Security Policy Setting Items

The setting items related to the security policy of the machine are described below. Select the check boxes for the items that you want to apply on the setting screen.

[Interface]

[Wireless Connection Policy]
Prevent unauthorized access by prohibiting wireless connections.
[Prohibit Use of Direct Connection]
<Use Direct Connection> and <Always Keep Enabled If SSID/Network Key Specified> are set to <Off>. It is not possible to access the machine from mobile devices.
[Prohibit Use of Wireless LAN]
If <Select Interface> is set to <Wireless LAN> or <Wired LAN + Wireless LAN>, it changes to <Wired LAN>. Wireless connections can no longer be made via a wireless LAN router or access point.
 
[USB Policy]

Prevent unauthorized access and data breaches by prohibiting USB connection.
[Prohibit use as USB device]
<Use as USB Device> is set to <Off>. It is not possible to connect to a computer via USB.
[Prohibit use as USB storage device]
<Use USB Storage Device> is set to <Off>. It is not possible to use USB storage devices.

[Network]

[Communication Operational Policy]
Increase the security of communications by requiring the verification of signatures and certificates.
[Always verify signatures for SMB/WebDAV server functions]
There are no setting items that the security policy is applied to for the machine.
[Always verify server certificate when using TLS]
The following settings are set to <On>, and a check mark is added to <CN>.
<Confirm TLS Certificate for WebDAV TX>
<Confirm TLS Certificate for FTPS TX>
<Confirm TLS Certificate for SMTP TX>
<Confirm TLS Certificate for POP RX>
<Confirm TLS Certificate for Network Access>
<Confirm TLS Certificate Using AddOn Application>
<Confirm TLS Certificate for LDAP Server Access>
The following settings are set to <On>.
[License/Other] [Visual Message Settings] [Confirm Certificate for TLS Communication]
[License/Other] [Visual Message Settings] [Add CN to Verification Items]
During TLS communication, verification will be performed for digital certificates with common names.
[Prohibit cleartext authentication for server functions]
<Use FTP Printing> in <FTP Print Settings> is set to <Off>, <Allow TLS (SMTP RX)> in <E-Mail/I-Fax Settings> <Communication Settings> is set to <Always TLS>, and <Dedicated Port Authentication Method> in <Network> is set to <Mode 2>. When using the machine as a server, plain text authentication and functions that use plain text authentication are not available.
[Prohibit use of SNMPv1]
In <SNMP Settings>, <Use SNMPv1> is set to <Off>. It is not possible to use SNMPv1 when obtaining device information from the computer.
[Always verify server certificate when using TLS] does not apply to communication with IEEE 802.1X networks, even if its check box is selected.
If [Prohibit cleartext authentication for server functions] is selected and your device management software or driver version is old, it may not be possible to connect to the machine. Ensure that you are using the latest versions.
 
[Port Usage Policy]

Prevent external breaches by closing unused ports.
[Restrict LPD port (port number: 515)]
<LPD Print Settings> is set to <Off>. It is not possible to perform LPD printing.
[Restrict RAW port (port number: 9100)]
<RAW Print Settings> is set to <Off>. It is not possible to perform RAW printing.
[Restrict FTP port (port number: 21)]
In <FTP Print Settings>, <Use FTP Printing> is set to <Off>. It is not possible to perform FTP printing.
[Restrict WSD port (port number: 3702, 60000)]
In <WSD Settings>, <Use WSD Printing>, <Use WSD Browsing>, and <Use WSD Scan> are all set to <Off>. It is not possible to use WSD functions.
[Restrict BMLinkS port (port number: 1900)]
There are no setting items that the security policy is applied to for the machine.
[Restrict IPP port (port number: 631)]
The <IPP Print Settings> and <Use Mopria> options are all set to <Off>. It is not possible to print using IPP or Mopria™.
[Restrict SMB port (port number: 139, 445)]
There are no setting items that the security policy is applied to for the machine.
[Restrict SMTP port (port number: 25)]
In <E-Mail/I-Fax Settings> <Communication Settings>, <SMTP RX> is set to <Off>. SMTP reception is not possible.
[Restrict dedicated port (port number: 9002, 9006, 9007, 9011-9015, 9017-9019, 9022, 9023, 9025, 20317, 47545-47547)]
<Dedicated Port Settings> is set to <Off>. It is not possible to use dedicated ports.
[Restrict Remote Operator's Software port (port number: 5900)]
<Remote Operation Settings> is set to <Off>. It is not possible to use remote operation functions.
[Restrict SIP (IP Fax) port (port number: 5004, 5005, 5060, 5061, 49152)]
There are no setting items that the security policy is applied to for the machine.
[Restrict mDNS port (port number: 5353)]
In <mDNS Settings>, the <Use IPv4 mDNS> and <Use IPv6 mDNS> options are set to <Off>, and <Use Mopria> is set to <Off>. It is not possible to search the network or perform automatic settings using mDNS. It is also not possible to print using Mopria™.
[Restrict SLP port (port number: 427)]
In <Multicast Discovery Settings>, <Response> is set to <Off>. It is not possible to search the network or perform automatic settings using SLP.
[Restrict SNMP port (port number: 161)]
In <SNMP Settings>, the <Use SNMPv1> and <Use SNMPv3> options are set to <Off>, and <Display Scan for Mobile> is set to <Off>. It is not possible to obtain device information from the computer or configure settings using SNMP.
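
After applying the [Port Usage Policy] items, an administrator can confirm that the listed ports are in fact closed. The following is an added example, not part of the original manual or any vendor tool: it expands the port lists given above and reports, per policy item, any listed port that still answers. The function names are hypothetical, the probe is TCP-only, and the three items for which this page lists no applicable settings (BMLinkS, SMB, SIP) are left out.

```python
import socket

# Port lists copied from the [Port Usage Policy] items on this page.
PORT_POLICY = {
    "Restrict LPD port": "515",
    "Restrict RAW port": "9100",
    "Restrict FTP port": "21",
    "Restrict WSD port": "3702, 60000",
    "Restrict IPP port": "631",
    "Restrict SMTP port": "25",
    "Restrict dedicated port": "9002, 9006, 9007, 9011-9015, 9017-9019, "
                               "9022, 9023, 9025, 20317, 47545-47547",
    "Restrict Remote Operator's Software port": "5900",
    "Restrict mDNS port": "5353",
    "Restrict SLP port": "427",
    "Restrict SNMP port": "161",
}

def expand(spec):
    """Turn a list such as '9002, 9011-9015' into sorted port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ports)

def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port is accepted (assumed probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(selected_items, is_open):
    """Map each selected policy item to its listed ports that still answer.

    is_open is a callable(port) -> bool, so tcp_open bound to a host or
    the output of any other scanner can be plugged in.
    """
    findings = {}
    for item in selected_items:
        still_open = [p for p in expand(PORT_POLICY[item]) if is_open(p)]
        if still_open:
            findings[item] = still_open
    return findings

if __name__ == "__main__":
    observed = {9100, 9013}  # constructed sample scan result
    print(audit(PORT_POLICY, observed.__contains__))
```

To check a live machine, pass `lambda p: tcp_open("192.0.2.10", p)` as `is_open` (the address is a placeholder). WSD discovery, mDNS, SLP and SNMP normally run over UDP, which a TCP connect does not test, so confirm those with a UDP-capable scanner.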

[Authentication]

[Authentication Operational Policy]
Prevent unregistered users from performing unauthorized operations by implementing secure user authentication.
[Prohibit guest users to use device]
The following settings are set to <On>.
<User Management> <Authentication Management> <Use User Authentication>
<Restrict Job from Remote Device w/out User Authent.>
[Login for Unregistered Users:] [Allow unregistered users to log in as Guest User]
<Login Screen Display Settings> is set to <Displ When Dev Operation Start>.
If [Guest Authentication Mode] is set for [Authentication Mode:] in [Remote UI Authentication], it changes to [Standard Authentication Mode].
In addition, [Guest Authentication Mode] can no longer be selected for [Authentication Mode:] in [Remote UI Authentication].
Unregistered users cannot log in to the machine, and print jobs from computers are canceled.
[Force setting of auto logout]
<Auto Reset Time> is enabled. The user is automatically logged out if no operations are performed for a specified period of time. Select [Time Until Logout:] on the Remote UI setting screen.
 
[Password Operational Policy]

Impose strict limits for password operations.
[Prohibit caching of password for external servers]
<Prohibit Caching of Authentication Password> is set to <On>, and <Save authentication information for login users> is set to <Off>. Users will always be required to enter a password when accessing an external server.
[Display warning when default password is in use]
<Display Warning When Default Password Is in Use> is set to <On>. A warning message will be displayed whenever the machine's factory default password is used.
[Prohibit use of default password for remote access]
<Allow Use of Default Password for Remote Access> is set to <Off>. It is not possible to use the factory default password when accessing the machine from a computer.
 
[Password Settings Policy]

Prevent third parties from easily guessing passwords by setting a minimum level of complexity and a period of validity for user authentication passwords.
[Set minimum number of characters for password]
<Minimum Length Settings> is set to <On>. It is not possible to set a password with fewer characters than the number specified for [Minimum Number of Characters] on the Remote UI setting screen.
[Set password validity period]
<Validity Period Settings> is set to <On>. A period of validity is set for the password. Specify the period in [Validity Period:] on the Remote UI setting screen.
[Prohibit use of 3 or more identical consecutive characters]
<Prohibit Use of 3 or More Identical Consec. Characters> is set to <On>. It is not possible to set a password that includes the same character repeated three or more times consecutively.
[Force use of at least 1 uppercase character]
<Use at Least 1 Uppercase Character> is set to <On>. Passwords are required to include at least one uppercase alphabetic character.
[Force use of at least 1 lowercase character]
<Use at Least 1 Lowercase Character> is set to <On>. Passwords are required to include at least one lowercase alphabetic character.
[Force use of at least 1 digit]
<Use at Least 1 Digit> is set to <On>. Passwords are required to include at least one numeric character.
[Force use of at least 1 symbol]
<Use at Least 1 Symbol> is set to <On>. Passwords are required to include at least one symbol.
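
The complexity items above can be checked before a password is provisioned, for example when preparing accounts in bulk. The following is an added example, not the machine's own validation code: it returns the names of the policy items a candidate password would violate. The default minimum length of 8, the ASCII character classes and the symbol set (`string.punctuation`) are assumptions, since this page does not define them.

```python
import re
import string

# Policy item names as they appear on this page.
MIN_LEN = "Set minimum number of characters for password"
NO_REPEAT = "Prohibit use of 3 or more identical consecutive characters"
UPPER = "Force use of at least 1 uppercase character"
LOWER = "Force use of at least 1 lowercase character"
DIGIT = "Force use of at least 1 digit"
SYMBOL = "Force use of at least 1 symbol"

# Same character three times in a row, e.g. "aaa" or "!!!".
# Assumption: the comparison is case-sensitive, so "aAa" is not a run.
_TRIPLE = re.compile(r"(.)\1\1", re.DOTALL)

def _has(pw, charset):
    return any(c in charset for c in pw)

def password_violations(pw, min_length=8):
    """Return the policy items that reject pw; an empty list means accepted.

    min_length stands in for [Minimum Number of Characters], which is
    configured on the Remote UI setting screen (8 is an assumed value).
    """
    checks = [
        (MIN_LEN, len(pw) >= min_length),
        (NO_REPEAT, _TRIPLE.search(pw) is None),
        (UPPER, _has(pw, string.ascii_uppercase)),
        (LOWER, _has(pw, string.ascii_lowercase)),
        (DIGIT, _has(pw, string.digits)),
        (SYMBOL, _has(pw, string.punctuation)),
    ]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("Printer#2024x", "Passw0rd!!!", "aaa"):
        print(candidate, password_violations(candidate))
```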
 
[Lockout Policy]

Block users from logging in for a specified period of time after a certain number of consecutive invalid login attempts.
[Enable lockout]
In <Lockout Settings>, <Enable Lockout> is set to <On>. Specify the values for [Lockout Threshold] and [Lockout Period] on the Remote UI setting screen.

[Key/Certificate]

Protect important data by preventing the use of weak encryption, or by saving encrypted user passwords and keys in a designated hardware component.
[Prohibit use of weak encryption]
<Prohibit Use of Weak Encryption> is set to <On>. It is not possible to use weak encryption. When the check box is selected, [Prohibit use of key/certificate with weak encryption] can be selected.
[Prohibit use of key/certificate with weak encryption]
In <Prohibit Use of Weak Encryption>, <Prohibit Use of Key/Certificate with Weak Encryption> is set to <On>. It is not possible to use a key or certificate with weak encryption.
[Use TPM to store password and key]
There are no setting items that the security policy is applied to for the machine.

[Log]

Requiring logs to be recorded lets you periodically review how the machine is used.
[Force recording of audit log]
<Display Job Log> is set to <On>, <Retrieve Job Log with Management Software> in <Display Job Log> is set to <Allow>, <Save Audit Log> is set to <On>, <Retrieve Network Authentication Log> is set to <On>, and <Use Login Name as User Name for Print Jobs> is set to <On>. Audit logs are always recorded.
[Force SNTP settings]
In <SNTP Settings>, <Use SNTP> is set to <On>. Time synchronization via SNTP is required. Enter a value for [NTP Server Address] on the Remote UI setting screen.

[Job]

[Printing Policy]
Prevent information leakage from occurring when printing.
[Prohibit immediate printing of received jobs]
The following settings are set to <On>.
<Fax Memory Lock> in the Fax/I-Fax Inbox
<I-Fax Memory Lock> in the Fax/I-Fax Inbox
<Set Fax/I-Fax Inbox> <Use Fax Memory Lock>
<Set Fax/I-Fax Inbox> <Use I-Fax Memory Lock>
<Forced Hold>
<Handle Files with Forwarding Errors> is set to <Store/Print>.
<Memory Lock End Time> is set to <Do Not Specify>.
Only <Hold as Shared Job> can be set for the operation conditions of <Forced Hold>.
Printing does not occur immediately, even when printing operations are performed.
 
[Sending/Receiving Policy]

Limit the sending operations for destinations, and limit how received data is processed.
[Allow sending only to registered addresses]
In <Restrict New Destinations>, the <Fax>, <E-Mail>, <I-Fax>, and <File> options are set to <On>. It is only possible to send to destinations that are registered in the Address Book.
[Force confirmation of fax number]
<Confirm Entered Fax Number> is set to <On>. Users are required to enter a fax number again for confirmation when sending a fax.
[Prohibit auto forwarding]
<Use Forwarding Settings> is set to <Off>. It is not possible to automatically forward faxes.

[Storage]

Prevent information leakage by deleting unnecessary data on the storage device.
[Force Complete Deletion of Data]
There are no setting items that the security policy is applied to for the machine.