Securing communication with the MarkVision Server

Using secure communication

MVP allows secure communication between the MarkVision Server and network devices that support the same security protocol. Administrators can communicate with, configure, control, and retrieve information from secured devices on the network. Secure communication reduces the risk that user credentials or device commands are intercepted or tampered with on the network. The overall security of server-to-device communication is determined by the security level setting for the MarkVision Server in conjunction with the communication security setting applied to the device.

Communication security tasks are:

Using LDAP to authenticate user access

MVP administrators can use the company LDAP server to authenticate user IDs and passwords. This eliminates the need for users to maintain separate MVP logon IDs and passwords.

When enabling LDAP server authentication, administrators have three modes of LDAP authentication. The following authentication mechanisms bind to the LDAP server in increasing order of security:

Make sure that the administrator password is defined before proceeding with LDAP Server authentication setup. LDAP Server authentication is only accessible through the Master Administrator account. LDAP authentication works for all user accounts with the exception of the Master Administrator account. The Master Administrator account must have a unique MVP password.

Creating a user account using simple LDAP authentication

  1. From the MarkVision Professional Home screen, select User Accounts and Groups from the All Tasks list.

  2. Click Add.

  3. Type the user's existing network logon ID in the Account Name box.

    Note: This ID must match the user ID which exists in the LDAP database.
  4. Leave the password field blank.

    Note: No password entry is required or permitted because LDAP will be used for authentication when the user logs on.
  5. Click the Authenticate using LDAP Server/Kerberos KDC box to select it, then select Simple LDAP Bind from the Authentication Mechanism drop-down list.

  6. Click Next.

  7. Enter the information for the LDAP server in the LDAP Settings text boxes:

    • LDAP Server Address—Enter the IP Address or the Host Name of the LDAP Directory Server where the authentication will be performed.

    • Port Number—The port used by the local computer to communicate with the LDAP Directory Server. The default LDAP port is 389. When Use SSL is selected (step 8), the directory must accept SSL connections on the port entered here; the conventional LDAPS port is 636.

    • Search Base—The Search Base is the distinguished name (DN) of the node in the LDAP Directory Server under which user accounts exist.

      Note: A Search Base is written as a comma-separated chain of attribute=value components, such as cn (common name), ou (organizational unit), o (organization), c (country), or dc (domain component), ordered from the most specific on the left to the directory root on the right (for example ou=managers,o=Acme).
    • User Attributes—Enter the LDAP attribute whose value is matched against the user ID entered at logon: cn (common name), userid, or a user-defined attribute name.

    • Distinguished Name—Enter the full distinguished name of the LDAP account that the MarkVision Server binds with. The DN names the account's own entry first, followed by each container above it, for example cn=<service account>,ou=managers,o=Acme, where o is the organization (a company's name) and ou is an organizational unit (a certain group of employees at the company).

    • Password and Confirm Password—The indicator light changes to green when the two passwords are identical. If the passwords do not match, the indicator light remains red.

  8. To use SSL, click the Use SSL box to select it, and then type the Certificate Store password in the text box.

    Note: MVP administrators can make their Certificate Store password protected by entering a password before importing the first trusted certificate.
  9. Click Next.

  10. Select a certificate from the list, or click Import to import a new certificate.

  11. Click Finish.

  12. Have the user log on to MVP with the user ID and password they use for the company network. The MarkVision Server binds to the company LDAP directory as that user to authenticate the logon. If Use SSL was selected in step 8, the simple bind is protected by SSL; if it was not, the simple bind sends the user's password in cleartext on the network, so select Use SSL whenever the directory supports it.
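The LDAP Settings fields in step 7 and the Use SSL choice in step 8 are easy to get subtly wrong: a Distinguished Name that names a container instead of the service account, a reversed or malformed DN, or a simple bind left on cleartext port 389. The following script is an added example (not part of MarkVision Professional) that checks a set of settings before they are entered in the wizard. The host name, service account and search base below are constructed placeholders.

```python
"""Pre-flight audit of MarkVision LDAP settings (added example, not MVP code).

Checks the Search Base and Distinguished Name fields for well-formed DNs and
flags transport settings that would expose passwords on the network.
"""
from dataclasses import dataclass

LDAP_PORT = 389    # cleartext LDAP
LDAPS_PORT = 636   # LDAP over SSL/TLS

# Attribute types that name a single account rather than a container.
ACCOUNT_ATTRS = {"cn", "uid", "userid", "samaccountname"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute, value) pairs, leftmost first.

    Handles backslash-escaped commas inside values ("o=Acme\\, Inc.").
    Raises ValueError for empty or malformed components.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))

    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


@dataclass
class LdapSettings:
    server: str
    port: int
    search_base: str
    user_attribute: str
    bind_dn: str
    bind_password: str
    use_ssl: bool


def audit(s: LdapSettings) -> list[str]:
    """Return a list of findings; an empty list means the settings look sane."""
    findings = []
    for label, dn in (("Search Base", s.search_base), ("Distinguished Name", s.bind_dn)):
        try:
            parse_dn(dn)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
    try:
        leaf_attr = parse_dn(s.bind_dn)[0][0]
        if leaf_attr not in ACCOUNT_ATTRS:
            findings.append(
                f"Distinguished Name: leftmost RDN is {leaf_attr}=..., which names a "
                "container; the bind DN must name the MVP service account itself")
    except ValueError:
        pass  # already reported above
    if not s.user_attribute.strip():
        findings.append("User Attributes: no attribute given to match the logon ID against")
    if not s.bind_password:
        findings.append("Password: an empty password makes the bind anonymous")
    if not s.use_ssl:
        findings.append(
            "Use SSL is off: a simple bind sends the service account password and "
            "every user's logon password in cleartext on the network")
    elif s.port == LDAP_PORT:
        findings.append(
            f"Use SSL with port {LDAP_PORT}: LDAPS normally listens on {LDAPS_PORT}; "
            "confirm the directory really serves SSL on 389")
    if not s.use_ssl and s.port == LDAPS_PORT:
        findings.append(f"port {LDAPS_PORT} without Use SSL: a cleartext bind will fail there")
    return findings


# Constructed sample values (hypothetical host, service account and base).
WEAK = LdapSettings("ldap.example.com", 389, "ou=managers,o=Acme", "cn",
                    "ou=managers,o=Acme", "s3cret", use_ssl=False)
FIXED = LdapSettings("ldap.example.com", 636, "ou=managers,o=Acme", "cn",
                     "cn=mvp-service,ou=managers,o=Acme", "s3cret", use_ssl=True)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(cfg) or ["OK"])
```

Running the script prints two findings for the weak configuration (the bind DN names a container, and the bind is cleartext) and OK for the corrected one. The audit only inspects the values; it does not contact the directory, so a clean result still has to be followed by a test logon.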

Creating a user account using secure LDAP authentication

  1. From the MarkVision Professional Home screen, select User Accounts and Groups from the All Tasks list.

  2. Click Add.

  3. Type the user's existing network logon ID in the Account Name box.

    Note: This ID must match the user ID which exists in the LDAP database.
  4. Leave the password field blank.

    Note: No password entry is required or permitted because LDAP will be used for authentication when the user logs on.
  5. Click the Authenticate using LDAP Server/Kerberos KDC box to select it, then select Secure from the Authentication Mechanism drop-down list.

  6. Click Next.

  7. Enter the information for the Kerberos server in the Kerberos Settings text boxes:

    • KDC IP/HostName—Enter the Hostname or IP address of the Kerberos Server (Kerberos Key Distribution Center).

    • Realm—Enter the Kerberos realm. The realm is normally the fully qualified domain name that identifies the domain on your network (for example camelot.ap.england.com), written in uppercase as the KDC defines it; realm names are case-sensitive, so enter the realm exactly as configured on the KDC.

    • User Name—Enter the user name of the LDAP Account for the MVP Server.

      Note: When using Kerberos LDAP authentication, an associated MarkVision Server account may be necessary depending on the Kerberos configuration. For information on MarkVision Server accounts for Kerberos, see the Kerberos documentation. Kerberos also requires the MarkVision Server's clock to be within the KDC's permitted skew (five minutes by default), so keep the server's time synchronized with the KDC.
    • Password and Confirm Password—The indicator light changes to green when the two passwords are identical. If the passwords do not match, the indicator light remains red.

  8. Click Finish.

Setting server communication security

Setting server communication security involves:

Use the “Administrative Settings” task in the All Tasks list on the MVP Home screen to set the server communication security password and server-to-device security.

Setting the server communication security password

  1. From the MarkVision Professional Home screen, select Administrative Settings from the All Tasks List.

  2. Select the Communication Security tab at the top of the dialog.

  3. Click Communication Password.

  4. When prompted, click Yes to continue.

  5. Type the new password in the New Password box.

    Note: If there is no password assigned, leave the Old Password box empty.
  6. Confirm the password by typing it again.

    Note: The indicator light will change to green when the two passwords match; it will remain red if the passwords do not match.
  7. Click Apply.

Setting the server communication security level

  1. From the MarkVision Professional Home screen, select Administrative Settings from the All Tasks list.

  2. Select the Communication Security tab at the top of the dialog box.

  3. Move the slider to indicate the desired communication security level for the server.

    Server communication security consists of four security levels. Each server security level and its effect:

    • On: Allows both secure and insecure communication. Communication is secure only if the device is capable and locked down. Most other communication is insecure, with the exception of sensitive information (such as communication passwords, or scan and copy page counts). Sensitive information is always transmitted across an encrypted channel, even if the device is not locked down.

      Note: Advanced devices do not support the “Security - Printer Lockdown” task. For more information, see Overview.

    • Off: Secure features are not available. Devices that are locked down will not be discovered.


    Note: The MarkVision Server security level is displayed in the bottom right corner of the MarkVision Professional Home screen.
  4. Click Apply, and then click OK.

    Note: This setting takes effect immediately, and does not require a service restart.

Selecting server-to-client security

The Communication Security tab on the Administrative Settings Dialog provides an administrator with the option to use SSL for communication between the MarkVision Server and MarkVision Client.

  1. From the MarkVision Professional Home screen, select Administrative Settings from the All Task list.

  2. Click the Communication Security tab at the top of the dialog.

  3. Select the Use SSL for Server-Client Communications check box to enable SSL communication.

  4. Click Apply, and then click OK.

    Note: SSL will be used the next time a client connects to the MarkVision Server. The current session will not be affected.

Disabling or securing remote management of a device

MarkVision Professional allows administrators to secure or disable remote management on certain newer devices. Securing remote management on a device requires that a security template be applied to the Remote Management access control.

For users creating a new security template, setting up an access control to disable remote management is a three-step process. For instructions on disabling remote management completely, skip to “Step 3: Configure Remote Management access control for the device(s).”

Note: Disabling remote management effectively ends communication between a selected device and the MVP Server. Though the device will appear in the device list following discovery, MVP may not be able to determine its capabilities and/or characteristics because the device itself will prevent such data from being read.

Step 1: Create a building block

MVP supports seven building blocks: Password, PIN, Internal Accounts, Kerberos, NTLM, LDAP, and LDAP + GSSAPI. Building blocks are the fundamental elements used to create security templates. The steps below describe how to create a PIN building block, but any of the other six building blocks could just as easily be used.

  1. From the MarkVision Professional Home screen, select Security - PIN from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Click Add.

  4. Enter a name and PIN in the PIN Setup dialog.

  5. Click OK.

Step 2: Create a security template

Once configured, one or two building blocks can be combined with a unique name of up to 128 characters to create a security template. Each device can support up to 140 security templates. Though the names of security templates must be different from one another, building blocks and security templates can share a name.

  1. From the MarkVision Professional Home screen, select Security - Security Templates from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Click Add.

  4. Type a name for the security template, and then choose the appropriate building block from the Authentication Setup list.

  5. Click OK.

Step 3: Configure Remote Management access control for the device(s)

The final step in limiting access to devices from the MVP Server is to apply a security template to the Remote Management access control, or to disable it altogether.

Note: This disables only remote host software management (MarkVision Professional), not the device's Embedded Web Server. If the goal is to stop all remote administration of the device, the Embedded Web Server must be restricted separately.
  1. From the MarkVision Professional Home screen, select Security - Access Controls from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Notes:

    • When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
    • The same security template must be installed on each of the selected devices in order to disable Remote Management on more than one device at the same time.
  3. Select the newly created security template from the Remote Management drop-down list, and then click Apply.

    Note: To disable remote management for the device, select Disabled from the Remote Management drop-down list, and then click Apply.

Synchronizing device communication passwords

For MVP to manage devices securely, the passwords must match between the server and each managed device. Synchronizing a device password sets the communication password for the device to the same password that is used by the server.

Note: The password is set via an encrypted data channel.
  1. From the MarkVision Professional Home screen, select Security - Communication Password from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Synchronize or remove the device password.

    • To synchronize the device communication password with the MarkVision Server:

      1. Click Synchronize with Server.

      2. Click Yes.

    • To synchronize the device communication password with a new server password:

      1. Click Synchronize with Server.

      2. From the “Confirm Synchronize with Server” dialog, click the check box to confirm synchronization.

      3. Click Yes.

      4. Type the old server communication password.

      5. Type a new server communication password.

      6. Type the new password again to confirm it.

      7. Click OK, and then click Yes.

    • To remove the device communication password:

      1. Make sure the device is not locked down. Lockdown forces the device to communicate only over the secure channel, which depends on matching communication passwords, so removing the password from a locked-down device would cut it off from the server.

      2. Click Remove Password.

    Note: Devices that are not capable of secure communication are displayed with a black line through them in the results area.

Securing printer communication through lockdown

The Printer Lockdown task forces one or more supported devices to communicate exclusively over a secure channel. It enables the firewall on the device, which closes most network ports (for example HTTP, SNMP, and FTP) and leaves only the secure ports open. The Printer Lockdown task is not available on devices that support building blocks and security templates.

  1. From the MarkVision Professional Home screen, select Security - Printer Lockdown from the All Tasks list.

  2. Select devices using the Quick Find or Folders tabs.

    Use Ctrl + click and Shift + click to select multiple devices.

    Note: When a device managed by MVP is not supported by a specific task, its name will appear with a black line through it in the Quick Find or Folders tabs. Password-protected network devices are displayed in red. Enter the device password to gain access to the device.
  3. Select the Lockdown check box to lock down the device.

    To remove lockdown from a device, clear the Lockdown check box.

Note: The Generic File Download and Printer Resource tasks will not be available when the Printer Lockdown option is enabled.
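Because lockdown is enforced by the device's own firewall, the useful check is from the network rather than from the MVP dialog: after applying it, confirm that the ports the task is documented to close (FTP, HTTP, and SNMP) no longer answer. The script below is an added example (not part of MarkVision Professional) that probes those services from the administrator's host; SNMP runs over UDP, so the script sends a real SNMPv1 GetRequest for sysDescr.0 and treats a GetResponse as "still open". The target address in the test is a constructed placeholder; the probes are injectable so the logic can be exercised without a device.

```python
"""Network-side check that Printer Lockdown closed the insecure ports.

Added example, not MVP code. Probes the services the Lockdown task is
documented to disable (FTP, HTTP, SNMP) from the administrator's host.
"""
import socket

INSECURE_TCP = {21: "FTP", 80: "HTTP"}   # TCP ports lockdown should close
SNMP_PORT = 161                           # UDP: needs a real request to test
SYSDESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)    # sysDescr.0, answered by any agent


def _tlv(tag: int, body: bytes) -> bytes:
    """BER type-length-value for bodies under 128 bytes (all we need here)."""
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body


def _subid(n: int) -> bytes:
    """Base-128 encoding of one OID sub-identifier."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def snmp_get_request(oid=SYSDESCR, community=b"public", request_id=1) -> bytes:
    """Minimal SNMPv1 GetRequest (RFC 1157) for a single OID; request_id < 128."""
    oid_body = _subid(40 * oid[0] + oid[1]) + b"".join(_subid(x) for x in oid[2:])
    varbind = _tlv(0x30, _tlv(0x06, oid_body) + _tlv(0x05, b""))      # OID + NULL
    pdu = _tlv(0xA0, _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))            # GetRequest
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community) + pdu)  # v1 = 0


def _is_get_response(data: bytes) -> bool:
    """Walk the message header to the PDU tag; accept only a GetResponse (0xA2)."""
    def after(idx):                 # index just past the TLV that starts at idx
        length = data[idx + 1]
        if length & 0x80:           # long-form length: next N bytes hold it
            n = length & 0x7F
            length = int.from_bytes(data[idx + 2:idx + 2 + n], "big")
            return idx + 2 + n + length
        return idx + 2 + length
    try:
        if data[0] != 0x30:
            return False
        idx = 2 + ((data[1] & 0x7F) if data[1] & 0x80 else 0)  # skip SEQUENCE hdr
        idx = after(idx)                                        # version INTEGER
        idx = after(idx)                                        # community string
        return data[idx] == 0xA2
    except IndexError:
        return False


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def snmp_answers(host: str, community: bytes = b"public", timeout: float = 2.0) -> bool:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(snmp_get_request(community=community), (host, SNMP_PORT))
            data, _ = sock.recvfrom(2048)
        except OSError:             # timeout or ICMP port-unreachable
            return False
    return _is_get_response(data)


def assess_lockdown(host, tcp_probe=tcp_open, snmp_probe=snmp_answers):
    """Return (locked_down, still_answering). Probes are injectable for tests."""
    still_open = [name for port, name in INSECURE_TCP.items() if tcp_probe(host, port)]
    if snmp_probe(host):
        still_open.append("SNMP")
    return (not still_open, still_open)


if __name__ == "__main__":
    import sys
    ok, leaks = assess_lockdown(sys.argv[1])
    print("locked down" if ok else f"still answering: {', '.join(leaks)}")
```

Run it from a host on the same network segment as the printer: a closed port seen through an intervening firewall proves nothing about the device. The SNMP probe uses the community string public; if the device was configured with a different read community, pass that instead, otherwise an agent that is still listening will stay silent and look closed.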

Viewing encrypted hard disk drives

Some supported devices contain encrypted hard disk drives to protect information stored on the device. MVP allows information retrieval from these drives without interfering with device security. If the device has an encrypted hard disk drive and is communicating over a secure channel, an administrator can use the Storage Devices task to view the drive. As a precaution, if the hard disk drive is encrypted and the device is not communicating securely, the task will not display the hard disk drive information. Although MVP can view encrypted hard disk drives, it does not allow a user to change the encryption settings of the device.