Security Policy Setting Items

The setting items related to the security policy of the machine are described below. Select the check boxes for the items that you want to apply on the setting screen.

[Interface]

[Wireless Connection Policy]
Prevent unauthorized access by prohibiting wireless connections.
[Prohibit Use of Direct Connection]
<Use Direct Connection> and <Always Keep Enabled If SSID/Network Key Specified> are set to <Off>. It is not possible to access the machine from mobile devices.
[Prohibit Use of Wireless LAN]
<Select Wired/Wireless LAN> is set to <Wired LAN>. It is not possible to establish a wireless connection with the machine via a wireless LAN router or access point.
 
[USB Policy]

Prevent unauthorized access and data breaches by prohibiting USB connection.
[Prohibit use as USB device]
<Use as USB Device> is set to <Off>. It is not possible to connect to a computer via USB.
[Prohibit use as USB storage device]
<Use USB Storage Device> is set to <Off>. It is not possible to use USB storage devices.

[Network]

[Communication Operational Policy]
Increase the security of communications by requiring the verification of signatures and certificates.
[Always verify signatures for SMS/WebDAV server functions]
In <SMB Server Settings>, the <Require SMB Signature for Connection> and <Use SMB Authentication> options are set to <On>, and <Use TLS> in <WebDAV Server Settings> is set to <On>. When the machine is used as an SMB server or WebDAV server, digital certificate signatures are verified during communication.
[Always verify server certificate when using TLS]
The following settings are set to <On>, and a check mark is added to <CN>.
<Confirm TLS Certificate for WebDAV TX>
<Confirm TLS Certificate for FTPS TX>
<Confirm TLS Certificate for SMTP TX>
<Confirm TLS Certificate for POP RX>
<Confirm TLS Certificate for Network Access>
<Confirm TLS Certificate Using MEAP Application>
<Confirm TLS Certificate for LDAP Server Access>
The following settings are set to <On>.
<SIP Settings> <TLS Settings> <Verify Server Certificate>
<SIP Settings> <TLS Settings> <Verify CN>
[License/Other
]  [Visual Message Settings]  [Confirm Certificate for TLS Communication]
[License/Other
]  [Visual Message Settings]  [Add CN to Verification Items]
During TLS communication, verification will be performed for digital certificates with common names.
IP FAX Expansion Kit User's Guide
[Prohibit cleartext authentication for server functions]
<Use FTP Printing> in <FTP Print Settings> is set to <Off>, <Allow TLS (SMTP RX)> in <E-Mail/I-Fax Settings>  <Communication Settings> is set to <Always TLS>, <Dedicated Port Authentication Method> in <Network> is set to <Mode 2>, and <Use TLS> in <WebDAV Server Settings> is set to <On>. When using the machine as a server, plain text authentication and functions that use plain text authentication are not available.
[Prohibit use of SNMPv1]
In <SNMP Settings>, <Use SNMPv1> is set to <Off>. It is not possible to use SNMPv1 when obtaining device information from the computer.
This setting does not apply to communication with IEEE 802.1X networks, even if the check box is selected for [Always verify server certificate when using TLS].
If [Prohibit cleartext authentication for server functions] is selected and your device management software or driver version is old, it may not be possible to connect to the machine. Ensure that you are using the latest versions.
 
[Port Usage Policy]

Prevent external breaches by closing unused ports.
[Restrict LPD port (port number: 515)]
<LPD Print Settings> is set to <Off>. It is not possible to perform LPD printing.
[Restrict RAW port (port number: 9100)]
<RAW Print Settings> is set to <Off>. It is not possible to perform RAW printing.
[Restrict FTP port (port number: 21)]
In <FTP Print Settings>, <Use FTP Printing> is set to <Off>. It is not possible to perform FTP printing.
[Restrict WSD port (port number: 3702, 60000)]
In <WSD Settings>, <Use WSD>, <Use WSD Browsing>, and <Use WSD Scan> are all set to <Off>. It is not possible to use WSD functions.
[Restrict BMLinkS port (port number: 1900)]
There are no setting items that the security policy is applied to for the machine.
[Restrict IPP port (port number: 631)]
The <IPP Print Settings> and <Use Mopria> options are all set to <Off>. It is not possible to print using IPP or Mopria™.
[Restrict SMB port (port number: 139, 445)]
In <SMB Server Settings>, <Use SMB Server> is set to <Off>. It is not possible to use the machine as an SMB server.
[Restrict SMTP port (port number: 25)]
In <E-Mail/I-Fax Settings>  <Communication Settings>, <SMTP RX> is set to <Off>. SMTP reception is not possible.
[Restrict dedicated port (port number: 9002, 9006, 9007, 9011-9015, 9017-9019, 9022, 9023, 9025, 20317, 47545-47547)]
<Dedicated Port Settings> is set to <Off>. It is not possible to use dedicated ports.
[Restrict Remote Operator's Software port (port number: 5900)]
<Remote Operation Settings> is set to <Off>. It is not possible to use remote operation functions.
[Restrict SIP (IP Fax) port (port number: 5004, 5005, 5060, 5061, 49152)]
<Use Intranet> in <Intranet Settings> and <Use VoIP Gateway> in <VoIP Gateway Settings> are set to <Off>. It is not possible to use IP fax.
IP FAX Expansion Kit User's Guide
[Restrict mDNS port (port number: 5353)]
In <mDNS Settings>, the <Use IPv4 mDNS> and <Use IPv6 mDNS> options are set to <Off>, <Use Mopria> is set to <Off>. It is not possible to search the network or perform automatic settings using mDNS. It is also not possible to print using Mopria™.
[Restrict SLP port (port number: 427)]
In <Multicast Discovery Settings>, <Response> is set to <Off>. It is not possible to search the network or perform automatic settings using SLP.
[Restrict SNMP port (port number: 161)]
In <SNMP Settings>, the <Use SNMPv1> and <Use SNMPv3> options are set to <Off>, and <Display Scan for Mobile> is set to <Off>. It is not possible to obtain device information from the computer or configure settings using SNMP.

[Authentication]

[Authentication Operational Policy]
Prevent unregistered users from performing unauthorized operations by implementing secure user authentication.
[Prohibit guest users to use device]
The following settings are set to <On>.
<Advanced Space Settings> <Authentication Management>
<User Management> <Authentication Management> <Use User Authentication>
<Restrict Job from Remote Device without User Auth.>
[Login for Unregistered Users:] [Allow unregistered users to log in as Guest User]
<Login Screen Display Settings> is set to <Displ When Dev Operation Start>.
It becomes [Standard Authentication Mode] if [Guest Authentication Mode] is set for [Authentication Mode:] in [Remote UI Authentication].
In addition, [Guest Authentication Mode] can no longer be selected for [Authentication Mode:] in [Remote UI Authentication].
Unregistered users cannot log in to the machine, and print jobs from computers are canceled.
ACCESS MANAGEMENT SYSTEM Administrator Guide
[Force setting of auto logout]
<Auto Reset Time> is enabled. The user is automatically logged out if no operations are performed for a specified period of time. Select [Time Until Logout:] on the Remote UI setting screen.
 
[Password Operational Policy]

Impose strict limits for password operations.
[Prohibit caching of password for external servers]
<Prohibit Caching of Authentication Password> is set to <On>, and <Save authentication information for login users> is set to <Off>. Users will always be required to enter a password when accessing an external server.
[Display warning when default password is in use]
<Display Warning When Default Password Is in Use> is set to <On>. A warning message will be displayed whenever the machine's factory default password is used.
[Prohibit use of default password for remote access]
<Allow Use of Default Password for Remote Access> is set to <Off>. It is not possible to use the factory default password when accessing the machine from a computer.
 
[Password Settings Policy]

Prevent third parties from easily guessing passwords by setting a minimum level of complexity and a period of validity for user authentication passwords.
[Set minimum number of characters for password]
<Minimum Length Settings> is set to <On>. It is not possible to set a password with fewer characters than the number specified for [Minimum Number of Characters] on the Remote UI setting screen.
[Set password validity period]
<Validity Period Settings> is set to <On>. A period of validity is set for the password. Specify the period in [Validity Period:] on the Remote UI setting screen.
[Prohibit use of 3 or more identical consecutive characters]
<Prohibit Use of 3 or More Identical Consecutive Char.> is set to <On>. It is not possible to set a password that includes the same character repeated three or more times consecutively.
[Force use of at least 1 uppercase character]
<Use at Least 1 Uppercase Character> is set to <On>. Passwords are required to include at least one uppercase alphabetic character.
[Force use of at least 1 lowercase character]
<Use at Least 1 Lowercase Character> is set to <On>. Passwords are required to include at least one lowercase alphabetic character.
[Force use of at least 1 digit]
<Use at Least 1 Digit> is set to <On>. Passwords are required to include at least one numeric character.
[Force use of at least 1 symbol]
<Use at Least 1 Symbol> is set to <On>. Passwords are required to include at least one symbol.
 
[Lockout Policy]

Block users from logging in for a specified period of time after a certain number of consecutive invalid login attempts.
[Enable lockout]
In <Lockout Settings>, <Enable Lockout> is set to <On>. Specify the values for [Lockout Threshold] and [Lockout Period] on the Remote UI setting screen.

[Key/Certificate]

Protect important data by preventing the use of weak encryption, or by saving encrypted user passwords and keys in a designated hardware component.
[Prohibit use of weak encryption]
<Prohibit Use of Weak Encryption> is set to <On>. It is not possible to use weak encryption. When the check box is selected, [Prohibit use of key/certificate with weak encryption] can be selected.
[Prohibit use of key/certificate with weak encryption]
In <Prohibit Use of Weak Encryption>, <Prohibit Use of Key/Certificate with Weak Encryption> is set to <On>. It is not possible to use a key or certificate with weak encryption.
[Use TPM to store password and key]
<TPM Settings> is set to <On>. Passwords and keys are encrypted and saved in a designated hardware component.
When TPM settings are enabled
Make sure to change the "Administrator" password from the default value, to prevent a third party other than the administrator from being able to back up the TPM key. If a third party takes the TPM backup key, you will not be able to restore the TPM key.
For the purpose of enhanced security, the TPM key can only be backed up once. If the TPM settings are enabled, make sure to back up the TPM key on to a USB memory device, and store it in a secure place to prevent loss or theft.
The security functions provided by TPM do not guarantee complete protection of the data and hardware.

[Log]

You can periodically survey how the machine is used, by requiring logs to be recorded.
[Force recording of audit log]
<Save Operation Log> is set to <On>, <Display Job Log> is set to <On>, <Retrieve Job Log with Management Software> in <Display Job Log> is set to <Allow>, <Save Audit Log> is set to <On>, <Retrieve Network Authentication Log> is set to <On>, and <Use Login Name as User Name for Print Jobs> is set to <On>. Audit logs are always recorded.
[Force SNTP settings]
In <SNTP Settings>, <Use SNTP> is set to <On>. Time synchronization via SNTP is required. Enter a value for [Server Name] on the Remote UI setting screen.

[Job]

[Printing Policy]
Prevent information leakage from occurring when printing.
[Prohibit immediate printing of received jobs]
The following settings are set to <On>.
<Fax Memory Lock> in the Fax/I-Fax Inbox
<I-Fax Memory Lock> in the Fax/I-Fax Inbox
<Set Fax/I-Fax Inbox> <Use Fax Memory Lock>
<Set Fax/I-Fax Inbox> <Use I-Fax Memory Lock>
<Forced Hold>
The following settings are set to <Off>.
<Set/Register Mail Boxes> <Print When Storing from Printer Driver>
<Box Security Settings> <Display Print When Storing from Printer Driver>
<Handle Files with Forwarding Errors> is set to <Store/Print>.
<Memory Lock End Time> is set to <Do Not Specify>.
Only <Hold as Shared Job> can be set for the operation conditions of <Forced Hold>.
In addition, settings for <Settings for All Mail Boxes> <Print When Storing from Printer Driver> cannot be changed.
Printing does not occur immediately, even when printing operations are performed.
 
[Sending/Receiving Policy]

Limit the sending operations for destinations, and limit how received data is processed.
[Allow sending only to registered addresses]
In <Limit New Destination>, the <Fax>, <E-Mail>, <I-Fax>, and <File> options are set to <On>. It is only possible to send to destinations that are registered in the Address Book.
[Force confirmation of fax number]
<Confirm Entered Fax Number> is set to <On>. Users are required to enter a fax number again for confirmation when sending a fax.
[Prohibit auto forwarding]
<Use Forwarding Settings> is set to <Off>. It is not possible to automatically forward faxes.

[Storage]

Prevent information leakage by deleting unnecessary data on the storage device.
[Force Complete Deletion of Data]
There are no setting items that the security policy is applied to for the machine.
A989-0F2