Security Policy Items

You can configure and check the following items on the [Security Policy Settings] screen or [Confirm Security Policy] screen of Remote UI.

[Interface]

[Wireless Connection Policy]
Disables the wireless connection to prevent unauthorized access.
[Prohibit Use of Direct Connection]
Prohibits access from mobile devices.
[Prohibit Use of Wireless LAN]
Prohibits wireless access via a wireless LAN router or access point. [Select Interface]
[USB Policy]
Disables the USB connection to prevent unauthorized access and data theft.
[Prohibit Use as USB Device]
Prohibits a computer from connecting to the machine via the USB port. [Use as USB Device]
[Prohibit Use as USB Storage Device]
Prohibits use of USB memory devices with the machine. [Use USB Storage Device]

[Network]

[Communication Operational Policy]
Requires a signature or certificate verification for safer communication.
[Always Verify Signatures for SMB/WebDAV Server Functions]
Verifies certificate signatures when using the machine as an SMB server or WebDAV server.
[Always Verify Server Certificate When Using TLS]
Verifies the certificate including Common Name (CN) when using TLS-encrypted communication.
* The following items are hidden and Adobe LiveCycle Rights Management cannot be linked.
* This does not apply to communication with an IEEE 802.1X network.
[Prohibit Cleartext Authentication for Server Functions]
Restricts authentication to secure methods only. When you are using the machine as a server, cleartext authentication and functions that rely on cleartext authentication are not available.
* If you are using an older version of the device management software or driver, you may not be able to connect to the machine. Use an updated version.
[Prohibit Use of SNMPv1]
Prohibits use of SNMPv1 when obtaining device information from a computer. [SNMP Settings]
[Port Usage Policy]
Closes unused ports to prevent external intrusion.
[Restrict LPD Port (Port Number: 515)]
Prohibits printing using the LPD protocol. [LPD Print Settings]
[Restrict RAW Port (Port Number: 9100)]
Prohibits printing using the RAW protocol. [RAW Print Settings]
[Restrict FTP Port (Port Number: 21)]
Prohibits printing using the FTP protocol. [FTP Print Settings]
[Restrict WSD Port (Port Number: 3702, 60000)]
Prohibits use of functions using the WSD protocol. [WSD Settings]
[Restrict BMLinkS Port (Port Number: 1900)]
As this function is not available on the machine, it is not applied to the security policy.
[Restrict IPP Port (Port Number: 631)]
Prohibits printing using the IPP protocol. Also disables certain print functions that use mobile apps and prohibits related printing.
[Restrict SMB Port (Port Number: 139, 445)]
Prohibits use of the machine as an SMB server. [SMB Server Settings]
[Restrict SMTP Port (Port Number: 25)]
Prohibits SMTP reception (SMTP RX). [Communication Settings]
[Restrict Dedicated Port (Port Number: 9002, 9006, 9007, 9011-9015, 9017-9019, 9022, 9023, 9025, 20317, 47545-47547)]
Prohibits use of dedicated ports. [Dedicated Port Settings]
[Restrict Remote Operator's Software Port (Port Number: 5900)]
Prohibits use of remote operation. [Remote Operation Settings]
[Restrict SIP (IP Fax) Port (Port Number: 5004, 5005, 5060, 5061, 49152)]
Prohibits use of IP Fax. [SIP Settings]
[Restrict mDNS Port (Port Number: 5353)]
Disables the mDNS settings (IPv4/IPv6) and certain print functions that use a mobile app. This disables network discovery and automatic settings using mDNS as well as related printing.
[Restrict SLP Port (Port Number: 427)]
Disables response to discovery in Multicast Discovery Settings as well as network discovery and automatic settings using SLP. [Multicast Discovery Settings]
[Restrict SNMP Port (Port Number: 161)]
Prohibits use of functions using the SNMP protocol. This may prohibit a computer from obtaining and configuring device information using SNMP.

[Authentication]

[Authentication Operational Policy]
Uses user authentication to prevent unauthorized operations by unregistered users.
[Prohibit Guest Users to Use Device]
Prevents anyone other than login users from using the machine. In addition, operations such as printing or sending faxes from a computer are canceled when no authentication information is set.
* [Guest Authentication Mode] is disabled as an authentication mode to use when logging in to Remote UI. If you selected [Guest Authentication Mode], this is changed to [Standard Authentication Mode]. [Edit Basic Settings] Screen
* When using ACCESS MANAGEMENT SYSTEM, see the manual of ACCESS MANAGEMENT SYSTEM at the online manual site.
[Force Setting of Auto Logout]
If no operations are performed for a specified period of time after login, the user is logged out automatically. Specify the time until the user is logged out when setting the security policy items. [Auto Reset Time]
[Password Operational Policy]
Strictly regulates how passwords are used.
[Prohibit Caching of Password for External Servers]
Requires use of a password to access an external server. Authentication information of the logged-in user is no longer stored.
[Display Warning When Default Password Is in Use]
Displays the screen prompting the user to change the password, when an administrator with the "Administrator" user name logs in to the machine using the default password. [Display Warning When Default Password Is in Use]
[Prohibit Use of Default Password for Remote Access]
Prevents an administrator with the "Administrator" user name from logging in to Remote UI using the default password. [Allow Use of Default Password for Remote Access]
[Password Settings Policy]
Sets passwords used for user authentication with a specific complexity and validity period so they cannot be easily guessed by a third party.
[Set minimum number of characters for password]
Requires passwords to have a specified character length. Specify the minimum number of characters when setting the security policy items. [Minimum Length Settings]
[Set password validity period]
Sets the validity period of passwords to require the change of passwords regularly. Specify the validity period when setting the security policy items. [Validity Period Settings]
[Prohibit Use of 3 or More Identical Consecutive Characters]
Prohibits passwords from using three or more consecutive repeating characters. [Prohibit Use of 3 or More Identical Consecutive Char.]
[Force Use of at Least 1 Uppercase Character]
Requires passwords to have at least one uppercase character. [Use at Least 1 Uppercase Character]
[Force Use of at Least 1 Lowercase Character]
Requires passwords to have at least one lowercase character. [Use at Least 1 Lowercase Character]
[Force Use of at Least 1 Digit]
Requires passwords to have at least one number. [Use at Least 1 Digit]
[Force Use of at Least 1 Symbol]
Requires passwords to have at least one symbol. [Use at Least 1 Symbol]
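As an added illustration of the [Password Settings Policy] items above (this is not Canon's own code, and the machine's internal checks are not published), the following Python function evaluates a candidate password against each listed rule and reports which policy items it violates. The minimum length (8) and validity period (90 days) are assumed values, since the manual leaves both to the administrator.

```python
import re
from datetime import date, timedelta

# Assumed policy values: the manual leaves minimum length and validity period
# to the administrator, so these two numbers are constructed for the example.
POLICY = {
    "min_length": 8,
    "validity_days": 90,
    "prohibit_3_identical_consecutive": True,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
}


def check_password(password, policy=POLICY):
    """Return the list of policy items the password violates (empty list = compliant)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("Set minimum number of characters for password")
    # Three or more identical characters in a row, e.g. "aaa" or "111"
    if policy["prohibit_3_identical_consecutive"] and re.search(r"(.)\1\1", password):
        failures.append("Prohibit Use of 3 or More Identical Consecutive Characters")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        failures.append("Force Use of at Least 1 Uppercase Character")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        failures.append("Force Use of at Least 1 Lowercase Character")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        failures.append("Force Use of at Least 1 Digit")
    # Symbol: any non-whitespace character that is not a letter or digit
    if policy["require_symbol"] and not re.search(r"[^A-Za-z0-9\s]", password):
        failures.append("Force Use of at Least 1 Symbol")
    return failures


def password_expired(last_changed, today, policy=POLICY):
    """True once the validity period has elapsed since the password was last changed."""
    return today - last_changed >= timedelta(days=policy["validity_days"])


if __name__ == "__main__":
    for candidate in ("Pr1nter!Ok", "Paaas1!xyz", "password"):
        print(candidate, "->", check_password(candidate) or "compliant")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```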
[Lockout Policy]
Prevents unauthorized login by locking out a user for a specified period of time if the password is incorrect at login.
[Enable Lockout]
Enables lockout. Specify how many failed login attempts until the user is locked out (lockout threshold) and the time until lockout is released when setting the security policy items. [Lockout Settings]

[Key/Certificate]

By preventing weak encryption and securely managing confidential information such as passwords and keys, you can protect sensitive data.
[Prohibit Use of Weak Encryption]
Prohibits use of weak encryption. [Prohibit Use of Weak Encryption]
[Prohibit Use of Key/Certificate with Weak Encryption]
Prohibits use of keys and certificates with weak encryption.
[Use TPM to Store Password and Key]
Enables TPM (Trusted Platform Module). Confidential information such as passwords and keys is encrypted with the TPM chip for secure management. [TPM Settings]
* After enabling TPM, immediately back up the TPM key. The TPM key is required to recover confidential information if the TPM chip should malfunction. Backing Up the TPM Key
IMPORTANT
TPM does not guarantee complete protection of data and hardware.
Canon is not responsible for failure or damage resulting from the use of TPM.
When Using the Administrator with the "Administrator" User Name
Before you enable TPM, change the default password for the "Administrator" user name so that only specific administrators know the new password. Administrator Privileges and Password
* If you leave the password at its default setting, there is a risk that a third party could back up the TPM key and steal the backup data.
  The TPM key can only be backed up one time, so if a third party steals the backup data, you will not be able to restore the TPM key.

[Log]

By recording logs, you can track the machine operations in the event of trouble, and more quickly detect unauthorized use of the machine. You can also use SNTP to obtain accurate time information.
[Force Recording of Audit Log]
Various logs for the machine are always recorded.
[Force SNTP Settings]
Enables the machine to obtain the time information from the time server on the network. Specify the server name (IP address of NTP or SNTP server) to be used when you configure the policy settings. [SNTP Settings]
* When you are using a DNS server, you can also enter the host name or the FQDN of the server name instead of the IP address.
 Input example:
  ntp.example.com

[Job]

[Printing Policy]
Prevents printed documents from being left unattended or stolen.
[Prohibit Immediate Printing of Received Jobs]
Temporarily saves the received faxes and print data in the memory of the machine, instead of printing them straight away.
[Sending/Receiving Policy]
Restricts use of destinations when sending data and how received data is handled.
[Allow Sending Only to Registered Addresses]
Prevents users from specifying new destinations. Users can send data only to destinations registered in the Address Book. [Limit New Destination]
[Force Confirmation of Fax Number]
Requires users to enter the fax number again when sending a fax. [Confirm Entered Fax Number]
[Prohibit Auto Forwarding]
Prohibits auto forwarding of faxes. [Use Forwarding Settings]

[Storage]

As this function is not available on the machine, it is not applied to the security policy.
A08C-1UF