White Paper - Security - UniFLOW - V4.8
Security - uniFLOW
Document Name: White Paper - Security - uniFLOW
Knowledgebase: MOMKB-462
Technologies Concerned: uniFLOW, RPS, uniFLOW Client for Windows, uniFLOW Client for Mac, uniFLOW SmartClient, MEAP, LDAP, uniFLOW Login Manager, Scan Processing Server, ICARUS Server for Web, uniFLOW AirPrint® & IPP Service (previously known as uniFLOW Service for AirPrint), uniFLOW Internet Gateway, Email, Acrobat Reader, Neevia, Foxit, RedTitan, Canon iW SAM, CRQM, DRQM, Database, Antivirus, IIS, Firewall, Canon MFP Security, Hardware Security
Short Summary: This white paper has been written to help you increase the security of your uniFLOW installation and the corresponding network environment and servers. This white paper focuses on the configuration options within uniFLOW and explains standard security features of uniFLOW. It also covers print data
NT-ware trademarks
uniFLOW®, mdsFLOW®, uniFLOW Serverless Secure Printing®, Helix Production Workflow®, MIND®,
microMIND®, and MiCard® are registered trademarks of NT-ware Systemprogrammierungs-GmbH.
Third-party trademarks
Adlib, Express, and Express Server are either registered trademarks or trademarks of Adlib Publishing
Systems Inc. Adobe®, Adobe® Reader®, Acrobat®, Distiller®, PostScript® and products of the CREATIVE
SUITE(S) are either registered trademarks or trademarks of Adobe Systems Incorporated in the United
States and/or other countries. Android™ is a trademark of Google LLC. Apple®, the Apple logo®, Mac®, mac
OS®, Macintosh®, iPhone®, iPad®, and AirPrint® are trademarks of Apple Inc. registered in the U.S. and
other countries and regions. Box is a trademark of Box Inc. CANON, iR-ADV, iR, imageRUNNER,
imageRUNNER ADVANCE, MEAP, iW and Canon product and services names are the trademark or registered
trademark of Canon Inc. and/or other members of the Canon Group. CBORD® and CS Gold® are registered
trademarks or service marks of the CBORD Group Inc. SAP® Crystal Reports® and SAP® Business Objects™
are trademarks or registered trademarks of SAP SE or its affiliates in Germany and several other countries.
Dropbox of Dropbox Inc. eCopy® and eCopy ShareScan® are trademarks and/or registered trademarks of
eCopy Inc. Evernote® of Evernote Corporation. FileNet® of IBM Corporation. FOXIT® is a registered
trademark of Foxit Corporation. Google Docs web-based word-processing program and Google Cloud Print™
web-printing service are trademarks of Google LLC. HP®, HEWLETT-PACKARD®, PCL®, and LASERJET® are
registered trademarks that belong to HP Inc. KONICA MINOLTA® is a registered trademark of KONICA
MINOLTA Inc. iOS® of Cisco Technology Inc. JAWS PDF Courier™ is a trademark of Global Graphics Software
Ltd. Microsoft, Windows, Windows Server, Internet Explorer, Internet Information Services, Microsoft Word,
Microsoft Excel, Microsoft SharePoint, Microsoft SharePoint Online, OneDrive, One Drive for Business, SQL
Server, Active Directory, Hyper-V are either registered trademarks or trademarks of Microsoft Corporation
and of the Microsoft group of companies in the United States and/or other countries. Mopria® is a
registered trademark of Mopria Alliance Inc. Neevia Document Converter Pro™ is a trademark or product
name of Neevia Technology. NetWare®, Novell®, Novell eDirectory™ of Novell Inc. are trademarks or
registered trademarks of Novell Inc. in the United States and other countries. MobileIron® is a registered
trademark of MobileIron Inc in the United States and/or other countries. Océ, Océ PlotWave®, Océ
ColorWave®, and PRISMA are trademarks or registered trademarks of Océ-Technologies B.V. Apache
OpenOffice™ of Apache Software Foundation. PosterJet® is copyrighted and an internationally registered
trademark of Eisfeld Datentechnik GmbH & Co. KG. RedTitan® and the RedTitan logo are registered
trademarks of RedTitan Technology Ltd. Netaphor SiteAudit™ and the Netaphor logo are trademarks of
Important Note
Serious problems might occur if you modify the registry of your Windows operating system incorrectly.
These problems might require that you reinstall the operating system. We strongly recommend that you
always back up the registry of your Windows operating system before applying changes to it, in case you
do something wrong. NT-ware does not assume any responsibility or liability for any impact on the operating
system after changing the registry. You understand and accept that you use this information and modify
the registry of your Windows operating system at your own risk.
uniFLOW and corresponding components like Web Submission and Internet Gateway rely heavily on their
SQL databases. We strongly suggest that you refrain from modifying these SQL databases manually
without prior consultation from the NT-ware support team. NT-ware does not assume responsibility or
liability for possible impact on your uniFLOW environment after modifying any of the SQL databases.
Feedback
Should you come across any relevant errors or have any suggestions, please contact documentation@nt-ware.com or use the Send feedback button of the uniFLOW Online Help.
Technical Support
Your dealer will provide the first technical support services. Before contacting your dealer for technical
support, ensure you have read this document.
Pictograms
Important Note:
Information that is crucial for the correct functioning of the software.
Further Information:
Pointer to additional manuals, installation manuals, white papers or the NT-ware
Customer Portal.
External Link:
Link to an external web page.
Settings:
Detailed explanation of configuration settings or operational procedures.
Compass:
Path to the menu or configuration page in the software.
Send Feedback
Should you come across any relevant errors or have any suggestions, please contact documentation@nt-ware.com or use the Send feedback button of the Online Help.
Contents
Versioning
Disclaimer
1 Introduction ... 1
3 Security Checklists ... 3
4 uniFLOW ... 6
4.1 uniFLOW and RPS Communication ... 6
4.2 uniFLOW and RPS Web Servers ... 6
4.2.1 Microsoft IIS Security ... 6
4.2.2 Usage of HTTPS in uniFLOW >= V5.2 ... 7
4.2.3 Internal Web Server of uniFLOW >= V5.3 ... 7
4.2.4 Obsolete Chapter Template ... 8
4.3 uniFLOW Client ... 9
4.3.1 uniFLOW Client for Windows via HTTPS ... 9
4.3.2 uniFLOW Client for Mac via HTTPS ... 9
4.3.3 uniFLOW User Web ... 9
4.3.4 uniFLOW SmartClient ... 11
4.4 MEAP Communication ... 11
4.4.1 Passwords challenged against LDAP ... 12
4.4.2 Emergency Accounts ... 12
4.4.3 Pass-through and Authentication Using the uniFLOW Login Manager ... 12
4.4.4 MEAP Scanning ... 13
4.5 uniFLOW Components ... 14
4.5.1 Scan Processing Server ... 14
4.5.2 ICARUS Server for Web ... 14
4.5.3 uniFLOW AirPrint® & IPP Service ... 14
4.5.4 uniFLOW Internet Gateway (IG) ... 15
4.5.5 Email Communication ... 15
4.5.5.1 SMTP/SMTPS/ESMTP ... 15
Confidentiality: Internal + Partner (R3P)
4.5.5.2 EWS ... 16
4.5.5.3 POP3 ... 16
4.5.6 SNMP ... 17
4.6 Memory Exploit Mitigation Techniques in uniFLOW ... 17
6 Supporting Applications ... 20
6.1 Canon iW SAM (Secure Audit Manager) ... 21
7 Infrastructure ... 23
7.1 Database ... 23
7.1.1 Database Communication ... 23
7.1.2 Alternate Port and Database Instance ... 23
7.1.3 Encrypted Connection String ... 24
7.1.4 SQL Connection String and New DB User From uniFLOW V5.1.3 Onwards ... 24
7.1.5 Storage and Transmission of Sensitive Data ... 25
7.1.6 Database Rights and Permissions ... 26
7.2 Server Message Block (SMB) Signing ... 27
7.3 File Access ... 28
7.4 Microsoft Windows RDP Server ... 28
7.5 LDAP over SSL ... 29
7.6 Web Browser ... 29
7.7 Windows OS Patching and Service Packs ... 29
7.8 Antivirus ... 30
7.8.1 Antivirus Scanner Settings ... 30
7.8.2 Folder Exclusions ... 30
7.8.3 NTLM V1 Considerations ... 32
7.9 IIS Security ... 32
7.9.1 Enabling Certificate Based Encryptions ... 32
7.9.2 IIS Identity of AspNetCoreWorkerPool ... 33
7.9.3 Securing Cross Site Scripting ... 34
7.9.4 Isolating Application Pools ... 34
7.9.5 URL Authorization Rules ... 35
7.9.6 HTTP Response Headers ... 35
1 Introduction
This white paper has been written to help you increase the security of your uniFLOW
installation and the corresponding network environment and servers. This white paper
focuses on the configuration options within uniFLOW >= V5.3 and explains standard
security features of uniFLOW. The goal is to reduce the attack surface by implementing
or enabling security countermeasures. This will harden your uniFLOW installation against
attacks.
Settings and actions described in this document should only be executed by qualified
personnel. This is especially true for any configurations outside the NT-ware product line.
NT-ware does not assume any warranty for damages or disadvantages suffered as a
result of the implementation of settings and actions described in this document.
We are constantly working on this document to keep it up-to-date. This includes
managing threats found in the field. To feedback threats to NT-ware or ask questions
please see chapter Submitting Security Information and Questions (on page 51).
How to use this document
3 Security Checklists
uniFLOW and RPS
uniFLOW SmartClient
MEAP Communication
General Printing
General Consideration
4 uniFLOW
Within this section, the uniFLOW/RPS communication and the communication and
implementation of the associated uniFLOW Client application are discussed.
See chapter IIS Security (on page 32) for a detailed listing of security
countermeasures.
▪ In case a different certificate shall be used, this has to be manually acquired and
installed in the IIS manager. This may be required for example if you need a certificate
from a trusted root certification authority. You can get such certificates for example
from VeriSign, Symantec or others.
In case you need to replace or renew the certificate in the IIS, please refer to the
Microsoft Knowledge Base.
The following components utilize the uniFLOW V5.3 Web Engine if configured to use
HTTPS.
▪ MEAP Applets (requires V4.2.x applets)
▪ Scan Processing Server (from uniFLOW >= V5.3)
▪ uniFLOW Client (from uniFLOW >= V5.3)
▪ CRQM/DRQM
▪ Universal Driver configuration communication
Important
Ensure all the uniFLOW components listed above are updated to uniFLOW V5.3
functionality before completely switching the site to HTTPS communication. For
detailed instructions on upgrading uniFLOW, please refer to the installation manual and
associated NT-ware Customer Portal articles for uniFLOW V5.3.
PWRQM | User secure print release queue. | This is hosted on the uniFLOW server only. Access is managed under uniFLOW Server Configuration > Server Config. > General Settings > RQM Web. | No
PWRQM/Mobile | Mobile Print web page. | The access to this page can be restricted or disabled via settings under uniFLOW Server Configuration > Server Config. > General Settings > Mobile Release Login Type. | Yes
HelixOD | CRD print room queue management. | Access can be restricted via ACLs to this page. | No
For a detailed explanation on how to secure uniFLOW web pages via ACL (Access Control
Lists), please refer to the uniFLOW manual.
To ensure the security of user information transmitted on the network, any form-based
authentication must take place over HTTPS. If you access the uniFLOW User Web page on the
uniFLOW server or RPS, the page shown below appears. If a user opens the uniFLOW User Web
via HTTP, the user is redirected to the HTTPS page.
The CAPTCHA Mode and the Attack Detection and Reaction Time can be configured
under uniFLOW Server Configuration > Server Config. > General Settings > General >
System Security.
MEAP Communication for the uniFLOW MEAP Client < V4.2 and the Universal Login Manager < V4.2
In general, the communication between MEAP clients and uniFLOW/RPS is clear-text XML in
both directions. Whenever sensitive information is involved, such as passwords for a login
against Active Directory or PIN codes, uniFLOW needs to be configured to protect such data.
To determine the best option, the risk of network sniffing needs to be ascertained, i.e.
whether the software is used in a low-risk or a high-risk environment.
Low-Risk
In a low-risk environment, there is a low risk of data being accessed on the network or of
sensitive information being entered at the MFP, such as passwords for self-registration.
To provide a basic level of secrecy for data passed on the network a DES 56-bit
encryption is applied. While this is a relatively low level of encryption, it is still quite
secure and ensures secrecy of sensitive data from accidental or intentional exposure.
With the use of HTTPS the encryption mechanism described above is obsolete. Please
see below for further information.
High-Risk
In a high-risk environment, there is an imminent risk or a perceived risk that confidential
network data is subject to being accessed by unauthorized people.
In such an environment it is vital that uniFLOW is installed and configured to use encrypted
communication (HTTPS). During installation, ensure that uniFLOW and any RPS servers are set
to use the Encrypted Web Server engine in the installer.
To ensure use of HTTPS after an update consult the uniFLOW User Manual.
To make use of the encrypted communication (HTTPS) the MEAP version on the Canon
MFP must be V4.2 or higher.
Update all components like servers, clients or RPSs to the most recent version to
ensure maximum security.
Note that on some MEAP devices, depending on the firmware version, 3DES encryption
is disabled by default. To use encrypted MEAP communication, 3DES has to be enabled
on the device. Please refer to your device manual for the exact procedure.
After identification of the user at the device via the uniFLOW Login Manager, uniFLOW
forwards the RSA-encrypted password to the Therefore device. The components of the
encryption keys need to be configured in the uniFLOW Server Configuration. This is
explained in the uniFLOW User Manual.
▪ Open uniFLOW Server Configuration > Server Config. > General Settings > MEAP
Scanning.
▪ Mailbox Number:
Enter the mailbox number where the temporary scan images should be stored.
▪ Mailbox Password:
Enter the password for the mailbox so that users logged in at the RUI of the machine
cannot open the mailbox folder to view the temporary scan file.
For the change to take effect, you must refresh the MEAP behavior on the device. This is
done by opening the MEAP & miniMIND Default Behavior under Server Configuration
> Agents/Terminals > MEAP & miniMIND > Default Behavior and clicking the Save
button.
Please also note that if an incorrect password has been set, it is still possible to store
the temporary scan jobs in the specified mailbox, but the jobs will not be deleted after
the scan job has been completed. This can lead to memory problems.
Security Considerations
The ICARUS Server for Web can be installed utilizing HTTP or HTTPS. This is a
configuration option during installation.
The uniFLOW Service for AirPrint has been renamed to uniFLOW AirPrint® & IPP Service
with uniFLOW 2021 LTS.
This chapter provides some detailed security information about the uniFLOW AirPrint® &
IPP Service (MomApSvc).
Please note that beginning with uniFLOW 2022 LTS, TLS versions below 1.2 are disabled
by default for the uniFLOW AirPrint® & IPP Service.
Additional Information
The credentials are encrypted with a 3DES key that changes on each login request. So that
uniFLOW can decrypt the credentials, the MomApSvc sends the 3DES key to uniFLOW encrypted
with an RSA key that both uniFLOW and MomApSvc know.
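The exchange described above, as an added example that is not NT-ware's code: the service side seals the credentials under a fresh 3DES key for each request and wraps that key with uniFLOW's RSA public key, and the uniFLOW side unwraps the key and recovers the credentials. The envelope layout, the use of RSA-OAEP, 3DES-CBC with PKCS#7 padding, and the key distribution (public key at MomApSvc, private key at uniFLOW) are assumptions; the page does not document the wire format.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope models one login request from MomApSvc to uniFLOW.
// The field layout is an assumption for this example, not the real wire format.
type Envelope struct {
	WrappedKey []byte // fresh per-request 3DES key, wrapped with RSA-OAEP
	IV         []byte // CBC initialisation vector
	Ciphertext []byte // credentials under 3DES-CBC with PKCS#7 padding
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// sealCredentials is the MomApSvc side: generate a new 3DES key for this request,
// encrypt the credentials with it, and wrap the key with uniFLOW's RSA public key
// so that only the holder of the matching private key can recover it.
func sealCredentials(pub *rsa.PublicKey, creds []byte) (*Envelope, error) {
	key := make([]byte, 24) // three independent 8-byte DES keys
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(creds, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, nil
}

// openCredentials is the uniFLOW side: unwrap the per-request 3DES key with the
// RSA private key, then decrypt and unpad the credentials. A wrong private key or
// a tampered wrapped key fails at the unwrap step.
func openCredentials(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	if len(env.IV) != des.BlockSize || len(env.Ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed")
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	return pkcs7Unpad(pt, des.BlockSize)
}

func main() {
	// Constructed demo key pair: in a deployment uniFLOW would hold the private key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	creds := []byte("jdoe:Sample-Passw0rd") // constructed sample credentials
	env1, _ := sealCredentials(&priv.PublicKey, creds)
	env2, _ := sealCredentials(&priv.PublicKey, creds)
	got, err := openCredentials(priv, env1)
	fmt.Printf("recovered=%q err=%v\n", got, err)
	// Each login request carries a different wrapped key, as the page describes.
	fmt.Println("fresh key per request:", !bytes.Equal(env1.WrappedKey, env2.WrappedKey))
}
```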
4.5.5.1 SMTP/SMTPS/ESMTP
Outbound Emails
SMTP is used for both sending and receiving emails within uniFLOW. Once configured
under uniFLOW Server Configuration > Server Config. > Notifications > SMTP Server, the
uniFLOW system can send emails to the customer's SMTP mail server for many system
tasks. In addition, this connection allows the Workflow Element Send Email to send
emails from workflow-driven tasks.
SMTPS (SMTP over Secure Tunnel) and ESMTP (Extended SMTP) were introduced in
uniFLOW V5.2 SR1 and V5.3. This allows for the email traffic to be sent over an
encrypted communication tunnel.
SMTP communication and the corresponding level of security can be configured under
uniFLOW Server Configuration > Server Config. > Notifications > SMTP Server. Further
details on the configuration and requirements for setting up the SMTP server are
detailed in the uniFLOW User Manual.
When you set ESMTP or SMTPS the information is encrypted using TLS to ensure data is
securely sent to the customer mail server.
Inbound Emails
When an email address is placed into the Device Agent Load Emails via SMTP, uniFLOW
will begin listening for email communication on port 25 (default). Please consult the
uniFLOW User Manual on how to configure ESMTP or SMTPS as Encryption Behavior for
incoming mail traffic.
Inbound emails received by uniFLOW will be placed into the mobile print queue that the
Device Agent is configured for.
4.5.5.2 EWS
Exchange Web Services (EWS) is used to collect emails from a POP3 mailbox and place
them into the uniFLOW Mobile Print workflow.
▪ uniFLOW < V5.4 supports TLS 1.0.
▪ uniFLOW >= V5.4 supports TLS 1.2.
▪ The uniFLOW user account used to access the mailbox has a User Name / Password
stored within the uniFLOW database. The password storage complies with the
Multiple Identity engine high encryption password handling detailed within this
document.
The Workflow Element Send Email can also send emails via EWS.
4.5.5.3 POP3
The Device Agent Load Emails via POP3 is used to collect emails from a POP3 mailbox
and place them into the uniFLOW Mobile Print workflow.
Please keep in mind:
▪ User name and password are set in the Device Agent in clear text. Strict access
restrictions are advised.
▪ Encryption is not used by default.
Enforce the use of SSL by setting the parameter Use SSL to yes.
▪ Additionally, you can force the verification of certificates by providing the path to a
local copy of known certificates.
Please consult the uniFLOW User Manual for more information on how to configure the
Device Agent.
4.5.6 SNMP
SNMP (Simple Network Management Protocol)
The SNMP protocol is used by many components and processes within uniFLOW.
Security Options
If using SNMP within the customer's network raises a security concern, you can minimize
the "internal risk" with firewall rules that allow SNMP communication only between
uniFLOW/RPS and MFPs.
Print Data Storage and Transmission
Encryption Details:
In both cases, the print traffic is secured using an AES-256 bit encryption.
The Workflow Element Output to IP also transfers jobs via LPR. Please be aware that
this method of transfer is unencrypted and provides no security if the job is intercepted
in transit.
6 Supporting Applications
This chapter lists additional software which frequently runs on a uniFLOW server or RPS.
These applications and components are either used by uniFLOW to deliver functionality
or to support the product's usability.
Unless stated otherwise, it is always recommended that the latest version of a particular
software is installed including current service packs and patches. NT-ware does not
distribute or maintain these external applications (unless stated); this lies within the
responsibility of the customer.
For the exact versions of supported software please check the white paper Software
Compatibility List for NT-ware Products (MOMKB-471) in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.
Product | Notes
Adlib Express | *
Adobe Acrobat | *
Apache OpenOffice | *
eCopy Share Scan | *
Foxit Reader | *
Foxit (SDK Embedded) | Foxit SDK is distributed with the uniFLOW Installer and with the uniFLOW Updater (since uniFLOW V5.3). For this reason, it is maintained and updated to the latest supported and patched version. Any security threats discovered will be announced by Foxit via their "Security Bulletin" page listed below. NT-ware monitors this page to also stay current with known security vulnerabilities. https://www.foxitsoftware.com/support/security-bulletins.php
FusionPro | *
Canon iW Desktop | *
Canon iW Prepress Manager (iW PPM) | *
Canon POD Printer Driver | *
Canon iW SAM | See Canon iW SAM (Secure Audit Manager) (on page 21)
Microsoft Office | *
Microsoft Office SharePoint Server 2007 (commercial extension) | Used in uniFLOW versions before V5.4 *
* No known security vulnerabilities at the time of writing. Therefore, no security measures are
required. Please check the vendor's websites for further information.
How are images stored on the MEAP device by the iR Agent and what format is used to store the files?
After print, scan or copy the resulting image is stored in the hard disk space for iW SAM
on the device.
The format of the image data can be one of the following:
▪ Canon Original Format
▪ TIFF
▪ JBIG
▪ JPEG
▪ JFIF
▪ TEXT
How and in which format are images transferred by the iR Agent from the MEAP device to the iW SAM Express Server?
The stored image data in one of the above-mentioned formats will be transferred from
the iR Agent to the iW SAM Express Server using SOAP Messages with Attachment (SwA
protocol).
Over which port is the imageRUNNER sending the files to the iW SAM Express Server?
▪ With HTTP port number 80 is used.
▪ With HTTPS port numbers 80 and 443 are used.
How is the image transferred from the iW SAM Express Server to the uniFLOW server?
The iW SAM Express Server will receive the image data and job log data from the iR
Agent by using SwA (SOAP Messages with Attachment). This data will be stored into the
spool folder on the iW SAM Express Server. The image format in the spool folder will be
the same as listed above.
Afterwards, the DataProcessService, one of the internal modules on the iW SAM Express
Server, converts the image data in the spool folder from its current format to JPEG or
TIFF and changes the resolution or rotates the image.
The ExportService, another internal module on the iW SAM Express Server, then stores the
newly formatted data in the ExportFolder configured in iW SAM. uniFLOW then retrieves
that image data from the ExportFolder.
7 Infrastructure
Ensure your web server platform is configured with defined security standards before
and after installing uniFLOW (e.g. IIS Lockdown, URL scan etc.).
Ensure the underlying operating system is also hardened and that the operating system's
patch level is kept up to date.
7.1 Database
7.1.1 Database Communication
Issue
The database communication between uniFLOW and the SQL server is unencrypted in a
standard installation. For example, user information and statistical information are sent
in clear text across the network; passwords and PIN numbers, however, are sent
encrypted (see Storage and Transmission of Sensitive Data (on page 25)). Network
transmission of data to the SQL database only applies if uniFLOW is configured for a
remote SQL database. With a local SQL Express database (the default installation) no
database traffic crosses the network, so only the security of local data storage needs to
be considered.
Resolution
It is recommended that the database network connections from the uniFLOW server to
the SQL server are encrypted using SSL. The following Microsoft article describes how to
enable SSL encryption for database connections:
http://support.microsoft.com/kb/316898/en-us
Examples
"Data Source" extracts from the uniFLOW connection string
▪ Data Source=(local);
◦ Local SQL Express install setting.
▪ Data Source=(<Server Name or IP>);
◦ Data Source=(MyServerName);
Resolution
The NT-ware Customer Portal (ITS) contains a White Paper which describes how to
encrypt the connection string.
For more information, please refer to the white paper Encrypted Connection String
(MOMKB-337) in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.
SQL Connection String and New DB User From uniFLOW V5.1.3 Onwards
uniFLOW V5.1.3 introduced an additional connection string and an additional database
user.
The CONNECTIONSTRINGUI registry item has been added to the uniFLOW hive of the
Windows registry. This connection string is used exclusively by the uniFLOW UI and
introduces another layer of security: it uses a new database user called "uFReader", so
every request that the uniFLOW UI sends to the uniFLOW database is executed by a user
with read-only access. This limits what a vulnerable or compromised web UI can do to
the database to reading it.
The old CONNECTIONSTRING and the "pbaip" user still exist and are required for normal
operation. This connection string is used by the kernel only.
If the "CONNECTIONSTRINGUI" item is missing, uniFLOW falls back to the
"CONNECTIONSTRING", i.e. the UI then runs with the read/write user again. This is the
case if you have updated from an older version, because momupdate.exe does not add the
registry item. In this case, use the UI_ConnectionString_32-bit.reg or the
UI_ConnectionString_64-bit.reg file, which can be downloaded from MOMKB-654, to create
the respective Windows registry key. Remember to change the "Data Source" within the
file from "(local)" to your SQL Server address if you are using an external SQL Server.
Furthermore, the additional database user is required. The "uFReader" user is NOT
created automatically. It is only created when installing uniFLOW V5.1.3 or higher with
a new database (taken from http://www.nt-ware.com/mom/sql/momdb.zip).
If you are updating and using an existing database, use the "Create_uFReader.sql" script
attached to the ITS issue MOMKB-654 to create the additional database user
"uFReader". After the update, verify that both the registry item and the database user
exist; if either is missing, the UI silently continues to work with the "pbaip" user.
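The following script is an added example and is not part of uniFLOW or of this white paper. It audits connection strings of the kind shown in the "Data Source" examples above for the two points made in this and the previous section: a remote database connection must have transport encryption switched on (with certificate validation left enabled), and CONNECTIONSTRINGUI must use the read-only uFReader login rather than pbaip. It assumes the standard "Key=Value;" connection-string syntax and the documented provider keywords Encrypt / TrustServerCertificate (SqlClient) and Use Encryption for Data / Trust Server Certificate (OLE DB); which provider uniFLOW actually uses is not stated in the white paper, and the sample strings are constructed for the demonstration.

```python
"""Audit uniFLOW-style SQL Server connection strings (added example, not NT-ware code).

Checks: (1) a remote Data Source must have transport encryption switched on,
(2) certificate validation must not be disabled, (3) the UI connection string
must use the read-only login (uFReader), (4) the password must not be kept in
the open connection object. Keyword names are the documented SqlClient / OLE DB
ones; which provider uniFLOW actually uses is an assumption here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENCRYPT_KEYS = ("encrypt", "use encryption for data")          # SqlClient / OLE DB
TRUST_KEYS = ("trustservercertificate", "trust server certificate")
TRUE_VALUES = {"true", "yes", "1", "mandatory", "strict"}
# Data Source values that never leave the host, after stripping the "(...)"
# seen in the white paper's "(local)" example.
LOCAL_SOURCES = {"", "local", "localhost", ".", "127.0.0.1", "::1"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_connection_string(conn: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Values are kept verbatim, so 'Data Source=(local)' yields '(local)'."""
    out: Dict[str, str] = {}
    for part in conn.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


def _is_true(kv: Dict[str, str], keys) -> bool:
    return any(kv.get(k, "").lower() in TRUE_VALUES for k in keys)


def audit(conn: str, expected_user: Optional[str] = None) -> List[Finding]:
    """Return the findings for one connection string.
    expected_user is the login the string is supposed to use, e.g. 'uFReader'
    for CONNECTIONSTRINGUI and 'pbaip' for the kernel's CONNECTIONSTRING."""
    kv = parse_connection_string(conn)
    findings: List[Finding] = []

    source = kv.get("data source", kv.get("server", "")).strip("()").lower()
    if source not in LOCAL_SOURCES and not _is_true(kv, ENCRYPT_KEYS):
        findings.append(Finding("HIGH", f"traffic to {source!r} crosses the network "
                                "without TLS; set Encrypt=True (SqlClient) or "
                                "Use Encryption for Data=True (OLE DB)"))
    if _is_true(kv, ENCRYPT_KEYS) and _is_true(kv, TRUST_KEYS):
        findings.append(Finding("MEDIUM", "TLS is on but server certificate validation "
                                "is disabled; a man-in-the-middle can present any certificate"))
    user = kv.get("user id", kv.get("uid", ""))
    if expected_user and user.lower() != expected_user.lower():
        findings.append(Finding("HIGH", f"expected login {expected_user!r} but the string "
                                f"uses {user or '<integrated/none>'!r}"))
    if _is_true(kv, ("persist security info",)):
        findings.append(Finding("LOW", "Persist Security Info=True keeps the password "
                                "readable from the open connection object"))
    return findings


# Constructed samples; they are not real uniFLOW registry contents.
SAMPLES: Dict[str, str] = {
    "CONNECTIONSTRING (local default)":
        "Data Source=(local);Initial Catalog=DsPcDb;User ID=pbaip;Password=***",
    "CONNECTIONSTRING (remote, no TLS)":
        "Data Source=(sql01.corp.example);Initial Catalog=DsPcDb;User ID=pbaip;Password=***",
    "CONNECTIONSTRINGUI (remote, hardened)":
        "Data Source=sql01.corp.example;Initial Catalog=DsPcDb;User ID=uFReader;"
        "Password=***;Encrypt=True;TrustServerCertificate=False",
    "CONNECTIONSTRINGUI (wrong login, validation off)":
        "Data Source=sql01.corp.example;Initial Catalog=DsPcDb;User ID=pbaip;"
        "Password=***;Encrypt=True;TrustServerCertificate=True",
}


def audit_all() -> Dict[str, List[Finding]]:
    """Audit every sample; the UI strings are expected to use uFReader, the kernel's pbaip."""
    result = {}
    for name, conn in SAMPLES.items():
        expected = "uFReader" if name.startswith("CONNECTIONSTRINGUI") else "pbaip"
        result[name] = audit(conn, expected_user=expected)
    return result


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name)
        for f in findings or [Finding("OK", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

To use it on a real installation, read the CONNECTIONSTRING and CONNECTIONSTRINGUI values from the uniFLOW registry hive and pass each to `audit` with the login it is supposed to use; the local default produces no findings, while a remote Data Source without an encryption keyword is reported as HIGH.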
General Information
▪ Passwords cannot be retrieved via a COM call or database query from the uniFLOW
system or the uniFLOW database.
▪ The uniFLOW kernel stores encrypted passwords within the user's binary object
(BLOB) in the uniFLOW database, for all users and for all of their identities.
▪ Active Directory passwords are not stored in the uniFLOW database by default.
However, there are the following exceptions:
Passwords are only stored in the uniFLOW database if there is an integration with an
application that needs a password passed as part of the MEAP login process, or if you
explicitly select to store the password:
◦ Workflow Element Get User Authentication.
◦ Store user name and password against the user object. See uniFLOW Server
Configuration > Base Data > User > General Settings > Identities.
◦ Integration with Therefore. See Pass-through and Authentication Using the
uniFLOW Login Manager (on page 12).
◦ Integration with eCopy. See Pass-through and Authentication Using the uniFLOW
Login Manager (on page 12).
▪ All text-based information within the uniFLOW database is for reporting and support
purposes only and does not contain confidential data.
▪ PIN codes are stored in the database. If Pre V5.4 Legacy Support is enabled, PIN codes
are hashed with plain, unsalted MD5. Because the PIN space is small (a four-digit PIN
has only 10,000 possible values), every unsalted MD5 PIN hash in the database can be
reversed with one precomputed table, and users who share a PIN are recognizable by
identical hashes. Enable legacy support only while RPS instances older than V5.4 still
need it.
If Pre V5.4 Legacy Support is disabled for the RPS synchronization, PIN codes are
stored as salted hashes.
▪ Password storage in uniFLOW >= V5.1
Passwords saved against a user profile, e.g. an LDAP password or email secret, are
encrypted with AES-256.
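The difference between the two PIN storage modes described above is easiest to see by attacking both. The following script is an added example and not uniFLOW code: the white paper states only "MD5" for legacy mode and "salted hash" for the current mode, so the PBKDF2-HMAC-SHA256 construction, the 16-byte salt and the iteration count used here are assumptions made for the demonstration, and the user names and PINs are constructed. It shows that one precomputed table reverses every legacy hash at once and exposes shared PINs, whereas a per-user salt forces a separate search per user with an iteration cost per candidate.

```python
"""Why unsalted MD5 PIN hashes (Pre V5.4 Legacy Support) are weak and salted
hashes are not. Added example, not uniFLOW code: the PBKDF2-HMAC-SHA256
construction, 16-byte salt and iteration count are assumptions made for the
demonstration; user names and PINs are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PIN_DIGITS = 4                  # assumed PIN length; search space is 10**PIN_DIGITS
SALT_BYTES = 16                 # assumption
ITERATIONS = 1_000              # deliberately low so the demo runs in about a second;
                                # real deployments use a far higher count

# Constructed user base; alice and bob deliberately share a PIN.
USERS: Dict[str, str] = {"alice": "1234", "bob": "1234", "carol": "0420"}


def legacy_hash(pin: str) -> str:
    """Legacy mode: bare MD5 of the PIN. Same PIN -> same hash, on every server."""
    return hashlib.md5(pin.encode()).hexdigest()


def salted_hash(pin: str, salt: bytes) -> str:
    """Salted, iterated hash; the salt is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS).hex()


def legacy_store(users: Dict[str, str]) -> Dict[str, str]:
    return {u: legacy_hash(p) for u, p in users.items()}


def salted_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    out: Dict[str, Tuple[bytes, str]] = {}
    for u, p in users.items():
        salt = os.urandom(SALT_BYTES)           # fresh random salt per user
        out[u] = (salt, salted_hash(p, salt))
    return out


def verify_pin(pin: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(salted_hash(pin, salt), stored)


def distinct_hashes(values: List[str]) -> int:
    """Fewer distinct hashes than users means shared PINs are visible in the store."""
    return len(set(values))


def _candidates():
    return (f"{i:0{PIN_DIGITS}d}" for i in range(10 ** PIN_DIGITS))


def crack_legacy(store: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """One table of 10**PIN_DIGITS MD5 values reverses every entry at once.
    Returns (recovered PINs, number of hash computations)."""
    table = {legacy_hash(c): c for c in _candidates()}
    recovered = {u: table[h] for u, h in store.items() if h in table}
    return recovered, len(table)


def crack_salted(store: Dict[str, Tuple[bytes, str]]) -> Tuple[Dict[str, str], int]:
    """With a per-user salt no table can be shared: each user costs a fresh search,
    and each candidate costs ITERATIONS HMAC rounds. Returns (recovered, PBKDF2 calls)."""
    recovered: Dict[str, str] = {}
    calls = 0
    for u, (salt, h) in store.items():
        for c in _candidates():
            calls += 1
            if salted_hash(c, salt) == h:
                recovered[u] = c
                break
    return recovered, calls


if __name__ == "__main__":
    legacy = legacy_store(USERS)
    salted = salted_store(USERS)
    print("distinct legacy hashes:", distinct_hashes(list(legacy.values())), "of", len(USERS))
    print("distinct salted hashes:", distinct_hashes([h for _, h in salted.values()]), "of", len(USERS))
    print("legacy cracked:", crack_legacy(legacy))
    print("salted cracked:", crack_salted(salted))
```

With three users the legacy store has only two distinct hashes and falls to a single 10,000-entry table; the salted store has three distinct hashes and costs a separate search per user, each candidate multiplied by the iteration count. Note that a salt does not enlarge the PIN space itself, which is why PIN length and lockout policy still matter.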
PBAIP User
DsPcDb: Database owner with read and write access.
uFReader User
DsPcDb: Database user who has read-only permission. See SQL Connection String and
New DB User From uniFLOW V5.1.3 Onwards (on page 24).
New Installation
▪ grant execute on sp_provider_types_rowset to PUBLIC
▪ grant execute on sp_changeobjectowner to PUBLIC
▪ grant execute on sp_tables_rowset to PUBLIC
Issue
If SMB signing on the host computer is disabled, the SMB server is vulnerable to man-in-
the-middle attacks.
Resolution
Enforce SMB signing in your host's configuration. Use the "always required" setting
rather than "if client agrees": if signing is only enabled but not required on both sides,
a connection can still be established unsigned.
▪ SMB signing requires at least the following operating systems / platforms:
◦ Samba >= V3.0
◦ Windows XP or newer
▪ We highly recommend that you verify beforehand that the file server in use supports
SMB signing, as a client that requires signing cannot connect to a server that does not
offer it.
Resolution
▪ Force the use of TLS ("SSL" in the Terminal Services settings) as the security layer for
this service if supported, instead of native RDP encryption.
▪ In Server Manager, enable Allow connections only from computers running Remote
Desktop with Network Level Authentication (NLA).
Configuring authentication and encryption:
http://technet.microsoft.com/en-us/library/cc782610.aspx
To configure authentication and encryption, follow the instructions in the linked
Microsoft Technet article. Change the RDP encryption level in the Terminal Services
Configuration to one of the following so that it uses strong cryptography:
▪ High
▪ FIPS Compliant
Note that with NLA (Network Level Authentication) activated, RDP sessions are only
possible from Windows Vista or higher. Windows XP can handle NLA after an update of
the RDP client to version 6.5 or higher (version 7 recommended). The full feature set of
the new RDP client is available with Windows 7 and Windows Server 2008 R2.
http://support.microsoft.com/kb/969084
Resolution
Disable the auto-complete feature of your browser.
While the auto-complete feature may be helpful, it can also seriously compromise your
security and privacy, because anyone who uses your computer can see the websites you
visited and the information you entered on web pages. Malicious software can also use
auto-complete data to steal personal information such as email addresses or passwords,
and an attacker who gains access to the PC can easily retrieve website passwords stored
as auto-complete data.
You can disable the auto-complete feature under Tools > Internet Options within
Internet Explorer. Other browsers have similar settings under different menu structures;
for Chrome, Safari, Firefox and Opera please refer to their own manuals and reference
material.
Resolution
We strongly recommend that you ensure that a Windows patch management policy is
robustly enforced in the production office environment. All missing patches and service
packs (for both the Windows operating system and other Microsoft software, e.g. IIS, SQL
Server and Office) should be applied as soon as possible.
In addition, we strongly recommend that you complement the patch management
process with a tool like the Microsoft Baseline Security Analyzer to check patch levels
regularly and ensure that patches are not accidentally missed.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
Note that Microsoft no longer maintains MBSA; on current Windows versions use a
supported compliance tool (e.g. WSUS reporting or a vulnerability scanner) for the same
purpose.
7.8 Antivirus
As every virus scanner works differently, NT-ware cannot give detailed information on
specific virus scanner settings or behaviors.
One of the problems with antivirus software is that it locks files while scanning. When
the spooler creates a new spool file, the scanner opens it, while uniFLOW tries to access
the spool file immediately after it has been created (through the spooler / ApjPrint print
processor). If the file is locked at that moment, this access fails. Note that this is only one
of the possible problems. For this reason, and based on field experience, it is an
installation requirement that the actions in the following subsections are taken.
Otherwise, the uniFLOW server and/or the RPS and the antivirus scanner may access the
same files at the same time, which leads to errors caused by locked files and access
collisions.
Bear in mind that every exclusion is also a blind spot: exclude exactly the folders listed
below (not file extensions or whole drives), and restrict write access to the excluded
folders to the service accounts that need it, so that an exclusion cannot be abused to
stage malware.
RPS
▪ RPS installation folder:
%ProgramFiles(x86)%\uniFLOW Remote Print Server
▪ Windows spool folder:
%SYSTEMROOT%\System32\spool
uniFLOW SmartClient
On machines where the uniFLOW SmartClient software is running, prevent the installed
antivirus scanner from scanning the following folders.
▪ uniFLOW SmartClient installation folder
◦ Contents: executables, DLLs, uniFLOW Universal Driver PCL XL driver files etc.
◦ General Path: %ProgramFiles(x86)%\uniFLOW SmartClient
◦ Example: C:\Program Files (x86)\uniFLOW SmartClient on 64-bit Windows,
C:\Program Files\uniFLOW SmartClient on 32-bit Windows
▪ uniFLOW SmartClient application data (application-specific)
◦ Contents: DIFs
◦ General Path: %ProgramData%\NT-ware\SmartClient
◦ Example: C:\ProgramData\NT-ware\SmartClient
▪ uniFLOW SmartClient application data (user-specific)
◦ Contents: temporary files, configuration files
◦ General Path: %APPDATA%\NT-Ware\SmartClient
◦ Example: C:\Users\Administrator\AppData\Roaming\NT-Ware\SmartClient
▪ Windows spool folder
◦ Contents: spool files
◦ General path: %SYSTEMROOT%\System32\spool
◦ Example: C:\Windows\System32\spool\PRINTERS
We recommend disabling on-access scanning for these folders and enabling a scheduled
scan at a non-critical point in time instead. If you do not do this, the uniFLOW SmartClient
software and the antivirus scanner might access the same files at the same time, which
can lead to several errors.
Important
In the registry, many of the working directory paths within uniFLOW can be modified to
different storage locations. If you move a working directory such as the "Data" folder,
you must ensure that this directory has the same antivirus exclusions as the original
location mentioned within this section.
Risk Level
Medium
Resolution
NTLMv1 authentication should be disabled on the Windows server. This can be done by
changing the Local Security Policy on Windows Server 2008 (or via Group Policy on any
newer Windows version).
▪ Open the Local Security Policy.
▪ Browse to Local Policies / Security Options.
▪ Open Network security: LAN Manager authentication level.
▪ Disable NTLMv1 by changing the setting to Send NTLMv2 response only. Refuse LM &
NTLM (Level 5).
This corresponds to the registry value LmCompatibilityLevel = 5 under
HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which can be checked on any machine.
Note that client, service, and program incompatibilities may occur when you modify
these security settings; older MFPs, scanners and other embedded devices that
authenticate to SMB shares with NTLMv1 are typical candidates. In a production
environment we highly recommend testing these settings beforehand, identifying the
remaining NTLMv1 clients from the server's Security log (event 4624 records the
NTLM version used), and planning a maintenance slot carefully.
Please refer to the Microsoft Knowledge Base under:
http://support.microsoft.com/kb/823659.
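Before switching to Level 5 it pays to find out which clients still authenticate with NTLMv1 or LM, because these are the ones that will stop working. The following script is an added example and not part of the white paper or of uniFLOW: it parses exported Security event 4624 records and lists, per source address, the accounts that used a weak NTLM package. It assumes the default English event text, in which the "Detailed Authentication Information" block carries the fields "Authentication Package" and "Package Name (NTLM only)"; the three events are constructed.

```python
"""Find NTLMv1 (and LM) logons in Windows Security event 4624 records before
raising the LAN Manager authentication level to 5. Added example, not NT-ware
code. Assumes the default English 4624 text; the events below are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed 4624 bodies (tabs replaced by spaces; the parser accepts both).
EVENTS: List[str] = [
    """An account was successfully logged on.
Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
Logon Type:             3
New Logon:
    Security ID:        S-1-5-21-1111-2222-3333-1105
    Account Name:       svc-scan
    Account Domain:     CORP
Network Information:
    Workstation Name:   IRADV-C5535
    Source Network Address: 10.0.0.15
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:         128""",
    """An account was successfully logged on.
Subject:
    Account Name:       -
Logon Type:             3
New Logon:
    Account Name:       jdoe
    Account Domain:     CORP
Network Information:
    Workstation Name:   WS0042
    Source Network Address: 10.0.0.20
Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Package Name (NTLM only):   NTLM V2
    Key Length:         128""",
    """An account was successfully logged on.
Subject:
    Account Name:       -
Logon Type:             3
New Logon:
    Account Name:       uniflowsvc
    Account Domain:     CORP
Network Information:
    Workstation Name:   -
    Source Network Address: 10.0.0.30
Detailed Authentication Information:
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Package Name (NTLM only):   -
    Key Length:         0""",
]

# Key runs up to the first colon, so values containing colons (IPv6) survive.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s*(?P<val>.*?)\s*$")
WEAK_PACKAGES = {"NTLM V1", "LM"}    # both are refused at level 5


def parse_4624(text: str) -> Dict[str, str]:
    """Flatten the 'Key: Value' lines into a dict. 'Account Name' and
    'Account Domain' occur in both the Subject and New Logon blocks; the New
    Logon block comes later, so its values win, which is the account we want."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def weak_ntlm_logons(events: List[str]) -> List[Dict[str, str]]:
    """Return one record per logon that used NTLMv1 or LM."""
    hits = []
    for ev in events:
        f = parse_4624(ev)
        pkg = f.get("Package Name (NTLM only)", "-")
        if f.get("Authentication Package") == "NTLM" and pkg in WEAK_PACKAGES:
            hits.append({
                "account": f"{f.get('Account Domain', '-')}\\{f.get('Account Name', '-')}",
                "source": f.get("Source Network Address", "-"),
                "workstation": f.get("Workstation Name", "-"),
                "package": pkg,
            })
    return hits


def clients_to_fix(events: List[str]) -> Dict[str, Set[str]]:
    """Source address -> accounts still using NTLMv1/LM: the devices and service
    accounts that will stop authenticating once level 5 is enforced."""
    out: Dict[str, Set[str]] = {}
    for hit in weak_ntlm_logons(events):
        out.setdefault(hit["source"], set()).add(hit["account"])
    return out


if __name__ == "__main__":
    for src, accounts in clients_to_fix(EVENTS).items():
        print(f"{src}: {', '.join(sorted(accounts))}")
```

Export the 4624 events from the server's Security log as text and pass their bodies to `clients_to_fix`; in the constructed sample only the scanning service account coming from 10.0.0.15 is flagged, while the NTLMv2 and Kerberos logons are unaffected by the change.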
Certificate Information
▪ uniFLOW >= V5.3: SHA1 certificate
▪ uniFLOW >= 2018 LTS: SHA256 certificate
Logs Folder
1. Open Windows Explorer.
2. Create a folder named "logs" under the folder C:\Program Files (x86)\uniFLOW\WebUI\.
3. Right-click on the folder name and select Properties.
4. Select the Security tab.
5. Click the Edit button and then the Add button.
6. Click the Locations button and make sure that you select your computer.
7. Enter IIS AppPool\AspNetCoreWorkerPool in the Enter the object names to select text
box.
8. Click the Check Names button and click OK.
9. Mark the user AspNetCoreWorkerPool and check the Allow box for the permissions
the application pool needs to write its log files (Modify is enough; Full Control is not
required).
10. Click OK to close the Permissions window.
11. Click OK to close the Properties window.
Resolution
It is advised that each separate web application has its own application pool.
4. Click on Add under Actions to add a Custom HTTP Response Header and add the
following values:
Name: Cache-Control
Value: no-cache, no-store, private
Acknowledge with OK.
5. Click on Add again to add another Custom HTTP Response Header and add the
following values:
Name: Pragma
Value: no-cache
Acknowledge with OK.
6. Click on Set Common Headers under Actions.
7. Uncheck Enable HTTP keep-alive.
8. Check Expire Web content and select the setting Immediately. Acknowledge with OK.
5. Now each sub page of Default Web Site, e.g pwserver, has to be enabled individually.
To do so, follow the same procedure as above for each sub page, but enable each
Default.htm from the context menu.
Additionally, the Canon RUI can have SSL enabled for additional security. Please see
Canon Device Security (on page 43).
SSL Encryption And Certificate Options (uniFLOW 2018 LTS and higher)
In this section, you can configure the SSL encryption and additional options for new
certificates.
▪ SSL Key Length:
Here you can enter the SSL key length to be used for certificates. Use at least 2048 bits;
shorter keys are rejected by current browsers and operating systems.
▪ Use SHA256 algorithm for created certificates
◦ Yes:
Use SHA256 for new certificates.
◦ No:
Use SHA1 for new certificates. Not recommended: SHA1-signed certificates are rejected
by current browsers and should only be used for legacy devices that cannot validate
SHA256.
Canon MFP Security
Issues
The Encrypted Secure Print Software encrypts a print job on the client before it is sent to
the printer. The printer then decrypts the print data stream.
The printer driver uses the user name and password entered by the user to encrypt the
spoolfile. The printer decrypts the data only after the user has entered the same user
name and password again on the device. For this reason, the encrypted spoolfile cannot
be decrypted by uniFLOW, and it is therefore not possible for uniFLOW to analyze and
account the spoolfiles of such print jobs. Furthermore, it is not possible to use Rule Based
Routing workflows or any other workflow which requires a spoolfile analysis.
Resolution
The only possible method to account such print jobs with uniFLOW is CPCA accounting
instead of spoolfile accounting.
Issues
No known issues.
Issues
No known issues.
HDD Erase function does not delete job log information from the device so it has no
impact on uniFLOW.
For detailed information about the Canon Data Erase Kit, please refer to the respective
Canon manuals.
Issues
With the Canon Security Kit, you can enable or disable (conceal) the job history. When
the job history is concealed, "0" is always returned in response to a request for the job
history from a remote application. In other words, software that manages the machine
with reference to the machine's job history (such as uniFLOW) cannot be used.
Resolution
Enable the job history log on the machine so that uniFLOW can read out meaningful
entries from the job log.
uniFLOW offers a solution that encrypts user names and print job names so that it is no
longer possible for users to gather from the print job logs who has printed what and
when. To do so, the Workflow Element Encrypt Job Name in CPCA is required. Please
refer to the uniFLOW User Manual for more information about this Workflow Element.
Comments
The HDD Erase function does not delete job log information from the device i.e. it has no
impact on uniFLOW. This kit has been superseded by the HDD Data Encryption Kit and
HDD Data Erase Kit which conform to common criteria requirements.
The encryption board encrypts the data received from the controller board and then
records it on the HDD. When reading, the encryption board decrypts the data stored on
the HDD and sends it to the controller. An encryption board is paired with one HDD and
only works with that HDD; therefore, if there are several HDDs, the same number of
encryption boards is needed.
Issues
This kit should not cause problems with uniFLOW when reading out CPCA logs. When
this is enabled on the device and you encounter any problems, then please check that
the Job Log Conceal function is not enabled.
Successful tests with the following devices have taken place at NT-ware: iRC2380i/
iRC3080/iR3225n/iR5075.
The new certificate must include either the printer's IP address or the fully-qualified
domain name, whichever the uniFLOW server and the users' browsers use to address the
device, because clients validate this name against the certificate. Note that the certificate
generated on the device is self-signed; to avoid browser warnings it has to be trusted
explicitly on the clients.
Note that the configuration differs slightly between Canon legacy devices and
imageRUNNERs of the Advanced series. These differences are outlined in the following
description.
Legacy Printers
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Open Add.Func. > System and click on Edit.
▪ If Use SSL is checked under Remote UI Settings uncheck it, click on OK and restart the
device. Otherwise, continue with the next step.
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Open Add.Func. > Custom Settings > Network Settings > Key and Certificate Settings.
▪ If any other key than the Default Key was used before, check the radio button in front
of Default Key and click on Default Key Settings to set it as the standard SSL key.
Restart the device.
▪ Open Add.Func. > Custom Settings > Network Settings > Key and Certificate Settings
> Generate Key > SSL.
▪ In the field Shared Name, enter the device IP address or the fully-qualified domain
name, fill out the Certificate Settings and click on OK to create the new certificate.
▪ Open Add.Func. > Custom Settings > Network Settings > Key and Certificate Settings.
▪ Select the new key and click on Default Key Settings. Now this key is marked as the
active SSL key.
Advanced Series
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Open Settings/Registration : Management Settings : License/Other > MEAP
Settings.
▪ If Use SSL is checked, uncheck it, click on OK and restart the device. Otherwise,
continue with the next step.
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Log in and open Settings/Registration : Preferences : Network Settings > SSL Settings
> Key and Certificate Settings.
▪ If any other key than the Default Key was used before, check the radio button in front
of Default Key and click on Default Key Settings to set it as the standard SSL key.
Restart the device.
▪ Log in again. In Settings/Registration : Management Settings : Device Management
> Key and Certificate Settings click on Generate Key, then open Network
Communication.
▪ In the field Common Name enter the device's IP address or the fully-qualified domain
name, fill out the Certificate Settings and click on OK to create the new certificate.
▪ Open Settings/Registration : Preferences : Network Settings > SSL Settings > Key and
Certificate Settings.
▪ Select the new key and click on Default Key Settings. Now [SSL] marks this key as the
active SSL key.
This will change the connection settings for both MEAP connections and connections to
the standard RUI.
From now on the RUI is only accessible via SSL connections i.e. with the prefix
"HTTPS://"
▪ Click on OK and restart the device. Now SSL is active on the printer.
NT-ware Hardware Security
9.1 microMIND
The microMIND uses UDP and HTTP communication techniques.
Additionally, a Telnet session can be started on port 23215. Telnet transmits the
password and the whole session in clear text, so change the Telnet password and limit
access to this port to the administration network.
Since FW version 2.0.9 the user can change the Telnet password.
The UDP port in use for the communication to the server is 53120. The data part of the
UDP communication is encrypted.
The HTTP access can be locked to one defined IPv4 address. If this is done, only the
device with this IP can access the HTTP site of the microMIND. Additionally, the server
communication via UDP can be restricted to one server by specifying the server IP. Both
restrictions should be configured; keep in mind that an IP-based restriction reduces
exposure but is not authentication, since addresses can be spoofed on the local segment.
The uniFLOW Release Station supports HTTPS. You can lock the HTTPS access to one
defined IPv4 address. If you do this, only the device with this IP can access the HTTPS site
of the uniFLOW Release Station. The port to access the HTML site of the uniFLOW
Release Station is 8442.
The communication between a uniFLOW server / RPS and a uniFLOW Release Station
takes place over HTTPS, while the actual payload is additionally encrypted using a
mechanism based on RSA and 3DES. Note that 3DES is deprecated by NIST; the TLS
layer of the HTTPS connection is therefore the protection to rely on, and it should be
configured with current cipher suites.
10 Submitting Security Information and Questions
Often security concerns are raised in the field directly to Canon via customer
engagements. This document serves to answer these questions from the field. However,
as new threats and concerns are raised, it is important to feed them back to NT-ware to
help ensure that uniFLOW remains secure and robust in today's networks.
For all security-related issues, please raise a PS ticket (formerly named MOMPS ticket) in
the NT-ware ITS. The issue type should be set to Security. It is important that you provide
as much information on the topic as possible:
▪ A detailed description of the security threat or concern.
▪ Any reference material on the matter.
▪ Details on the customer's suggested countermeasure or request.
Often such field requests come about after the customer performs a security scan on
their network. Such scans list all possible threats, and it is important to ask the following
questions:
1. Have these threats been checked against this document?
2. Are we sure the security threat is actually related to an NT-ware component and not
to the customer's infrastructure?
3. Can any of the threats be ruled out because they are unlikely or not exploitable in the
network?
4. Of the remaining threats, do we know the severity and impact, so that the appropriate
priority can be set when creating the PS security ticket within the ITS?
With this information, an appropriate PS ticket can be created, and NT-ware will work
with you to address the customer's security requirements.
New Security Threats
For more information, please refer to MOMKB-580 in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.
Public Website
http://nt-ware.com/home/products/uniflow/security-advisory.html
Definitions, Abbreviations and Acronyms
DES The Data Encryption Standard (DES) is a symmetric (shared secret) block cipher
with a 56-bit key. It is obsolete and should not be relied on in new deployments.
DRQM The "Distributed Release Queue Management" (DRQM) functionality
takes the My Print Anywhere functionality of uniFLOW one step further.
It allows print jobs to follow users worldwide. Jobs are released
anywhere where the users identify themselves.
HTTPS HTTPS (Hypertext Transfer Protocol Secure) is a secure communication channel
that is used to exchange encrypted information between a client computer and a
server. It is not a separate protocol but normal HTTP interaction carried over a
secure layer, Secure Sockets Layer (SSL) or its successor Transport Layer
Security (TLS), inserted between HTTP and TCP, which encrypts the connection
between the web browser and the web server and authenticates the server. An
https: URL indicates that HTTP is to be used over this secure layer, with a
different default TCP port (443, or an alternative such as 8443). The
encryption strength depends on the negotiated cipher suite; historically 40,
128 or 256-bit keys were used, of which only 128-bit and stronger are
acceptable today, and SSL itself has been superseded by TLS.
IG The Internet Gateway module is used to submit jobs from the internet
via a web browser to the uniFLOW system. Generally, this is
implemented in a print room job submission environment.
LDAP LDAP (Lightweight Directory Access Protocol) is a protocol for accessing
on-line directory services. A directory service organizes computerized
content and runs on a directory server computer. Via LDAP it is possible
to read out all information about, for example, users and computers of
a directory server computer, such as the users of a Windows Server
2003 Active Directory or Mac OS X Server Open Directory or Novell
eDirectory. LDAP defines a relatively simple protocol for updating and
searching directories running over TCP/IP.
LDAPS Also called Secure LDAP or LDAP over TLS. Allows a secure connection
to an LDAP server over TLS (Transport Layer Security), by default on TCP port 636.
RSA RSA (which stands for Rivest, Shamir and Adleman who first publicly
described it) is an algorithm for public-key cryptography.
SQLite This is the local embedded database (not a separate server process) used on an
RPS to store system configuration, user, group and printer configuration information.