Be aware that, in configuring SNMPv3, there is the option of resetting both the Privacy and Authentication passwords
back to their default values. This option should only be used if necessary, since if the default passwords are not known, no
one will be able to access the SNMP administrator account[8].
j. Initiate the software verification test feature by following the instructions for "Verifying the Software" in Section 4 of
the SAG.
k. Users should be aware that correct remote repository document pathnames for the receipt of workflow scanning jobs
should start with one '\' as opposed to the two '\'s shown in the SAG (e.g., page 140).
l. Users should be provided with appropriate training on how to use the device in a secure manner before being assigned
user accounts to access the device.
m. Before upgrading software on the device via the Manual/Automatic Customer Software Upgrade, please check for the
latest certified software versions. Otherwise, the machine may not remain in its evaluated configuration.
n. Users experiencing problems logging in to the device using the Web UI only on a particular web browser are advised to
switch to a different web browser.
o. The device should be installed in a standard office environment. Office personnel should be made aware of authorized
service calls (for example through appropriate signage) in order to discourage unauthorized physical attacks such as
attempts to remove the internal hard disk drive(s). Ensure that office personnel are made aware that they should pick up
the outputs of print and copy jobs in a timely manner.
p. Caution: The device allows an authenticated System Administrator to disable functions like Image Overwrite Security
that are necessary for secure operation. Periodically review the configuration of all installed machines in your
environment to verify that the proper evaluated configuration is maintained.

IV. Secure Operation of Device Services/Functions Not Part of the Evaluated Configuration

a. Change the SNMPv1/v2c public/private community strings from their default string names to random un-guessable
string names of at least 8 characters in length.
b. Customers should sign up for the RSS[9] subscription service available via the Xerox Security Web Site (Security@Xerox) at
www.xerox.com/security that permits customers to view the latest Xerox Product Security Information and receive timely
reporting of security information about Xerox products, including the latest security patches.
c. Customers who encounter or suspect software problems should immediately contact the Xerox Customer Support Center
to report the suspected problem and initiate the SPAR (Software Problem Action Request)[10] process for addressing
problems found by Xerox customers.
d. Depending upon the configuration of the device, two IPv4 addresses, a primary IPv4 address and a secondary IPv4
address, may be utilized. Select whether the primary IPv4 address will be obtained statically or dynamically via DHCP
from the IP (Internet Protocol) page on the Web UI[11]. The second IPv4 address is assigned via APIPA when the System
Administrator enables the 'Self Assigned Address' option from the IP (Internet Protocol) page on the Web UI. If the
'Self Assigned Address' option is enabled (which is the default case), this secondary IPv4 address will not be visible to the
SA[12]. The 'Self Assigned Address' option from the Web UI IP (Internet Protocol) page should be disabled unless either
APIPA is used or Apple Rendezvous/Bonjour support is required.
e. If IPv6 is disabled and then a software upgrade is performed by a Xerox Service Technician using an AltBoot, IPv6 will be
disabled even though both the Control Panel and Web UI show that IPv6 is enabled. IPv6 can be enabled again via the
Web UI by first disabling and then re-enabling it.
f. If use of the Embedded Device Security is desired, from the Web UI check that Embedded Device Security is enabled by
following the instructions under "McAfee Embedded Control" in Section 4 of the SAG. If the default Enhanced Security is
desired, select Enhanced Security for the 'Security Level'; if the 'Integrity Control' option is desired, select Integrity
Control for the 'Security Level'. Do not select the Disable McAfee Secure Device 'Security Level' option.
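
The periodic configuration review called for in item p can be partly automated against the settings named in items p, IV.a, IV.d and IV.f. The following is an added example, not Xerox code: the dictionary keys and the two device records are hypothetical, constructed sample data standing in for whatever settings export is available in your environment.

```python
import secrets

DEFAULT_COMMUNITIES = {"public", "private"}                   # default names per IV.a
ALLOWED_LEVELS = {"Enhanced Security", "Integrity Control"}   # levels named in IV.f

def new_community(nbytes=12):
    """Random replacement community string (16 URL-safe characters for 12 bytes)."""
    return secrets.token_urlsafe(nbytes)

def community_problems(value):
    """Reasons a community string fails IV.a; an empty list means acceptable."""
    problems = []
    if value.lower() in DEFAULT_COMMUNITIES:
        problems.append("still a default name")
    if len(value) < 8:
        problems.append("shorter than 8 characters")
    return problems

def audit_device(cfg):
    """Compare one device's exported settings (hypothetical keys) with the guidance."""
    findings = []
    if not cfg["image_overwrite"]:
        findings.append("Image Overwrite Security is disabled (item p)")
    for key in ("snmp_get_community", "snmp_set_community"):
        findings += [f"{key}: {p} (IV.a)" for p in community_problems(cfg[key])]
    needs_self_assigned = cfg["uses_apipa"] or cfg["needs_bonjour"]
    if cfg["self_assigned_address"] and not needs_self_assigned:
        findings.append("Self Assigned Address enabled without APIPA/Bonjour need (IV.d)")
    if cfg["security_level"] not in ALLOWED_LEVELS:
        findings.append("Security Level is not Enhanced Security or Integrity Control (IV.f)")
    return findings

# Constructed inventory: sample records only, not output of any Xerox tool.
INVENTORY = {
    "mfp-floor1": {"image_overwrite": True, "snmp_get_community": "k3Vq9-ZtB1xwLm2A",
                   "snmp_set_community": "Rw7_pQ0sYd4nHc8E", "self_assigned_address": False,
                   "uses_apipa": False, "needs_bonjour": False,
                   "security_level": "Enhanced Security"},
    "mfp-floor2": {"image_overwrite": False, "snmp_get_community": "public",
                   "snmp_set_community": "private", "self_assigned_address": True,
                   "uses_apipa": False, "needs_bonjour": False,
                   "security_level": "Disable McAfee Secure Device"},
}

def audit_fleet(inventory):
    """Map each device name to its list of deviations from the guidance."""
    return {name: audit_device(cfg) for name, cfg in inventory.items()}

if __name__ == "__main__":
    for name, findings in audit_fleet(INVENTORY).items():
        print(name, "OK" if not findings else findings)
```

The IPv6 condition in item e cannot be checked this way, because the displayed setting is exactly what is wrong after an AltBoot upgrade.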

[8] The SNMP administrator account is strictly for the purposes of accessing and modifying the MIB objects via SNMP; it is separate from the
System Administrator "admin" user account or user accounts given SA privileges by the System Administrator "admin" user. The administrator
account cannot perform any System Administrator functions.
[9] Really Simple Syndication – A lightweight XML format for distributing news headlines and other content on the Web. Details for signing up for
this RSS Service are provided in the Security@Xerox RSS Subscription Service guide posted on the Security@Xerox site at
http://www.xerox.com/go/xrx/template/009.jsp?view=Feature&ed_name=RSS_Security_at_Xerox&Xcntry=USA&Xlang=en_US.
[10] A SPAR is the software problem report form used internally within Xerox to document customer-reported software problems found in
products in the field.
[11] The primary IPv4 address can also be assigned dynamically via DHCP from the Dynamic Addressing screen on the Control Panel.
[12] The primary IPv4 address will always be displayed on the Configuration Report that can be printed for the device.