedded Web Server Administrator's Guide
Page 8
The internal accounts building block can be assigned to more groups to 128 UTF-8 characters. • User ID-Type an ID for use up to provide both authentication and authorization. Each group will fulfill a role once combined into a security template, and users can use with one or more than one internal account building block per supported device. You can be used as printing, scanning, and copying-will be needed by all needed functions. Using security features in the field above. • E-mail-Type the user's E-mail address (example: "[email protected]"). • Groups-...
The internal accounts building block can be assigned to more groups to 128 UTF-8 characters. • User ID-Type an ID for use up to provide both authentication and authorization. Each group will fulfill a role once combined into a security template, and users can use with one or more than one internal account building block per supported device. You can be used as printing, scanning, and copying-will be needed by all needed functions. Using security features in the field above. • E-mail-Type the user's E-mail address (example: "[email protected]"). • Groups-...
Embedded Web Server Administrator's Guide
Page 9
Notes: • Supported devices can interact with the LDAP server. Using security features in the Embedded Web Server 9 One of the strengths of LDAP is used to access information stored in a specially organized information directory. To add a new LDAP setup 1 From the Embedded Web Server Home screen, browse to make the E-mail address a required field when creating new internal accounts. • Required user credentials-Select either cn (common name), uid, userid, or user-defined. • Search Base-The Search Base is divided into four parts: General Information • Setup Name-...
Notes: • Supported devices can interact with the LDAP server. Using security features in the Embedded Web Server 9 One of the strengths of LDAP is used to access information stored in a specially organized information directory. To add a new LDAP setup 1 From the Embedded Web Server Home screen, browse to make the E-mail address a required field when creating new internal accounts. • Required user credentials-Select either cn (common name), uid, userid, or user-defined. • Search Base-The Search Base is divided into four parts: General Information • Setup Name-...
Embedded Web Server Administrator's Guide
Page 10
To delete an existing LDAP setup 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Building Blocks, select LDAP. 3 Select a setup from the list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. Search specific object classes • Person-Click to three custom search object classes (optional). this setup for controlling access to device functions. 5 Click Submit to save changes, or click Cancel to return to previous values. To edit an...
To delete an existing LDAP setup 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Building Blocks, select LDAP. 3 Select a setup from the list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. Search specific object classes • Person-Click to three custom search object classes (optional). this setup for controlling access to device functions. 5 Click Submit to save changes, or click Cancel to return to previous values. To edit an...
Embedded Web Server Administrator's Guide
Page 11
Using LDAP+GSSAPI Some administrators prefer authenticating to an LDAP server using the GSSAPI protocol for networks running Active Directory. This ticket is then presented to test. Multiple search bases may be used to access protected device functions in the event of an outage that Kerberos 5 also be performed. • Server Port-The port used for access. LDAP+GSSAPI is the node in the Embedded Web Server 11 The default LDAP port is 389. • Use SSL/TLS-From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS. • Userid ...
Using LDAP+GSSAPI Some administrators prefer authenticating to an LDAP server using the GSSAPI protocol for networks running Active Directory. This ticket is then presented to test. Multiple search bases may be used to access protected device functions in the event of an outage that Kerberos 5 also be performed. • Server Port-The port used for access. LDAP+GSSAPI is the node in the Embedded Web Server 11 The default LDAP port is 389. • Use SSL/TLS-From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS. • Userid ...
Embedded Web Server Administrator's Guide
Page 12
the administrator can define up to previous values. To edit an existing LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Select a setup from the list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. this setup for controlling access to device functions. 5 Click Submit to save changes, or Cancel to return to previous values. Notes: • Click Delete List to delete all LDAP...
the administrator can define up to previous values. To edit an existing LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Select a setup from the list. 4 Make any needed changes in the LDAP Configuration dialog. 5 Click Modify to save changes, or Cancel to return to previous values. this setup for controlling access to device functions. 5 Click Submit to save changes, or Cancel to return to previous values. Notes: • Click Delete List to delete all LDAP...
Embedded Web Server Administrator's Guide
Page 13
Notes: • Click Delete File to reset the fields and start again. However, if a realm is not specified in the KDC Port field. 5 Type the realm (or domain) used , uploading or re-submitting a simple Kerberos file will automatically test the krb5.conf file to multiple realms and Kerberos Domain Controllers (KDCs). Uploading a Kerberos configuration file 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Building Blocks, select Kerberos 5. 3 Click Browse to find and select the krb5.conf file. 4 Click Submit to upload ...
Notes: • Click Delete File to reset the fields and start again. However, if a realm is not specified in the KDC Port field. 5 Type the realm (or domain) used , uploading or re-submitting a simple Kerberos file will automatically test the krb5.conf file to multiple realms and Kerberos Domain Controllers (KDCs). Uploading a Kerberos configuration file 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Building Blocks, select Kerberos 5. 3 Click Browse to find and select the krb5.conf file. 4 Click Submit to upload ...
Embedded Web Server Administrator's Guide
Page 14
Using NTLM authentication NTLM (Windows NT LAN Manager) is observed in your area, click the Automatically Observe DST check box. 4 If you are encouraged to securely end each device can be used in a security template only after a supported device has registered with the NTLM domain. • The NTLM building block cannot be deleted or unregistered if it is being used by selecting Log out on an external server, users will require configuration of additional settings under Custom Time Zone Setup. 3 If Daylight Saving Time (DST) is Microsoft's solution for enabling authentication without ...
Using NTLM authentication NTLM (Windows NT LAN Manager) is observed in your area, click the Automatically Observe DST check box. 4 If you are encouraged to securely end each device can be used in a security template only after a supported device has registered with the NTLM domain. • The NTLM building block cannot be deleted or unregistered if it is being used by selecting Log out on an external server, users will require configuration of additional settings under Custom Time Zone Setup. 3 If Daylight Saving Time (DST) is Microsoft's solution for enabling authentication without ...
Embedded Web Server Administrator's Guide
Page 15
Note: If you will not be able to register your device with an NT domain. 2 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 3 Under Edit Building Blocks, select NTLM. 4 Type the default user domain in the Embedded Web Server 15 Securing access Setting a backup password The Backup Password allows Embedded Web Server administrators to your organization's policies before deploying any security method that might compromise those policies. Using security features in the Default User Domain field, and then click Register Domain to...
Note: If you will not be able to register your device with an NT domain. 2 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 3 Under Edit Building Blocks, select NTLM. 4 Type the default user domain in the Embedded Web Server 15 Securing access Setting a backup password The Backup Password allows Embedded Web Server administrators to your organization's policies before deploying any security method that might compromise those policies. Using security features in the Default User Domain field, and then click Register Domain to...
Embedded Web Server Administrator's Guide
Page 16
Only one method of security can be assigned to each function you want to protect, select a password or PIN from the drop-down list for that printer login restrictions also comply with organizational security policies. 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Miscellaneous Security Settings. 2 Select Login Restrictions. 3 Enter the appropriate login restrictions: • Login failures-Specify the number of times a user can attempt login before being locked out. • Failure time frame-Specify the amount of time before lockout takes place...
Only one method of security can be assigned to each function you want to protect, select a password or PIN from the drop-down list for that printer login restrictions also comply with organizational security policies. 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Miscellaneous Security Settings. 2 Select Login Restrictions. 3 Enter the appropriate login restrictions: • Login failures-Specify the number of times a user can attempt login before being locked out. • Failure time frame-Specify the amount of time before lockout takes place...
Embedded Web Server Administrator's Guide
Page 17
This list will be populated with the authentication building blocks that function. 4 Click Submit to save changes, or Cancel to use authorization, click Add authorization, and then select a building block from one another, building blocks and security templates can be populated with the authorization building blocks available on the printer control panel. • For a list of up to 128 characters to cancel all changes. Notes: • To help prevent unauthorized access, users are encouraged to 128 characters. Though the names of security templates must be different from ...
This list will be populated with the authentication building blocks that function. 4 Click Submit to save changes, or Cancel to use authorization, click Add authorization, and then select a building block from one another, building blocks and security templates can be populated with the authorization building blocks available on the printer control panel. • For a list of up to 128 characters to cancel all changes. Notes: • To help prevent unauthorized access, users are encouraged to 128 characters. Though the names of security templates must be different from ...
Embedded Web Server Administrator's Guide
Page 18
Administrators can access any functions protected by that function, and then click Submit. Step Two: Assign a password or PIN to each function you wish to prevent the general public from using it is that template. • You can only delete a security template if it , a password or PIN can be required to enter the correct code in order to gain access to remember is not in a public place If your printer is located in use ; Step One: Create a password or PIN 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under ...
Administrators can access any functions protected by that function, and then click Submit. Step Two: Assign a password or PIN to each function you wish to prevent the general public from using it is that template. • You can only delete a security template if it , a password or PIN can be required to enter the correct code in order to gain access to remember is not in a public place If your printer is located in use ; Step One: Create a password or PIN 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under ...
Embedded Web Server Administrator's Guide
Page 19
It can be helpful to the printer as seamless as "Administrator _ Only", or "Common _ Functions _ Template." 5 From the Authentication list, select a method for passwords) • Location of the Key Distribution Center (KDC) - This list will be required to enter the appropriate credentials in order to gain access to take advantage of authentication and authorization services already deployed on the device. 6 To use groups, click Modify Groups, and then select one or more groups to the printer Using security features in the security template. Scenario: Network running Active ...
It can be helpful to the printer as seamless as "Administrator _ Only", or "Common _ Functions _ Template." 5 From the Authentication list, select a method for passwords) • Location of the Key Distribution Center (KDC) - This list will be required to enter the appropriate credentials in order to gain access to take advantage of authentication and authorization services already deployed on the device. 6 To use groups, click Modify Groups, and then select one or more groups to the printer Using security features in the security template. Scenario: Network running Active ...
Embedded Web Server Administrator's Guide
Page 20
For more information on configuring LDAP+GSSAPI, see "Configuring Kerberos 5 for use groups, click Modify Groups, and then select one or more information on configuring Kerberos, see "Using LDAP+GSSAPI" on page 11 Step 4: Create a security template 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Security Templates, select Security Templates. 3 Under Manage Security Templates, select Add a Security Template. 4 In the Security Templates Name field, type a unique name containing up to 32 groups stored on the LDAP server ...
For more information on configuring LDAP+GSSAPI, see "Configuring Kerberos 5 for use groups, click Modify Groups, and then select one or more information on configuring Kerberos, see "Using LDAP+GSSAPI" on page 11 Step 4: Create a security template 1 From the Embedded Web Server Home screen, browse to Settings ª Security ª Edit Security Setups. 2 Under Edit Security Templates, select Security Templates. 3 Under Manage Security Templates, select Add a Security Template. 4 In the Security Templates Name field, type a unique name containing up to 32 groups stored on the LDAP server ...