
White Paper

Security - uniFLOW

–––––––––––––––––––––––––

uniFLOW V5.3 - uniFLOW 2023 LTS


Document version 4.8 – 13-Apr-2023
Confidentiality: Internal + Partner (R3P)
Versioning
Document Version | Date | Author(s) | Reviewer(s)
3.0 | 20-Oct-2016 | Jason Apel | André Meß, Thomas Lemmer, Thomas Wilkens, Thomas Stock, Christian Plegge, Michael Rosemann
3.1 | 30-Mar-2017 | Sebastian Husnik | Thomas Lemmer
3.2 | 15-Jun-2017 | Jason Apel | Thomas Lemmer
3.3 | 22-Dec-2017 | Felix Schlick | Thomas Lemmer
3.4 | 13-Feb-2018 | Felix Schlick | Thomas Lemmer
3.5 | 26-Feb-2018 | Felix Schlick | Thomas Lemmer
3.6 | 02-May-2018 | Thomas Lemmer | Thomas Lemmer
3.7 | 28-Aug-2018 | Felix Schlick, Jason Apel | Thomas Lemmer
3.8 | 24-Sep-2018 | Felix Schlick | Thomas Lemmer
3.9 | 09-Nov-2018 | Felix Schlick | Thomas Lemmer
4.0 | 26-Nov-2018 | Felix Schlick | Thomas Lemmer
4.1 | 15-Apr-2019 | Sebastian Husnik | Thomas Lemmer
4.2 | 23-Aug-2019 | Felix Schlick | Thomas Lemmer
4.3 | 28-Aug-2019 | Felix Schlick | Thomas Lemmer
4.4 | 12-Aug-2020 | Thomas Lemmer | André Meß, Sebastian Husnik
4.5 | 17-Feb-2021 | Thomas Lemmer | Claudia Kleinekemper
4.6 | 19-Jan-2022 | Felix Schlick | Thomas Lemmer
4.6.1 | 03-Mar-2022 | Thomas Lemmer | Thomas Lemmer
4.7 | 31-Aug-2022 | Sebastian Husnik | Thomas Lemmer
4.8 | 13-Apr-2023 | Felix Schlick | Thomas Lemmer

Document Name: White Paper - Security - uniFLOW

Knowledgebase: MOMKB-462

File Name: White Paper - Security - uniFLOW.pdf

Technologies Concerned: uniFLOW, RPS, uniFLOW Client for Windows, uniFLOW Client for Mac, uniFLOW SmartClient, MEAP, LDAP, uniFLOW Login Manager, Scan Processing Server, ICARUS Server for Web, uniFLOW AirPrint® & IPP Service (previously known as uniFLOW Service for AirPrint), uniFLOW Internet Gateway, Email, Acrobat Reader, Neevia, Foxit, RedTitan, Canon iW SAM, CRQM, DRQM, Database, Antivirus, IIS, Firewall, Canon MFP Security, Hardware Security

Short Summary: This white paper has been written to help you increase the security of your uniFLOW installation and the corresponding network environment and servers. This white paper focuses on the configuration options within uniFLOW and explains standard security features of uniFLOW. It also covers print data storage and transmission, supporting applications, questions regarding the infrastructure security and hardware.
This white paper focuses on uniFLOW >= V5.3.

Changes
Document Version | Topic(s) | Changes
3.1 | SSL/TLS Supported Level (on page 41); uniFLOW User Web (on page 9); Enabling Certificate Based Encryptions (on page 32) | Minor rephrasing.
3.2 | Storage and Transmission of Sensitive Data (on page 25); Print Job Transfer (see Print Job Transfer (Output to IP) on page 18) | Updated and added new topics.
3.3 | Storage and Transmission of Sensitive Data (on page 25) | Updated information regarding PIN Code storage.
3.4 | HTTP Response Headers (on page 35) | How to prevent security problems with cached data.
3.5 | Disable Default Site (on page 37) | Reduce information delivered by Default Site.
3.6 | Canon MFP Security (on page 42) | Updated external link.
3.7 | uniFLOW Internet Gateway (IG) (on page 15), SNMP (on page 17), Print Job Transfer (Output to IP) (on page 18), Supporting Applications (on page 19) | Minor changes.
3.8 | | Minor changes.
3.9 | SSL/TLS Certificate Information (on page 41) | Updated.
4.0 | Advanced Space for SMB (on page 19) | New topic.
4.1 | Windows Local Security Policy (on page 40) | Added note that the Windows security policy setting "Accounts: Guest account status" needs to be set to "Disabled".
4.2 | File Access (on page 27) | Issues with file access.
4.3 | HTTP Response Headers (on page 35) | Added parameter to Cache-Control.
4.4 | Memory Exploit Mitigation Techniques in uniFLOW (on page 17) | New topic.
4.5 | uniFLOW AirPrint® & IPP Service (on page 14) | Changed uniFLOW AirPrint Service to uniFLOW AirPrint® & IPP Service because the name of the service has been changed with uniFLOW 2021 LTS.
4.6 | uniFLOW AirPrint® & IPP Service (on page 14) | Information regarding TLS version.
4.6.1 | Alternate Port and Database Instance (on page 23) | Corrected an error.
4.7 | uniFLOW Release Station (on page 50) | Added HTTPS support.
4.8 | IIS Identity of AspNetCoreWorkerPool (on page 33) | Added topic IIS Identity of AspNetCoreWorkerPool.

Disclaimer
NT-ware Systemprogrammierungs-GmbH, all its affiliates, partners, and licensors disclaim all warranties,
including, but not limited to, warranties about the accuracy or completeness of statements of this site's/
document's content or the content of any site or external sites for a particular purpose. This site/document
and the materials, information, services, and products at this site/document, including, without limitation,
text, graphics, and links, are provided 'as is' and without warranties of any kind, whether expressed or
implied.
All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic,
electronic, or mechanical, including photocopying, recording, taping, or information storage and retrieval
systems - without the prior written permission of NT-ware Systemprogrammierungs-GmbH (hereinafter also
referred to as NT-ware).
Company and product names mentioned herein are registered or unregistered trademarks of their
respective companies. Mention of third-party products is for information purposes only and constitutes
neither an endorsement nor a recommendation. NT-ware assumes no responsibility with regard to the
performance or use of these products. Also, NT-ware makes no claim to these trademarks. Any use of
trademarks, logos, service marks, trade names, and product names is prohibited without the written
permission of the respective owners.

NT-ware trademarks
uniFLOW®, mdsFLOW®, uniFLOW Serverless Secure Printing®, Helix Production Workflow®, MIND®,
microMIND®, and MiCard® are registered trademarks of NT-ware Systemprogrammierungs-GmbH.

Third-party trademarks
Adlib, Express, and Express Server are either registered trademarks or trademarks of Adlib Publishing
Systems Inc. Adobe®, Adobe® Reader®, Acrobat®, Distiller®, PostScript® and products of the CREATIVE
SUITE(S) are either registered trademarks or trademarks of Adobe Systems Incorporated in the United
States and/or other countries. Android™ is a trademark of Google LLC. Apple®, the Apple logo®, Mac®, mac
OS®, Macintosh®, iPhone®, iPad®, and AirPrint® are trademarks of Apple Inc. registered in the U.S. and
other countries and regions. Box is a trademark of Box Inc. CANON, iR-ADV, iR, imageRUNNER,
imageRUNNER ADVANCE, MEAP, iW and Canon product and services names are the trademark or registered
trademark of Canon Inc. and/or other members of the Canon Group. CBORD® and CS Gold® are registered
trademarks or service marks of the CBORD Group Inc. SAP® Crystal Reports® and SAP® Business Objects™
are trademarks or registered trademarks of SAP SE or its affiliates in Germany and several other countries.
Dropbox of Dropbox Inc. eCopy® and eCopy ShareScan® are trademarks and/or registered trademarks of
eCopy Inc. Evernote® of Evernote Corporation. FileNet® of IBM Corporation. FOXIT® is a registered
trademark of Foxit Corporation. Google Docs web-based word-processing program and Google Cloud Print™
web-printing service are trademarks of Google LLC. HP®, HEWLETT-PACKARD®, PCL®, and LASERJET® are
registered trademarks that belong to HP Inc. KONICA MINOLTA® is a registered trademark of KONICA
MINOLTA Inc. iOS® of Cisco Technology Inc. JAWS PDF Courier™ is a trademark of Global Graphics Software
Ltd. Microsoft, Windows, Windows Server, Internet Explorer, Internet Information Services, Microsoft Word,
Microsoft Excel, Microsoft SharePoint, Microsoft SharePoint Online, OneDrive, One Drive for Business, SQL
Server, Active Directory, Hyper-V are either registered trademarks or trademarks of Microsoft Corporation
and of the Microsoft group of companies in the United States and/or other countries. Mopria® is a
registered trademark of Mopria Alliance Inc. Neevia Document Converter Pro™ is a trademark or product
name of Neevia Technology. NetWare®, Novell®, Novell eDirectory™ of Novell Inc. are trademarks or
registered trademarks of Novell Inc. in the United States and other countries. MobileIron® is a registered
trademark of MobileIron Inc in the United States and/or other countries. Océ, Océ PlotWave®, Océ
ColorWave®, and PRISMA are trademarks or registered trademarks of Océ-Technologies B.V. Apache
OpenOffice™ of Apache Software Foundation. PosterJet® is copyrighted and an internationally registered
trademark of Eisfeld Datentechnik GmbH & Co. KG. RedTitan® and the RedTitan logo are registered
trademarks of RedTitan Technology Ltd. Netaphor SiteAudit™ and the Netaphor logo are trademarks of
Netaphor Software, Inc. SAMSUNG® is a trademark of SAMSUNG ELECTRONICS Co. Ltd. in the United States
or other countries. Therefore™, Therefore™ Online are trademarks of Therefore Corporation GmbH. UNIX®
is a registered trademark of The Open Group. pcProx®, AIR ID® are registered trademarks of rf IDEAS Inc.
CASI-RUSCO® is a registered trademark of ID Card Group. Radio Key® is a registered trademark of Secura
Key, a Division of Soundcraft, Inc. GProx™ II is an unregistered trademark of Interlogix (part of Carrier). HID®
is a registered trademark of HID Global Corporation, part of ASSA ABLOY. Indala® is a registered trademark
of Motorola, part of ASSA ABLOY. ioProx™ is a trademark or product name of Tyco Security Products.
VMware vSphere® and VMware vSphere® Motion® are registered trademarks of VMware Inc. Xerox®, Xerox
and Design, and Fuji Xerox and Design, are registered trademarks or trademarks of Xerox Corporation in
Japan and/or other countries.
All other trademarks, trade names, product names, service marks are the property of their respective
owners and are hereby acknowledged.
While every precaution has been taken in the preparation of this document, NT-ware assumes no
responsibility for errors or omissions, or for damages resulting from the use of information contained in this
document or from the use of programs and source code that may accompany it. NT-ware does not assume
any responsibility or liability for any malfunctions or loss of data caused by the combination of at least one
NT-ware product and the used operating system and/or third-party products. In no event shall NT-ware be
liable for any loss of profit or any other commercial damage caused or alleged to have been caused directly
or indirectly by this document.
In addition, this manual provides links to the sites of affiliated or independent companies and certain other
businesses. NT-ware is not responsible for examining or evaluating, and NT-ware does not warrant the
offerings of any of these businesses or individuals or the content of their websites. NT-ware does not
assume any responsibility or liability for the actions, product, and content of all these and any other third
parties. You should carefully review their privacy statements and other conditions of use.
Monday, April 17, 2023, Bad Iburg (Germany)

Important Note
Serious problems might occur if you modify the registry of your Windows operating system incorrectly.
These problems might require that you reinstall the operating system. We strongly recommend always
backing up the registry of your Windows operating system before applying changes to it, in case you
make a mistake. NT-ware does not assume any responsibility or liability for any impact on the operating
system after changing the registry. You understand and accept that you use this information and modify
the registry of your Windows operating system at your own risk.
uniFLOW and corresponding components like Web Submission and Internet Gateway rely heavily on their
SQL databases. We strongly suggest that you refrain from modifying these SQL databases manually
without prior consultation from the NT-ware support team. NT-ware does not assume responsibility or
liability for possible impact on your uniFLOW environment after modifying any of the SQL databases.

Copyright and Contact


NT-ware Systemprogrammierungs-GmbH
Niedersachsenstraße 6
49186 Bad Iburg
Germany
www.nt-ware.com
Tel: +49 - 54 03 - 7243 - 0
Fax: +49 - 54 03 - 78 01 03
Email: info@nt-ware.com
Register of Companies: Amtsgericht Osnabrück
No. of entry in Register of Companies: HRB 110944
Chief Executive Officer: Karsten Huster

Responsible according to § 6 MDStV: Karsten Huster
VAT registration no. according to §27 a Umsatzsteuergesetz: DE 230932141
©1998-2023 NT-ware Systemprogrammierungs-GmbH.

Feedback
Should you come across any relevant errors or have any suggestions, please contact
documentation@nt-ware.com or use the Send feedback button of the uniFLOW Online Help.

Technical Support
Your dealer will provide the first technical support services. Before contacting your dealer for technical
support, ensure you have read this document.

How to use this Document
Text Styles
This style is used for text that is displayed on the screen.
This style is used for text the user has to enter.
This style is used for hyperlinks to web pages, internal links to other pages in this manual.
This style is used for code examples: XML code, variables, or regular
expressions.

Pictograms

Important Note:
Information that is crucial for the correct functioning of the software.

Further Information:
Pointer to additional manuals, installation manuals, white papers or the NT-ware
Customer Portal.

Region Specific Feature:
Indicator for features that are not available worldwide.

External Link:
Link to an external web page.

Settings:
Detailed explanation of configuration settings or operational procedures.

Compass:
Path to the menu or configuration page in the software.

Screenshots and Diagrams


This manual contains screenshots of the software, diagrams explaining relations, and pictures of products.
Even though all visuals are up-to-date at the time of writing, they are subject to change.

Language and Translations


This document has originally been written in English language. Translations of this document are based on
the English original. Some screenshots, diagrams, and pictures in this document may not be translated and
appear in English language only.

Send Feedback
Should you come across any relevant errors or have any suggestions, please contact
documentation@nt-ware.com or use the Send feedback button of the Online Help.

About this Document

This document is delivered as part of the device / the software from NT-ware. Please read this document
before using the device / the software and keep this document or the link to an online version of this
document for future reference. Please make sure that all persons operating the device / the software are
familiar with this document. Please observe all instructions given in this document. Installation,
configuration, and maintenance must only be performed by sufficiently qualified personnel. Failure to
comply with this document may void the warranty.
Every effort has been made to ensure that the contents of this manual are accurate. However, NT-ware
reserves the right to make changes without notice.

Contents
Versioning

Disclaimer

How to use this Document

1 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 How to use this document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

3 Security Checklists. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

4 uniFLOW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.1 uniFLOW and RPS Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2 uniFLOW and RPS Web Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2.1 Microsoft IIS Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2.2 Usage of HTTPS in uniFLOW >= V5.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.3 Internal Web Server of uniFLOW >= V5.3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.4 Obsolete Chapter Template. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.3 uniFLOW Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3.1 uniFLOW Client for Windows via HTTPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3.2 uniFLOW Client for Mac via HTTPS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3.3 uniFLOW User Web. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.3.4 uniFLOW SmartClient. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.4 MEAP Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.4.1 Passwords challenged against LDAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.4.2 Emergency Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.4.3 Pass-through and Authentication Using the uniFLOW Login Manager. . . . . . . . . . . . . . . . . . . 12
4.4.4 MEAP Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.5 uniFLOW Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.5.1 Scan Processing Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.5.2 ICARUS Server for Web. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.5.3 uniFLOW AirPrint® & IPP Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.5.4 uniFLOW Internet Gateway (IG). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.5.5 Email Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.5.5.1 SMTP/SMTPS/ESMTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15


4.5.5.2 EWS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5.5.3 POP3. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.5.6 SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.6 Memory Exploit Mitigation Techniques in uniFLOW. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

5 Print Data Storage and Transmission. . . . . . . . . . . . . . . . . . . . . . . . . . . . 18


5.1 Storage Print Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.2 Print Job Transfer (Output to IP). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.3 CRQM (Collective Release Queue Management). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.4 DRQM (Distributed Release Queue Management). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.5 Advanced Space for SMB. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

6 Supporting Applications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
6.1 Canon iW SAM (Secure Audit Manager). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

7 Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1 Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1.1 Database Communication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1.2 Alternate Port and Database Instance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.1.3 Encrypted Connection String. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
7.1.4 SQL Connection String and New DB User From uniFLOW V5.1.3 Onwards. . . . . . . . . . . . . . . . 24
7.1.5 Storage and Transmission of Sensitive Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.1.6 Database Rights and Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
7.2 Server Message Block (SMB) Signing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.3 File Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.4 Microsoft Windows RDP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
7.5 LDAP over SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.6 Web Browser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.7 Windows OS Patching and Service Packs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
7.8 Antivirus. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7.8.1 Antivirus Scanner Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7.8.2 Folder Exclusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
7.8.3 NTLM V1 Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7.9 IIS Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7.9.1 Enabling Certificate Based Encryptions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
7.9.2 IIS Identity of AspNetCoreWorkerPool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
7.9.3 Securing Cross Site Scripting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
7.9.4 Isolating Application Pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
7.9.5 URL Authorization Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
7.9.6 HTTP Response Headers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35


7.9.7 Disable Default Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37


7.10 Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
7.11 Windows Local Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
7.12 uniFLOW Firewall Required Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
7.13 SSL/TLS Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.13.1 SSL/TLS Supported Level. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
7.13.2 SSL/TLS Certificate Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

8 Canon MFP Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43


8.1 Canon Device Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
8.1.1 Canon Encrypted Secure Print Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
8.1.2 Canon Secure Watermark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.1.3 Canon Data Erase Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.1.4 Canon Security Kit (B2/A2). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.1.5 Canon HDD Data Encryption Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
8.2 Importing a Certificate to a Canon Device. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

9 NT-ware Hardware Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50


9.1 microMIND. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
9.2 uniFLOW Release Station. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
9.3 NT-ware MoneyLoader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

10 Submitting Security Information and Questions. . . . . . . . . . . . . . . . . . 52

11 New Security Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

12 Definitions, Abbreviations and Acronyms. . . . . . . . . . . . . . . . . . . . . . . 54

1 Introduction
This white paper has been written to help you increase the security of your uniFLOW
installation and the corresponding network environment and servers. This white paper
focuses on the configuration options within uniFLOW >= V5.3 and explains standard
security features of uniFLOW. The goal is to reduce the attack surface by implementing
or enabling security countermeasures. This will harden your uniFLOW installation against
attacks.
Settings and actions described in this document should only be executed by qualified
personnel. This is especially true for any configurations outside the NT-ware product line.
NT-ware does not assume any warranty for damages or disadvantages suffered as a
result of the implementation of settings and actions described in this document.
We are constantly working on this document to keep it up to date. This includes
addressing threats found in the field. To report threats to NT-ware or to ask questions,
please see chapter Submitting Security Information and Questions (on page 51).

2 How to use this document


This document is separated into several key sections. These sections are based on the
technology in question and functionality they offer. In order to get to the right section in
the document, you should first work through the Security Checklists (on page 2).
The Security Checklists are separated into the logical key technologies of uniFLOW, external
components and the environment. Work through the checklist and look up the related
information for each section.
When designing a strong security platform there are several key areas which need to be
considered. Listed below are the high-level areas to consider; the checklist section of this
document breaks them down further.
▪ MFP Device Level Security:
Physical access and content auditing (iW SAM).
▪ Application and Operating System Security:
Patching, antivirus, web security, strong communication protocols.
▪ Network Security:
Encryption, port restrictions and physical access security.

3 Security Checklists
uniFLOW and RPS

Technology: uniFLOW Microsoft Web Server (IIS)
▪ Securing Application pools.
▪ Enabling certificate based encryptions.
Document Link: IIS Security (on page 32)

Technology: uniFLOW and RPS Web Servers
▪ Microsoft IIS Security.
▪ uniFLOW Internal Web Server.
▪ uniFLOW Web Pages Access.
Document Link: uniFLOW and RPS Communication (on page 6); uniFLOW and RPS Web Servers (on page 6); uniFLOW Web Pages Access (see Obsolete Chapter Template on page 8)

Technology: LDAP
▪ Enable LDAPS (LDAP over SSL Communication).
Document Link: LDAP over SSL (on page 28)

Technology: Email
▪ Email Communication (SMTP, ESMTP, POP3, EWS).
Document Link: Email Communication (on page 15)

Technology: SQL
▪ Database Connection/Communication.
▪ Data storage and handling.
Document Link: Database (on page 23)

Technology: RDP
▪ Secure the RDP connection and possible Man in the Middle Attacks.
Document Link: Microsoft Windows RDP Server (on page 28)

Technology: RPS
▪ RPS Communication Packet Signing < uniFLOW V5.3.
▪ RPS Communication over SSL/TLS >= uniFLOW V5.3.
▪ RPS local database considerations.
▪ Antivirus requirements.
Document Link: uniFLOW and RPS Communication (on page 6)

Scan Processing Server

Technology: SPS
▪ Communication uniFLOW/RPS <> SPS.
▪ Temp file handling.
▪ Antivirus requirements (Remote SPS).
Document Link: Scan Processing Server (on page 14)

uniFLOW Client for Windows

Technology: Communication
▪ Communication with uniFLOW/RPS.
Document Link: uniFLOW Client (on page 9)

Technology: Web Site Access
▪ uniFLOW server IIS Risk Assessment.
Document Link: uniFLOW Web Pages Access (see Obsolete Chapter Template on page 8)

uniFLOW Client for Mac

Technology: Communication
▪ Communication with uniFLOW/RPS.
Document Link: uniFLOW Client for Mac via HTTPS (on page 9)

uniFLOW SmartClient

Technology: Communication
▪ Communication with uniFLOW/RPS.
Document Link: uniFLOW SmartClient (on page 11)

Technology: Local Files
▪ Considerations for local file storage.

Technology: AV
▪ AV Considerations for local files.

MEAP Communication

Technology: Communication
▪ Communication to uniFLOW/RPS.
Document Link: MEAP Communication (on page 11)

Technology: Data Integrity
▪ Password and PIN handling considerations.
Document Link: Passwords challenged against LDAP (on page 12); Pass-through and Authentication Using the uniFLOW Login Manager (on page 12)

General Printing

Technology: Encrypted Print
▪ Encrypting print data.
Document Link: Print Data Storage and Transmission (on page 17)

Operating System and Other

Technology: Antivirus
▪ Antivirus considerations and application.
Document Link: Antivirus (on page 30)

Technology: OS Patching
▪ Considerations on applying patching.
Document Link: Windows OS Patching and Service Packs (on page 29)

Technology: uniFLOW IG
▪ uniFLOW Internet Gateway.
Document Link: uniFLOW Internet Gateway (IG) (on page 15)

Technology: iW SAM
▪ Canon iW SAM considerations.
Document Link: Canon iW SAM (Secure Audit Manager) (on page 21)

Technology: Supporting Application
▪ Supporting applications and external NT-ware component considerations.
Document Link: Supporting Applications (on page 19)

General Consideration

Technology Description Document Link

MFP Device Security ▪ Network access. Canon MFP


Security (on page
42)
MFP Physical ▪ Device access.
Security ▪ Activity monitoring.
Hardware Security ▪ NT-ware Hardware Security. NT-ware Hardware
Security (on page
49)


4 uniFLOW
This section discusses the communication between uniFLOW and RPS servers, and the
communication and implementation of the associated uniFLOW Client applications.

4.1 uniFLOW and RPS Communication


From uniFLOW V5.2 on, the synchronization of connected Remote Print Servers is
secured with signed communication packets. The signature lets the server verify that a
legitimate RPS (and not some other application) is requesting the data. Be aware that
this signing is completely independent of any HTTPS setting in an installation: it
authenticates the requester but does not encrypt the data, so confidentiality on the
wire still depends on SSL/TLS being enabled.
Note that this is only valid for a new installation. If you have updated from a previous
version, the behaviour may differ, depending on the settings chosen in the uniFLOW
Update Wizard.
Please refer to the uniFLOW User Manual, chapter uniFLOW Update, for further details.
In addition to the data synchronization between a uniFLOW server and an RPS, Resource
Management runs in parallel and maintains DIF files and MEAP behaviors.
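The following is an added illustration of what signed communication packets do and do not provide. It is example code, not uniFLOW code and not the uniFLOW/RPS wire format: the shared key, the use of HMAC-SHA256 over a canonical JSON body and the timestamp window that bounds replay are all assumptions made for this example. The last check in the usage shows the point made above: the signed body is readable by anyone on the wire, so signing authenticates the requester but is no substitute for HTTPS.

```python
"""Signed request packets: authenticity without confidentiality.

Added example for illustration only; it is not the uniFLOW/RPS packet
format. HMAC-SHA256, the JSON layout and the replay window are assumptions.
"""
import hashlib
import hmac
import json

REPLAY_WINDOW_SECONDS = 300   # assumed tolerance for clock skew / replay


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so sender and receiver hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_packet(payload: dict, key: bytes, now: int) -> dict:
    """Attach a timestamp and an HMAC tag computed over the whole body."""
    body = dict(payload, ts=int(now))
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify_packet(packet: dict, key: bytes, now: int) -> bool:
    """Accept only if the tag matches (constant-time compare) and the timestamp is fresh."""
    expected = hmac.new(key, _canonical(packet["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["sig"]):
        return False                      # forged, tampered, or signed with another key
    return abs(int(now) - int(packet["body"]["ts"])) <= REPLAY_WINDOW_SECONDS


# Constructed sample data for the example (not real keys or requests).
SHARED_KEY = b"example-shared-key-not-real"
SAMPLE_TIME = 1_681_380_000
SAMPLE_REQUEST = {"op": "sync", "rps": "rps01", "since": "2023-04-13T09:00:00Z"}

if __name__ == "__main__":
    pkt = sign_packet(SAMPLE_REQUEST, SHARED_KEY, SAMPLE_TIME)
    print("valid:", verify_packet(pkt, SHARED_KEY, SAMPLE_TIME + 5))
    pkt["body"]["rps"] = "attacker"       # any change to the body invalidates the tag
    print("tampered:", verify_packet(pkt, SHARED_KEY, SAMPLE_TIME + 5))
    print("body still readable:", pkt["body"])
```

Signing protects integrity and origin; anything in the body that must stay confidential still has to travel inside an SSL/TLS connection.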

4.2 uniFLOW and RPS Web Servers


Microsoft IIS is used on a uniFLOW server to host the uniFLOW administration interface
and other subpages. Several server-side factors affect the security of the uniFLOW
server. An important decision is whether access to uniFLOW is restricted through the
uniFLOW administration (ACLs on the web pages), through the Microsoft IIS
infrastructure, or both.
Both uniFLOW and RPS servers also run their own separate, internal web server. This is
not to be confused with the Microsoft IIS web service, which runs only on the uniFLOW
server. The uniFLOW internal web server does not host any administration web pages but
handles many other functions such as RPS communication, MEAP communication, etc.
Details on the uniFLOW internal web server can be found in the chapter Internal Web
Server of uniFLOW >= V5.3 (on page 7).

4.2.1 Microsoft IIS Security


In some cases, user- and administration-level security alone is not enough, for example
because the site is in a high-security environment or is exposed to attack. In other
cases, IIS simply has to be hardened to meet a customer's security policy or to address
real or anticipated risks. Section IIS Security (on page 32) lists all currently supported
and documented security countermeasures. Use it as a reference and discuss with your
customer which features to implement and why.
This only applies to a uniFLOW server, as an RPS does not run IIS.


See chapter IIS Security (on page 32) for a detailed listing of security
countermeasures.

4.2.2 Usage of HTTPS in uniFLOW >= V5.2


To provide secure communication, uniFLOW uses HTTPS as its default communication
protocol. Please consider the following:
▪ HTTPS is the required default communication protocol for uniFLOW. A redirection
mechanism from HTTP to HTTPS is in place.
▪ To make HTTPS available, a self-signed certificate is created and installed in IIS
during the installation of uniFLOW. The certificate can be replaced in IIS afterwards if a
different certificate is to be used. The self-signed certificate is unique to each
installation and is valid for 10 years; afterwards it must be renewed.
▪ We recommend adding this self-signed certificate to the "Trusted Root Certification
Authorities" certificate store of the clients, so that browsers do not show messages like
"There is a problem with this website's security certificate" when accessing uniFLOW web
pages. This should be done after the uniFLOW installation. Distribute the certificate to
clients only over a trusted channel (for example centrally by policy), not by asking users
to accept an unknown certificate in the browser.
▪ See chapter Certificate Installation in the uniFLOW User Manual / Installation
Manual.

▪ If a different certificate is to be used, it has to be acquired and installed manually
via the IIS Manager. This is required, for example, if the certificate must be issued by a
certification authority the clients already trust, such as a public CA or the organization's
own internal PKI. Such a certificate avoids having to distribute the self-signed certificate
at all.
To replace or renew the certificate in IIS, please refer to the Microsoft Knowledge Base.

Updating uniFLOW and HTTPS


If you update uniFLOW using the uniFLOW Update Wizard, note that the wizard does not set
the "Require Secure Channel" flag in IIS by default, because RPSs and clients which have
not been updated yet would otherwise no longer be able to connect to the uniFLOW server.
As long as the flag is not set, HTTP remains possible; set it once all RPSs and clients
have been updated.
▪ Please refer to chapter HTTP/HTTPS Communication in the uniFLOW User Manual /
Installation Manual for details.
▪ For details about upgrading Remote Print Servers, please refer to the respective
subchapter of the uniFLOW Update/Upgrade chapter in the uniFLOW User Manual /
Installation Manual.

4.2.3 Internal Web Server of uniFLOW >= V5.3


uniFLOW Internal Web Server
From uniFLOW V5.3 on, the uniFLOW internal web engine was extended to support HTTPS.
By default it is installed with a certificate generated with OpenSSL during installation;
if you have a trusted company certificate, this can be used instead.


The following components use the uniFLOW V5.3 web engine if configured to use HTTPS:
▪ MEAP applets (requires V4.2.x applets)
▪ Scan Processing Server (from uniFLOW >= V5.3)
▪ uniFLOW Client (from uniFLOW >= V5.3)
▪ CRQM/DRQM
▪ Universal Driver configuration communication

Updating uniFLOW and HTTPS


In case you want to update uniFLOW using the uniFLOW Update Wizard, please take
note of the upgrade security options. Also, if you have a mixed installation where not all
components can utilize the new security, ensure you have backward compatibility
options set.

Important
Ensure all the uniFLOW components listed above are updated to uniFLOW V5.3
functionality before completely switching the site to HTTPS communication. For
detailed instructions on upgrading uniFLOW, please refer to the installation manual and
associated NT-ware Customer Portal articles for uniFLOW V5.3.

4.2.4 Obsolete Chapter Template


On a uniFLOW server, several websites are exposed via IIS. In order to restrict access and
ensure user and administration level security to these websites, these can be managed
via configuration. Below are the well-known sites and some suggestions on how to
manage access to them. Some of the listed sites are also hosted on an RPS where their
control restrictions equally apply. This is noted in the column Available on RPS.
Site | Purpose | Recommendation | Available on RPS
PWServer | Main uniFLOW administration web page. | Should be restricted. ACLs can be used to give groups within the organization access to manage individual features such as users, cost centers or printers. | No
PWClient | The user interface to receive notifications, manage identities and other user-level functions. | This site has no ACL, as it is secured to the locally logged-in user. The display of specific PWClient web pages can be restricted on a per-page basis under uniFLOW Server Configuration > Server Config. > General Settings > Client Web Interface. | No
PWBudget | Budget Management page to administer budgets within uniFLOW by a cashier or the like. | Disabled by default; it needs to be enabled under uniFLOW Server Configuration > Server Config. > General Settings > General > Budget Management Web. Once enabled, it has its own ACL management page to control access to the required staff. | No
PWRQM | User secure print release queue. | Hosted on the uniFLOW server only. Access is managed under uniFLOW Server Configuration > Server Config. > General Settings > RQM Web. | No
PWRQM/Mobile | Mobile Print web page. | Access to this page can be restricted or disabled via the settings under uniFLOW Server Configuration > Server Config. > General Settings > Mobile Release Login Type. | Yes
HelixOD | CRD print room queue management. | Access can be restricted via ACLs to this page. | No

For a detailed explanation on how to secure uniFLOW web pages via ACL (Access Control
Lists), please refer to the uniFLOW manual.

4.3 uniFLOW Client


4.3.1 uniFLOW Client for Windows via HTTPS
uniFLOW >= V5.3
From uniFLOW V5.3 on, the uniFLOW and RPS servers can be configured during
installation to communicate over SSL/TLS. To configure a uniFLOW server and RPS to
communicate with a uniFLOW Client for Windows over SSL/TLS, please make sure you
enable the Encrypted Web Server options. No change needs to be made on the uniFLOW
Client for Windows to enable this functionality. For further information, please refer to
the uniFLOW User Manual (V5.3 or newer).

4.3.2 uniFLOW Client for Mac via HTTPS


Since uniFLOW V5.2, the communication between the uniFLOW Client for Mac and the
uniFLOW server runs via HTTPS by default, with a fallback to HTTP if the server does not
enforce HTTPS. On a fresh standard installation of uniFLOW, HTTPS is enforced, so the
current uniFLOW Client for Mac communicates with the uniFLOW server only via HTTPS.
If you have upgraded the uniFLOW server from a version older than V5.2 and the default
communication runs via HTTP, the uniFLOW Update Wizard installs a certificate to enable
communication via HTTPS but does not enable the "Require Secure Channel" flag in IIS.
Both HTTP and HTTPS are then possible, so all old uniFLOW Clients for Mac continue to
work, although they still communicate via HTTP. Where secure communication is required,
upgrade all clients to the new version, which communicates via HTTPS, and then set the
"Require Secure Channel" flag so that the HTTP fallback can no longer be used.

4.3.3 uniFLOW User Web


uniFLOW >= 2018 LTS
While not a uniFLOW Client application the uniFLOW User Web is mentioned here due to
some security enhancements which have been implemented since uniFLOW 2018 LTS.


To protect user information transmitted on the network, any form-based authentication
must take place over HTTPS. If a user opens the uniFLOW User Web on the uniFLOW server
or an RPS via HTTP, the user is redirected to the HTTPS page.

uniFLOW User Web CAPTCHA


uniFLOW >= V5.3
In uniFLOW V5.3 a CAPTCHA was added to the uniFLOW Client Web Interface page whenever
PIN code entry was used. This was a hard-coded addition and could only be removed by
commenting out the client-side code.
uniFLOW >= 2018 LTS
With uniFLOW 2018 LTS the CAPTCHA is only shown when certain failed-login thresholds
are met, indicating a single or distributed brute-force attack.
Detection Metrics
Note that this security layer has been implemented to detect a targeted or distributed
attack aimed at obtaining a working user PIN code. It is not meant to block or detect the
occasional incorrect entry of a PIN code. The values below are the defaults.
Single Targeted Attack
After 50 (InvalidLoginAttemptThreshold) failed attempts against one user account within
a 60-minute (AttackReactionTime) period, the CAPTCHA is shown to that account only,
until the AttackReactionTime expires.
Distributed Attack
Here there are two conditions of detection:
▪ The "Single Targeted Attack" criteria are met by 10 user accounts within the 60-minute
AttackReactionTime.
▪ There are 1000 failed login attempts within the 60-minute AttackReactionTime (a
failed login consists of one or more attempts).


The CAPTCHA Mode and the Attack Detection and Reaction Time can be configured
under uniFLOW Server Configuration > Server Config. > General Settings > General >
System Security.
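The following added example (not uniFLOW code) implements the three rules above with their default values as detection logic over a constructed list of failed-login events, so that the single-target and both distributed conditions can be read and tested side by side. Its assumptions, which the text does not specify, are: events are (timestamp, account) tuples; the AttackReactionTime is approximated by a trailing 60-minute window; and a detected distributed attack shows the CAPTCHA to every account.

```python
"""Failed-login thresholds behind the uniFLOW User Web CAPTCHA.

Added example, not uniFLOW code. It implements the three rules quoted in
this section with their default values over a constructed list of
failed-login events. Assumptions made here: events are (timestamp, account)
tuples; AttackReactionTime is approximated by a trailing 60-minute window;
a detected distributed attack shows the CAPTCHA to every account.
"""
from collections import Counter
from datetime import datetime, timedelta

INVALID_LOGIN_ATTEMPT_THRESHOLD = 50          # failed attempts per account
ATTACK_REACTION_TIME = timedelta(minutes=60)  # detection window
DISTRIBUTED_ACCOUNT_THRESHOLD = 10            # accounts meeting the single-target rule
DISTRIBUTED_ATTEMPT_THRESHOLD = 1000          # failed attempts overall in the window


def recent_failures(events, now, window=ATTACK_REACTION_TIME):
    """Failed-login events with a timestamp in (now - window, now]."""
    start = now - window
    return [(ts, acct) for ts, acct in events if start < ts <= now]


def targeted_accounts(events, now):
    """Accounts with at least INVALID_LOGIN_ATTEMPT_THRESHOLD failures in the window."""
    counts = Counter(acct for _, acct in recent_failures(events, now))
    return {acct for acct, n in counts.items() if n >= INVALID_LOGIN_ATTEMPT_THRESHOLD}


def distributed_attack(events, now):
    """Either distributed condition: 10 targeted accounts, or 1000 failures in total."""
    return (len(targeted_accounts(events, now)) >= DISTRIBUTED_ACCOUNT_THRESHOLD
            or len(recent_failures(events, now)) >= DISTRIBUTED_ATTEMPT_THRESHOLD)


def captcha_required(events, now, account):
    """Single-target rule: CAPTCHA for the attacked account only.
    Distributed rule: assumed here to apply to every account."""
    return distributed_attack(events, now) or account in targeted_accounts(events, now)


def constructed_failures(account, count, start, spacing=timedelta(seconds=30)):
    """Constructed sample data: `count` failed logins for `account` from `start` on."""
    return [(start + i * spacing, account) for i in range(count)]


# Constructed reference times for the sample run.
SAMPLE_START = datetime(2023, 4, 13, 9, 0)
SAMPLE_NOW = SAMPLE_START + timedelta(minutes=59)
SAMPLE_LATER = SAMPLE_START + timedelta(minutes=120)

if __name__ == "__main__":
    events = (constructed_failures("alice", 50, SAMPLE_START)
              + constructed_failures("bob", 3, SAMPLE_START))
    for acct in ("alice", "bob"):
        print(acct, "CAPTCHA:", captcha_required(events, SAMPLE_NOW, acct))
```

Note the second distributed condition: 1000 failures spread thinly over many accounts trips the CAPTCHA although no single account reaches the 50-attempt threshold, which is what distinguishes a distributed guess from ordinary mistyped PINs.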

4.3.4 uniFLOW SmartClient


Communication (Sync and Updates)
For the uniFLOW SmartClient to receive and maintain its configuration information, this
data is requested by the uniFLOW SmartClient from the uniFLOW management server.
This communication is done via HTTPS.

Communication (Print Data)


Print data from the uniFLOW SmartClient to the MFP is sent via the Workflow Element
Output Job to IP using LPR and is not encrypted.
In secure environments, NT-ware recommends installing MEAP V4.2 or higher, which allows
the uniFLOW SmartClient to send the print job via Output to MEAP (OutputToMeap.exe),
which transmits the data in encrypted form.
For more details on print encryption, please see Print Job Transfer (Output to IP) (on
page 18).

uniFLOW SmartClient to Server (Default Group)


Depending on the configuration of a uniFLOW SmartClient, jobs may be forwarded to the
management server if the uniFLOW SmartClient starts and is not in a defined group. If the
uniFLOW SmartClient is in the default group, jobs are forwarded to the Management Server
input queue, if configured. These jobs are always transmitted over HTTPS.

4.4 MEAP Communication


If you have the most recent version of the MEAP software (>= V4.2) installed on all
Canon MFPs, and all servers, clients and RPSs are set to use HTTPS, then all network
communication is encrypted with state-of-the-art technology. If, for any reason, it is not
possible to update to the latest versions, please read the following information to assess
your need for encryption.

MEAP Communication for the uniFLOW MEAP Client < V4.2 and the Universal
Login Manager < V4.2
In general, the communication between MEAP clients and uniFLOW/RPS is clear-text XML in
both directions. Wherever sensitive information is exchanged, such as passwords for a
login against Active Directory or PIN codes, uniFLOW needs to be configured to protect
that data.
To determine the best option, assess the risk of network sniffing and whether the
software is used in a low-risk or a high-risk environment.

Low-Risk


In a low-risk environment, there is little risk of data being intercepted on the network
or of sensitive information being entered at the MFP, such as passwords for self-
registration.
To provide a basic level of secrecy for data passed on the network, 56-bit DES encryption
is applied. This protects against accidental or casual exposure only; DES is no longer
considered secure against a determined attacker and should not be relied on where
confidentiality matters.
With the use of HTTPS the encryption mechanism described above is obsolete. Please
see below for further information.

High-Risk
In a high-risk environment, there is an imminent or perceived risk that confidential
network data is accessed by unauthorized people.
In such an environment it is vital that uniFLOW is installed and configured to use
encrypted communication (HTTPS). During installation, ensure that uniFLOW and any RPS
servers are set to use the Encrypted Web Server engine.
To ensure use of HTTPS after an update, consult the uniFLOW User Manual.
To make use of encrypted communication (HTTPS), the MEAP version on the Canon MFP
must be V4.2 or higher.
Update all components like servers, clients or RPSs to the most recent version to
ensure maximum security.
Note that on some MEAP devices, depending on the firmware version, 3DES encryption is
disabled by default. To use encrypted MEAP communication, 3DES has to be enabled on the
device. Please refer to your device manual for the exact procedure. Be aware that 3DES is
considered a legacy cipher with a 64-bit block size; it is nevertheless preferable to
unencrypted MEAP communication.

4.4.1 Passwords challenged against LDAP


If authenticating at an MFP via the uniFLOW Login Manager against an LDAP source, the
password entered is transferred along the following chain:
MFP > uniFLOW/RPS > LDAP Service
The validity of a password is always checked by the uniFLOW server / RPS against the
LDAP service; the password is not transferred back to the MFP. Note that the
uniFLOW/RPS to LDAP hop has to be secured as well (LDAPS or StartTLS), because a simple
bind over plain LDAP transmits the password in clear text on that segment.

4.4.2 Emergency Accounts


From uniFLOW V5.1 SR2 on, all data for emergency accounts is sent as salted hashes, so
that the plaintext cannot be recovered from the MD5 hashes by lookup tables. Note that
salting defeats precomputed tables but does not prevent brute-forcing a short, low-
entropy value against its hash, so the hashes should still be treated as sensitive data.

4.4.3 Pass-through and Authentication Using the uniFLOW Login Manager

Automatic Login to Therefore


After the user has been identified at the device via the uniFLOW Login Manager, uniFLOW
forwards the password to Therefore RSA-encrypted. The components of the encryption
keys need to be configured in the uniFLOW Server Configuration; this is explained in the
uniFLOW User Manual.

Password Storage Therefore


These RSA public keys are centrally stored as ASCII hexadecimal representation. For
further information on how these public keys are set, please refer to the Therefore
manual MFP Connector.
http://www.therefore.net

Automatic Login to eCopy


If the Identification Service is configured via the eCopy SSOP Management Interface to
use Triple DES encryption for the device specified in Address of the configured uniFLOW
Device Agent, this parameter has to contain the content (one line) of the file in which
the eCopy SSOP Management Service stores the Triple DES key.
▪ The key is a string of 24 characters.
▪ The communication with the identification service is handled via port 9425 (default).
▪ Depending on the eCopy implementation, it is possible that no encryption is used at all;
in that case the identification data crosses the network in clear text.

Password Storage eCopy


Please see Database and Data Storage (see Storage and Transmission of Sensitive Data
on page 25)

4.4.4 MEAP Scanning


By default, the scan jobs are stored in the mailbox 00 which is not secured in a particular
way. MEAP scanning should be secured by setting the parameters below. Beforehand,
you have to configure an individual mailbox on the device and protect it with an
individual password.
Note that this mailbox number and password must be the same on all devices where
the uniFLOW MEAP Client is running.

▪ Open uniFLOW Server Configuration > Server Config. > General Settings > MEAP
Scanning.
▪ Mailbox Number:
Enter the mailbox number where the temporary scan images should be stored.
▪ Mailbox Password:
Enter the password for the mailbox so that users logged in at the RUI of the machine
cannot open the mailbox folder to view the temporary scan file.
To become effective, you must refresh the MEAP behavior on the device. This can be
done by opening the MEAP & miniMIND Default Behavior under Server Configuration
> Agents/Terminals > MEAP & miniMIND > Default Behavior and clicking the Save
button.


Please also note that if an incorrect password has been set, it is still possible to store
the temporary scan jobs in the specified mailbox, but the jobs will not be deleted after
the scan job has completed. Over time this can fill up the device's storage.

4.5 uniFLOW Components


In this chapter, you can find a breakdown of uniFLOW components, details on their
purpose and related security precautions.

4.5.1 Scan Processing Server


The Scan Processing Server can be configured to transfer data across the network via
HTTP or HTTPS. This is configured during installation; use HTTPS wherever scanned
documents may contain sensitive content.
There are no further security considerations for the Scan Processing Server at this time.

4.5.2 ICARUS Server for Web


The ICARUS Server for Web provides a web interface for several technologies within the
uniFLOW platform offering, for example the uniFLOW Scan Simulator or the uniFLOW
Embedded Applet for Océ Large Format Printers.
The ICARUS Server for Web is installed in addition to the uniFLOW main website under
IIS. It can be hosted on any server running a compatible version of IIS.

Security Considerations
The ICARUS Server for Web can be installed utilizing HTTP or HTTPS. This is a
configuration option during installation.

4.5.3 uniFLOW AirPrint® & IPP Service

The uniFLOW Service for AirPrint has been renamed to uniFLOW AirPrint® & IPP Service
with uniFLOW 2021 LTS.

This chapter provides some detailed security information about the uniFLOW AirPrint® &
IPP Service (MomApSvc).

iOS Device to uniFLOW AirPrint® & IPP Service


When the uniFLOW AirPrint® & IPP Service (MomApSvc) is configured with "user name /
password" user identification, the MomApSvc requires the iOS device to use a secure
connection (TLS) for each print job request. If the connection is not secured, the
MomApSvc rejects the print job request.
For user identification methods other than "user name / password", the MomApSvc also
accepts print jobs over non-secure connections.
In versions before uniFLOW V5.4, the MomApSvc certificate is self-signed and regenerated
on every service restart (see below for uniFLOW >= V5.4).


Please note that beginning with uniFLOW 2022 LTS, TLS versions below 1.2 are disabled
by default for the uniFLOW AirPrint® & IPP Service.

uniFLOW AirPrint® & IPP Service to uniFLOW Server


To verify received credentials, the uniFLOW AirPrint® & IPP Service makes a request to
the uniFLOW server. Before doing so, the credential payload is encrypted using a custom
scheme with a key that changes for each request.
Starting with uniFLOW V5.3, the MomApSvc can verify credentials over a secure connection
to uniFLOW, which should be used rather than relying on the custom scheme alone.
Credentials are never stored by MomApSvc, but they might be cached or remembered on
an iOS device.

Additional Information
The credentials are encrypted with a 3DES key that changes on each login request. So
that uniFLOW can decrypt the credentials, the MomApSvc sends the 3DES key to uniFLOW,
encrypted with an RSA key known to both uniFLOW and MomApSvc.

For uniFLOW >= V5.4


The uniFLOW AirPrint® & IPP Service supports IPP and IPPS. Communication takes place
over an encrypted TLS connection.
The uniFLOW AirPrint® & IPP Service certificate is persistent and there is an option to
import key/certificate pairs.

4.5.4 uniFLOW Internet Gateway (IG)


The uniFLOW Internet Gateway provides a secured intranet- and internet-facing interface
to extend the uniFLOW mobility platform outside an organization's firewall. The Internet
Gateway is built on an Apache web server and a MySQL database engine, combined in a
WampServer package for simplified installation and configuration.
Because this is a specialized, internet-facing component, the general security
considerations for implementing the Internet Gateway are detailed in a separate white
paper. The WampServer package, installation guide and security white paper can be found
here.

4.5.5 Email Communication


Email is widely used within uniFLOW for both sending information and receiving
information.

4.5.5.1 SMTP/SMTPS/ESMTP
Outbound Emails


SMTP is used for both sending and receiving emails within uniFLOW. Once configured
under uniFLOW Server Configuration > Server Config. > Notifications > SMTP Server, the
uniFLOW system can send emails to the customer's SMTP mail server for many system
tasks. In addition, this connection allows the Workflow Element Send Email to send
emails from workflow-driven tasks.
SMTPS (SMTP over an implicit TLS connection) and ESMTP (Extended SMTP, where TLS is
negotiated via STARTTLS) were introduced in uniFLOW V5.2 SR1 and V5.3. Both allow the
email traffic to be sent over an encrypted connection.
The SMTP communication and its level of security are configured under uniFLOW Server
Configuration > Server Config. > Notifications > SMTP Server. Further details on the
configuration and requirements for setting up the SMTP server are given in the uniFLOW
User Manual.
When ESMTP or SMTPS is set, the information is encrypted using TLS to ensure it is sent
securely to the customer's mail server.

Inbound Emails
When an email address is entered in the Device Agent Load Emails via SMTP, uniFLOW
starts listening for incoming email on port 25 (default). Please consult the uniFLOW User
Manual on how to configure ESMTP or SMTPS as Encryption Behavior for incoming mail
traffic. Restrict access to this port with firewall rules so that only the organization's
mail server can deliver to it.
Inbound emails received by uniFLOW are placed into the mobile print queue that the
Device Agent is configured for.

4.5.5.2 EWS
Exchange Web Services (EWS) is used to collect emails from an Exchange mailbox and
place them into the uniFLOW Mobile Print workflow.
▪ uniFLOW < V5.4 supports TLS 1.0.
▪ uniFLOW >= V5.4 supports TLS 1.2.
▪ The uniFLOW user account used to access the mailbox has a user name / password
stored within the uniFLOW database. The password storage complies with the Multiple
Identity engine high encryption password handling detailed within this document.
The Workflow Element Send Email can also send emails via EWS.

4.5.5.3 POP3
The Device Agent Load Emails via POP3 is used to collect emails from a POP3 mailbox
and place them into the uniFLOW Mobile Print workflow.
Please keep in mind:
▪ User name and password are set in the Device Agent in clear text. Strict access
restrictions are advised.
▪ Encryption is not used by default.
Enforce the use of SSL by setting the parameter Use SSL to yes.
▪ Additionally, you can force the verification of certificates by providing the path to a
local copy of known certificates.


Please consult the uniFLOW User Manual for more information on how to configure the
Device Agent.

4.5.6 SNMP
SNMP (Simple Network Management Protocol)
The SNMP protocol is used by many components and processes within uniFLOW.

uniFLOW Components where SNMP is used


▪ Device Agents:
◦ SNMP Status Monitor
◦ SNMP Job Status Monitor
◦ SNMP Copy Control
◦ SNMP Counter Reader
▪ Message board capability for the CPCA Log Reader
▪ Activation of CMFP devices
▪ Detailed job status (for controllers like the PRISMAsync)
▪ The printer wizard, which uses SNMP discovery during the creation of a printer.
Without SNMP enabled, the wizard will not complete successfully.

Security Options
If using SNMP in the customer's network is a security concern, the internal risk can be
minimized with firewall rules that allow SNMP communication only between uniFLOW/RPS
and the MFPs.

4.6 Memory Exploit Mitigation Techniques in uniFLOW
uniFLOW uses the following standard Windows memory protections, which the operating
system enforces at run time to make the exploitation of software vulnerabilities harder:
▪ Data Execution Prevention (DEP):
Data pages (stack, heap) are marked non-executable, so code injected via a buffer
overflow cannot simply be executed from the application's memory.
▪ Address Space Layout Randomization (ASLR):
Module base addresses are randomized at load time, so an attacker cannot rely on fixed
addresses when exploiting a memory-corruption vulnerability.
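As an added check (example code, not part of NT-ware's software), the following reads the link-time flags in a Windows PE image that opt it into these mitigations: IMAGE_DLLCHARACTERISTICS_NX_COMPAT for DEP, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE together with intact base relocations for ASLR, and HIGH_ENTROPY_VA for 64-bit high-entropy ASLR. It also reports Control Flow Guard, which the paper does not mention. It uses only the standard library and is exercised on a constructed minimal PE header so it runs offline; point check_file() at the installed uniFLOW executables and DLLs to verify an installation.

```python
"""Report the DEP/ASLR link-time flags of a Windows PE image.

Added example, not NT-ware code. Parses the COFF and optional headers with
the standard library; `constructed_pe` builds a minimal header for testing.
"""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # optional header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000
PE32_PLUS_MAGIC = 0x20B
PE32_MAGIC = 0x10B


def pe_mitigations(data: bytes) -> dict:
    """Return which memory-exploit mitigations the image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4                                  # 20-byte COFF file header
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20                                      # optional header follows COFF
    magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for PE32/PE32+
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocatable = not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    is_64 = magic == PE32_PLUS_MAGIC
    return {
        "pe32plus": is_64,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        # DYNAMIC_BASE is only effective if the loader can relocate the image.
        "aslr": dynamic_base and relocatable,
        "high_entropy_aslr": is_64 and dynamic_base
                             and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def constructed_pe(dll_characteristics: int, coff_characteristics: int = 0x0022,
                   pe32plus: bool = True) -> bytes:
    """Constructed minimal (non-runnable) PE header used to exercise the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0,
                       opt_size, coff_characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Inspect a real image on disk; the headers fit comfortably in the first 4 KiB."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read(4096))


if __name__ == "__main__":
    hardened = 0x0160   # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT
    print(pe_mitigations(constructed_pe(hardened)))
```

A binary that reports dep and aslr as False has not opted into the mitigations described above, regardless of the system-wide settings; one with DYNAMIC_BASE set but relocations stripped will be loaded at its preferred base and gains nothing from ASLR.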


5 Print Data Storage and Transmission
This section serves to describe the handling of print jobs by uniFLOW for storage and
transfer on the network. Traditional print transport options such as LPR and RAW are not
documented here as their details are commonly available.

5.1 Storage Print Server


Print jobs are stored on the Microsoft Print Server in an unencrypted state. uniFLOW
uses the Microsoft Print Spooler architecture to store and process print jobs. These print
jobs can only be read by someone with access to the print server's spool directory; in
general this is not the case, and the setup can be considered secure. In environments
where this is not secure enough, do the following:
1. Move the spooler print location to another folder.
2. Protect that folder with the Microsoft Encrypting File System (EFS).
Note that EFS protects the spool files against offline access and against other accounts
on the server; the spooler's own service account must still be able to decrypt them, so
EFS does not protect against an attacker who has compromised that account.

5.2 Print Job Transfer (Output to IP)


uniFLOW V5.3 > Output to MEAP
Introduced in uniFLOW V5.3 was the ability to encrypt print traffic. This is possible with
the following components and only applies to the print job during transport.
▪ Between Client and Server:
uniFLOW Universal Driver (PostScript and PCL XL).
▪ Between Server and MFD:
Devices must support and run MEAP V4.2 or higher.

Encryption Details:
In both cases, the print traffic is secured using AES-256 encryption.

uniFLOW 2018 LTS > Output to IPP


Introduced in uniFLOW 2018 LTS was the ability to output jobs directly to an IPP-enabled
device or server. This is another selectable configuration option in the Workflow Element
Output to IP.
Between Client and Server:
uniFLOW Universal Driver (PCL XL), presently only used as part of the resilience client-
side failover functionality.
Between Server and MFP:
Devices must support IPP and have the IPP service enabled. Whether the transfer is
encrypted depends on whether the device's IPP endpoint is reached over TLS (IPPS); plain
IPP over HTTP is not encrypted.


The Workflow Element Output to IP also transfers jobs via LPR. Please be aware that
this method of transfer is unencrypted and provides no security if the job is intercepted
in transit.

5.3 CRQM (Collective Release Queue Management)
Printing within a CRQM environment can be secured by using the uniFLOW Universal
Driver with print encryption turned on. This is available from uniFLOW V5.3 on. For more
details see Print Job Transfer (Output to IP) (on page 18).
From uniFLOW V5.3 on, the transfer of jobs and job information between servers can be
encapsulated in SSL/TLS if the NT-ware internal encrypted web server is enabled during
installation.

5.4 DRQM (Distributed Release Queue Management)
From uniFLOW V5.3 on, the communication and the transfer of jobs between servers can
be encrypted via SSL/TLS if enabled.

Print Job Encryption (uniFLOW >= V5.3)


When using the uniFLOW Universal Driver with print job encryption enabled:
▪ Print jobs printed from client to server will be encrypted.
▪ Print Jobs that are released on the server they were submitted to will be sent to the
MFD in an encrypted state if the device is running MEAP V4.2 or above.
▪ Released print jobs which have been transferred to the releasing server via DRQM will
be submitted encrypted in case HTTPS is configured for uniFLOW's internal web
server (see also Internal Web Server of uniFLOW >= V5.3 (on page 7)).

5.5 Advanced Space for SMB


Advanced Space for SMB can be used for spoolfiles, for instance, in the uniFLOW
SmartClient. Please note that Advanced Space for SMB is automatically encrypted with
RSA + AES.


6 Supporting Applications
This chapter lists additional software which frequently runs on a uniFLOW server or RPS.
These applications and components are either used by uniFLOW to deliver functionality
or to support the product's usability.
Unless stated otherwise, it is always recommended that the latest version of a particular
software is installed including current service packs and patches. NT-ware does not
distribute or maintain these external applications (unless stated); this lies within the
responsibility of the customer.
For the exact versions of supported software please check the white paper Software
Compatibility List for NT-ware Products (MOMKB-471) in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.

Product | Notes
Adlib Express | *
Adobe Acrobat | *
Apache OpenOffice | *
eCopy Share Scan | *
Foxit Reader | *
Foxit (SDK Embedded) | The Foxit SDK is distributed with the uniFLOW Installer and with the uniFLOW Updater (since uniFLOW V5.3) and is therefore maintained and updated to the latest supported and patched version. Security threats discovered are announced by Foxit on their Security Bulletin page, which NT-ware monitors to stay current with known vulnerabilities: https://www.foxitsoftware.com/support/security-bulletins.php
FusionPro | *
Canon iW Desktop | *
Canon iW Prepress Manager (iW PPM) | *
Canon POD Printer Driver | *
Canon iW SAM | See Canon iW SAM (Secure Audit Manager) (on page 21)
Microsoft Office | *
Microsoft Office SharePoint Server 2007 (commercial extension) | Used in uniFLOW versions before V5.4 *
Microsoft SharePoint Enterprise 2010 (commercial extension for Server) | Used in uniFLOW versions before V5.4 *
Microsoft SharePoint Server 2010 (commercial extension for Foundation) | Used in uniFLOW versions before V5.4 *
Microsoft SharePoint Foundation 2013 | Used in uniFLOW V5.4 and higher *
Microsoft SharePoint Server 2013 (extension on top of Foundation) | Used in uniFLOW V5.4 and higher *
Microsoft SharePoint Online | *
Neevia Document Converter Pro | *
Netaphor SiteAudit | *
Océ PRISMAprepare | *
Océ PRISMAdirect | *
RedTitan EscapeE | *
Therefore | *
Therefore Online | *

* No security vulnerabilities known at the time of writing, so no product-specific measures beyond keeping the software current are required. Please check the vendors' websites for further information.

6.1 Canon iW SAM (Secure Audit Manager)


This chapter gives security-related information and background information about iW
SAM. It answers FAQs about how iW SAM works in the background.
For more information, please refer to the white paper Integrating iW SAM Express
Server V2.1 with uniFLOW (MOMKB-719) in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.

How are images stored on the MEAP device by the iR Agent and what format is
used to store the files?
After a print, scan or copy job, the resulting image is stored in the hard disk space for
iW SAM on the device.
The format of the image data can be one of the following:
▪ Canon Original Format
▪ TIFF
▪ JBIG
▪ JPEG
▪ JFIF

▪ TEXT

How and in which format are images transferred by the iR Agent from the
MEAP device to the iW SAM Express Server?
The stored image data in one of the above-mentioned formats will be transferred from
the iR Agent to the iW SAM Express Server using SOAP Messages with Attachment (SwA
protocol).

Over which port is the imageRUNNER sending the files to the iW SAM Express
Server?
▪ With HTTP, port 80 is used.
▪ With HTTPS, ports 80 and 443 are used.

How is the image transferred from the iW SAM Express Server to the uniFLOW
server?
The iW SAM Express Server will receive the image data and job log data from the iR
Agent by using SwA (SOAP Messages with Attachment). This data will be stored into the
spool folder on the iW SAM Express Server. The image format in the spool folder will be
the same as listed above.
Afterwards, the DataProcessService, one of the internal modules on the iW SAM Express
Server, converts the image data in the spool folder from its current format to JPEG or
TIFF and changes the resolution or rotates the image as required.
The ExportService, another internal module on the iW SAM Express Server, then stores
the newly formatted data in the ExportFolder configured in iW SAM. uniFLOW then
retrieves the image data from the ExportFolder.

7 Infrastructure
Ensure your web server platform is configured with defined security standards before
and after installing uniFLOW (e.g. IIS Lockdown, URL scan etc.).
Ensure the underlying operating system is also hardened and that the operating system's
patch level is kept up to date.

7.1 Database
7.1.1 Database Communication
Issue
The database communication between uniFLOW and the SQL server is unencrypted in a
standard installation. For example, user information and statistical information are sent
in clear text across the network; passwords and PIN numbers, however, are sent
encrypted (see Storage and Transmission of Sensitive Data (on page 25)). Transmission
of data to the SQL database over the network only takes place if uniFLOW is configured
for a remote SQL database. With a local SQL Express database (default install), network
transmission is not a concern and only the security of the local data storage needs to be
considered.

Resolution
It is recommended that the database network connections from the uniFLOW server to
the SQL server are encrypted using SSL. The following Microsoft article describes how to
enable SSL encryption for database connections:
http://support.microsoft.com/kb/316898/en-us

7.1.2 Alternate Port and Database Instance


uniFLOW installs and connects to SQL via a default SQL port 1443. SQL can be configured
with alternative ports to hide it on the network. uniFLOW can be configured to connect
to the alternate port during installation or after installation by editing the Database
connection string to explicitly define an alternate port. In addition, an alternate database
instance can be set to further isolate and secure the uniFLOW database.

Examples
"Data Source" extracts from the uniFLOW connection string:
▪ Data Source=(local);
◦ Local SQL Express install setting.
▪ Data Source=(<Server Name or IP>);
◦ Data Source=(MyServerName);
◦ Local or remote connection to server.
▪ Data Source=(<Server Name or IP>\<Instance Name>);
◦ Data Source=(MyServerName\SQLInstanceName);
◦ Local or remote connection to server with SQL instance defined.
In each case, the port can be appended as the examples below show.
▪ Data Source=(<Server Name or IP>,<NewPort>);
◦ Data Source=(MyServerName,1999);
◦ Local or remote connection to server.
▪ Data Source=(<Server Name or IP>\<Instance Name>,<NewPort>);
◦ Data Source=(MyServerName\SQLInstanceName,1999);
◦ Local or remote connection to server with SQL instance defined.
Ensure you make these changes in both uniFLOW connection strings,
"CONNECTIONSTRING" and "CONNECTIONSTRINGUI", should they both exist.

7.1.3 Encrypted Connection String


Issue
The CONNECTIONSTRING and the CONNECTIONSTRINGUI entries in the Windows
registry contain all data necessary for uniFLOW to access the uniFLOW database.
The above connection strings are installed in each uniFLOW installation by default. As
you can see, the user name and the password for the database access are written in
clear text. In almost all cases this is no problem as the CONNECTIONSTRING and the
CONNECTIONSTRINGUI are based on the uniFLOW server, which is not accessible to
users other than the administrator.
However, the security guidelines of some companies require an encrypted connection
string.

Resolution
The NT-ware Customer Portal (ITS) contains a White Paper which describes how to
encrypt the connection string.
For more information, please refer to the white paper Encrypted Connection String
(MOMKB-337) in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.

7.1.4 SQL Connection String and New DB User From uniFLOW V5.1.3 Onwards

uniFLOW uses a connection string stored in the Windows registry to connect the
uniFLOW kernel and web pages (UI) to the database. Until uniFLOW V5.1.3, only one
connection string was used. In order to increase the security of uniFLOW, NT-ware
introduced an additional connection string and a new additional database user with
uniFLOW V5.1.3.
The CONNECTIONSTRINGUI registry item has been added to the uniFLOW hive of the
Windows registry. This connection string is exclusively used for the uniFLOW UI to
introduce another layer of security. The "CONNECTIONSTRINGUI" will utilize a new
database user called "uFReader". Thus, any request to the uniFLOW database from the
uniFLOW UI will be handled via this user who has only read access.
The old CONNECTIONSTRING and "pbaip" user still exist and are required for normal
operation. This connection string will only be used by the kernel directly.
If the "CONNECTIONSTRINGUI" item is missing, uniFLOW will fall back to use the
"CONNECTIONSTRING". This is the case if you have updated from an older version. The
Windows registry item will not be added by the momupdate.exe. In this case, please use
the UI_ConnectionString_32-bit.reg or the UI_ConnectionString_64-bit.reg file which can
be downloaded from MOMKB-654 to create the respective Windows registry key. Please
keep in mind to change the "Data Source" within the file from "(local)" to your SQL
Server address if you are utilizing an external SQL Server.
Furthermore, the additional database user is required. The "uFReader" user will NOT be
created automatically. It will only be created when installing uniFLOW V5.1.3 or higher
with a new database (taken from http://www.nt-ware.com/mom/sql/momdb.zip).
If you are updating and using an existing database, please use the "Create_uFReader.sql"
script which is attached to the ITS issue MOMKB-654 in order to create the additional
database user "uFReader".

Encryption of the CONNECTIONSTRINGUI Connection String


▪ uniFLOW V5.3 SR4 or older - String is in clear text.
▪ uniFLOW V5.3 SR5 or newer - String can be encrypted. See Encrypted Connection
String (on page 24).
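The following script is an added example (not part of this white paper or of uniFLOW) that audits both connection strings against the recommendations of 7.1.1, 7.1.2 and 7.1.4. The registry path is a placeholder for the uniFLOW hive, the sample strings are constructed, and the encryption keyword is assumed to be "Encrypt" or the OLE DB form "Use Encryption for Data"; check which keyword your provider honours.

```powershell
# Added example, not taken from the white paper or from uniFLOW: audit the two uniFLOW
# connection strings against 7.1.1 (SSL to a remote SQL Server), 7.1.2 (alternate port)
# and 7.1.4 (read-only uFReader user for the UI string).
# Assumptions: the registry path below is a placeholder for the uniFLOW hive; the
# encryption keyword is assumed to be "Encrypt" or "Use Encryption for Data".
# Run in an elevated PowerShell on the uniFLOW server.

function ConvertFrom-SqlConnectionString {
    # Split "Key=Value;Key=Value" into a hashtable (PowerShell hashtable keys are case-insensitive).
    param([Parameter(Mandatory)][string]$ConnectionString)
    $result = @{}
    foreach ($pair in ($ConnectionString -split ';')) {
        if ($pair -notmatch '=') { continue }
        $key, $value = $pair -split '=', 2      # split once: a password may contain '='
        $result[$key.Trim()] = $value.Trim()
    }
    return $result
}

function Test-UniflowConnectionString {
    # Returns one finding per setting that deviates from the white paper's recommendations.
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [switch]$IsUiString   # set for CONNECTIONSTRINGUI
    )
    $findings = @()
    $cs = ConvertFrom-SqlConnectionString $ConnectionString

    # 7.1.3: an encrypted string has no readable Key=Value pairs; nothing more to check.
    if (-not $cs.ContainsKey('Data Source')) {
        $findings += 'No readable "Data Source": string is encrypted or malformed'
        return $findings
    }

    # 7.1.2: (local), server or server\instance, each optionally followed by ",<NewPort>".
    $server, $port = $cs['Data Source'].Trim('(', ')') -split ',', 2
    if (-not $port) {
        $findings += 'No alternate port appended to Data Source; default SQL port in use'
    } elseif ($port -notmatch '^\d+$') {
        $findings += "Port suffix '$port' is not numeric"
    }

    # 7.1.1: traffic to a remote SQL Server should be SSL encrypted; local SQL Express is exempt.
    $isLocal = ($server -split '\\')[0] -in @('local', '.', 'localhost', $env:COMPUTERNAME)
    $encrypt = if ($cs['Encrypt']) { $cs['Encrypt'] } else { $cs['Use Encryption for Data'] }
    if (-not $isLocal -and $encrypt -notin @('True', 'Yes', 'Mandatory')) {
        $findings += 'Remote SQL Server without Encrypt=True; enable SSL for the database connection'
    }

    # 7.1.4: the UI string must use the read-only uFReader; the kernel string keeps pbaip.
    $user = $cs['User ID']
    if ($IsUiString -and $user -ne 'uFReader') {
        $findings += "UI string uses '$user' instead of the read-only user 'uFReader'"
    } elseif (-not $IsUiString -and $user -eq 'uFReader') {
        $findings += 'Kernel string uses the read-only uFReader user; the kernel needs pbaip'
    }
    return $findings
}

function Get-UniflowConnectionStrings {
    # Reads both values from the registry; CONNECTIONSTRINGUI is $null when an update from
    # an older version never created it (7.1.4 explains how to add it).
    param([string]$RegistryPath = 'HKLM:\SOFTWARE\<uniFLOW hive placeholder>')
    $item = Get-ItemProperty -Path $RegistryPath -ErrorAction Stop
    [ordered]@{
        CONNECTIONSTRING   = $item.CONNECTIONSTRING
        CONNECTIONSTRINGUI = $item.CONNECTIONSTRINGUI
    }
}

# Constructed sample strings so the audit runs offline; for the live check replace
# $samples with (Get-UniflowConnectionStrings). Passwords are never echoed.
$samples = [ordered]@{
    CONNECTIONSTRING   = 'Provider=SQLOLEDB;Data Source=(MyServerName);Initial Catalog=DsPcDb;User ID=pbaip;Password=example'
    CONNECTIONSTRINGUI = 'Provider=SQLOLEDB;Data Source=(MyServerName\SQLInstanceName,1999);Initial Catalog=DsPcDb;User ID=uFReader;Password=example;Encrypt=True'
}
foreach ($name in $samples.Keys) {
    if (-not $samples[$name]) { "${name}: missing (uniFLOW falls back to CONNECTIONSTRING)"; continue }
    $result = @(Test-UniflowConnectionString -ConnectionString $samples[$name] -IsUiString:($name -eq 'CONNECTIONSTRINGUI'))
    if ($result.Count -eq 0) { "${name}: OK" } else { "${name}:"; $result | ForEach-Object { "  - $_" } }
}
```

With the constructed samples, the kernel string is flagged twice (default port, no encryption to a remote server) and the UI string passes.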

7.1.5 Storage and Transmission of Sensitive Data


Certain features within uniFLOW require passwords to be entered and passwords need
to be stored within the uniFLOW database. The following applies to the uniFLOW
database (DsPcDb):

System Stored Password


1. LDAP password
2. SMTP password
3. Network user password

General Information
▪ Passwords cannot be requested via a COM call or database query from the uniFLOW
system or the uniFLOW database.
▪ The uniFLOW kernel stores encrypted passwords within the user's binary object
(BLOB) within the uniFLOW database for all user and multiple identity areas.
▪ Active Directory passwords are not stored in the uniFLOW database by default.
However, there are the following exceptions:
Passwords are only stored in the uniFLOW database if there is an integration with an
application that needs to have a password passed as part of the MEAP login process
or if you explicitly select to store the password.
◦ Workflow Element Get User Authentication.
◦ Store user name and password against the user object. See uniFLOW Server
Configuration > Base Data > User > General Settings > Identities.
◦ Integration with Therefore. See Pass-through and Authentication Using the
uniFLOW Login Manager (on page 12).
◦ Integration with eCopy. See Pass-through and Authentication Using the uniFLOW
Login Manager (on page 12).
▪ All text-based information within the uniFLOW database is for reporting and support
purposes only and does not contain confidential data.
▪ PIN Codes are stored in the database. If Pre V5.4 Legacy Support is enabled, a simple
MD5 (56-bit) algorithm is used to hash the PIN Codes.
If Pre V5.4 Legacy Support is disabled for the RPS synchronization, PIN Codes are
stored as a salted hash.
▪ Password storage in uniFLOW >= V5.1
Passwords saved against a user profile are encrypted with an AES-256 bit encryption,
e.g. LDAP password or email secret.

7.1.6 Database Rights and Permissions


This section details the required permissions and rights which uniFLOW requires
interacting with the Microsoft SQL Server.

PBAIP User
DsPcDb: Database owner with read and write access.

uFReader User
DsPcDb: Database user who has read-only permission. See SQL Connection String and
New DB User From uniFLOW V5.1.3 Onwards (on page 24).

SQL Users and Role


In high-security environments, rights are often reduced or removed from the "PUBLIC"
user role in Microsoft SQL Server.

Public User Permissions


Below are the known required permissions which need to be re-granted to the Public
user for uniFLOW in order to function correctly in a typically hardened environment
which removes all permissions from the "PUBLIC" role.

New Installation
▪ grant execute on sp_provider_types_rowset to PUBLIC
▪ grant execute on sp_changeobjectowner to PUBLIC
▪ grant execute on sp_tables_rowset to PUBLIC
▪ grant execute on sp_columns_rowset to PUBLIC
▪ grant execute on sp_indexes_rowset to PUBLIC

Statistics Report Generation


▪ grant execute on sp_tables_rowset to PUBLIC
▪ grant execute on sp_columns_rowset to PUBLIC
▪ grant execute on sp_procedures_rowset to PUBLIC

7.2 Server Message Block (SMB) Signing


The Server Message Block (SMB) protocol is used for providing and obtaining network
file services. It makes it possible to copy files between network computers. In case the
server is in a network with untrusted clients, security issues can arise, e.g.
man-in-the-middle attacks or active message attacks. Enabling SMB signing, however,
adds security to the SMB protocol and prevents man-in-the-middle attacks: with SMB
signing, a signature is added to each network packet so that the receiver is able to
verify that a packet comes from a particular sender, which in turn prevents such
attacks.
Due to the recent appearance of ransomware cryptoworms using exploits of the SMBv1
protocol, it is important to state that the advanced scanning workflows of uniFLOW
only use SMBv2 and SMBv3, which are not affected by these exploits.

Issue
If SMB signing on the host computer is disabled, the SMB server is vulnerable to man-in-
the-middle attacks.

Resolution
Enforce SMB signing in your host's configuration.
▪ For SMB signing at least the following operating systems / platforms are required:
◦ Samba >= V3.0
◦ Windows XP or newer
▪ We highly recommend that you ensure beforehand that your file server in use
supports SMB signing.

Learn more about SMB signing here:


▪ Overview of SMB signing:
http://support.microsoft.com/kb/887429/EN-US
▪ How to set up the SMB policy settings on a Windows Server: "Step 4 - Set up the SMB
policy settings" of the following Microsoft Knowledge Base article explains how to
enable SMB signing:
http://support.microsoft.com/kb/839499/en-us
▪ Possible SMB communication problems:
http://support.microsoft.com/kb/916846/en-us

7.3 File Access


Weak file permissions permit users with interactive logon to view a private key file as
well as view and edit file uploads from the application.
To prevent this, make sure the Windows user group Everyone does not have access to
the folders used by uniFLOW and its components.
Usually, that would be the following folders and their subfolders:
▪ %ProgramFiles%\Common Files\NT-ware Shared
▪ %ProgramFiles%\uniFLOW
And for components like the Scan Processing Server:
▪ %ProgramFiles%\uniFLOW Scan Processing Server

7.4 Microsoft Windows RDP Server


Issue - Microsoft Windows RDP Server Man-in-the-Middle Weakness
It is possible to access remote hosts because the version of Remote Desktop Protocol
Server (Terminal Service) running is vulnerable to Man-in-the-Middle (MITM) attacks.
This flaw exists because the RDP server stores a hard-coded RSA private key in the
mstlsapi.dll library. Any local user with access to this file (on any Windows system) can
retrieve the key.
The RDP client makes no effort to validate the identity of the server when setting up
encryption; therefore, an attacker who can intercept traffic from the RDP server can
establish encryption with the client and server without being detected. A MITM attack of
this nature would allow the attacker to obtain any sensitive information transmitted,
including authentication credentials.

Resolution
▪ Force the use of SSL as a transport layer for this service if supported.
▪ In Server Manager, enable the Allow connections only from computers running
Remote Desktop with Network Level Authentication (NLA).
Configuring authentication and encryption:
http://technet.microsoft.com/en-us/library/cc782610.aspx
To configure authentication and encryption, follow the instructions in the linked
Microsoft Technet article. Change the RDP encryption level in the Terminal Services
Configuration to one of the following so that it uses strong cryptography:
▪ High
▪ FIPS Compliant
Note that with activated NLA (Network Level Authentication), RDP sessions are only
possible from Windows Vista (or higher). Windows XP can handle NLA after an update
of the RDP client to version 6.5 or higher (version 7 recommended). The full feature set
of the new RDP client is available with Windows 7 and Windows Server 2008 R2.
http://support.microsoft.com/kb/969084

7.5 LDAP over SSL


When importing user data from an Active Directory, Open LDAP or Novell eDirectory,
LDAP over SSL can be used on uniFLOW and RPS servers.
Further information regarding setup and configuration can be found in the uniFLOW
User Manual. Please keep in mind that certificates are mandatory.
The connection to the LDAP system is a read-only connection.

7.6 Web Browser


Issue
Most browsers have a facility to remember user credentials that are entered into HTML
forms (auto-complete). This function can be configured by the user and also by
applications which employ user credentials. If the function is enabled, then credentials
entered by the user are stored on their local computer and retrieved by the browser on
future visits to the same application. The stored credentials can be captured by an
attacker who gains access to the computer, either locally or through some remote
compromise. Further, methods have existed whereby a malicious website can retrieve
the stored credentials for other applications, by exploiting browser vulnerabilities or
through application-level cross-domain attacks.

Resolution
Disable the auto-complete feature of your browser.
While the auto-complete feature may be helpful for some things, it can also seriously
compromise your security and privacy, because anyone who uses your computer can see
the websites you visited and the information you entered on web pages. Also, various
malicious software can use auto-complete data to steal your personal information such
as email addresses or passwords. If a hacker were to break into your PC, he or she could
easily retrieve website passwords stored as auto-complete data.
You can disable the auto-complete feature under Tools > Internet Options within
Internet Explorer. Other browsers will have similar settings but under different menu
structures. For Chrome, Safari, Firefox and Opera please refer to their own manuals and
reference material.

7.7 Windows OS Patching and Service Packs


Issue - Missing operating system security patches.
Windows servers are often found to be missing a number of Windows operating system
security updates, leaving them at risk from publicly-disclosed vulnerabilities.
The majority of the vulnerabilities that affect the servers can only be triggered if a user
on the system were to visit a malicious website or access a malicious file. Remote code
execution is not possible without some level of user interaction on the server. As it is
unlikely the servers would be used in this way the probability of exploitation is rather
low.

Resolution

We strongly recommend that you ensure that a Windows patch management policy is
robustly enforced on the production office environment. All missing patches and service
packs (for both the Windows operating system and other Microsoft software, e.g. IIS and
Office) should be applied as soon as possible.
In addition, we strongly recommend that you complement the patch management
process with a tool like the Microsoft Baseline Security Analyzer to check patch levels
regularly and ensure that patches are not accidentally missed.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

7.8 Antivirus
As every virus scanner works differently, NT-ware cannot give detailed information on
specific virus scanner settings or behaviors.
One of the problems with antivirus software is that it locks files while scanning. So if a
new spool file is created by the spooler, the file will be scanned. uniFLOW will try to
access the spool file just after it has been created (through the spooler / ApjPrint print
processor). If the file is locked, this will fail. Note that this is only one of the possible
problems. For that reason and from these experiences, it is an installation requirement
that the actions described in the following subsections are taken.
Otherwise, the uniFLOW server and/or the RPS and the antivirus scanner could access
the same files at the same time. This could lead to several errors caused by locked
files and access collisions.

7.8.1 Antivirus Scanner Settings


Disable the On-Access Scanning
On-access scanning only needs to be disabled for the specified folders listed in chapter
Folder Exclusions (on page 30). These are the working directories of uniFLOW and the
Microsoft Print System.

Run Scheduled Scans


NT-ware highly recommends that these folders still remain part of the overall antivirus
scanning solution. Ensure the excluded folders are scanned nightly or in a period of the
day where there is no or minimal print activity.

Exclusions Controlled by Policy


Often antivirus software is managed by a policy engine which centrally manages settings
and configuration on multiple systems within an organization. Please pay attention to set
exclusions within the system such that the exclusions are not overridden when the
server is restarted or the policy engine pushes out a new update.

7.8.2 Folder Exclusions


uniFLOW
▪ uniFLOW installation folder:
%ProgramFiles(x86)%\uniFLOW
▪ NT-ware Shared folder:
%CommonProgramFiles(x86)%\NT-ware Shared
▪ Windows spool folder:
%SYSTEMROOT%\System32\spool
▪ SQL Server data folder:
User-defined

RPS
▪ RPS installation folder:
%ProgramFiles(x86)%\uniFLOW Remote Print Server
▪ Windows spool folder:
%SYSTEMROOT%\System32\spool

uniFLOW SmartClient
On machines where the uniFLOW SmartClient software is running, prevent the installed
antivirus scanner from scanning the following folders.
▪ uniFLOW SmartClient installation folder
◦ Contents: executables, DLLs, uniFLOW Universal Driver PCL XL driver files etc.
◦ General Path: %ProgramFiles(x86)%\uniFLOW SmartClient
◦ Example: C:\Program Files\uniFLOW SmartClient
▪ uniFLOW SmartClient application data (application-specific)
◦ Contents: DIFs
◦ General Path: %ProgramData%\NT-ware\SmartClient
◦ Example: C:\ProgramData\NT-ware\SmartClient
▪ uniFLOW SmartClient application data (user-specific)
◦ Contents: temporary files, configuration files
◦ General Path: %APPDATA%\NT-Ware\SmartClient
◦ Example: C:\Users\Administrator\AppData\Roaming\NT-Ware\SmartClient
▪ Windows spool folder
◦ Contents: spool files
◦ General Path: %SYSTEMROOT%\System32\spool
◦ Example: \Windows\System32\spool\PRINTERS
We recommend disabling on-access scanning on these folders and enabling a scheduled
scan at some non-critical point in time instead. If you do not do this, the uniFLOW
SmartClient software and the antivirus scanner might access the same files at the same
time. This could lead to several errors.

Scan Processing Server


The required Windows Firewall rules are automatically set and configured during the
installation. This works as of Windows Server 2008.
When uninstalling the software, these rules are automatically removed.

Important
In the registry, many of the working directory paths within uniFLOW can be modified to
different storage locations. If you move a working directory such as the "Data" folder,
you must ensure that this directory has the same antivirus exclusions as the original
location mentioned within this section.

7.8.3 NTLM V1 Considerations


Issue
NTLMv1 is accepted for authentication against protected web applications by a Windows
server with default security settings.
Though the application can make use of NTLMv2, a fallback to accept NTLMv1 is present.
NTLMv1 is considered an insecure authentication protocol and should not be used, as it
can potentially expose Windows domain credentials.
Note that this is not a uniFLOW security leak, but is related to the allowed and used
Windows server authentication methods.

Risk Level
Medium

Resolution
The NTLMv1 authentication possibility should be disabled on the Windows server. This
can be done by changing the Local Security Policy on a Windows Server 2008.
▪ Open the Local Security Policy in Windows Server 2008.
▪ Browse to Local Policies / Security Options.
▪ Open Network security: LAN Manager authentication level
▪ You can disable NTLMv1 by changing the settings to Send NTLMv2 response only.
Refuse LM & NTLM (Level 5).
Note that client, service, and program incompatibilities may occur when you modify
these security settings. In a production environment, we highly recommend testing
these settings beforehand and planning a maintenance slot carefully.
Please refer to the Microsoft Knowledge Base under:
http://support.microsoft.com/kb/823659.
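The following script is an added example (not part of this white paper) that audits, and on request applies, the registry values behind the recommendations of 7.2 (SMB signing), 7.4 (RDP NLA, SSL/TLS layer and encryption level) and 7.8.3 (LAN Manager authentication level). The paths and value names are the standard Windows policy backing values; the expected values are the white paper's.

```powershell
# Added example, not from the white paper: audit (and optionally apply) the registry values
# that back 7.2 (SMB signing), 7.4 (RDP NLA, SSL/TLS layer, High or FIPS encryption) and
# 7.8.3 (LAN Manager authentication level 5). Run in an elevated PowerShell; as the white
# paper says, test in a maintenance window first, because older clients may stop connecting.

# Each entry: registry path, value name, recommended value, and whether Expected is a minimum.
$HardeningChecks = @(
    @{ Section = '7.2';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1; Minimum = $false
       Meaning = 'SMB server: digitally sign communications (always)' }
    @{ Section = '7.2';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1; Minimum = $false
       Meaning = 'SMB client: digitally sign communications (always)' }
    @{ Section = '7.4';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'UserAuthentication'; Expected = 1; Minimum = $false
       Meaning = 'RDP: allow connections only with Network Level Authentication' }
    @{ Section = '7.4';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'SecurityLayer'; Expected = 2; Minimum = $false
       Meaning = 'RDP: SSL/TLS as security layer' }
    @{ Section = '7.4';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
       Name = 'MinEncryptionLevel'; Expected = 3; Minimum = $true
       Meaning = 'RDP: encryption level High (3) or FIPS Compliant (4)' }
    @{ Section = '7.8.3'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5; Minimum = $false
       Meaning = 'Send NTLMv2 response only. Refuse LM & NTLM' }
)

function Test-HardeningCheck {
    # Reads one value; $null means the value is absent and the Windows default applies.
    param([Parameter(Mandatory)][hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [int]$item.($Check.Name) } else { $null }
    $ok = if ($null -eq $actual) { $false } elseif ($Check.Minimum) { $actual -ge $Check.Expected } else { $actual -eq $Check.Expected }
    [pscustomobject]@{
        Section = $Check.Section; Setting = $Check.Name; Actual = $actual
        Expected = $Check.Expected; Compliant = $ok; Meaning = $Check.Meaning
    }
}

function Get-HardeningState {
    # One result object per check, suitable for Format-Table or Export-Csv.
    param([array]$Checks = $HardeningChecks)
    foreach ($c in $Checks) { Test-HardeningCheck -Check $c }
}

function Set-HardeningState {
    # Writes the recommended value for every non-compliant setting (creates the key if needed).
    param([array]$Checks = $HardeningChecks)
    foreach ($c in $Checks) {
        if ((Test-HardeningCheck -Check $c).Compliant) { continue }
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        "Set $($c.Name) = $($c.Expected)  ($($c.Meaning))"
    }
}

Get-HardeningState | Format-Table Section, Setting, Actual, Expected, Compliant -AutoSize
# After testing, apply the recommended values with: Set-HardeningState
```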

7.9 IIS Security


7.9.1 Enabling Certificate Based Encryptions
HTTPS communication has been supported since uniFLOW V5.3. During installation you
have the option to enable HTTPS communication, at which point uniFLOW will create a
self-signed certificate. This certificate is valid for 10 years, after which it will need to be
reissued. The self-generated certificate can be replaced with a valid company certificate
if required; further instructions on this are available in the uniFLOW User Manual.

Certificate Information
▪ uniFLOW >= V5.3 - SHA1 certificate
▪ uniFLOW >= 2018 LTS - SHA256 certificate

7.9.2 IIS Identity of AspNetCoreWorkerPool


The standard identity setting for AspNetCoreWorkerPool poses a security risk because it
runs with LocalSystem user account privileges. Therefore, the identity has to be changed
to the ApplicationPoolIdentity identity. Also, a logs folder with write access for
AspNetCoreWorkerPool has to be created.

Change IIS Identity of AspNetCoreWorkerPool


1. Open the Internet Information Services (IIS) Manager.
2. Open the tree of your server under Connections on the left side.
3. Click on Application Pools.
4. Right-click on AspNetCoreWorkerPool and open Advanced Settings from the context
menu.
5. Find and click on Identity under Generate Process Model Event Log Entry.
6. Click on the three dots in the right column. A new window, Application Pool Identity,
opens.
7. From the drop-down menu under Built-in account, select ApplicationPoolIdentity
and click OK.
8. Close the Advanced Settings window by clicking OK.

Logs Folder
1. Open Windows Explorer.
2. Create a folder named "logs" under the folder C:\Program Files
(x86)\uniFLOW\WebUI\.
3. Right-click on the folder name and select Properties.
4. Select the Security tab.
5. Click the Edit button and then the Add button.
6. Click the Locations button and make sure that you select your computer.
7. Enter IIS AppPool\AspNetCoreWorkerPool in the Enter the object names to select text
box.
8. Click the Check Names button and click OK.
9. Mark the user AspNetCoreWorkerPool and check the Allow box in the permissions
section.
10. Click OK to close the Permissions window.
11. Click OK to close the Properties window.

7.9.3 Securing Cross Site Scripting


Cross-site scripting (XSS) is one of the techniques that can exploit cookies which are set
without the HttpOnly flag.
The following instructions show how to configure IIS to prevent this.
The following procedure works with IIS V7.0 (Windows Server 2008) or higher. It was
tested by NT-ware with IIS V7.5 on Windows 2008 R2.

▪ Download and install the URL Rewrite Module from
http://www.iis.net/learn/extensions/url-rewrite-module/using-the-url-rewrite-module.
▪ In the root WWW directory (usually C:\inetpub\wwwroot), open the file web.config in
a text editor. If it does not exist, create an empty text file with this name and copy the
complete XML code listed below into the file. If the file already exists, copy only the
<rewrite> section from below into the <system.webServer> section as seen below.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <outboundRules>
        <rule name="Add HttpOnly" preCondition="No HttpOnly">
          <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
          <action type="Rewrite" value="{R:0}; HttpOnly" />
          <conditions>
          </conditions>
        </rule>
        <preConditions>
          <preCondition name="No HttpOnly">
            <add input="{RESPONSE_Set_Cookie}" pattern=".*" />
            <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>

To finish the configuration, save the file and restart IIS and the uniFLOW server.

7.9.4 Isolating Application Pools


Issue
All Web Applications make use of the same application pool within uniFLOW. This
vulnerability makes accessing shared resources easy should an individual application
function become compromised.

Resolution
It is advised that each separate web application has its own application pool.

7.9.5 URL Authorization Rules


Configuring URL Authorization Rules in IIS 7
This chapter applies to Windows Server 2008 and Windows Server 2008 R2.
You can grant or deny specific computers, groups of computers, users, groups or
domains access to sites, applications, directories, or files on your uniFLOW server. To
achieve that, you need to install and configure the URL Authorization role feature of IIS
7.
For more information about this IIS security feature, please refer to:
http://technet.microsoft.com/en-us/library/cc772206%28v=ws.10%29.aspx

7.9.6 HTTP Response Headers


To prevent browsers from caching sensitive data, the IIS on the server should be
configured as follows.
1. Open the Internet Information Services (IIS) Manager.
2. Open the Default Web Site.
The following settings are inherited down to each web site in the tree. If you have
other web services running aside from uniFLOW, you should configure these steps for
each site individually, e.g., for pwserver.
3. Double-click on HTTP Response Headers.
4. Click on Add under Actions to add a Custom HTTP Response Header and add the
following values:
Name: Cache-Control
Value: no-cache, no-store, private
Acknowledge with OK.
5. Click on Add again to add another Custom HTTP Response Header and add the
following values:
Name: Pragma
Value: no-cache
Acknowledge with OK.
6. Click on Set Common Headers under Actions.
7. Uncheck Enable HTTP keep-alive.
8. Check Expire Web content and select the setting Immediately. Acknowledge with OK.
9. Restart your web server.
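The following script is an added example (not part of this white paper) that performs the IIS Manager steps of 7.9.2 (AspNetCoreWorkerPool identity and logs folder) and of this section (response headers against browser caching) with the WebAdministration module. Pool name, logs path and header values are taken from the white paper; granting Modify on the logs folder is this example's reading of "write access".

```powershell
# Added example, not from the white paper: scripted equivalent of the IIS Manager steps in
# 7.9.2 (AspNetCoreWorkerPool identity and logs folder) and 7.9.6 (response headers against
# browser caching). Assumes the WebAdministration module (IIS 7.5 or later) in an elevated
# PowerShell. Pool name, logs path and header values come from the white paper.
Import-Module WebAdministration

function Set-UniflowAppPoolIdentity {
    # 7.9.2: run the pool as ApplicationPoolIdentity instead of LocalSystem, then give the
    # virtual account "IIS AppPool\<pool>" inheritable Modify rights on the logs folder.
    param(
        [string]$PoolName = 'AspNetCoreWorkerPool',
        [string]$LogsPath = 'C:\Program Files (x86)\uniFLOW\WebUI\logs'
    )
    $poolPath = "IIS:\AppPools\$PoolName"
    if (-not (Test-Path $poolPath)) { throw "Application pool '$PoolName' not found" }
    Set-ItemProperty -Path $poolPath -Name 'processModel.identityType' -Value 'ApplicationPoolIdentity'
    if (-not (Test-Path $LogsPath)) { New-Item -ItemType Directory -Path $LogsPath | Out-Null }
    # (OI)(CI) makes the grant inherit to files and subfolders; M = Modify.
    icacls $LogsPath /grant "IIS AppPool\${PoolName}:(OI)(CI)M" | Out-Null
    # Return the effective identity type so the change can be verified.
    (Get-ItemProperty -Path $poolPath).processModel.identityType
}

function Set-UniflowNoCacheHeaders {
    # 7.9.6: Cache-Control and Pragma headers, keep-alive off, content expires immediately.
    # Settings on Default Web Site are inherited downwards; call again with the IIS: path of
    # any other site or application (the paper's example is pwserver) configured separately.
    param([string]$SitePath = 'IIS:\Sites\Default Web Site')
    $headersFilter = 'system.webServer/httpProtocol/customHeaders'
    $headers = [ordered]@{ 'Cache-Control' = 'no-cache, no-store, private'; 'Pragma' = 'no-cache' }
    foreach ($name in $headers.Keys) {
        # Remove an existing header of the same name so the value is replaced, not duplicated.
        if (Get-WebConfiguration -PSPath $SitePath -Filter "$headersFilter/add[@name='$name']") {
            Remove-WebConfigurationProperty -PSPath $SitePath -Filter $headersFilter -Name '.' -AtElement @{ name = $name }
        }
        Add-WebConfigurationProperty -PSPath $SitePath -Filter $headersFilter -Name '.' -Value @{ name = $name; value = $headers[$name] }
    }
    # "Enable HTTP keep-alive" unchecked; "Expire Web content: Immediately".
    Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/httpProtocol' -Name 'allowKeepAlive' -Value $false
    Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/staticContent/clientCache' -Name 'cacheControlMode' -Value 'DisableCache'
}

Set-UniflowAppPoolIdentity
Set-UniflowNoCacheHeaders
iisreset   # step 9 of 7.9.6: restart the web server
```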

7.9.7 Disable Default Site


To reduce the exposition of possibly critical information like version or configuration data
about the installed components, the Default Web Site should be configured as follows.
1. Open the IIS Manager.
2. Open Default Web Site.
3. Open Default Document.


4. Right-click on Default.htm and click on Disable in the context menu.
5. Each sub page of Default Web Site, e.g. pwserver, now has to be enabled individually.
To do so, follow the same procedure as above for each sub page, but enable its
Default.htm from the context menu.

7.10 Network Security


When considering network security, you need to address both access security and
transport protocols. This section lists the aspects to consider and secure.

uniFLOW Required Ports


See uniFLOW Firewall Required Ports (on page 40).

Encrypt all MFP to Server Traffic


It is possible to use IPsec (an optional hardware board is required in the MFP) between
the MFP and the uniFLOW server(s) to ensure that interception of this traffic cannot
result in data being compromised.
Implementing IPsec may be too much effort for many customers. As an alternative, you
can layer application-level security to provide similar protection on the network.
uniFLOW V5.3 or higher:
▪ Ability to send print data encrypted to supported Canon devices running uniFLOW
MEAP V4.2 or higher.
▪ uniFLOW MEAP communication can be SSL/TLS encrypted if the encryption is enabled
in uniFLOW's internal web server.
Additionally, the Canon RUI can have SSL enabled for additional security. Please see
Canon Device Security (on page 43).

Logically Separate Your MFPs if Possible


As explained in the hardening guide, you can limit and control what traffic is possible by
only allowing uniFLOW to communicate with your MFPs. This can be done by using
separate VLANs for your MFPs and restricting access to these segments.

Restrict Access to the Physical Network Ports


Where possible, use MAC address filtering or 802.1X authentication to control which
devices may join the network segments the MFPs are on. This can stop unauthorized
devices from collecting data on these segments.

7.11 Windows Local Security Policy


When using the username/password login method in uniFLOW, make sure that on the
Windows server uniFLOW is running on, Local Security Policy > Security Settings > Local
Policies > Security Options > Accounts: Guest account status is set to Disabled. Enabling
this setting may cause unwanted security issues.

7.12 uniFLOW Firewall Required Ports


uniFLOW requires several different ports and protocols to communicate with clients,
printers, the database and other network devices. The white paper TCP Ports of uniFLOW
lists all these communication protocols and ports. The firewall should never be
disabled, except temporarily for fault finding and testing purposes. NT-ware always
recommends that the firewall remains enabled and that only the required ports are opened.
Use that document to configure your firewall(s).
For more information, please refer to the white paper TCP Ports of uniFLOW
(MOMKB-99) in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.

uniFLOW <= V5.3


For all installations prior to uniFLOW V5.4, it is necessary to explicitly define the inbound
and outbound ports for all access to uniFLOW/RPS and the associated components.

uniFLOW >= V5.4


With uniFLOW V5.4 there is no longer any need to explicitly define the inbound and
outbound ports for the components listed below, as the executable of each component
is added to the firewall during installation, allowing inbound and outbound access.
Please see the ports document in MOMKB-99 for further details and for the remaining
ports needed by external components.
▪ uniFLOW/RPS (MomSvc)
▪ Scan Processing Server (MomSpaceSuit)
▪ uniFLOW SmartClient
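An audit of the points above (firewall enabled, inbound blocked by default, program rules present for the uniFLOW components, no catch-all allow rules), as an added example that is not part of the white paper. It assumes Windows Server 2012 or later with the NetSecurity module; the executable name patterns are assumptions derived from the component names listed above, not verified installation paths.

```powershell
# Added example, not from the white paper: audit the Windows Firewall on a uniFLOW/RPS
# server. Assumptions: NetSecurity module (Windows Server 2012+), elevated PowerShell,
# and that the installer's program rules reference executables whose names contain
# MomSvc, MomSpaceSuit or SmartClient (assumed from the component list above).
Import-Module NetSecurity

# 1. The firewall must stay enabled on every profile (domain, private, public).
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    Write-Warning "Firewall is disabled on profile $($_.Name)."
}

# 2. "Only the required ports are opened" is only meaningful if inbound is blocked by default.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } | ForEach-Object {
    Write-Warning "Profile $($_.Name) does not block inbound traffic by default."
}

# 3. List the program rules created for the uniFLOW components (uniFLOW V5.4 and higher).
$ComponentPatterns = @('*MomSvc*', '*MomSpaceSuit*', '*SmartClient*')
$ProgramRules = Get-NetFirewallApplicationFilter |
    Where-Object {
        $Program = $_.Program
        ($ComponentPatterns | ForEach-Object { $Program -like $_ }) -contains $true
    } | Get-NetFirewallRule

if (-not $ProgramRules) {
    Write-Warning 'No program rules for uniFLOW components found. On uniFLOW < V5.4 the ports from MOMKB-99 must be defined explicitly.'
}
$ProgramRules | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize

# 4. Flag enabled inbound allow rules that match any program, protocol and port:
#    such a rule undoes the port whitelisting recommended above.
Get-NetFirewallRule -Enabled True -Action Allow -Direction Inbound | ForEach-Object {
    $Port = $_ | Get-NetFirewallPortFilter
    $App  = $_ | Get-NetFirewallApplicationFilter
    if ($Port.Protocol -eq 'Any' -and $Port.LocalPort -eq 'Any' -and $App.Program -eq 'Any') {
        Write-Warning "Rule '$($_.DisplayName)' allows all inbound traffic."
    }
}
```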

7.13 SSL/TLS Information


7.13.1 SSL/TLS Supported Level
In general, uniFLOW attempts the highest encryption level (TLS 1.2). If this fails, a
lower level of encryption is used (fallback to SSL).
Most components in uniFLOW use encryption level TLS 1.2, with the exception of the
SQL Server Native Client (OLE DB), Email EWS and IRISConnect, which only support TLS
1.0. We therefore do not recommend disabling the automatic fallback (i.e. enforcing
the use of TLS 1.2), as this might lead to problems with uniFLOW.

7.13.2 SSL/TLS Certificate Information


Disable SSL Fallback
If uniFLOW or RPS cannot negotiate at a TLS level, they fall back to SSL. As this can be
seen as a security risk, uniFLOW allows this fallback to be disabled. The ability to
disable the SSL fallback has been introduced in the following uniFLOW versions.
▪ uniFLOW V5.2 SR4 (SMTPS Component).
▪ uniFLOW V5.3 SR2 (uniFLOW Web Engine).
▪ uniFLOW V5.2 SR6 and V5.3 SR4 (uniFLOW Internet Gateway and Web Submissions
Server).

SSL Encryption And Certificate Options (uniFLOW V5.4 SR14)


Since uniFLOW V5.4 SR14, new certificates are created by default with a 2048 bit RSA key
and the SHA256 algorithm.
For compatibility reasons you can revert to a 1024 bit RSA key and the SHA1 algorithm by
setting a new registry key.
▪ Create the key UseOutdatedOptionsForGeneratedKeyCertificatePairs of type DWORD
under HKLM\SOFTWARE\NT-ware\Mom.
▪ Set the value of this key to 1 to change the parameters as follows:
1024 bit RSA key and SHA1 algorithm.
▪ You can revert the setting to default by deleting the key.
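A check for the compatibility switch above and for certificates that still carry the outdated parameters, as an added example that is not part of the white paper. It assumes an elevated PowerShell on the uniFLOW server; the switch only affects certificates generated after it is set, so certificates created in compatibility mode remain weak until they are regenerated.

```powershell
# Added example, not from the white paper: report the state of the registry switch
# described above and list certificates in the machine store that still use a
# 1024 bit RSA key or a SHA1 signature. Assumption: elevated PowerShell on the uniFLOW server.
$RegPath = 'HKLM:\SOFTWARE\NT-ware\Mom'
$RegName = 'UseOutdatedOptionsForGeneratedKeyCertificatePairs'

function Get-OutdatedCertOptionState {
    # Absent value = default (2048 bit RSA, SHA256); 1 = outdated 1024 bit RSA and SHA1.
    $Value = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    if ($null -eq $Value) { return 'default (2048 bit RSA, SHA256)' }
    if ($Value -eq 1)     { return 'OUTDATED: 1024 bit RSA and SHA1 for new certificates' }
    return "value $Value (not 1, treated as default)"
}

function Test-WeakCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Reasons = @()
    # GetRSAPublicKey returns $null for non-RSA certificates.
    $Rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($Rsa -and $Rsa.KeySize -lt 2048) { $Reasons += "RSA key only $($Rsa.KeySize) bit" }
    if ($Cert.SignatureAlgorithm.FriendlyName -like 'sha1*') { $Reasons += 'SHA1 signature' }
    return $Reasons
}

"Registry switch state: $(Get-OutdatedCertOptionState)"

# Scan the machine's personal store; add further stores if uniFLOW certificates are kept elsewhere.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $Weak = Test-WeakCertificate -Cert $_
    if ($Weak) {
        [PSCustomObject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Weakness   = ($Weak -join '; ')
        }
    }
} | Format-Table -AutoSize

# To return to the default parameters, delete the value as described above:
# Remove-ItemProperty -Path $RegPath -Name $RegName
```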

SSL Encryption And Certificate Options (uniFLOW 2018 LTS and higher)
In this section, you can configure the SSL encryption and additional options for new
certificates.
▪ SSL Key Length:
Here you can enter the SSL key length to be used for certificates.
▪ Use SHA256 algorithm for created certificates
◦ Yes:
Use SHA256 for new certificates.
◦ No:
Use SHA1 for new certificates. Not recommended.

Removing Deprecated SSL Protocols


See chapter Removing Deprecated SSL Protocols (SSL 2.0 and SSL 3.0).


8 Canon MFP Security


Canon provides a Security Hardening Guide for MFPs which serves as an initial guide to
configuring the MFP services. Ensure that services you do not intend to use are disabled
and that the remaining services are correctly configured for your environment.
Canon imageRUNNER ADVANCE - Hardening Guide 2016

8.1 Canon Device Security


Canon has placed an increased focus on the topic of security. For this reason, Canon
offers several application software tools for their printing devices, such as:
▪ Canon Encrypted Secure Print Software (on page 43)
▪ Canon Secure Watermark (on page 44)
▪ Canon Data Erase Kit (on page 44)
▪ Canon Security Kit (B2/A2) (on page 44)
▪ Canon HDD Data Encryption Kit (on page 46)
Please refer to the Canon website for more information about the specific applications
or other security-related documents or applications for Canon devices.
In the following, we list known issues and resolutions with the application software listed
above in conjunction with uniFLOW.

8.1.1 Canon Encrypted Secure Print Software


Canon Encrypted Secure Print Software enables you to encrypt print data sent from a
computer using the Secured Print function and decrypt it at the device. This can
strengthen the security of print data by helping to prevent the contents of your printed
documents from being seen by other users, and helping to prevent the unauthorized use
of confidential information.

Issues
The Encrypted Secure Print Software encrypts a print job on the client before it is sent to
the printer. The printer then decrypts the print data stream.
The printer driver will use the user name and password that the user enters to encrypt
the spoolfile. The printer will then decrypt the data after the user has entered his user
name and password again on the device. For this reason, the encrypted spoolfile cannot
be decrypted by uniFLOW. Hence it is not possible for uniFLOW to analyze and account
the spoolfiles for such print jobs. Furthermore, it is not possible to use Rule Based
Routing workflows or any other workflow which requires a spoolfile analysis.

Resolution
The only possible method to account such print jobs with uniFLOW is CPCA accounting
instead of spoolfile accounting.

8.1.2 Canon Secure Watermark


Canon Secure Watermark enables users to embed hidden text in the background of
copies. Examples include: "CONFIDENTIAL," the date and time, or a department name.
The embedded text becomes visible when copies of the document are made on a copier.

Issues
No known issues.

8.1.3 Canon Data Erase Kit


The relevant job data is automatically and completely erased following each print, copy,
and scan job. Document data is also overwritten when an item is manually deleted.
Three automatic methods can be selected:
▪ Overwrite null data one time.
▪ Overwrite random data one time.
▪ Overwrite random data three times.

Issues
No known issues.
The HDD Erase function does not delete job log information from the device, so it has no
impact on uniFLOW.
For detailed information about the Canon Data Erase Kit, please refer to the respective
Canon manuals.

8.1.4 Canon Security Kit (B2/A2)


The Canon Security Kit is optional software for the Canon imageRUNNER series which
adds security enhancements to the multifunction printer (MFP).
The Security Kit is a device control software, providing users with hard disk drive
encryption and hard disk drive erasure functions. The security of the existing
identification and authentication functions is also enhanced by this installation.

Issues
With the Canon Security Kit, you can enable or disable the job history. When this setting
is enabled, "0" will always be returned in response to a request for a job history from a
remote application. In other words, software that manages the machine by reference to
its job history (for example uniFLOW) cannot be used.

Resolution
Enable the job history log on the machine to enable uniFLOW to read out meaningful
entries from the job log.
uniFLOW offers a solution in which user names and print job names are encrypted, so that
users can no longer gather from the print job logs who has printed what and when. To
do so, the Workflow Element Encrypt Job Name in CPCA is required.
Please refer to the uniFLOW User Manual for more information about this Workflow
Element.

Enabling/Disabling display of Job Log


You can disable the display of logs (Job Log) stored by the machine. This affects not only
the local UI but also the remote UI. It is important to keep in mind that log collection (job
account log / fax communication log) otherwise possible with a specific application (for
example uniFLOW) will no longer be available, as there will be no response to a
command for data collection. Data in the form of a jam log, error log, and alarm log,
however, will be available for collection.
If the setting of the additional functions item explained below is disabled, the display of
the copy, send, fax, print and receive logs is disabled.
Whether or not the Job Log will be displayed depends on whether the function is
enabled or disabled in Additional Functions.

Service Mode Item (level 2)


COPIER > Option > USER > LGSW-DSP
▪ 0: disable display in Additional Functions (default)
▪ 1: enable display in Additional Functions
Changing the setting from 0 to 1 enables the display in Additional Functions. Change the
setting value according to the user's request.
Additional Functions > System Settings > System Monitor Screen Restrictions > Job
display

Additional Functions Items


Additional Functions > System Settings > Job Log Display=on/off
on: enable the display of Job Log (default)
off: disable the display of Job Log


Comments
The HDD Erase function does not delete job log information from the device i.e. it has no
impact on uniFLOW. This kit has been superseded by the HDD Data Encryption Kit and
HDD Data Erase Kit which conform to common criteria requirements.

8.1.5 Canon HDD Data Encryption Kit


Canon HDD Data Encryption Kit is also known as:
▪ Canon HDD Data Encryption & Mirroring Kit
▪ Canon imageRUNNER Hard Disk Drive Data Security and Encryption
The encryption board identifies and authenticates the machine; it is only enabled with
the imageRUNNER it was paired with at installation.
A device's HDD temporarily records image data such as scanned images and PDL data at
any time. After a print operation is completed, normally only the management
information is deleted, so the image data itself remains on the HDD.
Therefore, there is a concern that the HDD could be removed by a third party, the data
analyzed by accessing it directly with a disk editor, and the original data recovered. As a
countermeasure, information is always encrypted in the areas where data such as
images and PDL data are temporarily saved. This makes recovering the original image
data from the HDD difficult.
With the existing iR Security Kit, the function is enabled by registering the license key,
and only the user data area is encrypted. With the HDD Encryption Kit, instead of a
license option, the encryption board encrypts all data recorded on the HDD.

Mechanism of data encryption


The encryption board encrypts the data received from the controller board and then
records it on the HDD. It reads and decrypts the encrypted data stored on the HDD and
sends it back to the controller. An encryption board only works when paired with its
HDD; therefore, if there are several HDDs, the same number of encryption boards is
needed.

Issues
This kit should not cause problems with uniFLOW when reading out CPCA logs. When
this is enabled on the device and you encounter any problems, then please check that
the Job Log Conceal function is not enabled.
Successful tests with the following devices have taken place at NT-ware: iRC2380i/
iRC3080/iR3225n/iR5075.

8.2 Importing a Certificate to a Canon Device


The SSL configuration also applies to MEAP connections.

The new certificate must include either the printer's IP address or the fully-qualified
domain name.
Note that the configuration slightly differs between Canon legacy devices and
imageRUNNERs of the Advanced series.
These differences will be outlined in the following description.

Legacy Printers
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Open Add.Func. > System and click on Edit.
▪ If Use SSL is checked under Remote UI Settings uncheck it, click on OK and restart the
device. Otherwise, continue with the next step.
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Open Add.Func. > Custom Settings > Network Settings > Key and Certificate Settings.
▪ If any other key than the Default Key was used before, check the radio button in front
of Default Key and click on Default Key Settings to set it as the standard SSL key.
Restart the device.
▪ Open Add.Func. > Custom Settings > Network Settings > Key and Certificate Settings
> Generate Key > SSL.
▪ In the field Shared Name, enter the device IP address or the fully-qualified domain
name, fill out the Certificate Settings and click on OK to create the new certificate.
▪ Open Add.Func. > Custom Settings > Network Settings > Key and Certificate Settings.
▪ Select the new key and click on Default Key Settings. Now this key is marked as the
active SSL key.


Advanced Series
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Open Settings/Registration : Management Settings : License/Other > MEAP
Settings.
▪ If Use SSL is checked, uncheck it, click on OK and restart the device. Otherwise,
continue with the next step.
▪ Open the printer's RUI in a browser and log in with system manager credentials when
asked.
▪ Log in and open Settings/Registration : Preferences : Network Settings > SSL Settings
> Key and Certificate Settings.
▪ If any other key than the Default Key was used before, check the radio button in front
of Default Key and click on Default Key Settings to set it as the standard SSL key.
Restart the device.
▪ Log in again. In Settings/Registration : Management Settings : Device Management
> Key and Certificate Settings click on Generate Key, then open Network
Communication.
▪ In the field Common Name enter the device's IP address or the fully-qualified domain
name, fill out the Certificate Settings and click on OK to create the new certificate.
▪ Open Settings/Registration : Preferences : Network Settings > SSL Settings > Key and
Certificate Settings.
▪ Select the new key and click on Default Key Settings. Now [SSL] marks this key as the
active SSL key.


Activating SSL on the Printer


▪ On a printer of the Advanced series open Settings/Registration : Management
Settings : License/Other > MEAP Settings and check Use SSL.
▪ On a legacy printer open Add.Func. > System and click on Edit. Under Remote UI
Settings activate Use SSL.

This will change the connection settings for both MEAP connections and connections to
the standard RUI.
From now on the RUI is only accessible via SSL connections, i.e. with the prefix
"HTTPS://".

▪ Click on OK and restart the device. Now SSL is active on the printer.
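A check that the device now presents the intended certificate over SSL and that it names the device's IP address or FQDN as required above, as an added example that is not part of the white paper. It assumes Windows PowerShell on a host that can reach the device; $Device is a placeholder.

```powershell
# Added example, not from the white paper: connect to the device's RUI over SSL and
# confirm the presented certificate carries the device IP address or FQDN.
# Assumptions: Windows PowerShell, network access to the device on port 443.
$Device = 'printer.example.local'   # placeholder: device IP address or FQDN
$Port   = 443

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port)
    $Client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here because a self-signed device certificate would
        # otherwise abort the handshake; the connection is used only to read the certificate.
        $AcceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($Sender, $Certificate, $Chain, $Errors) $true
        }
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $AcceptAll)
        $Ssl.AuthenticateAsClient($HostName)
        $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
        $Ssl.Dispose()
        return $Cert
    } finally {
        $Client.Close()
    }
}

function Get-CertificateNames {
    # Returns the Common Name plus every Subject Alternative Name (DNS names and IP addresses).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $Names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $Names += $Matches[1].Trim() }
    $San = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($San) {
        # Single-line format, e.g. "DNS Name=printer.example.local, IP Address=192.0.2.10"
        $San.Format($false) -split ',\s*' | ForEach-Object {
            $Names += ($_ -split '=', 2)[1].Trim()
        }
    }
    return $Names
}

$Cert  = Get-RemoteCertificate -HostName $Device -Port $Port
$Names = Get-CertificateNames -Cert $Cert

[PSCustomObject]@{
    Subject     = $Cert.Subject
    Names       = ($Names -join ', ')
    NotBefore   = $Cert.NotBefore
    NotAfter    = $Cert.NotAfter
    Signature   = $Cert.SignatureAlgorithm.FriendlyName
    MatchesHost = ($Names -contains $Device)
}

if ($Names -notcontains $Device) {
    Write-Warning "Certificate does not name '$Device'; MEAP and RUI clients will report a name mismatch."
}
```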


9 NT-ware Hardware Security


There are several hardware components which make up a uniFLOW solution. Within this
chapter, the NT-ware built hardware components and descriptions of the security points
to consider when installing these to a network are listed.

9.1 microMIND
The microMIND uses UDP and HTTP communication techniques.
Additionally, a Telnet session can be started on port 23215.
Since FW version 2.0.9 the user can change the telnet password.
The UDP port in use for the communication to the server is 53120. The data part of the
UDP communication is encrypted.
The HTTP access can be locked to one defined IPv4 address. If this is done only the
device with this IP can access the HTTP site of the microMIND. Additionally, the server
communication via UDP can be restricted to one server by specifying the server IP.

9.2 uniFLOW Release Station


The uniFLOW Release Station uses the EAI Protocol to communicate with the server.
The uniFLOW Release Station supports HTTPS. You can lock the HTTPS access to one
defined IPv4 address. If you do this, only the device with this IP can access the HTTPS site
of the uniFLOW Release Station. The port to access the HTML site of the uniFLOW
Release Station is 8442.
The communication between a uniFLOW server or RPS and a uniFLOW Release Station
takes place over HTTPS, while the actual payload is additionally encrypted using a
mechanism based on RSA and 3DES.

9.3 NT-ware MoneyLoader


The NT-ware MoneyLoader uses the same communication mechanisms to the server as
the microMIND, but the UDP communication is not encrypted.
The Telnet port is the standard port 23.
Access to the HTTP site can be restricted with a password.
An IP address can be entered so that the device communicates only with one server.


10 Submitting Security Information and Questions
Often security concerns are raised in the field directly to Canon via customer
engagements. This document serves to answer these questions from the field. However,
as new threats and concerns are raised, it is important to feed them back to NT-ware to
help us ensure uniFLOW remains secure and robust in today's networks.
For all security-related issues, please raise a PS ticket (formerly named MOMPS ticket) in
the NT-ware ITS. The issue type should be set to Security. It is important that you
provide as much information on the topic as possible:
▪ A detailed description of the security threat or concern.
▪ Any reference material on the matter.
▪ Details of the customer's suggested countermeasure or request.
Often such field requests come about after the customer performs a security scan on
their network. Such scans list all possible threats, and it is important to ask the following
questions.
1. Have these threats been checked against this document?
2. Are we sure the security threat is actually related to an NT-ware component and not
to the customer's infrastructure?
3. Can any of the threats be ruled out because they are unlikely or not exploitable in the
network?
4. For the remaining threats, do we know their severity and impact, so that the
appropriate priority can be set when creating a MOMPS security ticket within the ITS?
With this information, an appropriate PS ticket can be created, and NT-ware will work
with you to address the customer's security requirements.


11 New Security Threats


As soon as new security threats are found or reported to NT-ware, they are registered in
the ITS and tracked both in the ITS and on the NT-ware public website. The ITS
knowledgebase article below should be watched for security announcements and updates.

NT-ware ITS Knowledgebase

For more information, please refer to MOMKB-580 in the NT-ware Customer Portal.
Note that registration is required to access the NT-ware Customer Portal. Access to the
NT-ware Customer Portal is limited to trained Canon personnel only. If you need the
above document and do not have access to the NT-ware Customer Portal, please
contact your Canon partner.

Public Website

http://nt-ware.com/home/products/uniflow/security-advisory.html


12 Definitions, Abbreviations and Acronyms

DES: The Data Encryption Standard (DES) is a block cipher that uses shared secret
encryption.

DRQM: The "Distributed Release Queue Management" (DRQM) functionality takes the My
Print Anywhere functionality of uniFLOW one step further. It allows print jobs to follow
users worldwide. Jobs are released anywhere the users identify themselves.

HTTPS: HTTPS is a secure communication channel that is used to exchange encrypted
information between a client computer and a server. It uses SSL/TLS, i.e. Secure Sockets
Layer (SSL) or Transport Layer Security (TLS). With HTTPS (Hypertext Transfer Protocol
Secure) the connection between a web browser and a web server is encrypted, mostly
with 40, 128 or 256-bit keys, depending on the encryption key strength. Using an https:
URL indicates that HTTP is to be used, but with a different default TCP port (443 / 8443)
and an additional encryption/authentication layer (Secure Sockets Layer (SSL)) between
HTTP and TCP. It is not a separate protocol but refers to the combination of a normal
HTTP interaction over a secure layer.

IG: The Internet Gateway module is used to submit jobs from the internet via a web
browser to the uniFLOW system. Generally, this is implemented in a print room job
submission environment.

LDAP: LDAP (Lightweight Directory Access Protocol) is a protocol for accessing on-line
directory services. A directory service organizes computerized content and runs on a
directory server computer. Via LDAP it is possible to read out all information about, for
example, users and computers of a directory server, such as the users of a Windows
Server 2003 Active Directory, Mac OS X Server Open Directory or Novell eDirectory. LDAP
defines a relatively simple protocol for updating and searching directories running over
TCP/IP.

LDAPS: Also called Secure LDAP or LDAP over TLS. Allows a secure connection to an LDAP
server over TLS (Transport Layer Security).

RPS: uniFLOW Remote Print Server: this component can be installed on additional print
servers and communicates back to a central uniFLOW server. The RPS does not have a
user interface and is administered through the primary uniFLOW system.

RSA: RSA (which stands for Rivest, Shamir and Adleman, who first publicly described it)
is an algorithm for public-key cryptography.

SMTP: Simple Mail Transfer Protocol is an Internet standard for email transmission
across Internet Protocol (IP) networks.

WAMP: WAMP is an acronym that stands for (Microsoft®) Windows, Apache, MySQL and
PHP (or Perl or Python). This software stack contains all the key elements for setting up
a fully functional web server: Windows for the operating system, Apache for the web
server, MySQL for the database and PHP as the scripting language. If Linux or Mac OS are
used as the operating system, the acronym changes accordingly (LAMP, MAMP).
There are numerous preconfigured WAMP packages available for download, such as
WampServer, which feature their own GUIs for ease of installation and configuration.
For more information on which WAMP packages are recommended for components of
uniFLOW like Web Submission or Internet Gateway, please refer to the NT-ware
Resources - Web Server website.

Attack Surface: The exposed part or component of a product which makes it susceptible
to malicious attacks by hackers or viruses.

SQLite: This is the local database server running on an RPS to store system
configuration, user, group and printer configuration information.

AV: Industry acronym for antivirus applications.
