Canon A3100ISRED Film Camera User Manual
Contents
1. Description name ocfserv rpc cmsd rpc rusersd rpc rwalld rpc sprayd rcp ttdbserverd rpc rstatd rquotad DARPA trivial name server OCF server Calendar manager service daemon network username server Network rwall server Spray server RPC based ToolTalk database server rstatd kernel statistics Server Remote quota server in tnamed is a server that supports the DARPA Name Server Protoco Seldom used anymore Not used by Xerox FreeFlow Print Server The OCF server ocfserv is a per host daemon that acts as the central point of communications with all smartcards connected to the host Applications that need to use a smartcard can do so by using the APIs in libsmartcard so or smartcard jar The internal implementation of these APIs communicates with ocfserv to perform the requested function inetd 1M automatically starts the ocfserv command when itis needed Once started ocfserv runs forever If ocfserv is killed or crashes it restarts automatically there is not a reason to run it manually Must have root privileges to execute this utility rpc cmsd is a small database manager for appointment and resource scheduling data Its primary client is Calendar Manager Not used by Xerox FreeFlow Print Server Gives intruder information about accounts Not used by Xerox FreeFlow Print Server Server that handles rwall 1M command requests Can be used for spoofing attacks Not used by X2. IP Address e Other Step 3 Enter the requested information Organization required Organizational Unit optional E mail optional Locality optional e State Province optional Country required Step 4 Browse to the location of the signed certificate pem file Step 5 Verify information entered in previous steps Step 6 A message will appear indicating that the certificate has been installed NOTE During steps 2 5 the user may go back and correct any 4 mistakes made in previous steps Security Guide Digital Certificates Network Protocol Network Protocol Samba SMB SSL TLS cannot be enabled unless a digital certificate has been installed on the system using the Add Certificate button Installing a digital certificate can only be done by someone with administrator privileges The administrator selects SSL TLS from the Setup Menu and clicks on the Add Certificate button This invokes the Add Certificate wizard There are two options regarding digital certificates One option is Self signed certificate This is selected when no third party Certificate Authority is being used Another option is Signed Certificate from a Certificate Authority In this case the administrator needs to supply the fully qualified domain name IP address organization and country of the Certificate Authority If the choice is to use a Certificate Authority all Certificate information
3. Auto login is enabled High FTP is disabled For Does not File FTP is telnet rsh is disabled government support legacy disabled NFS client is disabled market DigiPath AutoFS is disabled e g workflow File transfer can be net lt hostname gt and Supports done via Secure home lt username gt are FreeFlow FTP not automatically workflow mounted For CFA support NFS server is disabled on that is FTP upload customer network of outload go to Walkup users cannot Setup FTP reprint anything Remote Terminal window is Diagnostics menu password protected select enable FTP Auto login is disabled login is always required from GUI Custom Any profile can be edited to adjust to user needs NOTE Regardless of the security profile anonymous FTP is 4 Read only with restricted access to export home ftphome only Security Guide Enable and disable services The following tables provide a list of the services that can be enabled and disabled from the Xerox FreeFlow Print Server Setup gt Security Profiles menu options NOTE Services list may vary depending on the product Table 2 2 System tab System Service Allow_host equiv_plus Anonymous FTP BSM Executable Stacks Hide Info Banners Multicast Routing Remote CDE Logins Restrict DFS tab Restrict NFS Portmon Router Secure File Permissions Description Background The etc hosts equiv and rhosts files provid
4. User Activity on the System aa 2 22 Date Time User Login Logout lessen 2 22 Changing individual passwords 2 22 Accessing the Xerox FreeFlow Print Server through ADS 2 22 Littitiig ACCESS esed pen o rise ve ota SUPE 2 23 IP PINGING nora uc cot eor da Saat bet es aree d 2 23 Remote WOrKIOoW 1 inka wes bok eg ek us 2 24 Secure Socket Layer 0000 e eee eee ees 2 24 Using the Print Server SSL TLS Security Feature 2 24 Creating and Using a Self Signed Certificate 2 25 Using an Existing Signed Certificate from a Certificate Author ly sicko A d HOUSE Moti KNA AA Pa dow ay 2 26 Digital COMniGates m 3s 9i ya dep RET bo S Sas 2 27 Network Protocol Lois sos eni ete tt etn oho 2 27 Secure Prnt cies sere RDRKRREGK Ru pEEEEEN Eu Ee 2 29 MICR modes vaL ave shi We Rr rod oe ires 2 29 Prevent Unauthorized Queue Changes 2 30 Queue Lock ono eoe petente de ea ein 2 30 Roles and responsibilities l llle 2 30 Xerox responsibilities llle 2 30 Customer Responsibilities 2 31 SECUS TIBS oos aant oed deeds ADA PUN Ba meet Sane nct 2 31 Virs EGRE 4 2 p cout hatc ne pd Kahn AA Dn et d ege 2 32 Online Help for security 0c eee eee 2 32 Xerox FreeFlow Print Server Security Guide ii About this guide Contents Introduction The Security Guide provides the information needed t
5. a lt of allowed attempts gt argument with rpc nispasswad For example to limit users to no more than four attempts the default is 3 you would type rpc nispasswd a 4 How to Enable Disable Strong Password From the Setup menu select Users and Groups From the Policies drop down menu select Password Enable Disable Strong Password from the Password Policies window The default setting is Disable Login Attempts Allowed The Xerox FreeFlow Print Server has provided a means to lockout users after reaching the maximum number of consecutive attempts Once this is done the user will need to apply reset a security policy and reboot the system The number of failed attempts and enable disable is configurable via the Password Policy screen When enabled login attempts can be set from 1 6 attempts before the user is locked out This 20 Security Guide function will only apply to failed login attempts via the Xerox FreeFlow Print Server Ul and does not apply to the root su user How to Enable Disable Login Attempts From the Setup menu select Users and Groups From the Policies drop down menu select Password Enable Disable Login Attempts from the Password Policies window The default setting is Disable Password Expiration Audit Logs GUI Logging The System Administrator can set a password expiration via the Solaris Management Control NOTE SMC Solaris Management Control
6. cachefs chargen comsat RPC Smart Card Interface Cached File System server Character Generator Protocol server Biff server Not used by the Xerox FreeFlow Print Server Not used by the Xerox FreeFlow Print Server Sends revolving pattern of ASCII characters Sometimes used in packet debugging and can be used for denial of service attacks Not used by the Xerox FreeFlow Print Server comsat is the server process which listens for reports of incoming mail and notifies users who have requested to be told when mail arrives Not used by the Xerox FreeFlow Print Server Security Guide INETD Service Description daytime discard dtspc echo exec finger fs ktkt warnd ftp gssd kcms server login Daytime Protocol server Discard Protocol server CDE sub process Control Service Echo Protocol server Remote execution Server Remote user information server X font server Kerberos warning daemon File transfer protocol server RPC program authentication KCMS library service daemon Remote login server Displays the date and time Used primarily for testing Not used by the Xerox FreeFlow Print Server Discards everything sent to it Used primarily for testing Not used by the Xerox FreeFlow Print Server CDE sub process Control Service dtspcd is a network daemon that accepts requests from clients to execute commands and launch ap
7. has replaced AdminTool AdminTool has been retired in Solaris 10 1 Open a terminal window and login as root Type smc amp 3 Go to System Configuration gt Users gt User Accounts gt lt select user gt gt Password Options tab 4 Enter values in the drop down menus associated with each password expiration parameter The Xerox FreeFlow Print Server UI does not handle password expiration Thus the Print Server will not prompt the user to enter a new password if his her password has expired Instead a message is posted indicating unknown user name or password It is up to the customer to determine that the password has expired To do so the customer should open a terminal window and attempt to login as the user in question If the password has expired the system will prompt for the user to enter a new password Mouse clicks within the Xerox FreeFlow Print Server UI can be monitored via the Log Console These activities are associated with the current user This feature can only be enabled disabled by members of the System Administrators group Security Guide 21 User Activity on the System When the High security profile is enabled the Solaris Basic Security Module BSM is activated Date Time User Login Logout This information is kept in the authlog and syslog in the var log directory Login Logout to the Xerox FreeFlow Print Server is tracked as well as Network Login Logout Changing individua
8. The number is 1 800 735 2988 For additional assistance dial the following numbers e Service and software support 1 800 821 2797 e Xerox documentation and software services 1 800 327 9753 Security Guide Security This section describes the Xerox FreeFlow Print Server system supplied security profiles It outlines the characteristics of each profile and indicates how each can be customized to create user defined profiles The enhanced security features in the Xerox FreeFlow Print Server protect the system against unauthorized access and modification This section also addresses the options available to the administrator in setting up and managing user accounts Finally this section offers general guidelines to security related procedures that can be implemented to improve the security of the Xerox FreeFlow Print Server controller and the Solaris OS System supplied security profiles The four system supplied profiles are default operating system only low medium and high The following table describes the characteristics of each security level and the configurable settings that restrict access to various devices and operating system services NOTE Customers have the option to setup and use custom profiles Custom profiles are copied from one of the system supplied profiles and provides the ability to enable disable any of the default settings Multiple custom profiles can be saved on the system Table 2 1 Secu
9. databases 2 11 Multicast routing disabled AA 2 11 OS and host information hidden 2 11 Sendmail daemon secured 2 12 Network parameters secured U 2 12 Executable stacks disabled 2 12 NFS port monitor restricted 2 12 Remote CDE login disabled a 2 12 Xerox FreeFlow Print Server router capabilities disabled 2 12 Security warning banners 0 20 000 2 13 Disabling LP anonymous printing 2 13 Remote shell internet service 2 13 enable ftp and disable filp 0 2 13 Creating user defined profiles 2 14 Setting the current and default profiles 2 14 Account management 02 cee eee eee 2 14 Local users and grolps x1 e aie REX disks Ses 2 14 Default user groups and user accounts 2 15 Creating user accounts a 2 16 Group authorization oae cie tie cc bee RR 2 16 Auto EGgort o5 a x tee es e ERO que nese ee eed 2 18 Default Screen Auto Logoff Nuvera Only 2 19 Password security use Grae Xo e OR ORO END TR e Xx 2 19 Strong Passwords caesa qoe trae do a e RR ned NR e 2 20 Xerox FreeFlow Print Server Security Guide Table of contents Audit HOGS soi ae hows rt o D oF Era hia ee KA AEs 2 21 GUI LOGGING snc ez e Pal ie eee Saale ee uud 2 21
10. for auto logon If auto logon is disabled a user will be forced to log in again before the Xerox FreeFlow Print Server UI is displayed When the system is installed the Change System Password dialog box appears and prompts users to establish all System Default Accounts with new passwords For security reasons all system passwords must be changed root has super user access to the workstation The initial password for this account is set during installation of the operating system and should be obtained from the Xerox service personnel NOTE For security reasons the root account password should be changed as soon as the Xerox service personnel have completed the installation The Xerox user name is the account from which the Xerox software runs Enter the Xerox user password for this account Contact your Customer Service Representative if this is unknown NOTE The administrator should verify access to the Xerox application for all levels before the service installation personnel leave the site ftp an account to permit some clients to retrieve their software from the Xerox FreeFlow Print Server controller using the TCP IP communication protocol This account will be set to Read only access to the export home ftp directory NOTE 7o maintain system security it is recommended that any restricted access login be terminated as soon as the session has been completed NOTE The user and group identifications uid and gi
11. including alerts may be found at http sunsolve sun com pub cgi show pl target security sec http www cert org nav index main html http www cve mitre org http www xerox comisecurity 32 Security Guide
12. only one user group It is the user group that is associated with a security profile that defines the privileges of the group Default user accounts are provided to allow easy transition from legacy Xerox FreeFlow Print Server versions For customers that do not require authentication the Xerox FreeFlow Print Server can be configured to have the system automatically log on using a default user account Local users and groups Local user accounts are constructed based on the Solaris operating system model with its limitations and restrictions using the Users amp Groups selection on the Xerox FreeFlow Print Server interface Each local user account has an associated user name 14 Security Guide between 2 8 characters in length and is case sensitive The user name is a string of characters from the set of alphabetic characters a z A Z numeric characters 0 9 period underscore and hyphen the first character must be alphabetic and the string must contain at least one lower case alphabetic character Each account has the following attributes user name password user group account disabled enabled and comments The maximum number of user accounts is 25 000 Each local user account has an associated user password that is a sequence of characters that is case sensitive and between 0 8 characters in length User accounts are organized into groups Each user account is a member of
13. protocol and the application protocol layer The network client and the web server printing system decide which protocol to use for data transfer and communication The encryption level can be either secure or normal Normal security in the SSL TLS tab means that the user can access IPP or HTTP via http or https Using the Print Server SSL TLS Security Feature The Secure Socket Layer SSL and Transport Layer Security TLS are two protocols used to provide a reliable end to end secure and authenticated connection between two points over a network The Xerox FreeFlow Print Server SSL TLS feature allows a System Administrator to do the following 1 Create and use a self signed SSL TLS certificate 24 Security Guide 2 Use an existing certificate obtained from a certificate authority i e VeriSign Thawte etc When SSL is disabled When SSL is disabled off other web based logins provided by the Xerox FreeFlow Print Server may not be secure encrypted To guarantee a secure connection with Xerox FreeFlow Print Server do one of the following Enable SSL optionally via the GUI and connect to the Xerox FreeFlow Print Server via https Require SSL as mandatory via the GUI and connect to the ISGW Creating and Using a Self Signed Certificate Logon to the Xerox FreeFlow Print Server as System Administrator or as a user who belongs to the System Administrator group Go to Setup gt SSL TLS If not
14. Administrator Properties of a locked queue cannot be changed without first unlocking the queue Locked queues can only be deleted by the System Administrator e Locked queues can be copied by an Operator The resulting new queue will not be locked e An Operator can change the Accept Do Not Accept Jobs and Release Do Not Release Jobs attributes on a locked queue Placing the cursor on the tool tip accesses the date and time the queue was last locked Roles and responsibilities Xerox will make every effort to assist the administrator in ensuring that the customer environment is secure Xerox responsibilities Xerox is committed to providing a level of security which will allow the Xerox FreeFlow Print Server controller to be a good network citizen in response to current security intrusions Additional security beyond this remains the responsibility of the customer Xerox is constantly evaluating the security of the Xerox FreeFlow Print Server controller and the Sun Solaris operating system Xerox is committed to providing the latest Solaris security patches provided by Sun Microsystems in each major Xerox FreeFlow Print Server release The Xerox FreeFlow Print Server development team will also add Solaris security patches in between major release cycles All OS security patches for applications that are added during a Xerox FreeFlow Print Server install will be included even if the application code is not normally used by
15. Enabled Enabled Enabled Enabled Enabled Enabled Changeable via GUI No No No No No No No Comment The Limit Print Service Paths in Security Profile controls the directories that users can reprint The defaults are DEFAULT Operating System Only Saved Jobs and CD ROM Removal Media LOW Saved Jobs and CD ROM Removable Media MED CD ROM Removable Media HIGH Nothing CUSTOM User Defined Security Guide 17 Administrat Function Users Operators ors oT eee Comment Setup Security Enabled No profile SSL TLS IP Filter Setup Users amp Enabled No Groups Change Self Self Enabled No password Service Enabled No Diagnostics Customer Enabled Enabled Enabled Yes Diagnostics Backup Enabled Enabled No Restore Auto Logon The Automatic Logon feature enables or disables the ability of users to directly access the Xerox FreeFlow Print Server including Web UI HTTP access to the Print Server without having to manually log on It is enabled in the Default Operating System Only Low and Medium security profiles and disabled in the High security profile The feature can be configured by any member of the System Administrators group To configure the Automatic Logon feature a custom profile must be created under Security Profiles by copying one of the default security profiles An administrator must then set
16. Flow Print Server Setup gt FTP Remote Diagnostics menu option Security Guide 13 Creating user defined profiles To create a customized profile the administrator can copy and edit any security profile according to the needs of the customer environment This new user profile can be selected edited set as current set as default or deleted Setting the current and default profiles The administrator can select any profile and set it as the Current Profile This Current Profile persists throughout Xerox FreeFlow Print Server restarts and system reboot until it is changed by the administrator Similarly the administrator can specify a security profile as a Default Profile Specifying a profile as default does not enable the profile but indicates that it will be the profile setting across Xerox FreeFlow Print Server upgrades By clicking the Restore Default Profile the Default profile can be selected as the Current profile this operation will take several minutes to complete Account management Any interaction between a user and the Xerox FreeFlow Print Server is associated with a user account and is done via a logon session which is the basis for granting access Xerox FreeFlow Print Server user accounts are defined either locally at the device or remotely at a trusted network location like ADS The local user account is composed of a logon user name and an assigned user group A user account can be a member of
17. P HTTPS SMB Printing Raw TCP Printing and FTP Connections The administrator can limit access through the Xerox FreeFlow Print Server interface Setup 5 IP Filtering menu option The filter allows the blocking of specific IP addresses or a range of addresses from accessing the system Available options include Enable All Connections Disable All Connections Enable Security Guide 23 Secure Socket Layer Specified Connections Additional subnet mask can also be specified Refer to online help for detailed descriptions of IP Filtering property tabs such as General tab System tab INIT tab INETD tab RPC tab Remote Workflow Remote Workflow allows for a remote connection to the Xerox FreeFlow Print Server controller The administrator can limit access through the Xerox FreeFlow Print Server interface Setup gt System Preferences menu option Remote Workflow options include Enable All Connections Disable All Connections Enable Specified Connections by specific IP Address NOTE The default is Enable All Connections The Xerox FreeFlow Print Server implements Secure Socket Layer technology using encryption a secure port and a signed digital certificate Secure Socket Layer SSL and Transport Layer Security TLS are two network security protocols that encrypt and transmit data via HTTP and IPP over the TCP IP network SSL is a protocol layer placed between a reliable connection oriented network layer
18. XE ROX cis FreeFlow Version 6 0 anuary 2007 101P 46740 Xerox FreeFlow P rint Server Security Guide Prepared by Xerox Corporation Global Knowledge and Language Services 800 Philips Road Bldg 845 17S Webster New York 14580 USA 2007 by Xerox Corporation All rights reserved Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory judicial law or hereinafter granted including without limitation material generated from the software programs displayed on the screen such as icons screen displays or looks Printed in the United States of America XEROX and all Xerox product names mentioned in this publication are trademarks of XEROX CORPORATION Other company trademarks are also acknowledged Changes are periodically made to this document Changes technical inaccuracies and typographic errors will be corrected in subsequent editions Table of contents Lc 1 1 ADOUMINS guide 5a tex xax Wa KE BE aes disap abate 2 1 Contents a iocis enna ee Ge n nO RE EN EAM RES 2 1 GonVerttlOrS z toep earainn dede wha BS Sears ped op dH Seir SIE 2 1 Customer support St wp er Or nt RR Sand eed 2 2 System supplied security profiles 2 3 Enable and disable services 200 05 2 5 User level changes a sect ectesiee seeker nee eae 2 10 Solaris file permissions aa 2 11 Disabling secure name service
19. Xerox FreeFlow Print Server users Security patches for applications that are not loaded by a Xerox FreeFlow Print Server install will not be evaluated or included Only the version of a patch impacting security will be included If a security patch has a newer version that is not security related then this patch will not be 30 Security Guide updated to the newer version Any security patch that is determined to have a negative impact to Xerox FreeFlow Print Server operation will not be added Customer Responsibilities The administrator has the primary responsibility for maintaining the security of the network within the customer s site It is important that network security is continuously monitored and maintained and that appropriate security policies are established and followed The procedures outlined in this document assume a basic knowledge of UNIX the vi editor and general computing concepts It is expected that the network administrator or system administrator responsible for network security understands the base commands cd chmod cp grep kill In Is man more ps etc and the UNIX directory path and filename structures shown in this document There is information within the text and in the appendix sections for reference to those who may not use UNIX often The Xerox FreeFlow Print Server operates on a Solaris OS Enhancements have been made to increase security over the default OS configuration Additio
20. already enabled click the OK button in the Information pop up box Click on the Add Certificate Button This will launch the Add Certificate Wizard Step 1 Select Self Signed Certificate Step 2 Select and enter either the server Domain Name P Address Other Step 3 Enter the requested information Organization required Organizational Unit optional E mail optional Locality optional e State Province optional Country required Step 4 Enter the length of time that the certificate will be valid for Step 5 Verify information entered in previous steps Step 6 A message will appear indicating that the self signed certificate has been installed Security Guide 25 NOTE During steps 2 5 the user may go back and correct any 4 mistakes made in previous steps Click on the Enable SSL TLS checkbox at the top of the SSL TLS window Select a SSL TLS mode of operation Normal Encrypted and Unencrypted Access e Secure Encrypted Access Only Select encryption strength e Normal DES MD5 56 bit Normal DES MD5 40 bit Normal DES MD5 128 bit Normal 3DES MD5 128bit High RC4 MD5 128 bit e High 3DES MD5 1 28 bit Using an Existing Signed Certificate from a Certificate Authority If SSL TLS is not already enabled Click Add Certificate Step 1 Select Signed Certificate from a Certificate Authority Step 2 Select and enter either the server Domain Name
21. ay choose to restrict From the Setup gt Users amp Groups menu option select the Group Authorizations tab in the interface The administrator can choose to enable or disable the service for a particular user group NOTE The following table describes the functions allowed for the three built in groups The column labeled as Changeable via Graphical User Interface GUI implies that the function service can be enabled disabled from the Users amp Groups Group Authorization tab Table 2 6 Enable disable from the Group Authorizations tab Function Users Administrat ors sa and cse Changeable via GUI Comment Operators Job a Management release hold proof promote move delete etc Queue Management New Delete Properties Queue Job Operations Acc ept Jobs Release Jobs B1C Enabled Enabled Yes Enabled Enabled No Enabled Enabled No Security Guide Function Reprint Management Printer Manager Finish ing Image Quality etc Resource Management L CDS Resources PDL Fonts Forms etc Accounting Billing System Preferences Setup System configuration Gateways Setup Feature licenses Network configuration Users Enabled Operators Enabled Enabled Enabled Can set Internatio nal Job Processin g Stocks amp Trays View amp Print only Administrat ors sa and cse Enabled
22. can also be filtered using the IP Filter feature under Setup gt Security Profiles gt lt Any Profile gt gt RPC tab Secure Print MICR mode NOTE The IP Filtering Setup IP Filter feature can also help in limiting access to the server This is the Xerox FreeFlow Print Server s GUI interface to the SunScreen Lite firewall that is part of the Solaris 8 Operating System This feature allows the user to limit the number of clients who are allowed to access the server via services such as LPR IPP HTTP HTTPS SMB Printing and FTP By default the firewall is disabled all ports open but can be enabled to either only allow specified connections by IP address IP address range or subnet mask or to close all ports For DRW clients this mechanism exists under System Preferences gt Remote Workflow gt Enable Specified Connections NOTE FreeFlow v2 0 and newer allows users to select whether or not the Xerox FreeFlow Print Server server they connecting to will have high security enabled If so the client will use other communication paths such as sIPP via SSL for job submissions and sFTP for decomposition services NetAgent The MICR mode disables all Xerox FreeFlow Print Server features that allow additional prints to be produced such as Sample Print Reposition Output etc Security Guide 29 Prevent Unauthorized Queue Changes Queue Lock Queues can be locked and unlocked by the System
23. d for the Xerox accounts that are listed above cannot be arbitrarily changed in the password and group files to new values because the software is based on the proper access to the Xerox supplied files Security Guide 19 NOTE Please be aware that Xerox Customer Support Personnel must have access to the new root password for service and support It is the customer s responsibility to ensure that the root and system administrator passwords are available for them Strong Passwords The Xerox FreeFlow Print Server provides additional security for users required to adhere to strict security guidelines It provides a means in which a strong password policy can be enforced Strong Passwords can be Enabled and Disabled default setting via the Password Policies window Strong passwords must consist of ALL of the following Aminimum of 8 characters in length Contain at least one capital letter Contain at least one number e Contain at least one special character 96 amp including open and close parentheses hyphenf underscore and period NOTE The strong password requirements cannot be modified A strong password cannot be set for root or any other Solaris user accounts that are not created by the Xerox FreeFlow Print Server NOTE Remote Network Server If running NIS name service strong passwords would be enforced via the NIS server This policy can be set by using the
24. der the System tab under the Secure File Permissions drop down menu e fixmodes solaris fix file permissions only for Solaris packages to make them more secure Available under the System tab under the Secure File Permissions drop down menu The fix modes utility from the Solaris Security Toolkit adjusts group and world write permissions It is run with the s option to secure file permissions for Solaris files that were created at install time only Customer generated files are not affected NOTE When this command is run a file called var sadm install 4 content mods is left Do not delete this file It contains valuable information needed by fix modes to revert the changes to the system file permissions if the security setting is changed back to medium Disabling secure name service databases The following databases are disabled when security is invoked passwd 4 group 4 exec attr 4 prof attr 4 Ser attr 4 Multicast routing disabled Multicast is used to send data to many systems at the same time while using one address OS and host information hidden The ftp telnet and sendmail banners are set to null so that users in cannot see the hostname and OS level Security Guide 11 NOTE All of these services are prohibited with a high security setting but if they are re enabled manually the hostname information will remain hidden Sendmail daemon secured Sendmail is forced to pe
25. e the remote authentication database for rlogin rsh rcp and rexec The files specify remote hosts and users that are considered to be trusted Trusted users are allowed to access the local system without supplying a password These files can be removed or modified to enhance security The Xerox FreeFlow Print Server is provided with both of these files deleted entirely The setting All_host equiv_plus is set to disabled then anytime that security settings are applied the will be removed from host equiv IMPORTANT NOTE Removing the from the hosts equiv file will prevent the use of the Xerox command line client print from remote clients An alternative would be to remove the and add the name of each trusted host that requires this functionality Leaving the will allow a user from any remote host to access the system with the same username Enable or disable the Basic Security Module BSM on Solaris Some security exploits take advantage of the Solaris OE kernel executable system stack to attack the system Some of these exploits can be avoided by making the system stack non executable The following lines are added to etc system fP file set noexec_user_stack 1set noexec_user_stack_log 1 Deny all remote access direct broadcast to the X server running on the Xerox FreeFlow Print Server by installing an appropriate etc dt config Xaccess file Disable router mode by creating an empty the empty file etc notrouter Securit
26. erox FreeFlow Print Server Records the packets sent by the spray 1M command Can be used in denial of service attacks Not used by Xerox FreeFlow Print Server The RPC based tooltalk database server is required for CDE action commands In particular the CDE front panel has various menu items that rely on CDE actions Late in the CP3 1 release the Server UI team disabled the front panel With the panel disabled the need for the tooltalk database server no longer exists rpc rstatd is a server which returns performance statistics obtained from the kernel rup 1 uses rpc rstatd to collect the uptime information that it displays rpc rstatd is an RPC service Used by the quota 1M command to display user quotas for remote file systems Not used by the Xerox FreeFlow Print Server Security Guide INETD Service Description sadmind shell Sun dr DCS Distributed system administration daemon Remote execution server Domain configuration server Used by Solstice AdminSuite applications to perform distributed system administration Not used by the Xerox FreeFlow Print Server Used by rsh 1 and rcp 1 commands The Xerox print command line client relies on the remote shell internet service being enabled since it uses the rcp 1 command to transfer files onto the Xerox FreeFlow Print Server However this service represents a security risk Not used by the Xerox FreeFlow Print Server The D
27. l passwords There are two ways to change passwords Users can change their own passwords using the selection on the Logon menu and the administrator can change the password by double clicking on the user name in the User tab of Users and Groups Management Accessing the Xerox FreeFlow Print Server through ADS If the Xerox FreeFlow Print Server has been configured to join a Windows 2000 ADS domain users may log onto the printer using their Microsoft Active Directory Services ADS user names To provide this option the administrator must first configure the Xerox FreeFlow Print Server appropriately for the DNS gateway see the Gateway and Network Configuration section of this guide Additionally the administrator must access the ADS Groups tab through Users and Groups Management and specify or edit the mapping of the ADS groups to the Xerox FreeFlow Print Server user groups having permission to log on to the printer Configure Print Server to Join the ADS Domain To enable the ADS user accounts the Xerox FreeFlow Print Server must have DNS enabled and joined to the appropriate ADS domain 1 Logon to the Xerox FreeFlow Print Server as a member of the System Administrators From the Network Configuration option select the DNS tab make sure that the Enable DNS check box is checked Ensure that the DNS Server list is filled in with the IP addresses of up to three DNS servers to search when resolving host names to IP addresse
28. mote Workflow is not impacted by security settings Disabling LP anonymous printing You can choose to disable anonymous printing on all existing LP printer queues that are associated with the Xerox FreeFlow Print Server virtual printers When anonymous LP is disabled only systems that have their IP address in the Xerox FreeFlow Print Server controller etc hosts table are authorized to submit LP requests Answer y for yes to disable this printing option Remote shell internet service If you are using the legacy Xerox print command line client the software is not distributed with this release you will need to use the remote shell internet service to transfer files to the Xerox FreeFlow Print Server controller However if you are not using the Xerox print command line client it is strongly recommended that the remote shell internet service is disabled When these three questions are answered all remaining aspects of the High security setting are implemented enable ftp and disable ftp These options allow for temporary enabling and disabling FTP alone Will not persist through reboots You must have FTP enabled when using a Continuous Feed system or FreeFlow Production Print and NetAgent FTP is also required for the Call for Assistance CFA feature This uses FTP to push IOT logs and a Xerox FreeFlow Print Server outload back to the Print Server controller NOTE Temporarily enable FTP through the Xerox Free
29. nal Solaris patches required by the Xerox FreeFlow Print Server are included as well Several scripts are used to provide additional security for the Print Server Not all scripts are public knowledge only those that are public are defined in this document and these can be performed by the customer Xerox FreeFlow Print Server engineering will evaluate the latest Sun Security Alert Packs issued by Sun Microsystems and integrate these patches into the Print Server releases Local customer support will be responsible for loading the latest Print Server software Xerox strongly recommends that the customer change passwords from the default settings since the ultimate security of the printing system resides with the customer NOTE Please be aware that the Xerox Customer Support Personnel must have access to the new root password for service and support It is the customer s responsibility to ensure that the root password is available for them Security tips The following recommendations will enhance security Security Guide 31 Virus Scan The Xerox FreeFlow Print Server runs on the Solaris 10 Operating System OS This OS makes the Xerox FreeFlow Print Server less susceptible to virus and worms Online Help for security A great deal of helpful security information can be found in Online Help Sun s security tools and blueprints may be found at http www sun com solutions blueprints Other security information
30. needs to be held in a file and sent to the Certificate Authority The Authority returns a valid certificate that must be installed on the system NOTE A self signed certificate is not as secure as a certificate signed by a Certificate Authority A self signed certificate is the most convenient way to begin using SSL TLS and does not require the use of a server functioning as a Certificate Authority or a third party Certificate Authority Once the Digital Certificate has been installed the Enable SSL TLS selection becomes available among the Setup options At that time the administrator can select the mode of operation Normal or Secure from a drop down menu This section addresses Network Protocol name service changes and the changes that occur when security is invoked The table below addresses the list of Network Protocols that are used by the Xerox FreeFlow Print Server software or Xerox client operations Table 2 7 Network Protocols Required Network sharing protocol required for Hot Folders and SMB filing Nuvera only XSun Required for functionality of Xerox FreeFlow Print Server diagnostics software Security Guide 27 Network Protocol Required Used when connecting to the server via the HTTP gateway Connections can also be filtered using the IP Filter feature under Setup gt IP Filter NOTE When SSL is disabled off other web based logins provided by the Xerox FreeFlow Print Ser
31. o perform system administration tasks for maintaining the Xerox FreeFlow Print Server This guide is intended for network and system administrators responsible for setting up and maintaining Xerox printers with Xerox FreeFlow Print Server software System administrators should have an understanding of the Sun workstation a familiarity with Solaris and with basic UNIX commands This includes the use of text editors such as vi or textedit and the ability to maneuver within the Solaris environment To enable them to setup a customer site system administrators are expected to have a working knowledge of Local Area Networks LANs communication protocols and the applicable client platforms Conventions In general this document covers information about the Xerox FreeFlow Print Server that is not covered in the Online Help or other available guides This guide includes the following conventions Angle brackets Variable information that is displayed on your screen is enclosed within angle brackets for example Unable to copy lt filename gt Square brackets Names of options you select are shown in square brackets for example OK and Cancel Notes are hints that help you perform a task or understand the text Notes are found in the following format NOTE This is an example of a note Security Guide Customer support To place a customer service call dial the direct TTY number for assistance
32. ocket gateway can be enabled disabled under Setup gt Gateways gt Socket Connections can also be filtered using the IP Filter feature under Setup gt IP Filter LPD LP LPR Required for job submissions via the LP LPR gateway LP LPR client Xerox FreeFlow Print Server Print Service Reprint etc The port assigned to the LPD can be changed and or the gateway can be enabled disabled under Setup gt Gateways gt LPD Access the server via a secure shell SSH SFTP etc 28 Security Guide Network Protocol Required FTP Access the server via FTP and or submit jobs from a DigiPath FreeFlow client via the Digipath FreeFlow Print Manager This service ftpd is shutdown when Xerox FreeFlow Print Server security is set to high In FreeFlow v2 0 the client has the ability to use secure FTP SFTP when Xerox FreeFlow Print Server security is set to high and FTP is not available Connections can also be filtered using the IP Filter feature under Setup gt Security Profiles gt lt Any Profile gt gt RPC tab SSL Required when using the TLS SSL security feature and or a FreeFlow 2 0 client with Xerox FreeFlow Print Server security is set to high Connections can also be filtered using the IP Filter feature under Setup gt IP Filter NFS Necessary when using NFS mounted directories This service is disabled when Xerox FreeFlow Print Server security is set to high Connections
33. omain Configuration Server DCS is a daemon process that runs on Sun servers that support remote Dynamic Reconfiguration DR clients It is started by the Service Management Facility when the first DR request is received from a client connecting to the network service sun dr talk Server for talk program The talk utility is a two way screen oriented communication program Not used by the Xerox FreeFlow Print Server telnet TELNET protocol This can be used to enable disable the telnet server server This does not affect using the telnet client from the Xerox FreeFlow Print Server to another host running on TELNET server time Time Protocol server Outdated time service Seldom used anymore Not used by the Xerox FreeFlow Print Server uucp UUCP server UNIX to UNIX system copy over networks UUCP is not securely set up and can be exploited in many ways Not used by the Xerox FreeFlow Print Server User level changes The following user level changes are made all users for at cron and batch are disallowed nuucp account is disabled e listen account is disabled e password entry locked for bin sys adm uucp nobody noaccess nobody4 and anonymous 10 Security Guide Solaris file permissions Secure File Permission options can be enabled or disabled through the Xerox FreeFlow Print Server interface Fix modes include fixmodes xerox fix file permissions for all packages to make them more secure Available un
34. only one group Default user groups and user accounts The Xerox FreeFlow Print Server provides three default user groups Users Operators and System Administrators It also supplies four default user accounts User Operator SA and CSE User and Operator accounts correspond to User and Operator User Groups while SA and CSE both correspond to the System Administrators group Figure 1 Assignment to Groups User Accounts User Groups Users Users Operators Operators System Administrator System Administrators CSEs The User Operator and SA user accounts cannot be edited deleted disabled or removed from the assigned group The CSE account can be removed from the System Administrator group and assigned to another group or disabled NOTE t is the group that a user is associated with that defines the privileges of the user not the current security profile Security Guide 15 Creating user accounts The Xerox FreeFlow Print Server user interface enables the Administrator to manage accounts easily by selecting Setup Users amp Groups and the Users tab When the administrator selects the Users tab a pop up window appears that enables the administrator to create edit or delete an account and indicate whether the account should be enabled or disabled Group authorization Job Management and Customer Diagnostics are two functions of the Xerox FreeFlow Print Server that the administrator m
35. plications remotely Not used by the Xerox FreeFlow Print Server Echoes back any character sent to it Sometimes used in packet debugging and can be used for denial of service attacks Not used by the Xerox FreeFlow Print Server Used by rexec 1 command Potentially dangerous passwords and subsequent session is clear text not encrypted Not used by the Xerox FreeFlow Print Server Display information about local and remote users Gives away user information Not used by the Xerox FreeFlow Print Server Used by CDE to dynamically render fonts The Xerox FreeFlow Print Server uses bit map fonts ktkt_warnd is a daemon on Kerberos clients that can warn users when their Kerberos tickets are about to expire It is invoked by inetd when a ticket granting ticket TGT is obtained for the first time such as after using the kinit command This can be used to enable disable the ftp server This does not affect using the ftp client from the Xerox FreeFlow Print Server to another host running an FTP server Note that FreeFlow requires this service to be enabled Generates and validates GSS API tokens for kernel RPC Allows the KCMS library to access profiles on remote machines Not used by the Xerox FreeFlow Print Server Used by the rlogin 1 command Potentially dangerous uses rhosts file for authentication passwords and subsequent session is clear text not encrypted Security Guide INETD Service
36. rently mounted SunSoft Print Client daemon The sendmail daemon is used to send mail over the internet If sendmail is not required it can be disabled Solaris serial device CIM Boot Manager Disables WBEM clients from accessing the Xerox FreeFlow Print Server Starts cachefs file systems Solaris network cache and accelerator Security Guide RC2 Service Description slp uucp Table 2 4 INIT tab RC3 section RC3 Service Description S15NFS SERVER S17HCLNFS DAEMON S25openssh server S17BWNFS DAEMON S76SNMPDX S77DMI S80MIPAGENT S82initsma S92VOLMGT NFS Server Disable ability to export Xerox FreeFlow Print Server file systems This service is enabled if legacy DigiPath FreeFlow and Decomposition Services NetAgent are enabled OpenSSH server Secure mounted file systems There are two shared file systems that are exported by the Xerox FreeFlow Print Server The two directories are only required for anyone with XDOD version 3 0 or below With the release of DigiPath Version 1 0 it is not necessary to export these file systems Sun Solstice Enterprise Master Agent Solaris SNMP services are disabled This does not prevent Xerox FreeFlow Print Server SNMP services from operating Sun Solstice Enterprise DMI Service Provider Mobile IP agent Solaris volume management daemon Table 2 5 INETD tab INETD Service Description amiserv
37. rform only outgoing mail No incoming mail will be accepted Network parameters secured Sun s nddconfig security tool is run For additional information view Sun s document Solaris Operating Environment Network Settings for Security at http www sun com solutions blueprints 1200 network updt1 pdf Executable stacks disabled The system stack is made non executable This is done so security exploitation programs cannot take advantage of the Solaris OE kernel executable system stack and thereby attack the system NFS port monitor restricted The NFS server normally accepts requests from any port number The NFS Server is altered to process only those requests from privileged ports Note that with the high security setting NFS is disabled however if the service is re enabled manually the port restriction will still apply Remote CDE login disabled The Remote CDE login is disabled Xerox FreeFlow Print Server router capabilities disabled The Xerox FreeFlow Print Server router capabilities is disabled empty etc notrouter file created 12 Security Guide Security warning banners Security warning banners are displayed when a user logs in or telnets into the Xerox FreeFlow Print Server This message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials NOTE DRW Xerox FreeFlow Print Server Re
38. rity Profiles Profile Characteristics User Compatibility Comments Default All ports are open Physically Close to Anonymous FTP is Operati Walkup users can reprint closed DocuSP 2 1 read only and ng anything environments and 3 1 restricted System Full workspace menu is Only available Similar to The Solaris Auto logon is enabled DocuSP 3 X desktop is removed Medium from all settings except none Security Guide Profile Characteristics User Compatibility Comments Low FTP is enabled First choice Similar to Anonymous FTP is Telnet rsh is disabled setting for DocuSP 3 x ready only and NFS client is enabled most High restricted AutoFS is enabled environments Walkup users can reprint Supports To enable telnet go from Saved Jobs and FreeFlow to Setup FTP CD ROM workflow Remote Terminal window is Diagnostics password protected Auto login is enabled Medium FTP is disabled Environments Supports Anonymous FTP is telnet rsh is disabled requiring high FreeFlow ready only and NFS client is disabled security but workflow and restricted AutoFS is disabled e g with a needto legacy To enable telnet go net lt hostname gt and integrate DigiPath to Setup FTP home lt username gt are FreeFlow workflow Remote not automatically Digipath Diagnostics mounted NFS server is filtered via RPC tab Walkup user can reprint from CD_ROM Terminal window is password protected
39. s This is part of the network configuration procedure 22 Security Guide 2 Select the ADS tab and enter in the fully qualified domain name of the ADS domain 3 Click Join button to join the Xerox FreeFlow Print Server to the ADS domain specified NOTE f DNS is not enabled the Join button will not be available Map the ADS groups to the Print Server user groups From the Setup menu Users amp Groups option select the ADS Groups tab A member of the System Administrators group can specify view and edit the mapping of ADS Groups to the three Xerox FreeFlow Print Server user groups Administrators Operator Users permitted to log on to the printer Log on to the system with ADS user names pi From the Logon menu select ADS for authentication then log on to the system with your ADS user name and password NOTE For this feature to work Administrators must ensure that DNS is enabled the Xerox FreeFlow Print Server is configured to join the ADS domain and ADS groups are mapped to the Xerox FreeFlow Print Server user groups Troubleshoot ADS Limiting access IP Filtering Refer to the online help feature when troubleshooting ADS The Xerox FreeFlow Print Server provides options that allow the administrator to block or limit access to the system IP Filtering allows the administrator to block IP addresses and provides access to services such as LPR IPP HTT
40. the new profile as current and enable the Automatic Logon feature by selecting the checkbox under the General tab When Automatic Logon is enabled a user account must be specified The default is set to automatically log on as user When Automatic Logon is disabled the Xerox FreeFlow Print Server will not launch completely until users log on via a logon window This window will appear before the Xerox FreeFlow Print Server UI is displayed and will require users to manually log on before accessing the Xerox FreeFlow Print Server NOTE When the Automatic Logon feature is enabled users are X not required to log on to gain access to the system In this case the allowed access to the Xerox FreeFlow Print Server is established by the privileges of the user account in Automatic Logon For example if Automatic Logon is enabled and the user account is Administrators then the Xerox FreeFlow Print Server will be open and all access to the Xerox FreeFlow Print Server will be granted 18 Security Guide Default Screen Auto Logoff Password security p5 Under Setup System Preferences Default Screen any member of the operator or system administrators group can select which of the Xerox FreeFlow Print Server screens Job or Print the UI should return to after a specified amount of time 1 10 minutes of inactivity i e no movement from the keyboard or mouse When the time out occurs the user will also be changed to the user account specified
41. ver may not be secure Use the HTTPs qualifier to guarantee a secure interaction Tomcat web server Required for the functionality of the Xerox FreeFlow Print Server Internet Services gateway and the Xerox Remote Services application IPP Required for job submissions from the FreeFlow Print Manager and or a Digipath FreeFlow 2 0 client The IPP gateway can be enabled disabled under Setup gt Gateways gt IPP tab Connections can also be filtered using the IP Filter feature under Setup gt IP Filter Sun RPC Used by many different clients including DigiPath FreeFlow and Xerox FreeFlow Print Server Remote WorkFlow DRW and network services such as NIS Typically used to establish a connection to the server which then redirects the connection to another open port using OS level port management This service is shutdown when Xerox FreeFlow Print Server security is set to high Connections can also be filtered using the IP Filter feature under Setup gt Security Profiles gt lt Any Profile gt gt RPC tab Used for SNMP message exchange and traps The SNMP gateway can be enabled disabled under Setup gt Gateways gt SNMP Required when in an environment where connection to a WINS server is necessary WINS service can be enabled disabled under Setup gt Network Configuration gt WINS tab Socket Raw TCP IP Printing Required if jobs will be submitted via the socket gateway The s
42. y Guide System Service Description Secure Network Settings Secure Sendmail Security Warning Banners Force sendmail to only handle outgoing mail No incoming mail will be handled by sendmail Enable security warning banners to be displayed when a user logins or telnets into the Xerox FreeFlow Print Server The warning message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials Table 2 3 INIT tab RC2 section RC2 Service Description S40LLC2 Class Il logical link control driver S47ASPPP Asynchronous PPP link manager This service is re enabled via enable remote diagnostics command S70UUCP UUCP server S71LDAP CLIENT S72AUTOINSTALL S72SLPD S73cachefs daemon S73NFS CLIENT S74XNTPD S74AUTOFS S80SPC S88SENDMAIL S89bdconfig S90WBEM S93cacheos finish S94ncalogd S95ncad LDAP daemon to cache server and client information for NIS lookups Script executed during stub JumpStart or AUTOINSTALL JumpStart Service Location Protocol daemon Starts cachefs file systems NFS client service Disables the statd service which is only required if your system is an NFS server or a client The automountd service is only required if your system uses NFS to automatically mount file systems Stopping the autofs subsystem will kill the running automountd daemon and unmount any autofs file systems cur
Download Pdf Manuals
Related Search