Embedded Web Server Administrator's Guide
Page 1
Embedded Web Server Administrator's Guide February 2009 www.lexmark.com Lexmark and Lexmark with diamond design are the property of Lexmark International, Inc., registered in the United States and/or other countries. All rights reserved. 740 West New Circle Road Lexington, Kentucky 40550 All other trademarks are trademarks of their respective owners. © 2009 Lexmark International, Inc.
Page 2
...any time. UNITED STATES GOVERNMENT RIGHTS This software and any accompanying documentation provided under this agreement are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT ... in the United States and/or other products, programs, or services, except those expressly designated by mail: Lexmark International, Inc. Trademarks Lexmark, Lexmark with other countries. these available in all countries in conjunction with diamond design, and MarkVision are the user's responsibility....
Page 3
Contents Using security features in the Embedded Web Server 5 Understanding the basics...5 Authentication and Authorization ...5 Groups ...6 Access Controls...6 Security Templates...6 Configuring building blocks...7 Creating a password ...7 Creating a PIN...7 Setting up internal accounts ...8 Using LDAP ...9 Using LDAP+GSSAPI ...11 Configuring Kerberos 5 for use with LDAP+GSSAPI ...13 Using NTLM authentication ...14 Securing access...15 Setting a backup password...15 Setting login restrictions...16 Using a password or PIN to control function access...16 Using a security template to control ...
Page 4
Appendix 29 Notices 32 Glossary of Security Terms 39 Index 40 Contents 4
Page 5
... Embedded Web Server The latest suite of your organization. Authentication, Authorization, and Groups-to define who has been authenticated by Lexmark to enable administrators to anyone who enters the correct password or PIN receives the same privileges and users can use Embedded Web...passwords and PINs are able to or stored on the printer, and the information security policies of security features available in the Lexmark Embedded Web Server represents an evolution in keeping document outputs safe and confidential in today's busy environments. Before configuring printer security,...
Page 6
For example, in Company A, employees in the warehouse do , see "Menu of Access Controls" on the type of users needing access to similar functions. Access Controls (also referred to in some multifunction printers, over 40 individual menus and functions can be protected. Access Controls By default, all users the functions they need to print in color, but in some devices as "Function Access Controls"), are used to identify sets of device, but those in the Embedded Web Server 6 Note: For a list of functions such as PIN-protected access to common device functions, while others ...
Page 7
Clicking Delete List will also grant access. 7 Click Submit. Each PIN must have a unique name consisting of 1-128 UTF-8 characters (example: "Copy Lockout PIN"). 5 Type a PIN in the appropriate box, and then re-enter the PIN to confirm it. 6 Select Admin Password if the password will be used as administrator-level. Administrator-level passwords override normal passwords. PINs can also be changed by modifying the Minimum PIN length field under Settings > Security > Miscellaneous Security Settings. Using security features in the Setup Name box. Notes: • To ...
Page 8
The internal accounts building block can be used as printing, scanning, and copying-will be needed for the account (example: "jsmith"). You can use up to 128 UTF-8 characters. 5 Click Add. 6 Repeat steps 4 through 5 to add additional user groups. Hold down the Ctrl key to select multiple groups for use with one internal account building block per supported device. Note: Group names can include a maximum of 250 user accounts, and 32 user groups. Note: When creating groups, it . 7 Click Submit. Each internal account building block can contain up to 128 UTF-8 ...
Page 9
Each configuration must submit when authenticating. Multiple search bases may be entered, separated by selecting Log out on top of databases without special integration, making it can interact with the authenticating server. • To help prevent unauthorized access, users are encouraged to access information stored in a specially organized information directory. Using LDAP Lightweight Directory Access Protocol (LDAP) is used to communicate with the LDAP server. One of the strengths of LDAP is that prevents the printer from communicating with many different kinds of the ...
Page 10
To delete an existing LDAP setup 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP. 3 Select a setup from this specifies that the "person" object class will be searched. • Custom Object Class-Click to select or clear; Notes: • Click Delete List to delete all LDAP setups in the Embedded Web Server 10 Device Credentials • Anonymous LDAP Bind-If selected, the Embedded Web Server will bind with the LDAP server anonymously, and the Distinguished Name and MFP ...
Page 11
Each configuration must have a unique name. • As with any form of authentication that relies on the printer control panel. Note: A Search Base consists of simple LDAP authentication because the transmission is always secure. Notes: • LDAP+GSSAPI requires that prevents the printer from communicating with the LDAP server. Using LDAP+GSSAPI Some administrators prefer authenticating to identify each particular LDAP+GSSAPI Server Setup when creating security templates. • Server Address-Enter the IP Address or the Host Name of five unique LDAP + GSSAPI configurations. ...
Page 12
Notes: • Click Delete List to delete all LDAP+GSSAPI setups in the list. • An LDAP+GSSAPI building block cannot be searched. • Custom Object Class-Click to select or clear; the administrator can define up to select or clear; LDAP Group Names • Configure Groups-Administrators can pick groups from the list. 4 Make any needed changes in the Embedded Web Server 12 Device Credentials • MFP Kerberos Username-Enter the distinguished name of the print server(s). • MFP Password-Enter the Kerberos password for those groups under the Group Search Base list. ...
Page 13
However, if a realm is used in conjunction with the LDAP+GSSAPI building block. Notes: • Click Delete File to remove the Kerberos configuration file from communicating with the authenticating server. • To help prevent unauthorized access, users are encouraged to securely end each session by itself for user authentication, Kerberos 5 is most often used, uploading or re-submitting a simple Kerberos file will automatically test the krb5.conf file to verify that it can be able to access protected device functions in the event of an outage that prevents the printer from the ...
Page 14
An administrator can be used in a security template only after a supported device has registered with the NTLM domain. • The NTLM building block cannot be updated manually, or set to use the "Install auth keys" link to browse to the file containing the NTP authentication credentials. 7 Click Submit to save changes, or Reset Form to automatically sync with a trusted clock-typically the same one NTLM configuration on an external server, users will require configuration of additional settings under Custom Time Zone Setup. 3 If Daylight Saving Time (DST) is Microsoft's solution for...
Page 15
Consult your device with an NT domain. 2 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 3 Under Edit Building Blocks, select NTLM. 4 Type the default user domain in the Embedded Web Server 15 Note: If you do not connect to the Embedded Web Server using the secure version of the page (with the message "Registering." • If registration is successful, the Manage NTLM Setup screen will display "Status....Registered." • If registration is a network communication problem, or an authentication server fails. A status ...
Page 16
Using a password or PIN to control function access Each Access Control (or Function Access Control), can be set to require No Security (the default), or to protect, select a password or PIN from the drop-down list for your environment, and configure as workstations and servers. Using security features in the drop-down list next to the name of times a user can control access to securely end each Access Control. Only one method of building block, see the relevant section(s) under "Configuring building blocks" on the printer control panel. 1 From the Embedded Web Server Home...
Page 17
This list will be populated with a unique name of up to 128 characters to create a security template. Note: Certain building blocks-such as Passwords and Pins-do , see "Menu of individual Access Controls and what they do not support separate authorization. 7 To use a descriptive name, such as necessary. 5 Click Modify to save changes, or Reset Form to select multiple groups. 8 Click Save Template. Users will be different from one another, building blocks and security templates can share a name. 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit ...
Page 18
Administrators can assign a single password or PIN for all security templates on the device, regardless of which device functions need to be protected, and then: 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Select Access Control. 3 For each access control After creating one or more codes, determine which one is that anyone who knows a password or PIN can access any functions protected by that function, and then click Submit. The key to remember is selected. Users will delete all authorized users of that code. ...
Page 19
Step 2: Create a security template 1 From the Embedded Web Server Home screen, browse to Settings > Security > Edit Security Setups. 2 Under Edit Security Templates, select Security Templates. 3 Under Manage Security Templates, select Add a Security Template. 4 In the Security Templates Name field, type a unique name containing up to the printer Using security features in the Embedded Web Server 19 It can be helpful to the printer as seamless as "Administrator_Only", or "Common_Functions_Template." 5 From the Authentication list, select a method for passwords) • ...
Page 20
2 LDAP server information • The IP address or hostname of the LDAP server • The LDAP server port (the default is 389) • A list of up to Settings > Security > Edit Security Setups. 2 Under Edit Building Blocks, select LDAP+GSSAPI. 3 Click Add an LDAP+GSSAPI Setup. 4 Configure LDAP+GSSAPI settings using the information gathered in step 1. Using security features in step 1. Hold down the Ctrl key to Settings > Security > Edit Security Setups. 2 Select Access Control. Step 5: Assign security templates to access controls 1 From the Embedded Web...