Security Policy

It is a common practice for organizations to adopt a security policy that defines basic information security objectives and standards, which requires information devices such as computers and multifunctional printers to be operated accordingly. If you have a security policy to be applied in your organization, apply it to this machine as well.
 

Viewing the Security Policy

You can view the security policy set in the machine using the Remote UI.
1
Start the Remote UI. Starting Remote UI
2
Click [Settings/Registration] on the Portal page. Remote UI Screen
3
Click [Security Settings]  [Confirm Security Policy].

Security Policy Items

The following items are displayed by the Remote UI. The items for functions unavailable on this machine are also displayed, but do not affect the machine operation.

[Interface]

[Wireless Connection Policy]
Prevent unauthorized access by prohibiting wireless connections.
[Prohibit Use of Direct Connection]
<Use Direct Connection> is set to <Off>. It is not possible to access the machine from mobile devices.
[Prohibit Use of Wireless LAN]
<Select Wired/Wireless LAN> is set to <Wired LAN>. It is not possible to establish a wireless connection with the machine via a wireless LAN router or access point.
 
[USB Policy]

Prevent unauthorized access and data breaches by prohibiting USB connection.
[Prohibit Use as USB Device]
<Use as USB Device> is set to <Off>. It is not possible to connect to a computer via USB.
[Prohibit Use as USB Storage Device]
<Use USB Storage Device> is set to <Off>. It is not possible to use USB memory devices.

[Network]

[Communication Operational Policy]
Increase the security of communications by requiring the verification of signatures and certificates.
[Always Verify Signatures for SMS/WebDAV Server Functions]
This function is not available on this machine, giving no change to the security level.
[Always Verify Server Certificate When Using TLS]
The following settings in [Use TLS for SMTP] and [Use TLS for POP] are set to [On].
[Verify Certificate]
[Add CN to Verification Items]
The following settings in [Confirm TLS Certificate for LDAP Server Access] of [LDAP Server (For Search)] and [LDAP Server (For Authentication)] are set to [On].
[Confirm TLS Certificate for LDAP Server Access]
[Add CN to Verification Items]
[Prohibit Cleartext Authentication for Server Functions]
<Dedicated Port Auth. Method> is set to <Mode 2>. When using the machine as a server, plain text authentication and functions that use plain text authentication are not available.
[Prohibit Use of SNMPv1]
In <SNMP Settings>, <SNMPv1 Settings> is set to <Off>. It is not possible to use SNMPv1 when obtaining device information from the computer.
This setting does not apply to communication with IEEE 802.1X networks, even if [Always Verify Server Certificate When Using TLS] is set to [On].
If [Prohibit Cleartext Authentication for Server Functions] is set to [On] and your device management software or driver version is old, it may not be possible to connect to the machine. Ensure that you are using the latest versions.
 
[Port Usage Policy]

Prevent external breaches by closing unused ports.
[Restrict LPD Port (Port Number: 515)]
In <LPD Settings>, <Use LPD Printing> is set to <Off>. It is not possible to perform LPD printing.
[Restrict RAW Port (Port Number: 9100)]
In <RAW Settings>, <Use RAW Printing> is set to <Off>. It is not possible to perform RAW printing.
[Restrict FTP Port (Port Number: 21)]
This function is not available on this machine, giving no change to the security level.
[Restrict WSD Port (Port Number: 3702, 60000)]
The following settings in <WSD Settings> are set to <Off>. It is not possible to use WSD functions.
<Use WSD Printing>
<Use WSD Browsing>
<Use WSD Scanning>
<Use Computer Scanning>
<Use Multicast Discovery>
[Restrict BMLinkS Port (Port Number: 1900)]
This function is not available on this machine, giving no change to the security level.
[Restrict IPP Port (Port Number: 631)]
Part of the settings to enable printing from mobile devices using applications will be turned <Off>, disabling part of printing from mobile devices using applications.
[Restrict SMB Port (Port Number: 137, 138, 139, 445)]
This function is not available on this machine, giving no change to the security level.
[Restrict SMTP Port (Port Number: 25)]
This function is not available on this machine, giving no change to the security level.
[Restrict Dedicated Port (Port Number: 9002, 9006, 9007, 9011-9015, 9017-9019, 9022, 9023, 9025, 20317, 47545-47547)]
<Use Dedicated Port> is set to <Off>. It is not possible to use dedicated ports.
[Restrict Remote Operator's Software Port (Port Number: 5900)]
This function is not available on this machine, giving no change to the security level.
[Restrict SIP (IP Fax) Port (Port Number: 5004, 5005, 5060, 5061, 49152)]
This function is not available on this machine, giving no change to the security level.
[Restrict mDNS Port (Port Number: 5353)]
The following settings will be turned <Off>, and part of the settings to enable printing from mobile devices using applications will also be turned <Off>. It will be disabled to search the network or perform automatic settings using mDNS. In addition, part of printing from mobile devices using applications will be disabled as well.
<mDNS Settings> (IPv4)
<mDNS Settings> (IPv6)
[Restrict SLP Port (Port Number: 427)]
In [Multicast Discovery Settings], [Discovery Response] is set to [Off]. It is not possible to search the network or perform automatic settings using SLP.
[Restrict SNMP Port (Port Number: 161)]
In <SNMP Settings>, the <SNMPv1 Settings> and <SNMPv3 Settings> are set to <Off>, and <Scan w/Canon PRINT Business> is set to <Off>. It is not possible to obtain device information from the computer or configure settings using SNMP.

[Authentication]

[Authentication Operational Policy]
[Prohibit Guest Users to Use Device]
This function is not available on this machine, giving no change to the security level.
[Force Setting of Auto Logout]
This function is not available on this machine, giving no change to the security level.
 
[Password Operational Policy]
[Prohibit Caching of Password for External Servers]
This function is not available on this machine, giving no change to the security level.
[Display Warning When Default Password Is in Use]
This function is not available on this machine, giving no change to the security level.
[Prohibit Use of Default Password for Remote Access]
This function is not available on this machine, giving no change to the security level.
 
[Password Settings Policy]
[Minimum Number of Characters for Password]
This function is not available on this machine, giving no change to the security level.
[Password Validity Period]
This function is not available on this machine, giving no change to the security level.
[Prohibit Use of 3 or More Identical Consecutive Characters]
This function is not available on this machine, giving no change to the security level.
[Force Use of at Least 1 Uppercase Character]
This function is not available on this machine, giving no change to the security level.
[Force Use of at Least 1 Lowercase Character]
This function is not available on this machine, giving no change to the security level.
[Force Use of at Least 1 Digit]
This function is not available on this machine, giving no change to the security level.
[Force Use of at Least 1 Symbol]
This function is not available on this machine, giving no change to the security level.
 
[Lockout Policy]

Block users from logging in for a specified period of time after a certain number of consecutive invalid login attempts.
[Enable Lockout]
In <Lockout>, <Enable Lockout> is set to <On>. Specify the values for <Lockout Threshold> and <Lockout Period>.

[Key/Certificate]

Protect important data by preventing the use of weak encryption, or by saving encrypted user passwords and keys in a designated hardware component.
[Prohibit Use of Weak Encryption]
<Prohibit Use of Weak Encrypt.> is set to <On>. It is not possible to use weak encryption.
[Prohibit Use of Key/Certificate with Weak Encryption]
In <Prohibit Use of Weak Encrypt.>, <Prohibit Weak Encryp. Key/Cert.> is set to <On>. It is not possible to use a key or certificate with weak encryption.
[Use TPM to Store Password and Key]
This function is not available on this machine, giving no change to the security level.

[Log]

[Force Recording of Audit Log]
This function is not available on this machine, giving no change to the security level.
[Force SNTP Settings]
This function is not available on this machine, giving no change to the security level.

[Job]

[Printing Policy]
[Prohibit Immediate Printing of Received Jobs]
This function is not available on this machine, giving no change to the security level.
 
[Sending/Receiving Policy]

Limit the sending operations for destinations, and limit how received data is processed.
[Allow Sending Only to Registered Addresses]
<Restrict New Destinations> is set to <On>. It is only possible to send to destinations that are registered in the Address Book.
[Force Confirmation of Fax Number]
<Confirm Entered Fax Number> is set to <On>. Users are required to enter a fax number again for confirmation when sending a fax.
[Prohibit Auto Forwarding]
In <Forwarding Function>, the <Use Forwarding Function> is set to <Off>. It is not possible to automatically forward faxes.

[Storage]

[Force Complete Deletion of Data]
This function is not available on this machine, giving no change to the security level.

To Apply the Security Policy to the Machine

You can import the security policy edited on the imageRUNNER ADVANCE Series or using Device Management Software to apply it to this machine. In addition, you can export the security policy as applied to this machine to apply it to other machines*. Importing/Exporting the Setting Data
*Only Canon devices that are compatible with security policy settings
The security policy settings can only be imported if the security policy setting password on the exporting machine matches that of the importing machine, or if no password has been set for the importing machine. If no password has been set for the importing machine, the password configured for the exporting machine is set to the importing machine.
You cannot set or change the security policy on this machine.
8051-086