Content summary for page No. 1
Version 6.0, January 2007
701P46740
Xerox FreeFlow® Print Server
Security Guide
Content summary for page No. 2
Prepared by: Xerox Corporation Global Knowledge and Language Services 800 Philips Road Bldg. 845-17S Webster, New York 14580 USA ©2007 by Xerox Corporation. All rights reserved. Copyright protection claimed includes all forms and matters of copyrightable material and information now allowed by statutory judicial law or hereinafter granted, including without limitation, material generated from the software programs displayed on the screen such as icons, screen displays, or looks. Printed in th
Content summary for page No. 3
Table of contents
About this guide
Contents
Conventions
Customer support
System supplied security pro
Content summary for page No. 4
Table of contents
Audit Logs
GUI Logging
User Activity on the System
Date/Time User Login/Logout
Changing individual passwords
Accessing the Xerox FreeFlow Print Server through ADS
Limi
Content summary for page No. 5
Introduction
The Security Guide provides the information needed to perform system administration tasks for maintaining the Xerox FreeFlow® Print Server.
About this guide
This guide is intended for network and system administrators responsible for setting up and maintaining Xerox printers with Xerox FreeFlow Print Server software. System administrators should have an understanding of the Sun workstation, a familiarity with Solaris, and with basic UNIX commands. This includes the use of tex
Content summary for page No. 6
Customer support
To place a customer service call, dial the direct TTY number for assistance. The number is 1-800-735-2988.
For additional assistance, dial the following numbers:
• Service and software support: 1-800-821-2797
• Xerox documentation and software services: 1-800-327-9753
Content summary for page No. 7
Security
This section describes the Xerox FreeFlow® Print Server system-supplied security profiles. It outlines the characteristics of each profile and indicates how each can be customized to create user-defined profiles. The enhanced security features in the Xerox FreeFlow Print Server protect the system against unauthorized access and modification. This section also addresses the options available to the administrator in setting up and managing user accounts. Finally this section offer
Content summary for page No. 8
Profile: Low
Characteristics: FTP is enabled. Telnet, rsh is disabled. NFS client is enabled. AutoFS is enabled. Walkup users can reprint from “Saved Jobs” and CD-ROM. Terminal window is password protected. Auto-login is enabled.
User: First choice setting for most environments. Supports FreeFlow® workflow.
Compatibility: Similar to DocuSP 3.x “High”.
Comments: Anonymous FTP is read-only and restricted. To enable telnet, go to [Setup], [FTP/Remote Diagnostics].
Medium FTP is disabled. Environm
Content summary for page No. 9
Enable and disable services
The following tables provide a list of the services that can be enabled and disabled from the Xerox FreeFlow Print Server “Setup > Security Profiles” menu options.
NOTE: Services list may vary, depending on the product.
Table 2-2 “System” tab
System Service / Description
Allow_host.equiv_plus: Background: The /etc/hosts.equiv and /.rhosts files provide the remote authentication database for rlogin, rsh, rcp, and rexec. The files specify remote hosts and users that
Content summary for page No. 10
System Service / Description
Secure Network Settings
Secure Sendmail: Force sendmail to only handle outgoing mail. No incoming mail will be handled by sendmail.
Security Warning Banners: Enable security warning banners to be displayed when a user logs in or telnets into the Xerox FreeFlow Print Server. The warning message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials.
Table 2-3 “INIT” tab
Content summary for page No. 11
RC2 Service / Description
slp
uucp
Table 2-4 “INIT” tab RC3 section
RC3 Service / Description
S15NFS.SERVER: NFS Server. Disable ability to export Xerox FreeFlow Print Server file systems. This service is enabled if legacy DigiPath/FreeFlow® and Decomposition Services (NetAgent) are enabled.
S17HCLNFS.DAEMON
S25openssh.server: OpenSSH server.
S17BWNFS.DAEMON
Secure mounted file systems. There are two shared file systems that are exported by the Xerox FreeFlow Print Server. The two directories ar
Content summary for page No. 12
INETD / Service / Description
daytime / Daytime Protocol server: Displays the date and time. Used primarily for testing. Not used by the Xerox FreeFlow Print Server.
discard / Discard Protocol server: Discards everything sent to it. Used primarily for testing. Not used by the Xerox FreeFlow Print Server.
dtspc / CDE sub-process Control Service: CDE sub-process Control Service (dtspcd) is a network daemon that accepts requests from clients to execute commands and launch applications remotely. Not used
Content summary for page No. 13
INETD / Service / Description
name / DARPA trivial name server: in.tnamed is a server that supports the DARPA Name Server Protocol. Seldom used anymore. Not used by Xerox FreeFlow Print Server.
ocfserv / OCF server: The OCF server, ocfserv, is a per-host daemon that acts as the central point of communications with all smartcards connected to the host. Applications that need to use a smartcard can do so by using the APIs in libsmartcard.so or smartcard.jar. The internal implementation of these APIs
Content summary for page No. 14
INETD / Service / Description
sadmind / Distributed system administration daemon: Used by Solstice AdminSuite applications to perform distributed system administration. Not used by the Xerox FreeFlow Print Server.
shell / Remote execution server: Used by rsh(1) and rcp(1) commands. The Xerox print command line client relies on the remote shell internet service being enabled since it uses the rcp(1) command to transfer files onto the Xerox FreeFlow Print Server. However, this service represents a s
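The INETD table above marks several services as not used by the Xerox FreeFlow Print Server. As an added example (not part of the Xerox guide), the following shell function lists entries for those services that are still active in an inetd.conf-style file. The sample input is constructed, and the classic inetd.conf field layout is an assumption.

```shell
#!/bin/sh
# Added example, not from the Xerox guide. Flags active inetd.conf entries for
# services the INETD table describes as not used by the print server.
# Assumes the classic inetd.conf layout:
#   service  socket  protocol  wait-status  user  server-program  [args]
# On Solaris use nawk or /usr/xpg4/bin/awk (the old /usr/bin/awk lacks -v).
AWK=${AWK:-awk}
UNUSED="daytime discard dtspc name ocfserv sadmind"

# audit_inetd [FILE]: print "service protocol user" for every uncommented
# entry whose service name or daemon basename is in UNUSED. Reads stdin
# when FILE is omitted.
audit_inetd() {
    "$AWK" -v unused="$UNUSED" '
        BEGIN { n = split(unused, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }      # skip comments, blanks, short lines
        {
            d = $6; sub(/.*\//, "", d)     # RPC entries are named by number,
            hit = ""                       # so also match the daemon basename
            if ($1 in want) hit = $1
            else if (d in want) hit = d
            if (hit != "") print hit, $3, $5
        }' "${1:--}"
}

# Constructed sample input (not taken from a real system).
sample_inetd_conf() {
cat <<'EOF'
# constructed sample inetd.conf
daytime   stream tcp6    nowait root internal
daytime   dgram  udp6    wait   root internal
#discard  stream tcp6    nowait root internal
dtspc     stream tcp     nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
name      dgram  udp     wait   root /usr/sbin/in.tnamed in.tnamed
shell     stream tcp     nowait root /usr/sbin/in.rshd in.rshd
100232/10 tli    rpc/udp wait   root /usr/sbin/sadmind sadmind
ftp       stream tcp6    nowait root /usr/sbin/in.ftpd in.ftpd -a
EOF
}

sample_inetd_conf | audit_inetd
```

On a host, call `audit_inetd /etc/inetd.conf`; an empty result means none of the listed services has an active entry in that file.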
Content summary for page No. 15
Solaris file permissions
Secure File Permission options can be enabled or disabled through the Xerox FreeFlow Print Server interface. Fix-modes include:
• fixmodes-xerox: fix file permissions for all packages to make them more secure. Available under the System tab under the “Secure File Permissions” drop-down menu.
• fixmodes-solaris: fix file permissions only for Solaris packages to make them more secure. Available under the System tab under the “Secure File Permissions” drop-down menu.
Content summary for page No. 16
NOTE: All of these services are prohibited with a 'high' security setting, but if they are re-enabled manually the hostname information will remain hidden.
Sendmail daemon secured
Sendmail is forced to perform only outgoing mail. No incoming mail will be accepted.
Network parameters secured
Sun's nddconfig security tool is run. For additional information, view Sun's document, Solaris Operating Environment Network Settings for Security, at http://www.sun.com/solutions/blueprints/1200/netwo
Content summary for page No. 17
Security warning banners
Security warning banners are displayed when a user logs in or telnets into the Xerox FreeFlow Print Server. This message explains that only authorized users should be using the system and that any others face the possibility of being monitored by law enforcement officials.
NOTE: DRW (Xerox FreeFlow Print Server Remote Workflow) is not impacted by security settings.
Disabling LP anonymous printing
You can choose to disable anonymous printing on all existing LP print
Content summary for page No. 18
Creating user-defined profiles
To create a customized profile, the administrator can copy and edit any security profile according to the needs of the customer environment. This new user profile can be selected, edited, set as current, set as default, or deleted.
Setting the current and default profiles
The administrator can select any profile and set it as the Current Profile. This Current Profile persists throughout Xerox FreeFlow Print Server restarts and system reboot until it is changed
Content summary for page No. 19
between 2-8 characters in length and is case sensitive.
• The user name is a string of characters from the set of alphabetic characters (a-z, A-Z), numeric characters (0-9), period (.), underscore (_), and hyphen (-); the first character must be alphabetic and the string must contain at least one lower case alphabetic character.
• Each account has the following attributes: user name, password, user group, account disabled/enabled, and comments.
• The maximum number of user accounts is 25,0
Content summary for page No. 20
Creating user accounts
The Xerox FreeFlow Print Server user interface enables the Administrator to manage accounts easily by selecting [Setup], [Users & Groups], and the [Users] tab. When the administrator selects the Users tab, a pop-up window appears that enables the administrator to create, edit, or delete an account and indicate whether the account should be enabled or disabled.
Group authorization
Job Management and Customer Diagnostics are two functions of the Xerox FreeFlow Print Se