Network scan and print data are overlooked areas when it comes to network security. Documents routinely contain sensitive information, like financial data, information that personally identifies customers or employees, and account information. Printing and imaging devices are commonly located in high-traffic areas with only basic physical security. In this environment, it’s very easy for confidential information to end up in the wrong hands, either accidentally or intentionally.
Lexmark printers include standard features that can substantially reduce this vulnerability.
Protected USB Ports
Lexmark laser printers and multifunction printers (MFPs) include support for USB devices, which may cause concern in environments where security is critical. Designed with security in mind, USB host ports have various mechanisms in place to keep them from being used in a malicious manner. These protections include, but are not limited to, the ability to:
- Completely disable the USB host port
- Restrict access through authentication and authorization
- Schedule interactions with devices
- Limit the file types that can be written to and/or read from a device
- Disallow any boot support
LDAP Address Book Lookup
When sending e-mails or faxes, users can look up the recipients’ e-mail addresses and fax numbers. Lexmark MFPs use LDAP to perform lookups by directing queries to your corporate directory server.
Authentication and Authorization
Device functions can be restricted so that users must authenticate prior to accessing the functions of the device, such as copy, fax, scan to e-mail, scan to network folder, workflow scripts, and/or embedded applications. Lexmark devices can be configured to authenticate users against Internal accounts, passwords, and/or PINs. Lexmark devices can also be configured to authenticate users against a corporate directory via NTLM, Kerberos 5, LDAP, and/or LDAP+GSSAPI. These authentication methods are secure and compatible with Active Directory and other directory server platforms.
On top of authentication, device functions can be restricted via user/group-based authorization. Authorization is the ability to restrict particular device functions based on user/group membership within a corporate directory infrastructure.
Auto-Insertion of Sender’s E-mail Address
When a user authenticates in order to scan a document to e-mail, the e-mail address of the sender is automatically looked up and inserted into the “From” field. This lets the recipient clearly see that the e-mail was generated by that individual, not anonymously or from the MFP.
Building blocks are the various methods for validating user credentials. Examples of building blocks include: Internal Accounts, NTLM, Kerberos 5, LDAP, LDAP+GSSAPI, Password, and PIN.
Security templates are used to restrict access and are made from one or more building blocks. Security templates are defined by the device administrator and appear in the Access Control drop-down menu. The templates are applied to specific menus and workflows on the Lexmark device. The breadth that a security template can cover is large, providing control over some of the most important security settings on the Lexmark device.
All LDAP traffic to and from Lexmark devices can be secured with TLS/SSL. LDAP information such as credentials, names, e-mail addresses and fax numbers is encrypted when exchanged over a TLS/SSL connection, preserving the confidentiality and privacy of the data.
Access controls allow you to choose from a drop-down list of available security templates to control local and remote access to specific menus, functions and workflows. They also provide the ability to disable functions entirely. Over 50 access controls are available, providing greater flexibility for your unique environment. Examples of available access controls include those for device functions (copy, print, fax, scan to e-mail, FTP, held jobs, address book, and others), security menus, firmware updates, embedded applications, device menu settings (reports, paper, settings, network/ports, and others), operator panel lockout, remote management settings, and more.
You can prevent unauthorized use of a device by restricting the number of consecutive failed logins. When this limit is exceeded, the device is locked for a predetermined amount of time specified by the administrator. These settings are configured through Login Restrictions on the Lexmark device. In addition, the Home Screen and Remote Login timeouts can be adjusted within the Login Restriction configuration settings. With Audit Logging enabled, the device will track the security events related to the Login Restrictions.
Operator Panel Lock
The Operator Panel Lock feature allows an MFP to be put in a locked state in which the operator panel does not allow any user operations or configuration. While locked, the device cannot copy or scan jobs, it cannot be reconfigured via the operator panel, and incoming jobs will not sit exposed in the output bin. If the device has a hard disk, incoming print and fax jobs are stored on the hard disk instead of being printed. The device can be unlocked by entering an authorized user’s credentials, at which time the held jobs will be printed and the device will resume its normal operation.
Print jobs are held in RAM or on the hard disk until the intended recipient enters the appropriate PIN, allowing the job to print. Held jobs can be set to expire after an elapsed time (configurable from one hour to one week). In addition, a limit can be set on the number of times a PIN can be entered incorrectly before the corresponding jobs are purged.
Incoming Fax Holding
Lexmark devices can be configured to hold rather than print incoming faxes during scheduled times. Incoming faxes are held securely on the hard disk until the proper credentials have been entered on the Lexmark device. Examples of credentials include a PIN, password, and user network ID and password.