Version 6.
Prepared by: Xerox Corporation Global Knowledge and Language Services 800 Philips Road Bldg. 845-17S Webster, New York 14580 USA ©2007 by Xerox Corporation. All rights reserved. Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory judicial law or hereinafter granted, including without limitation, material generated from the software programs displayed on the screen such as icons, screen displays, or looks.
Table of contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 About this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 Customer support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 System supplied security profiles . . .
Tab l e of c o n te nts Audit Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 GUI Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21 User Activity on the System . . . . . . . . . . . . . . . . . . . . . . . 2-22 Date/Time User Login/Logout . . . . . . . . . . . . . . . . . . . . . . 2-22 Changing individual passwords . . . . . . . . . . . . . . . . . . . . 2-22 Accessing the Xerox FreeFlow Print Server through ADS . . .
Introduction The Security Guide provides the information needed to perform system administration tasks for maintaining the Xerox FreeFlow® Print Server. About this guide This guide is intended for network and system administrators responsible for setting up and maintaining Xerox printers with Xerox FreeFlow Print Server software. System administrators should have an understanding of the Sun workstation, a familiarity with Solaris, and with basic UNIX commands.
Customer support To place a customer service call, dial the direct TTY number for assistance. The number is 1-800-735-2988.
Security This section describes the Xerox FreeFlow® Print Server systemsupplied security profiles. It outlines the characteristics of each profile and indicates how each can be customized to create userdefined profiles. The enhanced security features in the Xerox FreeFlow Print Server protect the system against unauthorized access and modification. This section also addresses the options available to the administrator in setting up and managing user accounts.
Profile Characteristics User FTP is enabled. Telnet, rsh is disabled. NFS client is enabled. AutoFS is enabled. Walkup users can reprint from “Saved Jobs” and CD-ROM. Terminal window is password protected. Auto-login is enabled. First choice setting for most environments. Medium FTP is disabled. telnet, rsh is disabled. NFS client is disabled. AutoFS is disabled, e.g.; / net/and home/ are not automatically mounted). NFS server is filtered via RPC tab.
Enable and disable services The following tables provide a list of the services that can be enabled and disabled from the Xerox FreeFlow Print Server “Setup > Security Profiles” menu options. NOTE: Services list may vary, depending on the product. Table 2-2 “System” tab System Service Allow_host.equiv_plus Description Background: The /etc/hosts.equiv and /.rhosts files provide the remote authentication database for rlogin, rsh, rcp, and rexec.
System Service Description Secure Network Settings Secure Sendmail Force sendmail to only handle outgoing mail. No incoming mail will be handled by sendmail. Security Warning Banners Enable security warning banners to be displayed when a user logins or telnets into the Xerox FreeFlow Print Server. The warning message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials.
RC2 Service Description slp uucp Table 2-4 “INIT” tab RC3 section RC3 Service Description S15NFS.SERVER NFS Server. Disable ability to export Xerox FreeFlow Print Server file systems. This service is enabled if legacy DigiPath/FreeFlow® and Decomposition Services (NetAgent) are enabled. S17HCLNFS.DAEMON S25openssh.server OpenSSH server. S17BWNFS.DAEMON Secure mounted file systems. There are two shared file systems that are exported by the Xerox FreeFlow Print Server.
INETD Service 8 Description daytime Daytime Protocol server Displays the date and time. Used primarily for testing. Not used by the Xerox FreeFlow Print Server. discard Discard Protocol server Discards everything sent to it.Used primarily for testing. Not used by the Xerox FreeFlow Print Server. dtspc CDE sub-process Control Service CDE sub-process Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely.
INETD Service Description name DARPA trivial name server in.tnamed is a server that supports the DARPA Name Server Protoco. Seldom used anymore. Not used by Xerox FreeFlow Print Server. ocfserv OCF server The OCF server, ocfserv, is a per-host daemon that acts as the central point of communications with all smartcards connected to the host. Applications that need to use a smartcard can do so by using the APIs in libsmartcard.so or smartcard.jar.
INETD Service Description sadmind Distributed system administration daemon Used by Solstice AdminSuite applications to perform distributed system administration. Not used by the Xerox FreeFlow Print Server. shell Remote execution server Used by rsh(1) and rcp(1) commands. The Xerox print command line client relies on the remote shell internet service being enabled since it uses the rcp(1) command to transfer files onto the Xerox FreeFlow Print Server. However, this service represents a security risk.
Solaris file permissions Secure File Permission options can be enabled or disabled through the Xerox FreeFlow Print Server interface. Fix-modes include: • fixmodes-xerox: fix file permissions for all packages to make them more secure. Available under the System tab under the “Secure File Permissions” drop-down menu. • fixmodes-solaris: fix file permissions only for Solaris packages to make them more secure. Available under the System tab under the “Secure File Permissions” dropdown menu.
NOTE: All of these services are prohibited with a 'high' security setting, but if they are re-enabled manually the hostname information will remain hidden. Sendmail daemon secured Sendmail is forced to perform only outgoing mail. No incoming mail will be accepted. Network parameters secured Sun's nddconfig security tool is run. For additional information, view Sun's document, Solaris Operating Environment Network Settings for Security, at http://www.sun.com/solutions/ blueprints/1200/network-updt1.pdf.
Security warning banners Security warning banners are displayed when a user logs in or telnets into the Xerox FreeFlow Print Server. This message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials. NOTE: DRW (Xerox FreeFlow Print Server Remote Workflow) is not impacted by security settings.
Creating user-defined profiles To create a customized profile, the administrator can copy and edit any security profile according to the needs of the customer environment. This new user profile can be selected, edited, set as current, set as default, or deleted. Setting the current and default profiles The administrator can select any profile and set it as the Current Profile.
between 2-8 characters in length and is case sensitive. • The user name is a string of characters from the set of alphabetic characters (a-z, A-Z), numeric characters (0-9), period (.), underscore (_), and hyphen (-); the first character must be alphabetic and the string must contain at least one lower case alphabetic character. • Each account has the following attributes: user name, password, user group, account disabled/enabled, and comments. • The maximum number of user accounts is 25,000.
Creating user accounts The Xerox FreeFlow Print Server user interface enables the Administrator to manage accounts easily by selecting [Setup], [Users & Groups], and the [Users] tab. When the administrator selects the Users tab, a pop-up window appears that enables the administrator to create, edit, or delete an account and indicate whether the account should be enabled or disabled.
Function Users Operators Administrat ors (sa and cse) Changeable via GUI Reprint Management Enabled Enabled Enabled No Printer Manager(Finish ing, Image Quality …etc) - - Enabled No Resource Management(L CDS Resources, PDL Fonts, Forms, ….
Function Users Operators Administrat ors (sa and cse) Changeable via GUI Setup (Security profile, SSL/ TLS, IP Filter) - - Enabled No Setup (Users & Groups) - - Enabled No Change password Self Self Enabled No Service Diagnostics - - Enabled No Customer Diagnostics Enabled Enabled Enabled Yes Backup / Restore - Enabled Enabled No Comment Auto-Logon The Automatic Logon feature enables or disables the ability of users to directly access the Xerox FreeFlow Print Server, inclu
Default Screen/Auto-Logoff Under [Setup/System Preferences/Default Screen], any member of the operator or system administrators group can select which of the Xerox FreeFlow Print Server screens (Job or Print) the UI should return to after a specified amount of time (1-10 minutes) of inactivity (i.e. no movement from the keyboard or mouse). When the time-out occurs, the user will also be changed to the user account specified for auto-logon.
NOTE: Please be aware that Xerox Customer Support Personnel must have access to the new root password for service and support. It is the customer's responsibility to ensure that the root and system administrator passwords are available for them. Strong Passwords The Xerox FreeFlow Print Server provides additional security for users required to adhere to strict security guidelines. It provides a means in which a strong password policy can be enforced.
function will only apply to failed login attempts via the Xerox FreeFlow Print Server UI and does not apply to the root (su) user. How to Enable/Disable Login Attempts • From the Setup menu select [Users and Groups] • From the Policies drop down menu select [Password] • Enable/Disable Login Attempts from the Password Policies window. The default setting is “Disable”. Password Expiration The System Administrator can set a password expiration via the Solaris Management Control.
User Activity on the System When the High security profile is enabled, the Solaris Basic Security Module (BSM) is activated. Date/Time User Login/Logout This information is kept in the authlog and syslog in the /var/log directory. Login/Logout to the Xerox FreeFlow Print Server is tracked as well as Network Login/Logout.
2. Select the ADS tab, and enter in the fully qualified domain name of the ADS domain. 3. Click “Join…” button to join the Xerox FreeFlow Print Server to the ADS domain specified. NOTE: If DNS is not enabled, the “Join...” button will not be available. Map the ADS groups to the Print Server user groups From the Setup menu, Users & Groups option, select the ADS Groups tab.
Specified Connections. Additional subnet mask can also be specified. Refer to online help for detailed descriptions of IP Filtering property tabs such as: General tab, System tab, INIT tab, INETD tab, RPC tab. Remote Workflow Remote Workflow allows for a remote connection to the Xerox FreeFlow Print Server controller. The administrator can limit access through the Xerox FreeFlow Print Server interface [Setup > System Preferences menu option].
2. Use an existing certificate obtained from a certificate authority (i.e. VeriSign, Thawte, etc.) When SSL is disabled When SSL is disabled (off), other web-based logins provided by the Xerox FreeFlow Print Server may not be secure (encrypted).
NOTE: During steps 2-5, the user may go back and correct any mistakes made in previous steps. – Click on the 'Enable SSL/TLS' checkbox at the top of the SSL/ TLS window.
Digital Certificates SSL/TLS cannot be enabled unless a digital certificate has been installed on the system, using the Add Certificate button. Installing a digital certificate can only be done by someone with administrator privileges. The administrator selects SSL/TLS from the [Setup] Menu and clicks on the [Add Certificate] button. This invokes the Add Certificate wizard. There are two options regarding digital certificates. One option is “Self-signed certificate”.
Network Protocol HTTP Required Used when connecting to the server via the HTTP gateway. Connections can also be filtered using the IP Filter feature under Setup -> IP Filter. NOTE: When SSL is disabled (off) other web-based logins provided by the Xerox FreeFlow Print Server may not be secure. Use the HTTPs qualifier to guarantee a secure interaction.
Network Protocol Required FTP Access the server via FTP and/or submit jobs from a DigiPath/ FreeFlow client via the Digipath/FreeFlow Print Manager. This service (ftpd) is shutdown when Xerox FreeFlow Print Server security is set to high. In FreeFlow v2.0, the client has the ability to use secure FTP (sFTP) when Xerox FreeFlow Print Server security is set to high and FTP is not available.
Prevent Unauthorized Queue Changes Queue Lock • Queues can be locked and unlocked by the System Administrator. • Properties of a locked queue cannot be changed without first unlocking the queue. • Locked queues can only be deleted by the System Administrator. • Locked queues can be copied by an Operator. The resulting new queue will not be locked. • An Operator can change the Accept/Do Not Accept Jobs and Release/Do Not Release Jobs attributes on a locked queue.
updated to the newer version. Any security patch that is determined to have a negative impact to Xerox FreeFlow Print Server operation will not be added. Customer Responsibilities The administrator has the primary responsibility for maintaining the security of the network within the customer's site. It is important that network security is continuously monitored and maintained, and that appropriate security policies are established and followed.
Virus Scan The Xerox FreeFlow Print Server runs on the Solaris 10 Operating System (OS). This OS makes the Xerox FreeFlow Print Server less susceptible to virus and worms. Online Help for security A great deal of helpful security information can be found in Online Help. Sun's security tools and blueprints may be found at: http://www.sun.com/solutions/blueprints/ Other security information, including alerts, may be found at: http://sunsolve.sun.com/pub-cgi/ show.pl?target=security/sec http://www.cert.
