Common Criteria Installation Supplement and Administrator Guide
November 2011
www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners.
© 2011 Lexmark International, Inc. All rights reserved.
Edition notice
November 2011
The following paragraph does not apply to any country where such provisions are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
Contents
Overview and first steps ... 5
Overview ... 5
Using this guide ... 5
Supported devices ...
Creating security templates using the EWS ... 32
Controlling access to device functions ... 33
Configuring PKI Held Jobs ... 33
Controlling access to device functions using the EWS ...
Overview and first steps
Overview
This guide describes how to configure a supported Lexmark™ multifunction printer (MFP) to reach Common Criteria Evaluation Assurance Level 2 (EAL 2). It is critical that you carefully follow the instructions in this guide, as failure to do so may result in a device that does not meet the requirements of the evaluation.
Operating environment
The instructions provided in this guide are based on the following assumptions and objectives:
• The MFP is installed in a cooperative, nonhostile environment that is physically secure or monitored and provides protection from unauthorized access to MFP external interfaces.
• The administration platform and local area network are physically and logically secure.
Attaching a lock
Once a lock is attached, the metal plate and system board cannot be removed, and the security jumper cannot be accessed without causing visible damage to the device.
Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must attach a lock to both the scanner and the printer.
1 Verify that the MFP case is closed.
2 Locate the security slot, and then attach a lock.
3 Verify that the MFP is in Configuration mode by locating the Exit Config Menu icon in the lower right corner of the touch screen.
4 Scroll through the configuration menus to locate the Disk Encryption menu selection.
5 Touch Disk Encryption > Enable.
Warning: Enabling disk encryption will erase the contents of the hard disk.
6 The following message appears: Contents will be lost. Continue?
• Touch Yes to proceed with disk wiping and encryption.
Installing the minimum configuration
You can achieve an evaluated configuration on a non-networked (standalone) device in just a few steps. For this configuration, all tasks are performed at the device, using the touch screen.
Configuring the device
Configuration checklist
This checklist outlines the steps required to implement an evaluated configuration on a standalone device. For information about additional configuration options, see “Administering the device” on page 15.
3 Retype the password, and then touch Done to save the new password and return to the Edit Backup Password screen.
4 Set Use Backup Password to On.
5 Touch Submit.
Creating user accounts
Creating internal (device) accounts for use with the evaluated configuration involves not only assigning a user ID and password to each user, but also segmenting users into groups.
Group name: Authenticated_Users
Type of user the group would be selected for:
• Administrators permitted to access all device functions
• Administrators permitted to use device functions and access the Reports menu
• Administrators permitted to use device functions and access the Security menu
• Non‑administrators (all other users)
Step 2: Creating accounts
1 From the home screen, touch > Security > Edit Security Setups > Edit Building Blocks > Internal Accounts > General Settings.
3 Type a unique name to identify the template. Use a descriptive name, such as “Administrator_Only” or “Authenticated_Users,” and then touch Done.
4 On the Authentication Setup screen, select the internal accounts building block, and then touch Done.
5 On the Authorization Setup screen, select the internal accounts building block, and then touch Done.
6 Select one or more groups to be included in the template, and then touch Done to save your changes and return to the Edit Security Templates screen.
Access control: Level of protection
Paper Menu at the Device: Authenticated users only
Paper Menu Remotely: Authenticated users only
Reports Menu at the Device: Administrator access only
Reports Menu Remotely: Administrator access only
Settings Menu at the Device: Administrator access only
Settings Menu Remotely: Administrator access only
Network/Ports Menu at the Device: Administrator access only
Network/Ports Menu Remotely: Administrator access only
Manage Shortcuts at the Device: Authenticated users only
Held Jobs Access: Disabled
Use Profiles: Authenticated users only
Change Language from Home Screen: Authenticated users only
Cancel Jobs at the Device: Administrator access only
PictBridge Printing: Not applicable (USB port disabled)
Solution 1: Authenticated users only
Note: When eSF applications are configured, Solution 1 controls access to Held Jobs.
Administering the device
This chapter describes how to configure additional settings and functions that may be available on your device.
Using the Embedded Web Server
Many settings can be configured using either the Embedded Web Server (EWS) or the touch screen.
Accessing the EWS
1 Type the device IP address or host name in the address field of your Web browser using the secure version of the page (with the address beginning “https://”).
• Country/Region—Type the country or region where the company or organization issuing the certificate is located (2‑character maximum).
• Province Name—Type the province where the company or organization issuing the certificate is located.
• City Name—Type the city where the company or organization issuing the certificate is located.
• Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, enter an IP address using the format IP:255.255.255.255.
The contents of the file should be in the following format:
-----BEGIN CERTIFICATE-----
MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs
…
l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ==
-----END CERTIFICATE-----
• Download Signing Request—Download or save the signing request as a .csr file.
• Install Signed Certificate—Upload a previously signed certificate.
Disabling the AppleTalk protocol
IP is the only network protocol permitted under this evaluation. The AppleTalk protocol must be disabled.
Using the EWS
Note: For information about accessing the EWS, see “Using the Embedded Web Server” on page 15.
1 From the Embedded Web Server, click Settings > Network/Ports > AppleTalk.
2 Verify that the Activate check box is cleared, and then click Submit.
Using the touch screen
1 From the home screen, touch > Network/Ports > Standard Network > STD NET SETUP.
3 Click Submit.
Other settings and functions
Network Time Protocol
Use Network Time Protocol (NTP) to automatically sync MFP date and time settings with a trusted clock so that Kerberos requests and audit log events will be accurately time‑stamped.
Note: If your network uses DHCP, then verify that NTP settings are not automatically provided by the DHCP server before manually configuring NTP settings.
Using the EWS
1 From the Embedded Web Server, click Settings > Security > Set Date and Time.
3 Under Simple Kerberos Setup, for KDC Address, type the IP address or host name of the KDC (Key Distribution Center).
4 For KDC Port, type the number of the port used by the Kerberos server.
5 For Realm, type the realm used by the Kerberos server.
Note: The Realm entry must be typed in all uppercase letters.
6 Click Submit to save the information as a krb5.conf file.
Note: Because only one krb5.
3 Type the IP address or host name of the Remote Syslog Server, and then select the Enable Remote Syslog check box.
Note: The Enable Remote Syslog check box is unavailable until an IP address or host name is entered.
4 Type the Remote Syslog Port number used on the destination server.
5 For Remote Syslog Method, select Normal UDP or Stunnel (if implemented on the destination server).
6 For “Severity of events to log,” select 5 ‑ Notice.
9 If you want the MFP to add a digital signature to e-mail alerts, then set “Digitally sign exports” to On.
10 For “Severity of events to log,” select 5 ‑ Notice. The chosen severity level and anything higher (0–4) will be logged.
11 If you want the MFP to send all events regardless of severity to the remote server, then set “Remote Syslog non‑logged events” to Yes.
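The two syslog settings above (the severity level, and whether non‑logged events are still forwarded) are easy to misread because syslog numbers severities so that a lower number is more severe. The following Python is an added example, not Lexmark code: it parses the <PRI> header of syslog lines, applies the “5 ‑ Notice” threshold, and shows which constructed sample events the remote server would receive under each setting.

```python
"""Remote syslog severity filter for MFP audit events (added example, not Lexmark code).

The guide sets "Severity of events to log" to 5 - Notice and states that the
chosen level and anything higher (0-4) is logged, and that "Remote Syslog
non-logged events" = Yes forwards the remaining events anyway.  Syslog numbers
severities so that a LOWER number is MORE severe (0 = Emergency, 7 = Debug),
which is why "5 and higher" means 0..5.  The sample lines are constructed.
"""
import re

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# RFC 3164 framing: "<PRI>Mmm dd hh:mm:ss host message", PRI = facility*8 + severity
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def split_pri(line):
    """Return (facility, severity, rest); ValueError if the <PRI> header is missing or invalid."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:          # 24 facilities * 8 levels - 1
        raise ValueError("no valid <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def is_logged(severity, threshold=5):
    """True when the event is within the configured range 0..threshold."""
    return severity <= threshold


def forward_events(lines, threshold=5, forward_non_logged=False):
    """Apply the two guide settings to a batch of lines.

    Returns (logged, forwarded_only): lines kept by the severity setting and,
    when forward_non_logged is True, the remaining lines that are still sent
    to the remote syslog server.
    """
    logged, extra = [], []
    for line in lines:
        _facility, severity, _rest = split_pri(line)
        if is_logged(severity, threshold):
            logged.append(line)
        elif forward_non_logged:
            extra.append(line)
    return logged, extra


# Constructed sample lines, facility 4 (security/authorization):
# PRI 35 = 4*8+3 Error, 37 = Notice, 38 = Informational, 39 = Debug.
SAMPLE_LINES = [
    "<35>Nov 14 09:12:01 mfp-lobby login: authentication failed for user jsmith",
    "<37>Nov 14 09:12:40 mfp-lobby login: user jsmith authenticated",
    "<38>Nov 14 09:13:02 mfp-lobby job: print job 42 released",
    "<39>Nov 14 09:13:03 mfp-lobby net: DHCP lease renewed",
]

if __name__ == "__main__":
    kept, extra = forward_events(SAMPLE_LINES, threshold=5, forward_non_logged=True)
    for line in kept:
        print("logged [%s]: %s" % (SEVERITY_NAMES[split_pri(line)[1]], line))
    for line in extra:
        print("forwarded as non-logged event: %s" % line)
```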
3 Type the Primary SMTP Gateway Port number of the destination server.
4 If you are using a secondary or backup SMTP server, then type the IP address or host name and SMTP port for that server.
5 For SMTP Timeout, type the number of seconds (5–30) the device will wait for a response from the SMTP server before timing out.
6 If you want to receive responses to messages sent from the MFP (in case of failed or bounced messages), then type a Reply Address.
6 If you want to receive responses to messages sent from the MFP (in case of failed or bounced messages), then provide a Reply Address.
7 Set Use SSL to Disabled, Negotiate or Required to specify whether e-mail will be sent using an encrypted link.
8 If the SMTP server requires user credentials, then select a method for SMTP Server Authentication.
9 Set Device‑Initiated E‑mail to Use Device SMTP Credentials.
Setting up a fax storage location (optional)
1 Turn off the MFP using the power switch.
2 Simultaneously press and hold the 2 and 6 keys on the numeric keypad while turning the MFP back on. It takes approximately a minute to boot into the Configuration menu. Once the MFP is ready, the touch screen displays a list of functions instead of standard home screen icons such as Copy and Fax.
Example: Employees in the warehouse will be given access to black‑and‑white printing only, administrative office staff will be able to print in black and white and send faxes, and employees in the marketing department will have access to black‑and‑white printing, color printing, and faxing.
5 Click Settings > Security > Security Setup > Internal Accounts.
6 Click Add an Internal Account, and then provide the information needed for each account:
• Account Name—Type the user's account name (example: “Jack Smith”).
• User ID—Type an ID for the account (example: “jsmith”).
• Password—Passwords must:
– Contain a minimum of 8 characters.
– Contain at least one lowercase letter, one uppercase letter, and one non‑alphabetic character.
– Not be dictionary words or a variation of the user ID.
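The password rules above are checked by the device when an internal account is created; an administrator who pre-screens passwords or audits an account list wants the same rules in code. The following Python is an added example, not Lexmark code. The guide does not define “variation of the user ID,” so the check used here (the user ID or its reverse appearing in the password, case-insensitive, after digits and symbols are stripped) and the small word list are assumptions.

```python
"""Internal-account password check for the policy in this guide (added example, not Lexmark code).

Rules from the guide: at least 8 characters; at least one lowercase letter,
one uppercase letter and one non-alphabetic character; not a dictionary word
or a variation of the user ID.  "Variation" is not defined by the guide, so
the interpretation below is an assumption: the user ID (or its reverse)
appears inside the password, case-insensitive, once digits and symbols are
stripped.  The word list is a constructed stand-in for a real dictionary.
"""
import re

# Constructed sample dictionary; a real deployment would load a full word list.
SAMPLE_DICTIONARY = frozenset({"password", "printer", "welcome", "lexmark", "summer"})


def _letters_only(text):
    """Lower-case the text and drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", text.lower())


def is_user_id_variation(password, user_id):
    """Assumed meaning of 'variation of the user ID' (see module docstring)."""
    core = _letters_only(user_id)
    if len(core) < 3:                 # too short for a meaningful match
        return False
    candidate = _letters_only(password)
    return core in candidate or core[::-1] in candidate


def is_dictionary_word(password, dictionary):
    """True when the password's letters, ignoring case, digits and symbols, form a listed word."""
    return _letters_only(password) in dictionary


def check_password(password, user_id, dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(not c.isalpha() for c in password):
        problems.append("no non-alphabetic character")
    if is_dictionary_word(password, dictionary):
        problems.append("dictionary word")
    if is_user_id_variation(password, user_id):
        problems.append("variation of the user ID")
    return problems


if __name__ == "__main__":
    # Constructed candidates for the user ID "jsmith" from the guide's example.
    for pw in ("jsmith1!", "Password1!", "Jsmith2011!", "Tr4ck-Loop%Quay"):
        print("%-18s %s" % (pw, ", ".join(check_password(pw, "jsmith")) or "OK"))
```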
• Mail Attribute—Type the mail attribute.
• Full Name Attribute—Type the full name attribute.
• Search Base—Specify the node in the LDAP server where user accounts reside. Multiple search bases can be entered, separated by semicolons.
Note: A search base consists of multiple attributes, such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain), separated by semicolons.
• Search Timeout—Specify a value from 5 to 30 seconds.
• Full Name Attribute—Type the full name attribute.
• Search Base—Specify the node in the LDAP server where user accounts reside. Multiple search bases can be entered, separated by semicolons.
Note: A search base consists of multiple attributes, such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain), separated by semicolons.
• Search Timeout—Specify a value from 5 to 30 seconds.
Touch Submit to save the settings and return to the General Information screen.
Configuring Common Access Card access
A set of Public Key Infrastructure (PKI) embedded applications comes installed on the MFP. These applications provide for additional functionality, including the use of Smart Cards such as the Department of Defense Common Access Card (CAC). For more information on using a card reader with your MFP, see “Using a Common Access Card to access the printer” on page 50.
Note: You must configure Kerberos before setting up CAC access.
• Domain—This is the card domain that should be mapped to the specified realm. This is the principal name used on the card and should be listed by itself, followed by a comma, a period, and then the principal name again. This value is case‑sensitive and usually appears in lowercase. Multiple values can be entered, separated by commas. Example: If a U.S. DoD Common Access Card uses “123456789@mil” to identify a user, then “mil” is the principal name. In this case, you would enter the domain as mil,.mil.
Creating security templates using the EWS
A security template is assigned to each device function to control which users are permitted to access that function. At a minimum, you must create two security templates: one for “Administrator_Only” and one for “Authenticated_Users.” If there is a need to grant access to some functions while restricting others, then you can create additional security templates, such as “Administrator_Reports” or “Color_User.”
Notes:
• Clicking Delete List from the Manage Security Templates screen will delete all security templates on the MFP, regardless of which one is selected. To delete an individual security template, select it from the list, and then click Delete Entry.
• You can delete a security template only if it is not in use; however, security templates currently in use can be modified.
• Verify Job Expiration—This can be set to Off, Same as Confidential Print, or one of four intervals ranging from one hour to one week.
• Repeat Job Expiration—This can be set to Off, Same as Confidential Print, or one of four intervals ranging from one hour to one week.
8 Under Advanced Settings, select the Require All Jobs to be Held and Clear Print Data check boxes.
9 Click Apply.
Access control: Level of protection
Network/Ports Menu at the Device: Administrator access only
Network/Ports Menu Remotely: Administrator access only
Manage Shortcuts at the Device: Authenticated users only
Manage Shortcuts Remotely: Authenticated users only
Supplies Menu at the Device: Authenticated users only
Supplies Menu Remotely: Authenticated users only
Option Card Configuration at the Device: Administrator access only
Option Card Configuration Remotely: Administrator access only
Managem
Use Profiles: Authenticated users only
Change Language from Home Screen: Authenticated users only
Cancel Jobs at the Device: Administrator access only
PictBridge Printing: Not applicable (USB port disabled)
Device Solutions
Access control: Level of protection
Solution 1: Authenticated users only
Note: When eSF applications are configured, Solution 1 controls access to Held Jobs.
Troubleshooting
Login issues
“Unsupported USB Device” error message
MAKE SURE A SUPPORTED SMART CARD READER IS ATTACHED
Only the OmniKey reader that came with the printer is supported. Remove the unsupported reader and attach the OmniKey reader.
The printer home screen fails to return to a locked state when not in use
Try one or more of the following:
MAKE SURE THE AUTHENTICATION TOKEN IS INSTALLED AND RUNNING
1 From the Embedded Web Server, click Settings > Device Solutions > Solutions (eSF).
“The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” error message
This error indicates that the printer clock is more than five minutes out of sync with the domain controller clock.
VERIFY THE DATE AND TIME ON THE PRINTER
1 From the Embedded Web Server, click Settings > Security > Set Date and Time.
2 If you have manually configured date and time settings, then verify and correct them as needed.
“The Domain Controller Issuing Certificate has not been installed” error message
MAKE SURE THAT THE CORRECT CERTIFICATE HAS BEEN INSTALLED ON THE PRINTER
For information on installing, viewing, or modifying certificates, see “Creating and modifying digital certificates” on page 15.
“Realm on the card was not found in the Kerberos Configuration File” error message
This error occurs during Smart Card login.
UPLOAD A KERBEROS CONFIGURATION FILE AND MAKE SURE THE REALM HAS BEEN ADDED TO THE FILE
The PKI Authentication settings do not support multiple Kerberos Realm entries. If multiple realms are needed, then you must create and upload a krb5.conf file containing the needed realms.
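Simple Kerberos Setup (under Kerberos settings earlier in this guide) writes a single realm into krb5.conf, and the error above is what you see when a card's realm is absent from that file. The following Python is an added example, not Lexmark code: it renders a multi-realm krb5.conf in standard krb5.conf syntax (an assumption, since the guide does not show the file layout), enforces the guide's uppercase-realm rule, and checks a card realm against the realms the file declares. The realm, KDC and domain values are constructed placeholders.

```python
"""Multi-realm krb5.conf builder and card-realm check (added example, not Lexmark code).

Standard krb5.conf syntax is assumed (the guide does not show the file layout).
The realms, KDCs and domains below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class RealmEntry:
    realm: str                      # must be all uppercase, as the guide requires
    kdc: str                        # KDC IP address or host name
    port: int = 88                  # KDC port
    domains: Tuple[str, ...] = ()   # DNS domains mapped to the realm, e.g. ("mil", ".mil")


def validate_entry(entry: RealmEntry) -> None:
    """Reject values that would make the uploaded file unusable on the MFP."""
    if not entry.realm or entry.realm != entry.realm.upper():
        raise ValueError("realm must be non-empty and uppercase: %r" % entry.realm)
    if not 1 <= entry.port <= 65535:
        raise ValueError("KDC port out of range: %d" % entry.port)
    if not entry.kdc or any(ch.isspace() for ch in entry.kdc):
        raise ValueError("KDC must be one host name or IP address: %r" % entry.kdc)


def build_krb5_conf(entries: List[RealmEntry], default_realm: Optional[str] = None) -> str:
    """Render [libdefaults], [realms] and [domain_realm] for every entry."""
    if not entries:
        raise ValueError("at least one realm is required")
    for entry in entries:
        validate_entry(entry)
    default = default_realm or entries[0].realm
    if default not in {e.realm for e in entries}:
        raise ValueError("default realm %r is not configured" % default)
    lines = ["[libdefaults]", "    default_realm = %s" % default, "", "[realms]"]
    for entry in entries:
        lines += ["    %s = {" % entry.realm,
                  "        kdc = %s:%d" % (entry.kdc, entry.port),
                  "    }"]
    lines += ["", "[domain_realm]"]
    for entry in entries:
        for domain in entry.domains:
            lines.append("    %s = %s" % (domain, entry.realm))
    return "\n".join(lines) + "\n"


def realms_in_conf(text: str) -> Set[str]:
    """Realm names declared in the [realms] section of a krb5.conf."""
    section = re.search(r"\[realms\](.*?)(?:\n\[|\Z)", text, re.S)
    if not section:
        return set()
    return set(re.findall(r"^\s*([A-Z0-9.\-]+)\s*=\s*\{", section.group(1), re.M))


def card_realm_known(text: str, card_realm: str) -> bool:
    """False is the condition behind the "Realm on the card was not found" error."""
    return card_realm.upper() in realms_in_conf(text)


# Constructed placeholders; replace with your own realms and KDCs.
SAMPLE_ENTRIES = [
    RealmEntry("EXAMPLE.MIL", "kdc1.example.mil", 88, ("mil", ".mil")),
    RealmEntry("CORP.EXAMPLE.COM", "10.0.0.5", 88, (".corp.example.com",)),
]

if __name__ == "__main__":
    conf = build_krb5_conf(SAMPLE_ENTRIES)
    print(conf)
    print("EXAMPLE.MIL known:", card_realm_known(conf, "EXAMPLE.MIL"))
    print("OTHER.REALM known:", card_realm_known(conf, "OTHER.REALM"))
```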
LDAP issues
LDAP lookups take a long time and then fail
This issue can occur during login (at “Getting User Info”) or during address book searches. Try one or more of the following:
MAKE SURE PORT 389 (NON‑SSL) AND PORT 636 (SSL) ARE NOT BLOCKED BY A FIREWALL
The printer uses these ports to communicate with the LDAP server. The ports must be open for LDAP lookups to work.
Held Jobs/Print Release Lite issues
“You are not authorized to use this feature” Held Jobs error message
ADD THE USER TO THE APPROPRIATE ACTIVE DIRECTORY GROUP
If user authorization is enabled for Held Jobs, then add the user to an Active Directory group that is included in the authorization list for the Held Jobs function.
Jobs are printing out immediately
Try one or more of the following:
MAKE SURE PKI HELD JOBS IS INSTALLED AND RUNNING
1 From the Embedded Web Server, click Settings > Device Solutions > Solutions (eSF).
2 Verify that the PKI Held Jobs solution appears in the list of installed solutions and that it is in a “Running” state.
• If PKI Held Jobs is installed but is not running, then select the check box next to the application name, and then click Start.
Appendix A: Using the touch screen
Understanding the home screen
The screen located on the front of the MFP is touch‑sensitive and can be used to access device functions and navigate settings and configuration menus. The home screen looks similar to this (yours may contain additional icons):
[Home screen illustration: icons for Release Held Faxes, Copy, E-mail, Search Held Jobs, FTP, Held Jobs, and Status/Supplies, with the status line “Ready.”]
Touch on the lower right to access settings and configuration menus for the device.
To type a single uppercase or shift character, touch Shift, and then touch the letter or number you need to uppercase. To turn on Caps Lock, touch Caps, and then continue typing. Caps Lock will remain engaged until you touch Caps again.
[On‑screen keyboard illustration: Password field with the Caps and Shift keys, .com and .org shortcut keys, and the letter, number, and symbol keys]
Appendix B: Acronyms
Acronyms used in this guide
CA: Certificate Authority
CAC: Common Access Card
DC: Domain Controller
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name Service
DoD: Department of Defense
EAL: Evaluation Assurance Level
EWS: Embedded Web Server
GIF: Graphic Interchange Format
GSSAPI: Generic Security Service Applications Programming Interface
HTTP: Hypertext Transfer Protocol
HTTPS: Secure Hypertext Transfer Protocol
IP: Internet Protocol
IPSec: Internet Protocol
Appendix C: Description of access controls
Access controls
Depending on the device type and installed options, some access controls (referred to on some devices as Function Access Controls) may not be available for your printer.
Administrative Menus
Function access control: What it does
Configuration Menu: This protects access to the Configuration Menu.
Manage Shortcuts at the Device: This protects access to the Manage Shortcuts section of the Settings menu from the printer control panel.
Settings Menu Remotely: This protects access to the General and Print Settings sections of the Settings menu from the Embedded Web Server.
Supplies Menu at the Device: This protects access to the Supplies menu from the printer control panel.
Supplies Menu Remotely: This protects access to the Supplies menu from the Embedded Web Server.
Create Profiles: This controls the ability to create new profiles.
E‑mail Function: This controls access to the Scan to E‑mail function.
Fax Function: This controls access to the Scan to Fax function.
Flash Drive Color Printing: This controls the ability to print color from a flash drive. Users who are denied will have their print jobs printed in black and white.
Flash Drive Firmware Updates: This controls the ability to update firmware from a flash drive.
Appendix D: Using Common Access Cards
Using a Common Access Card to access the printer
1 Insert your Common Access Card into the card reader attached to the printer.
2 When prompted, enter your PIN using the keypad that appears on the touch screen, and then touch Next. It may take a moment for the printer to validate your credentials. After your credentials have been validated, the printer will return to the home screen.
Notices
LEXMARK SOFTWARE LICENSE AGREEMENT
PLEASE READ CAREFULLY BEFORE INSTALLING AND/OR USING THIS SOFTWARE: This Software License Agreement ("License Agreement") is a legal agreement between you (either an individual or a single entity) and Lexmark International, Inc.
c Reservation of Rights. The Software Program, including all fonts, is copyrighted and owned by Lexmark International, Inc. and/or its suppliers. Lexmark reserves all rights not expressly granted to you in this License Agreement.
d Freeware.
all copies of the Software Program together with all modifications, documentation, and merged portions in any form.
TAXES. You agree that you are responsible for payment of any taxes including, without limitation, any goods and services and personal property taxes, resulting from this Agreement or your Use of the Software Program.
LIMITATION ON ACTIONS.
Index
A
access controls: list of 47; setting at the device 12; using the EWS to set 34
acronyms 46
AppleTalk: disabling 18
assumptions 6
audit logging: configuring 20
authentication token 30
B
backup password: using the touch screen to enable 9
before configuring the device: verifying firmware 6; verifying physical interfaces 6
C
certificates: creating and modifying 15
Common Access Cards: how to use 50
controlling access to device functions: using the EWS 34; using the touch screen 12
D
date and time: setting 19
security audit log: configuring 20
security certificates: creating and modifying 15
security objectives 6
security reset jumper: enabling 25
security slot: finding 7
security templates: using the EWS to create 32; using the touch screen to create 11
setting date and time 19
shutting down port access 18
Smart Cards 50
SMTP settings: configuring 22
supported devices 5
syslog: configuring 20
T
touch screen: using the 44
troubleshooting: authentication failure 38; authorization to use Held Jobs 42; authorization to us
www.lexmark.com PN 3065326 Rev.