
XEROX WorkCentre 3550 Information Assurance Disclosure Paper

3. System Access

3.1. Authentication Model

The authentication model allows for the following:

Local Authentication: Provides access to the scan to network and scan to email services. User account information is kept in a local accounts database and the authentication process will take place locally.

Network Authentication: Provides access to the scan to network and scan to email services. User network credentials are used to authenticate the user at the network domain controller.

Authorization: Provides three levels of access to the CentreWare Internet Services and to the Local User Interface: system administrator, key user and all users.

3.2. Login and Authentication Methods

There are a number of methods for different types of users to be authenticated. In addition, the connected versions of the product also log into remote servers. A description of these behaviors follows.

3.2.1. System Administrator Login [All product configurations]

Users must authenticate themselves to the device. To access the User Tools via the Local UI, a PIN is required. The customer can set the PIN to anywhere from 4 to 32 alphanumeric characters in length. This PIN is stored in the controller NVM and is inaccessible to the user. Xerox strongly recommends that this PIN be changed from its default value immediately upon product installation. The PIN should be set to a minimum of 8 characters in length and changed at least once per month. Longer PINs can be changed less frequently; a 9-character PIN would be good for a year. The same PIN is used to access the Administration screens in the Web UI.

3.2.2. User authentication

Users may authenticate to the device using Kerberos, LDAP or SMB Domain authentication protocols. Once the user is authenticated to the device, the user may proceed to use the scan to network and scan to email features.

The WebUI allows a system administrator (SA) to set up a default authentication domain and as many as 6 additional alternate authentication domains. The device will attempt to authenticate the user at each domain server in turn until authentication is successful, or the list is exhausted.

3.2.2.1. Kerberos Authentication (Solaris or Windows 2000/Windows 2003)

This is an option that must be enabled on the device, and is used in conjunction with scan to network and scan to email features. The authentication steps are:

1) A user enters a user name and password at the device in the Local UI. The device sends an authentication request to the Kerberos Server.

2) The Kerberos Server responds with the encrypted credentials of the user attempting to sign on.

3) The device attempts to decrypt the credentials using the entered password. The user is authenticated if the credentials can be decrypted.

4) The device then logs onto and queries the LDAP server, trying to match an email address against the user's Login Name.
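The four steps above, together with the default-plus-alternate domain walk described in section 3.2.2, as an added simulation that is not part of the Xerox paper and not the device's firmware. Both sides of the exchange run in one process: a constructed KDC per realm holds only password-derived keys and answers an authentication request with credentials encrypted under the user's key; the device side derives the same key from the entered password, treats a failed decryption as a failed login for that domain, moves on to the next domain, and on success resolves the login name to an email address in a constructed LDAP directory. The PBKDF2 salt, iteration count, the HMAC-based stand-in for Kerberos encryption, and the realm, user and directory names are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Derive the principal's long-term key from the password.

    Kerberos salts the password with realm and principal name; AES enctypes
    use PBKDF2, which is reused here. The iteration count is a constructed value.
    """
    salt = (realm.upper() + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for Kerberos encryption: HMAC keystream XOR, then an HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when this key does not verify the tag."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KerberosServer:
    """Constructed KDC for one realm: it stores keys, never the passwords."""

    def __init__(self, realm: str, passwords: dict):
        self.realm = realm
        self.keys = {u: string_to_key(p, realm, u) for u, p in passwords.items()}

    def as_exchange(self, principal: str) -> Optional[bytes]:
        # Step 2: reply with credentials encrypted under the principal's key.
        key = self.keys.get(principal)
        if key is None:
            return None
        session_key = os.urandom(KEY_LEN)
        credentials = b"session-key:" + session_key.hex().encode() + b";tgt-for:" + principal.encode()
        return seal(key, credentials)


class LdapServer:
    """Constructed directory used in step 4 to map a login name to an email address."""

    def __init__(self, entries: dict):
        self.entries = entries

    def mail_for(self, login_name: str) -> Optional[str]:
        return self.entries.get(login_name)


def device_login(domains, ldap: LdapServer, user: str, password: str) -> Optional[dict]:
    """Device side: try the default domain and then each alternate in turn,
    decrypt the reply with the entered password, then resolve the email address."""
    for kdc in domains:
        reply = kdc.as_exchange(user)        # step 1: authentication request sent
        if reply is None:
            continue                         # principal unknown in this realm
        key = string_to_key(password, kdc.realm, user)
        if unseal(key, reply) is None:       # step 3: decryption fails => wrong password
            continue
        return {"realm": kdc.realm, "email": ldap.mail_for(user)}  # step 4
    return None                              # domain list exhausted


# Constructed sample deployment: a default domain plus one alternate domain.
DOMAINS = [
    KerberosServer("CORP.EXAMPLE", {"alice": "correct horse battery staple"}),
    KerberosServer("LAB.EXAMPLE", {"bob": "hunter2-but-longer"}),
]
LDAP = LdapServer({"alice": "alice@corp.example", "bob": "bob@lab.example"})

if __name__ == "__main__":
    print(device_login(DOMAINS, LDAP, "alice", "correct horse battery staple"))
    print(device_login(DOMAINS, LDAP, "bob", "hunter2-but-longer"))  # found at the alternate domain
    print(device_login(DOMAINS, LDAP, "alice", "wrong"))             # None
```

The point the simulation makes visible is that the password never leaves the device: the KDC only proves the user's identity indirectly, by returning something only the right password-derived key can open, and a wrong password simply fails the integrity check at step 3. Because that encrypted reply is handed out before the password is proven, a real KDC should be configured to require pre-authentication, and the device's walk through up to seven domains means each failed domain should appear in that domain's logs as a failed login for the account.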


Ver. 1.3, March 2011

Page 21 of 32
