Common Criteria
Installation Supplement and Administrator Guide
November 2011 www.lexmark.com
Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. 3065326-001
All other trademarks are the property of their respective owners.
© 2011 Lexmark International, Inc.
All rights reserved.
740 West New Circle Road
Lexington, Kentucky 40550
Edition notice
November 2011
The following paragraph does not apply to any country where such provisions are inconsistent with local law: LEXMARK INTERNATIONAL, INC., PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not appl
3
Contents
Overview and first steps .......... 5
  Overview .......... 5
  Using this guide .......... 5
  Supported devices ...
4
Creating security templates using the EWS .......... 32
Controlling access to device functions .......... 33
  Configuring PKI Held Jobs .......... 33
  Controlling access to device functions using the EW
5
Overview and first steps
Overview
This guide describes how to configure a supported Lexmark™ multifunction printer (MFP) to reach Common Criteria Evaluation Assurance Level 2 (EAL 2). It is critical that you carefully follow the instructions in this guide, as failure to do so may result in a device that does not meet the requirements of the evaluation.
Using this guide
This guide is intended for use by Lexmark service providers, and network administrators responsible for the management of s
6
Operating environment
The instructions provided in this guide are based on the following assumptions and objectives:
• The MFP is installed in a cooperative, nonhostile environment that is physically secure or monitored and provides protection from unauthorized access to MFP external interfaces.
• The administration platform and local area network are physically and logically secure.
• Authorized administrators are trained and are capable of performing tasks related to the installation, confi
7
Attaching a lock
Once a lock is attached, the metal plate and system board cannot be removed, and the security jumper cannot be accessed without causing visible damage to the device.
Note: If you are using a Lexmark 6500e scanner with a T650, T652, T654, or T656 printer, then you must attach a lock to both the scanner and the printer.
1 Verify that the MFP case is closed.
2 Locate the security slot, and then attach a lock. It is the same type of security slot found on most laptop computers an
8
3 Verify that the MFP is in Configuration mode by locating the Exit Config Menu icon in the lower right corner of the touch screen.
4 Scroll through the configuration menus to locate the Disk Encryption menu selection.
5 Touch Disk Encryption > Enable.
Warning: Enabling disk encryption will erase the contents of the hard disk.
6 The following message appears: Contents will be lost. Continue?
• Touch Yes to proceed with disk wiping and encryption. A status bar will indicate the progress of the
9
Installing the minimum configuration
You can achieve an evaluated configuration on a non-networked (standalone) device in just a few steps. For this configuration, all tasks are performed at the device, using the touch screen.
Configuring the device
Configuration checklist
This checklist outlines the steps required to implement an evaluated configuration on a standalone device. For information about additional configuration options, see “Administering the device” on page 15. After completing
10
3 Retype the password, and then touch Done to save the new password and return to the Edit Backup Password screen.
4 Set Use Backup Password to On.
5 Touch Submit.
Creating user accounts
Creating internal (device) accounts for use with the evaluated configuration involves not only assigning a user ID and password to each user, but also segmenting users into groups. When configuring security templates, you will select one or more of these groups, and then you will apply a security template to
11
Group name            Type of user the group would be selected for
Authenticated_Users
  • Administrators permitted to access all device functions
  • Administrators permitted to use device functions and access the Reports menu
  • Administrators permitted to use device functions and access the Security menu
  • Non-administrators (all other users)
Step 2: Creating accounts
1 From the home screen, touch > Security > Edit Security Setups > Edit Building Blocks > Internal Accounts > General Settings.
2 On the Gene
12
3 Type a unique name to identify the template. Use a descriptive name, such as “Administrator_Only” or “Authenticated_Users,” and then touch Done.
4 On the Authentication Setup screen, select the internal accounts building block, and then touch Done.
5 On the Authorization Setup screen, select the internal accounts building block, and then touch Done.
6 Select one or more groups to be included in the template, and then touch Done to save your changes and return to the Edit Security Templates
13
Access control                      Level of protection
Paper Menu at the Device            Authenticated users only
Paper Menu Remotely                 Authenticated users only
Reports Menu at the Device          Administrator access only
Reports Menu Remotely               Administrator access only
Settings Menu at the Device         Administrator access only
Settings Menu Remotely              Administrator access only
Network/Ports Menu at the Device    Administrator access only
Network/Ports Menu Remotely         Administrator access only
Manage Shortcuts at the Device      Authenticated user
14
Access control                      Level of protection
Held Jobs Access                    Disabled
Use Profiles                        Authenticated users only
Change Language from Home Screen    Authenticated users only
Cancel Jobs at the Device           Administrator access only
PictBridge Printing                 Not applicable—USB port disabled
Solution 1                          Authenticated users only
  Note: When eSF applications are configured, Solution 1 controls access to Held Jobs.
Solutions 2-10                      Administrator access only
New Solutions                       Administrator access only
Disabling home screen icons
The
15
Administering the device
This chapter describes how to configure additional settings and functions that may be available on your device.
Using the Embedded Web Server
Many settings can be configured using either the Embedded Web Server (EWS) or the touch screen.
Accessing the EWS
1 Type the device IP address or host name in the address field of your Web browser using the secure version of the page (with the address beginning “https://”).
2 Use the navigation menu on the left to access config
16
• Country/Region—Type the country or region where the company or organization issuing the certificate is located (2-character maximum).
• Province Name—Type the province where the company or organization issuing the certificate is located.
• City Name—Type the city where the company or organization issuing the certificate is located.
• Subject Alternate Name—Type the alternate name and prefix that conforms to RFC 2459. For example, enter an IP address using the format IP:255.255.255.255. Le
17
The contents of the file should be in the following format:
-----BEGIN CERTIFICATE-----
MIIE1jCCA76gAwIBAgIQY6sV0KL3tIhBtlr4gHG85zANBgkqhkiG9w0BAQUFADBs
…
l3DTbPe0mnIbTq0iWqKEaVne1vvaDt52iSpEQyevwgUcHD16rFy+sOnCaQ==
-----END CERTIFICATE-----
• Download Signing Request—Download or save the signing request as a .csr file.
• Install Signed Certificate—Upload a previously signed certificate.
Installing a CA certificate
A Certificate Authority (CA) certificate is required if you will be using the
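An added example (not Lexmark's code; how the MFP itself validates an uploaded file is not published) of the check an administrator can run on a signed certificate before uploading it with Install Signed Certificate. It verifies the BEGIN/END CERTIFICATE framing shown above, that the body is valid base64, and that the decoded bytes form one DER SEQUENCE whose declared length matches the payload. The sample bytes are constructed and are not a real certificate; the check does not verify the signature or the chain to the installed CA certificate.

```python
"""Framing and DER-length check for a PEM certificate file.

Added example, not part of the Lexmark guide. It rejects files with missing
or doubled markers, non-base64 bodies, and base64 that does not decode to a
single well-formed DER SEQUENCE. It does not validate the certificate
contents, signature or chain.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def _der_sequence_length(der: bytes) -> int:
    """Return the total length (header + content) of the outer DER SEQUENCE.

    Raises ValueError if the first byte is not the SEQUENCE tag (0x30), if
    the length uses the indefinite or an over-long form (both forbidden in
    DER), or if the length bytes are missing.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer object is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first  # short form: one length byte
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    length = int.from_bytes(der[2:2 + n], "big")
    if length < 0x80:
        raise ValueError("non-minimal DER length encoding")
    return 2 + n + length


def parse_pem_certificate(text: str) -> bytes:
    """Return the DER bytes of exactly one PEM-framed certificate."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing or misplaced BEGIN/END CERTIFICATE markers")
    body = lines[1:-1]
    if any(ln in (BEGIN, END) for ln in body):
        raise ValueError("more than one certificate block")
    b64 = "".join(body)
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", b64):
        raise ValueError("body contains characters outside base64")
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from exc
    if _der_sequence_length(der) != len(der):
        raise ValueError("DER length does not match payload")
    return der


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM framing with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *chunks, END]) + "\n"


def check(text: str) -> str:
    """Return 'ok' or 'rejected: <reason>' for a candidate PEM file."""
    try:
        parse_pem_certificate(text)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample: a minimal DER SEQUENCE { INTEGER 1 }. It is not a
# real certificate; it only exercises the framing and length checks.
SAMPLE_DER = bytes.fromhex("30 03 02 01 01")
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(check(SAMPLE_PEM))
    print(check(SAMPLE_PEM.replace("-----END", "-----BEGIN")))
    print(check(to_pem(SAMPLE_DER + b"\x00")))  # trailing byte after the SEQUENCE
```

Run it on the .crt returned by your CA before uploading; a "rejected" result usually means the file was saved in the wrong format (DER instead of PEM, or a full chain pasted into one block) rather than a bad certificate.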
18
Disabling the AppleTalk protocol
IP is the only network protocol permitted under this evaluation. The AppleTalk protocol must be disabled.
Using the EWS
Note: For information about accessing the EWS, see “Using the Embedded Web Server” on page 15.
1 From the Embedded Web Server, click Settings > Network/Ports > AppleTalk.
2 Verify that the Activate check box is cleared, and then click Submit.
Using the touch screen
1 From the home screen, touch > Network/Ports > Standard Network > STD NET S
19
3 Click Submit.
Other settings and functions
Network Time Protocol
Use Network Time Protocol (NTP) to automatically sync MFP date and time settings with a trusted clock so that Kerberos requests and audit log events will be accurately time-stamped.
Note: If your network uses DHCP, then verify that NTP settings are not automatically provided by the DHCP server before manually configuring NTP settings.
Using the EWS
1 From the Embedded Web Server, click Settings > Security > Set Date and Time
20
3 Under Simple Kerberos Setup, for KDC Address, type the IP address or host name of the KDC (Key Distribution Center).
4 For KDC Port, type the number of the port used by the Kerberos server.
5 For Realm, type the realm used by the Kerberos server.
Note: The Realm entry must be typed in all uppercase letters.
6 Click Submit to save the information as a krb5.conf file.
Note: Because only one krb5.conf file is used, uploading or submitting Simple Kerberos settings will overwrite the configu
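An added example (not Lexmark's code) showing the three Simple Kerberos Setup fields turned into a krb5.conf with the checks a practitioner wants before submitting: the realm is uppercase, the port is in range, and the KDC address is an IP address or host name. The exact file the MFP writes on Submit is not published, so the [libdefaults]/[realms] layout is the standard MIT krb5.conf form and is an assumption; the sample values are constructed.

```python
"""Render krb5.conf from KDC Address, KDC Port and Realm with input checks.

Added example, not part of the Lexmark guide. The layout below is the usual
MIT krb5.conf form (assumption); the MFP's own file may differ.
"""
import ipaddress
import re

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def validate_kdc_address(addr: str) -> str:
    """Return the KDC address as it should appear in the kdc= line.

    Accepts an IPv4/IPv6 literal or a host name. An IPv6 literal is
    bracketed so the trailing :port is unambiguous (assumed convention).
    """
    addr = addr.strip()
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        ip = None
    if ip is not None:
        return f"[{ip}]" if ip.version == 6 else str(ip)
    if len(addr) <= 253 and _HOST_RE.match(addr):
        return addr
    raise ValueError(f"KDC Address is neither an IP address nor a host name: {addr!r}")


def validate_kdc_port(port) -> int:
    """Kerberos normally listens on 88; any valid port number is accepted."""
    try:
        p = int(str(port).strip())
    except ValueError as exc:
        raise ValueError(f"KDC Port is not a number: {port!r}") from exc
    if not 1 <= p <= 65535:
        raise ValueError(f"KDC Port out of range: {p}")
    return p


def validate_realm(realm: str) -> str:
    """Enforce the guide's rule that Realm is typed in all uppercase.

    Kerberos realm names are case-sensitive, so a realm entered as
    example.com would never match tickets issued for EXAMPLE.COM.
    """
    realm = realm.strip()
    if not realm:
        raise ValueError("Realm is empty")
    if any(ch.isspace() for ch in realm):
        raise ValueError("Realm must not contain whitespace")
    if realm != realm.upper():
        raise ValueError(f"Realm must be all uppercase: {realm!r}")
    return realm


def build_krb5_conf(kdc_address: str, kdc_port, realm: str) -> str:
    """Validate the three fields and render the krb5.conf text."""
    kdc = validate_kdc_address(kdc_address)
    port = validate_kdc_port(kdc_port)
    realm = validate_realm(realm)
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "",
        "[realms]",
        f"    {realm} = {{",
        f"        kdc = {kdc}:{port}",
        "    }",
        "",
    ]
    return "\n".join(lines)


def check_simple_kerberos(kdc_address: str, kdc_port, realm: str) -> str:
    """Return 'ok' or 'rejected: <reason>' without raising."""
    try:
        build_krb5_conf(kdc_address, kdc_port, realm)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample values: documentation IP range and a placeholder realm.
SAMPLE = {"kdc_address": "192.0.2.10", "kdc_port": "88", "realm": "EXAMPLE.COM"}

if __name__ == "__main__":
    print(build_krb5_conf(**SAMPLE))
    print(check_simple_kerberos("192.0.2.10", "88", "example.com"))
    print(check_simple_kerberos("192.0.2.10", "0", "EXAMPLE.COM"))
```

Because the device keeps only one krb5.conf, generating and reviewing the file this way before submitting avoids overwriting a working configuration with one that has a lowercase realm or a mistyped port.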