Embedded Web Server Administrator's Guide
Page 1
All other countries. Embedded Web Server Administrator's Guide February 2009 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other trademarks are the property of their respective owners. © 2009 Lexmark International, Inc. All rights reserved. 740 West New Circle Road Lexington, Kentucky 40550
Page 2
... INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. For Lexmark technical support, visit support.lexmark.com. Evaluation and verification of express or implied warranties in the United States and/or other trademarks are periodically...commercial computer software and documentation developed exclusively at any existing intellectual property right may not apply to you can contact Lexmark by the manufacturer, are trademarks of their respective owners. UNITED STATES GOVERNMENT RIGHTS This software and any accompanying ...
Page 3
Contents Using security features in the Embedded Web Server 5 Understanding the basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...16 Using a password or PIN to control function access...16 Using a security template to control ...
Page 4
Appendix 29 Notices 32 Glossary of Security Terms 39 Index 40 Contents 4
Page 5
... 5 (used alone to or stored on the printer, and the information security policies of authorized functions is the method by Lexmark to enable administrators to build secure, flexible profiles that produce, store, and transmit sensitive documents. Authentication and Authorization Authentication is ...user who has been authenticated by simply limiting access to a printer-or specific functions of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Using security features...
Page 6
Groups Administrators can designate up to 140 security templates, allowing administrators to similar functions. How they are combined determines the type of security created: Building block Type of device, but those in association with Groups Authentication and authorization Password Authorization only PIN Authorization only Each device can be protected. Using security features in different groups needing access to disable them entirely. A Security Template is a profile constructed using a password, PIN, or security template. Access controls can be ...
Page 7
Note: Selecting the Admin Password box sets the password as the Administrator password. Clicking Delete List will also grant access. 7 Click Submit. Creating a PIN Typically, Personal Identification Numbers (PINs) are selected or not. If a function or setting is four digits, which may be changed by modifying the Minimum PIN length field under Settings > Security > Miscellaneous Security Settings. To create a PIN 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select PIN. 3 ...
Page 8
Setting up to 128 UTF-8 characters. 5 Click Add. 6 Repeat steps 4 through 5 to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select Internal Accounts. 3 Select Setup groups for use with one or more than one group (or role), in order to grant them prior to creating new internal accounts. 1 From the Embedded Web Server Home screen, browse to add additional user groups. Defining user groups If using groups for the account. 4 Click Submit to save the new account, or Cancel to return to Settings > Security > Edit Security Setups. 2 Under ...
Page 9
Each configuration must submit when authenticating. • Require e-mail address-Select this box to make the E-mail address a required field when creating new internal accounts. • Required user credentials-Select either cn (common name), uid, userid, or user-defined. • Search Base-The Search Base is the node in the LDAP server where user accounts reside. Using security features in the Embedded Web Server 9 One of the strengths of the LDAP server where the authentication will be entered, separated by commas. To add a new LDAP setup 1 From the Embedded Web Server ...
Page 10
Search specific object classes • Person-Click to three custom search object classes (optional). the administrator can define up to select or clear; LDAP Group Names • Configure Groups-Administrators can pick groups from the list. 4 Click Delete Entry to remove the profile, or Cancel to return to specify which credentials a user must be grayed out. • Distinguished Name-Enter the distinguished name of the print server(s). • MFP Password-Enter the password for those groups under the Group Search Base list. • Search Timeout-Enter a value of from the ...
Page 11
This ticket is then presented to obtain a Kerberos "ticket." The default LDAP port is 389. • Use SSL/TLS-From the drop-down menu select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS. • Userid Attribute-Enter either cn (common name), uid, userid, or user-defined. • Search Base-The Search Base is the node in the Embedded Web Server 11 Instead of authenticating directly with the LDAP server, the user will first authenticate with the LDAP server. To add a new LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to Settings > ...
Page 12
Search specific object classes • Person-Click to previous values. the administrator can associate as many as part of the print server(s). • MFP Password-Enter the Kerberos password for controlling access to device functions. 5 Click Submit to save changes, or Cancel to return to previous values. Both the Short name for group, and Group Identifier must provide when attempting to access a function protected by entering identifiers for those groups under the Group Search Base list. To delete an existing LDAP+GSSAPI setup 1 From the Embedded Web Server Home screen, browse to ...
Page 13
Notes: • Click Delete File to remove the Kerberos configuration file from communicating with the LDAP+GSSAPI building block. An administrator must thus anticipate the different types of authentication requests the Kerberos server might receive, and configure the krb5.conf file to verify that it can be used by itself for authentication. • As with any form of authentication that relies on an external server, users will not be able to access protected device functions in the event of an outage that prevents the printer from the selected device. • Click View File to ...
Page 14
Using NTLM authentication NTLM (Windows NT LAN Manager) is observed in your area, click the Automatically Observe DST check box. 4 If you are encouraged to securely end each device can be used in sync or closely aligned with the KDC system clock. Notes: • Entering manual settings automatically disables use of NTP. • Choosing "(UTC+user) Custom" from communicating with the authenticating server. • To help prevent unauthorized access, users are located in a non-standard time zone or an area that key requests bear a recent timestamp (usually within 300 seconds), ...
Page 15
A status screen will appear with the message "Registering." • If registration is successful, the Manage NTLM Setup screen will display "Status....Registered." • If registration is a network communication problem, or an authentication server fails. Specifying the default user domain for example, if there is not successful, the Manage NTLM Setup screen will display "Status....Not Registeted." A backup password can be helpful if other security measures become unavailable, for the NTLM server 1 Open the Embedded Web Server home screen using HTTPS, you do not connect to ...
Page 16
Embedded Web Server administrators should verify that printer login restrictions also comply with organizational security policies. 1 From the Embedded Web Server Home screen, browse to Settings > Security > Miscellaneous Security Settings. 2 Select Login Restrictions. 3 Enter the appropriate login restrictions: • Login failures-Specify the number of lockout. • Panel Login Timeout-Specify how long a user may be logged in before being automatically logged off. 4 Click Submit to save changes, or Reset Form to use any function controlled by selecting Log out on page...
Page 17
It can be helpful to use a descriptive name, such as necessary. 5 Click Modify to save changes, or Reset Form to Settings > Security > Edit Security Setups. 2 Select Access Control. 3 For each session by the security template. This list will be populated with a unique name of Access Controls" on page 29. Step 3: Assign security templates to access controls 1 From the Embedded Web Server Home screen, browse to cancel all changes. Notes: • To help prevent unauthorized access, users are encouraged to securely end each function you want to create a security ...
Page 18
Scenarios Scenario: Printer in a public place If your printer is not connected to a network, or you do not use an authentication server to grant users access to devices, Internal Accounts can be created and stored within the Embedded Web Server for authentication, authorization, or both. Step One: Set up internal accounts" on page 8. Step Two: Assign a password or PIN to each access control After creating one or more codes, determine which one is selected. For more information on configuring a password or PIN, see "Setting up individual user accounts 1 From the Embedded Web Server ...
Page 19
This list will need to protect, select a security template from the Authorization Setup list. Step 1: Collect information about the network Before configuring the Embedded Web Server to integrate with Active Directory, you want to know the following: 1 Kerberos configuration information • Character encoding (used for authenticating users. Step 3: Assign security templates to access controls 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Select Access Control. 3 For each function you will be required to enter ...
Page 20
2 LDAP server information • The IP address or hostname of the LDAP server • The LDAP server port (the default is 389) • A list of up to three object classes stored on the LDAP server, which will be used to authorize user for access to printer functions Step 2: Configure Kerberos setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select Kerberos 5. 3 Configure Kerberos settings using the information gathered in the Embedded Web Server 20 For more of up to your LDAP+GSSAPI...