Canon imageRUNNER ADVANCE Hardening Guide 2016

Upload: nguyendang

Post on 02-Jan-2017


Introduction

Modern Canon Multifunction Devices (MFDs) provide print, copy, scan, send and fax functionality. MFDs are computer servers in their own right, providing a number of networked services along with significant hard drive storage.

When an organisation introduces these devices into their infrastructure, there are a number of areas that should be addressed as part of the wider security strategy, which should look to protect the confidentiality, integrity and availability of your networked systems.

Clearly, deployments will differ and organisations will have their own specific security requirements. While we work together to ensure that Canon devices are shipped with appropriate initial security settings, we aim to further support this by providing a number of configuration settings to enable you to more closely align the device to the requirements of your specific situation.

This document is designed to provide sufficient information to enable you to discuss with Canon or Canon partner the most appropriate settings for your environment. Once decided, the final configuration can be applied to your device or fleet. Please feel free to contact Canon or a Canon partner for further information and support.

Who is this document meant for?

This document is aimed at anybody who is concerned with the design, implementation and securing of office multifunction devices (MFDs) within a network infrastructure. This might include IT and network specialists, IT security professionals, and service personnel.

Scope and coverage

The guide explains and advises on the configuration settings for two typical network environments, so that organisations can securely implement an MFD solution based on best practice. These settings have been tested and validated by Canon’s ICT Security team.

We make no assumptions about specific industry sector regulatory requirements that may impose other security considerations and are out of scope of this document.

This guide was created based upon the typical feature set of the imageRUNNER ADVANCE C5255i, and while the information here applies to all models and series within the imageRUNNER ADVANCE range, some features may differ between models.

Implementing appropriate MFD security for your environment

To explore the security implications of implementing a multifunction device as part of your network, we have considered two typical scenarios:

• A typical small office environment

• An enterprise office environment

Small office environment

Typically, this will be a small business environment with an un-segmented network topology. It uses one or two MFDs for its internal use and these devices are not accessible on the Internet.

While mobile printing is available, additional solution components will be required. For those users requiring printer services outside of a LAN environment, a secure connection is required, but this will not be covered in this guide. However, attention should be paid to the security of the data in transit between the remote device and the print infrastructure.

Figure 1 Small Office Network (diagram: PSTN, Internet, firewall, file server, wireless access point, multifunctional device, client PC, fax; mobile devices for an internal user and an external user)


Configuration Considerations

Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below, it is regarded as being sufficient in the default settings for this business and network environment.

Service Mode
Description: Allows access to Service Mode settings
Consideration: Password protect with a non-default, non-trivial and maximum length password

Service Management Mode
Description: Allows access to various non-standard device settings
Consideration: Password protect with a non-default, non-trivial and maximum length password

SMB Browse/Send
Description: Store and retrieve to and from Windows/SMB network shares
Consideration: System administrators should, by policy, disallow any users from creating local accounts on their client machine for use in sharing documents with the imageRUNNER ADVANCE over SMB

Remote UI
Description: Web-based configuration tool
Consideration: The imageRUNNER ADVANCE administrator should enable HTTPS for the Remote UI and disable HTTP access. Enable the use of PIN authentication unique to each device

SNMP
Description: Network monitoring integration
Consideration: Disable version 1 and enable version 3 only

Send to e-mail and/or I-Fax
Description: Send emails from the device with attachments
Consideration: Enable SSL. Do not use POP3 authentication before SMTP send. Use SMTP authentication

POP3
Description: Automatically fetch and print documents from a mailbox
Consideration: Enable SSL. Enable POP3 authentication

Address book / LDAP
Description: Use a directory service to look up phone numbers or email addresses to send scans to
Consideration: Enable SSL. Do not use domain credentials to authenticate against the LDAP server; use LDAP-specific credentials

FTP Print
Description: Upload and download documents to and from the embedded FTP server
Consideration: Turn on FTP authentication. Be aware that FTP traffic will always travel in clear text over the network

WebDAV Send
Description: Scan and store documents in a remote location
Consideration: Enable authentication for WebDAV shares

Encrypted PDF
Description: Encrypt documents
Consideration: By policy, sensitive documents should only be encrypted using PDF version 1.6 (AES-128)

Secure Print
Description: The print job is sent to the device but locked in the print queue until the corresponding PIN number is entered
Consideration: Enable PIN-protected print jobs

Embedded web browser
Description: Browser access to the Internet
Consideration: Enforce, through administration, the use of a content-filtering web proxy to avoid malicious or viral content being accessed. Disable the creation of favourites

Wireless LAN
Description: Provides wireless access
Consideration: Use WPA-PSK/WPA2-PSK with strong passwords

Table 1 Small Office Environment Configuration Considerations

Enterprise office environment

This is typically a multi-site, multi-office environment with a segmented network architecture. It has multiple MFDs deployed on a separate VLAN, accessible for internal use via print server(s). These MFDs are not accessible from the Internet.

This environment will usually have a permanent team to support its networking and back-office requirements along with general computer issues, but it is assumed they will not have specific MFD training.

Figure 2 Enterprise Office Network (diagram: PSTN, Internet, firewall, file server, wireless access point, client PC, fax and mobile devices for an internal user and an external user on the general network infrastructure; two multifunctional devices on a dedicated print VLAN)

Configuration considerations

Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below, it is regarded as being sufficient in the default settings for this business and network environment.

Service Mode
Description: Allows access to Service Mode settings
Consideration: Password protect with a non-default, non-trivial and maximum length password

Service Management Mode
Description: Allows access to various non-standard device settings
Consideration: Password protect with a non-default, non-trivial and maximum length password

SMB Browse/Send
Description: Store and retrieve to and from Windows/SMB network shares
Consideration: System administrators should, by policy, disallow any users from creating local accounts on their machine for use in sharing documents with the imageRUNNER ADVANCE over SMB

Remote UI
Description: Web-based configuration tool
Consideration: Following initial device configuration, disable the Remote UI completely by disabling HTTP and HTTPS

SNMP
Description: Network monitoring integration
Consideration: Disable version 1 and enable version 3 only

Send to e-mail and/or I-Fax
Description: Send emails from the device with attachments
Consideration: Enable SSL. Enable certificate verification at the SMTP server or, if that is not viable, only use this feature in an environment where a Network Intrusion Detection System collector is present. Do not use POP3 authentication before SMTP send. Use SMTP authentication

POP3
Description: Automatically fetch and print documents from a mailbox
Consideration: Enable SSL. Enable certificate verification at the POP3 server or, if that is not viable, only use this feature in an environment where a Network Intrusion Detection System collector is present. Enable POP3 authentication

Address book / LDAP
Description: Use a directory service to look up phone numbers or email addresses to send scans to
Consideration: Enable SSL. Enable certificate verification at the LDAP server or, if that is not viable, only use this feature in an environment where a Network Intrusion Detection System collector is present. Do not use domain credentials to authenticate against the LDAP server; use LDAP-specific credentials

IPP
Description: Connect and send print jobs over the network
Consideration: Disable IPP

WebDAV Send
Description: Scan and store documents in a remote location
Consideration: Enable authentication for the WebDAV shares. Enable SSL. Enforce that the printer only allows files ending with the “file printing extensions” to be uploaded

IEEE 802.1X
Description: Network access authentication mechanism
Consideration: EAPOL v1 supported

Encrypted PDF
Description: Encrypt documents
Consideration: By policy, sensitive documents should only be encrypted using PDF version 1.6 (AES-128)

Encrypted Secure Print
Description: Enhances the protection of Secure Print by encrypting the file and the password during transmission
Consideration: Configure the username in the Printer tab of the client printer configuration to a different username than the LDAP/domain credentials of that user. Ensure “Restrict printer jobs” is turned off

Wireless LAN
Description: Provides wireless access
Consideration: Use WPA-PSK/WPA2-PSK with strong passwords

Table 2 Enterprise Office Environment Configuration Considerations
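Tables 1 and 2 read naturally as an audit checklist, and the appendix of this guide supplies the factory defaults a checklist should catch (FTP Print user guest with password 7654321, SNMP community names public and public2). The following Python script is an added example, not Canon's code and not from the guide: it checks a device settings export against those rows for either profile. The guide defines no export format, so a flat setting-name to value dictionary is assumed; the keys follow the appendix setting names where the appendix lists them, while "Remote UI HTTP" and "Remote UI HTTPS" are constructed labels for the access the Remote UI rows discuss.

```python
"""Check an imageRUNNER ADVANCE settings export against Tables 1 and 2.

Added example, not Canon's code. The guide defines no export format, so a
flat setting-name -> value dictionary is assumed. Key names follow the
appendix where it lists them; "Remote UI HTTP" / "Remote UI HTTPS" are
constructed labels for the access the Remote UI rows discuss.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Settings = Dict[str, str]

# Factory defaults quoted from the appendix (FTP Print Settings, SNMP Settings).
FACTORY_FTP_CREDENTIALS = ("guest", "7654321")
FACTORY_SNMP_COMMUNITIES = {"public", "public2"}

PROFILES = ("small", "enterprise")   # Table 1 and Table 2 respectively


def _on(s: Settings, name: str) -> bool:
    return s.get(name, "").strip().lower() == "on"


def _off(s: Settings, name: str) -> bool:
    return s.get(name, "").strip().lower() == "off"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    profiles: Tuple[str, ...]
    compliant: Callable[[Settings], bool]   # True when the row's consideration is met
    finding: str


RULES: List[Rule] = [
    Rule("SNMP-1", PROFILES, lambda s: _off(s, "Use SNMPv1"),
         "SNMPv1 is enabled; both tables require version 1 disabled"),
    Rule("SNMP-2", PROFILES, lambda s: _on(s, "Use SNMPv3"),
         "SNMPv3 is disabled; both tables require version 3 only"),
    Rule("SNMP-3", PROFILES,
         lambda s: _off(s, "Use SNMPv1")
         or s.get("Community Name") not in FACTORY_SNMP_COMMUNITIES,
         "SNMPv1 community name is still a factory default"),
    Rule("RUI-1", ("small",), lambda s: _off(s, "Remote UI HTTP"),
         "Remote UI answers plain HTTP; Table 1 allows HTTPS only"),
    Rule("RUI-2", ("small",), lambda s: _on(s, "Remote UI HTTPS"),
         "Remote UI HTTPS is not enabled"),
    Rule("RUI-3", ("enterprise",),
         lambda s: _off(s, "Remote UI HTTP") and _off(s, "Remote UI HTTPS"),
         "Remote UI still reachable; Table 2 disables HTTP and HTTPS after setup"),
    Rule("IPP-1", ("enterprise",), lambda s: _off(s, "IPP Print Settings"),
         "IPP is enabled; Table 2 requires IPP disabled"),
    Rule("FTP-1", PROFILES,
         lambda s: _off(s, "Use FTP Print")
         or (s.get("User"), s.get("Password")) != FACTORY_FTP_CREDENTIALS,
         "FTP Print is enabled with the factory-default login"),
    Rule("MAIL-1", PROFILES, lambda s: _off(s, "POP Authentication before Sending"),
         "POP authentication before SMTP send is in use"),
    Rule("MAIL-2", PROFILES, lambda s: _on(s, "SMTP Authentication (SMTP AUTH)"),
         "SMTP authentication is disabled"),
    Rule("MAIL-3", PROFILES, lambda s: _off(s, "POP") or _on(s, "Allow SSL(POP)"),
         "POP3 fetch is enabled without SSL"),
]


def audit(settings: Settings, profile: str) -> List[str]:
    """Return the ids of the rules the export fails, in table order."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile {profile!r}; expected one of {PROFILES}")
    return [r.rule_id for r in RULES
            if profile in r.profiles and not r.compliant(settings)]


def report(settings: Settings, profile: str) -> str:
    """Human-readable findings for one profile."""
    failed = set(audit(settings, profile))
    lines = [f"{r.rule_id}: {r.finding}" for r in RULES if r.rule_id in failed]
    return "\n".join(lines) or f"no findings for the {profile} profile"


# Constructed export: factory defaults from the appendix with the Remote UI left on.
SAMPLE_EXPORT: Settings = {
    "Use SNMPv1": "On", "Use SNMPv3": "Off", "Community Name": "public",
    "Remote UI HTTP": "On", "Remote UI HTTPS": "Off",
    "IPP Print Settings": "On",
    "Use FTP Print": "On", "User": "guest", "Password": "7654321",
    "POP": "On", "Allow SSL(POP)": "Off",
    "POP Authentication before Sending": "Off",
    "SMTP Authentication (SMTP AUTH)": "Off",
}

# The same device after applying the Table 1 (small office) recommendations.
HARDENED_EXPORT: Settings = {
    **SAMPLE_EXPORT,
    "Use SNMPv1": "Off", "Use SNMPv3": "On",
    "Remote UI HTTP": "Off", "Remote UI HTTPS": "On",
    "IPP Print Settings": "Off", "Use FTP Print": "Off",
    "Allow SSL(POP)": "On", "SMTP Authentication (SMTP AUTH)": "On",
}

if __name__ == "__main__":
    for profile in PROFILES:
        print(f"--- factory-default device, {profile} profile ---")
        print(report(SAMPLE_EXPORT, profile))
        print(f"--- hardened device, {profile} profile ---")
        print(report(HARDENED_EXPORT, profile))
```

Running the script shows the difference between the two profiles on the same device: the hardened export is clean for the small office profile but still fails RUI-3 for the enterprise profile, because Table 2 expects the Remote UI to be switched off entirely rather than served over HTTPS.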

Remote Device Support

For Canon or a Canon Partner to be able to provide efficient service, the imageRUNNER ADVANCE is capable of transmitting service related data, as well as receiving firmware updates or software applications. It should be noted that no image or image metadata is sent.

Shown below are two possible implementations of Canon’s remote services within a company network.

Implementation scenario 1: Dispersed connection

In this setting, each MFD allows direct connection to the remote service through the Internet.

Figure 3 Dispersed connection (diagram: PSTN, Internet, Canon Universal Gateway and Canon Remote Services, firewall, file server, wireless access point, client PC, fax; multifunctional device with embedded e-Maintenance, Content Delivery System and Remote Support Operator’s Kit; mobile devices for an internal user and an external user)

Implementation scenario 2: Centralised managed connection

In an enterprise environment scenario, where multiple MFDs are installed, there is a need to be able to efficiently manage these devices from one central point, and this includes the connection to Canon’s remote services. To facilitate the holistic management approach, individual devices would establish management connections through a single iW Management Console (iWMC) connection point. For communication between the Device Firmware Upgrade (DFU) plug-in and Multi-Functional Devices, UDP port 47545 is used.

Figure 4 Centralised managed connection (diagram: PSTN, Internet, Canon Universal Gateway and Canon Remote Services, firewall, print server, wireless access point, client PC, fax and mobile devices for an internal user and an external user on the general network infrastructure; iW Management Console with supporting plug-ins; two multifunctional devices with embedded Remote Support Operator’s Kit on a dedicated print VLAN)

e-Maintenance

The e-Maintenance system provides an automated way of collecting device usage counters for billing purposes, consumables management and remote device monitoring through status and error alerts.

The e-Maintenance system consists of an Internet-facing server (UGW) and either embedded Multi-Functional Device software (eRDS) and/or additional server-based software (RDS plug-in) to collect device service related information. The eRDS is a monitoring program which runs inside the imageRUNNER ADVANCE. If the monitoring option is enabled in the device settings, the eRDS obtains its own device information and sends it to the UGW. The RDS plug-in is a monitoring program which is installed on a general PC and can monitor 1 to 3000 devices. It obtains the information from each device via the network and sends it to the UGW.

The table shown on the next page gives an overview of the data transferred, the protocols (which depend upon the options selected during design and implementation) and the ports used. At no point is any copy, print, scan or fax image data transferred.


Communication between e-Maintenance (eRDS or RDS plug-in) and UGW
Data handled: UGW web service address; proxy server address/port number; proxy account/password; UGW mail destination address; SMTP server address; POP server address; device status, counter and model information; serial number; remaining toner/ink information; firmware information; repair request information; logging information (service call, service alarm, jam, environment, condition log)
Protocol/port: HTTP TCP/80; HTTPS TCP/443; SMTP TCP/25; POP3 TCP/110

Communication between e-Maintenance and device (RDS plug-in only, as eRDS is embedded software)
Protocol/port: SNMP UDP/161; Canon proprietary TCP/47546, UDP/47545, TCP/9007; SLP UDP/427; SLP UDP/11427; HTTPS TCP/443

Table 3 E-Maintenance Data Overview

Communication between the MFD and UGW
Data sent: device serial number; firmware version; language; country; information relating to the device EULA
Protocol/port: HTTP TCP/80; HTTPS TCP/443

Communication between the UGW and MFD
Data sent: test file (binary random data) for communication testing; firmware or MEAP application binary data
Protocol/port: HTTP TCP/80; HTTPS TCP/443

Table 4 Content Delivery System Data Overview

Content Delivery System

The Content Delivery System (CDS) establishes a connection between the MFD and Canon Universal Gateway (UGW). It provides device firmware and application updates.

A specific CDS access URL is pre-set in the device configuration. If there is a requirement to provide centralised device firmware and application management from within the infrastructure, a local installation of iWMC with the Device Firmware Upgrade (DFU) plug-in and Device Application Management plug-in will be required.

Remote Support Operator’s Kit

The Remote Support Operator’s Kit (RSOK) provides remote access to the device control panel. This server-client system consists of a VNC server running on the MFP and the Remote Operation Viewer VNC client application for Microsoft Windows.

VNC password authentication
Data sent: user password
Protocol: DES encryption
Port: 5900

Operation Viewer
Data sent: device control panel (screen data, hardware key operation)
Protocol: version 3.3 RFB protocol
Port: 5900

Table 5 Remote Support Operator’s Kit Data Overview

Figure 5 Remote Support Operator’s Kit (RSOK) Setup (diagram: MFD with RSOK enabled (VNC server) and its operating panel; PC with the RSOK Viewer VNC client, operated by a user, accessing the MFD operating panel over the general network infrastructure)
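Tables 3 to 5, together with the UDP port 47545 named for the DFU plug-in in scenario 2, list every management and support flow the remote services need, which makes them usable as an allowlist: any other traffic to or from the print VLAN is worth a second look. The following Python script is an added example, not part of the guide and not Canon's tooling. It classifies constructed flow records (timestamp, source, destination, protocol, destination port) against the published ports. The host roles and addresses are assumptions for the sample network; the MFD's outbound flows are matched by port only, because the SMTP and POP servers are site-specific and the guide gives no addresses for them.

```python
"""Flag print-VLAN flows that fall outside the ports documented in Tables 3 to 5.

Added example, not part of the guide. The flow-record format (timestamp src
dst proto dport) and the host roles below are constructed; the port sets are
the ones the guide publishes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set, Tuple

PortSet = Set[Tuple[str, int]]

# Tables 3 and 4: MFD (eRDS) to UGW, SMTP and POP3 servers.
MFD_EGRESS: PortSet = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110)}
# Table 3: RDS plug-in to MFD (SNMP, Canon proprietary, SLP, HTTPS).
RDS_TO_MFD: PortSet = {("udp", 161), ("tcp", 47546), ("udp", 47545), ("tcp", 9007),
                       ("udp", 427), ("udp", 11427), ("tcp", 443)}
# Scenario 2: iWMC Device Firmware Upgrade plug-in to MFD.
DFU_TO_MFD: PortSet = {("udp", 47545)}
# Table 5: RSOK viewer to the MFD's VNC server.
RSOK_TO_MFD: PortSet = {("tcp", 5900)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Roles:
    """Host roles for one site; all addresses are constructed sample values."""
    print_vlan: str            # network holding the MFDs
    rds_hosts: Set[str]        # RDS plug-in collectors
    iwmc_hosts: Set[str]       # iW Management Console
    rsok_hosts: Set[str]       # RSOK viewer workstations
    print_servers: Set[str]    # print path, outside the scope of Tables 3 to 5


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse 'timestamp src dst proto dport' records; blanks and # comments are skipped."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, src, dst, proto.lower(), int(dport)))
    return flows


def classify(flow: Flow, roles: Roles) -> str:
    vlan = ip_network(roles.print_vlan)
    src_is_mfd = ip_address(flow.src) in vlan
    dst_is_mfd = ip_address(flow.dst) in vlan
    key = (flow.proto, flow.dport)
    # Outbound from an MFD: matched by port only (mail servers are site-specific).
    if src_is_mfd and not dst_is_mfd and key in MFD_EGRESS:
        return "documented: MFD to UGW/SMTP/POP3 (Tables 3 and 4)"
    if dst_is_mfd:
        if flow.src in roles.rds_hosts and key in RDS_TO_MFD:
            return "documented: RDS plug-in to MFD (Table 3)"
        if flow.src in roles.iwmc_hosts and key in DFU_TO_MFD:
            return "documented: iWMC DFU plug-in to MFD (scenario 2)"
        if flow.src in roles.rsok_hosts and key in RSOK_TO_MFD:
            return "documented: RSOK viewer to MFD (Table 5)"
        if flow.src in roles.print_servers:
            return "print path: outside the scope of Tables 3 to 5"
    if src_is_mfd or dst_is_mfd:
        return "undocumented"
    return "not an MFD flow"


def undocumented_flows(flows: Iterable[Flow], roles: Roles) -> List[Flow]:
    return [f for f in flows if classify(f, roles) == "undocumented"]


# Constructed sample: 10.20.30.0/24 is the print VLAN, 203.0.113.10 stands in for the UGW.
SAMPLE_FLOWS = """
2016-06-01T09:00:01 10.20.30.11 203.0.113.10 tcp 443   # MFD to UGW over HTTPS
2016-06-01T09:00:05 10.20.30.11 10.10.0.25 tcp 25      # MFD to SMTP server
2016-06-01T09:01:12 10.10.0.50 10.20.30.11 udp 161     # RDS plug-in polls the MFD
2016-06-01T09:01:40 10.10.0.51 10.20.30.11 udp 47545   # iWMC DFU plug-in
2016-06-01T09:02:00 10.10.0.60 10.20.30.11 tcp 5900    # RSOK viewer workstation
2016-06-01T09:02:30 10.10.0.40 10.20.30.11 tcp 515     # print server spooling
2016-06-01T09:03:30 10.10.0.77 10.20.30.11 tcp 5900    # client PC reaching the VNC server
2016-06-01T09:04:00 10.20.30.11 203.0.113.10 tcp 21    # MFD opening FTP outbound
2016-06-01T09:05:00 10.10.0.77 10.20.30.11 tcp 443     # client PC reaching the Remote UI
""".splitlines()

SAMPLE_ROLES = Roles(
    print_vlan="10.20.30.0/24",
    rds_hosts={"10.10.0.50"},
    iwmc_hosts={"10.10.0.51"},
    rsok_hosts={"10.10.0.60"},
    print_servers={"10.10.0.40"},
)

if __name__ == "__main__":
    for flow in parse_flows(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: "
              f"{classify(flow, SAMPLE_ROLES)}")
```

On the sample, three records are reported as undocumented: a workstation that is not the RSOK viewer reaching the VNC port, the MFD opening an outbound FTP connection, and a workstation reaching the Remote UI that Table 2 says should be disabled in an enterprise deployment. Feeding real flow exports through the same classifier turns the guide's port tables into a standing check rather than a one-time design input.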


Appendix: Factory defaults

The tables listed in this section provide an overview of selected key configuration options available in the imageRUNNER ADVANCE, and the factory defaults for each option. This information is based on the imageRUNNER ADVANCE C5255i model. For the full list of configuration options or other models from the imageRUNNER ADVANCE range please refer to the Settings/Registration table in the relevant device User Manual.

Explanation:

Setting description – This defines the User Mode setting allowing configuration. These settings are only available to administrators and not accessible to general device users.

Can be set in Remote UI – The imageRUNNER ADVANCE platform provides remote configuration through a web services interface (Remote UI). This interface provides access to a number of device configuration settings. It can be disabled if not permitted and password protected to prevent unauthorised access.

Device Information Delivery Available - Various machine settings can be sent over the network and automatically applied to other Canon multifunction printers. With this function, a host machine is designated whose registered information (such as the settings in the Settings/Registration menu and address lists) is distributed to other client machines, enabling automated alignment of configuration settings with the host machine.

We recommend that any services not in use are disabled. Please contact your local Canon representative for further information.

Network table

If you are configuring the settings for the first time in “Interface Settings,” “TCP/IPv4 Settings,” “TCP/IPv6 Settings,” or “Settings Common to TCP/IPv4 and TCP/IPv6,” use the control panel of the machine. After configuring the TCP/IP settings, you can change them using the Remote UI.

In a NetWare or AppleTalk network, the TCP/IP protocol must be used to specify the settings with software other than the control panel of the machine. The setting items are shown below.

Some items can be set using the Remote UI. Use the control panel of the device to set items which cannot be set using the Remote UI.

* Default settings. *1 Indicates items that appear only when the appropriate optional equipment is attached.


Item Setting Description Can be set in Remote UI

User Data List Print List Yes

Confirm Network Connection Set. Changes On, Off* No

TCP/IP Settings

IPv4 Settings

Use IPv4 On*, Off Yes

IP Address Settings IP Address: 0.0.0.0*; Subnet Mask: 0.0.0.0*; Gateway Address: 0.0.0.0*; DHCP: On, Off*; RARP: On, Off*; BOOTP: On, Off* Yes

PING Command IP Address: 0.0.0.0* No

IPv6 Settings

Use IPv6 On, Off* Yes

Stateless Address Settings Use Stateless Address: On*, Off Yes

Manual Address Settings Use Manual Address: On, Off*; Manual Address: IPv6 Address (39 characters maximum); Prefix Length: 0 to 128 (64*); Default Router Address: (39 characters maximum) Yes

Use DHCPv6 On, Off* Yes

PING Command IPv6 Address: (39 characters maximum) Yes

Host Name 48 characters maximum Yes

DNS Settings

DNS Server Address Settings

IPv4 Primary DNS Server: IP Address: 0.0.0.0*; Secondary DNS Server: IP Address: 0.0.0.0* Yes

IPv6 Primary DNS Server: IPv6 Address; Secondary DNS Server: IPv6 Address Yes

DNS Host/Domain Name Settings

IPv4 Host Name: 47 characters maximum; Domain Name: 47 characters maximum Yes

IPv6 Use Same Host Name/Domain Name as IPv4: On, Off*; Host Name: 47 characters maximum Yes

DNS Dynamic Update Settings

IPv4 DNS Dynamic Update: On, Off* Yes

IPv6 DNS Dynamic Update: On, Off*; Register Stateless Address: On, Off*; Register Manual Address: On, Off* Yes

WINS Settings

WINS Resolution On, Off* Yes

WINS Server Address IP Address:0.0.0.0* Yes

Node Type Auto Set, display only No

Scope ID 63 characters maximum Yes

LPD Print Settings

LPD Print Settings On*, Off Yes

LPD Banner Page*1 On, Off* Yes

RAW Print Settings

RAW Print Settings On*, Off Yes

Bidirectional Communication On, Off* Yes


Item Setting Description Can be set in Remote UI

SNTP Settings

Use SNTP On, Off* Yes

Polling Interval Interval for performing time synchronization (1 to 48 hours) (24 hours*) Yes

NTP Server Address IP address or host name Yes

Check NTP Server - Yes

FTP Print Settings

Use FTP Print On, Off* Yes

User User name for FTP server login (24 characters maximum) (guest*) Yes

Password Password for FTP server login (24 characters maximum) (7654321*) Yes

WSD Print Settings

Use WSD Print On*, Off Yes

Use WSD Browsing On*, Off Yes

Use Multicast Discovery On*, Off Yes

Use FTP PASV Mode

Use FTP PASV Mode On, Off* Yes

BMLinkS Settings

Use BMLinkS On, Off* Yes

Discovery Sending Interval 30 mins*, 1, 3, 6, 12, 24 hrs Yes

Location Information Country/Region; Company/Org. Name, Dept. Name, Bldg. Name, Floor No., Block Name Yes

IPP Print Settings

IPP Print Settings On*, Off Yes

Use SSL On, Off* Yes

Use Authentication On, Off* Yes

User User name for FTP server login (24 characters maximum) (guest*) Yes

Password Password for FTP server login (24 characters maximum) (7654321*) Yes

Multicast Discovery Settings

Response On*, Off Yes

Scope Name Scope name to be used for multicast discovery (32 characters maximum) Yes

Use HTTP On*, Off Yes

Use Web DAV Server On, Off* Yes

SSL Settings Functions using SSL encrypted communications Yes

Key and Certificate

Set as the Default Key - Yes

Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert Thumbprint/Certificate Yes

Display Use Location Displays what the key pair is being used for Yes

Proxy Settings

Use proxy On, Off* Yes

Server Address IP address or FQDN (128 characters maximum) Yes

Port Number 1 to 65535 (80*) Yes

Use Proxy within the Same Domain On, Off* Yes

Set Authentication

Use Proxy Auth. On, Off* Yes

User Name 24 characters maximum Yes

Password 24 characters maximum Yes


Item Setting Description Can be set in Remote UI

Confirm Dept. ID PIN On*, Off Yes

IPSec Settings

Use IPSec On, Off* Yes

Receive Non-policy Packets Allow/Reject Yes

Edit Yes

Delete Yes

Policy On, Off Yes

Register

Policy Name 24 characters maximum Yes

Register: Selector Settings

Local Address: All IP Addresses*/IPv4 Address/IPv6 Address/IPv4 Manual Settings/IPv6 Manual Settings Yes

Remote Address: All IP Addresses*/All IPv4 Address/All IPv6 Address/IPv4 Manual Settings/IPv6 Manual Settings Yes

Port: Specify by Port Number*/Specify by Service Name Yes

IKE Settings

IKE mode : Main*/Aggressive Yes

Authentication Method : Pre-Shared Key Method*/Digital sig. Method Yes

Auth./Encryption Algorithm : Auto*/Manual Settings Yes

IPSec Network Settings

Validity: Time (1 to 65535 minutes) (480 minutes*) Yes

Validity: Size (1 to 65535 MB) (65535 MB*) Yes

PFS : On, Off* Yes

Auth./Encryption Algorithm : Auto*/Manual Settings Yes

Connect. Mode : Transport, display only -

NetWare Settings

Use NetWare On, Off* Yes

Frame Type Auto Detect*/Ethernet II/Ethernet 802.2/Ethernet 802.3/Ethernet SNAP Yes

IPX External Network Number Auto Set, display only -

Node Number Auto Set, display only -

Print Service Bindery PServer/RPrinter/NDS PServer*/NPrinter Yes

Packet Signature Auto Set, display only -

Bindery Pserver Settings

Print Server Name 47 characters maximum Yes

File Server Name 47 characters maximum Yes

Print Server Password 20 characters maximum Yes

Printer Number 0 to 15 (0*) Yes

Polling Interval 1 to 15 seconds (5 seconds*) Yes

Printer Form 0 to 255 (0*) Yes

Buffer Size 1 to 20 KB (20 KB*) Yes

Service Mode Service only currently mounted form/Change forms as needed/Minimize form changes across print queues/Minimize form changes within print queues* Yes

RPrinter Settings

Print Server Name 47 characters maximum Yes

File Server Name 47 characters maximum Yes

Printer Number 0 to 15 (0*) Yes

NDS PServer Settings

Print Server Name 64 characters maximum Yes

Tree Name 32 characters maximum Yes

Context 256 characters maximum Yes


Item Setting Description Can be set in Remote UI

Print Server Password 20 characters maximum Yes

Printer Number 0 to 254 (0*) Yes

Polling Interval 1 to 255 seconds (5 seconds*) Yes

Printer Form 0 to 255 (0*) Yes

Buffer Size 3 to 20 KB (20 KB*) Yes

Service Mode Service only currently mounted form/Change forms as needed/Minimize form changes across print queues/Minimize form changes within print queues* Yes

NPrinter Settings

Print Server Name 64 characters maximum Yes

Tree Name 32 characters maximum Yes

Context 256 characters maximum Yes

Printer Number 0 to 254 (0*) Yes

AppleTalk Settings

Use AppleTalk On, Off* Yes

Phase Phase 2 (fixed) -

Service Name 32 characters maximum Yes

Zone 32 characters maximum Yes

Print Mode Both*, Spool, Direct Yes

SMB Server Settings

Use SMB Server On, Off* Yes

Server Name 15 characters maximum (Canon followed by the last six digits of the MAC address*) Yes

Workgroup 15 characters maximum (WORKGROUP*) Yes

Comment 48 characters maximum Yes

LM Announce On, Off* Yes

SMB Printer Settings

Use SMB Print On, Off* Yes

Printer Name 13 characters maximum (PRINTER) Yes

SMB Auth. Settings

Use SMB Authentication On, Off* Yes

Authentication Type NTLMv1*, NTLMv2* Yes

SNMP Settings

Get Printer Mgmt Info from Host On, Off* Yes

Use SNMPv1 On*, Off Yes

Dedicated Community Settings

Dedicated Community On*, Off

MIB Access Permission Read/write, Read Only

Community Name 1 Settings

Community Name 1 On*, Off Yes

MIB Access Permission Read/Write/Read Only* Yes

Community Name Community Name (32 characters maximum) (public*) Yes

Community Name 2 Settings

Community Name 2 On, Off* Yes

MIB Access Permission Read/Write/Read Only* Yes

Community Name Community Name (32 characters maximum) (public2*) Yes

Use SNMPv3 On, Off* Yes

User Settings

User On, Off Yes

Register User/MIB Access Permission/Security Settings/Authent. Algorithm/Authent. Password/Encryption Algorithm/Encryption Password Yes

Details/Edit User/MIB Access Permission/Security Settings/Authent. Algorithm/Authent. Password/Encryption Algorithm/Encryption Password Yes


Item Setting Description Can be set in Remote UI

Delete - Yes

Context Settings Context Name (32 characters maximum)

Register Context Name (32 characters maximum) Yes

Edit - Yes

Delete Yes

Dedicated Port Settings

Dedicated Port Settings On*, Off Yes

Use Spool Function

Use Spool Function On, Off* Yes

Startup Settings

Startup Settings 30 to 300 seconds (30*) Yes

Ethernet Driver Settings

Auto Detect On*, Off Yes

Communication Mode Half Duplex*/Full Duplex Yes

Ethernet Type 10 Base-T*,100 Base-TX,1000 Base-T Yes

MAC Address Display only -

IEEE802.1X Settings

Use IEEE802.1X On, Off* Yes

User Name of the user to be authenticated with IEEE802.1X authentication Yes

Password Password of the user to be authenticated with IEEE802.1X authentication Yes

TLS Settings

Use TLS On, Off* Yes

Key and Certificate

Set as the Default Key - Yes

Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate Yes

Display Use Location Displays what the key pair is being used for. Yes

TTLS Settings

Use TTLS On, Off* Yes

TTLS Settings MSCHAPv2*, PAP Yes

PEAP Settings

Use PEAP On, Off* Yes

Same User Name as Login Name - Yes

User Name 24 characters maximum Yes

Password 24 characters maximum Yes

Firewall Settings

IPv4 Address Filter

Send Filter - Yes

Use Filter On, Off* Yes

Default Policy Allow/Reject Yes

IPv4 Address Up to 16 IPv4 addresses can be stored. Yes

Receive Filter

Use Filter On, Off* Yes

Default Policy Allow/Reject Yes

IPv4 Address Up to 16 IPv4 addresses can be stored. Yes

IPv6 Address Filter

Send Filter

Use Filter On, Off* Yes

Default Policy Allow/Reject Yes

IPv6 Address Up to 16 IPv6 addresses can be stored. Yes


Item Setting Description Can be set in Remote UI

Receive Filter

Use Filter On, Off* Yes

Default Policy Allow/Reject Yes

IPv6 Address Up to 16 IPv6 addresses can be stored. Yes

MAC Address Filter

Send Filter

Use Filter On, Off* Yes

Default Policy Allow/Reject Yes

MAC Address Up to 100 MAC addresses can be stored. Yes

Receive Filter

Use Filter On, Off* Yes

Default Policy Allow/Reject Yes

MAC Address Up to 100 MAC addresses can be stored. Yes

IP Address Block Log Time, Category, IP Address, Result Yes

External Interface

Item Setting Description Device Information Delivery Available

USB Settings

Use USB Device On*, Off Yes

Use USB Host On*, Off Yes

Use MEAP Driver for USB Device On*, Off Yes

Use MEAP Driver for USB External Drive On*, Off Yes

Send

Item Setting Description Device Information Delivery Available

Output Report

TX/RX User Data List Print No

Fax User Data List*1 Print No

Common Settings

Register Favourite Settings Edit Favourite Settings Register/Edit, Delete (M1 to M18), Check Content Yes

Show Comment On, Off* Yes

Display Confirmation for Favourite Settings On*, Off No

Change Default Screen Standard*, Address Book, One-touch, Favourite Settings No

Change Default Settings Register, Initialize No

Register [Options] Shortcuts

Shortcut 1 2-Sided*, No Settings No

Shortcut 2 Different Size Originals*, No Settings No

TX Report For Error Only*, On, Off Yes

Report with TX Image On*, Off Yes

Report with Colour TX Image On, Off* Yes

* Default settings. *1 Indicates items that appear only when the appropriate optional equipment is attached. *4 Indicates an item that appears only if the Super G3 2nd Line Fax Board is installed in addition to the Super G3 FAX Board. *5 Indicates an item that appears only if the Super G3 3rd/4th Line Fax Board is installed in addition to the Super G3 FAX Board.


Item Setting Description Device Information Delivery Available

Communication Activity Report

Auto Print (100 Transmissions) On*, Off Yes

Specify Print Time On, Off* Yes

Timer Setting 00:00 to 23:59 (00:00*) Yes

Send/Receive Separate On, Off* Yes

TX Terminal ID Print*, Do Not Print; Printing Position: Inside, Outside*; Display Destination Unit Name: On*, Off; Telephone # Mark*1: Fax*, TEL Yes

Delete Failed TX Jobs On*, Off Yes

Retry Times 0 to 5 times (3 times*) Yes

Data Compression Ratio Compact, Normal*, Low Ratio Yes

YCbCr TX Gamma Value Gamma 1.0, Gamma 1.4, Gamma 1.8*, Gamma 2.2 Yes

Use Chunked Encoding with WebDAV Sending On*, Off Yes

Limit New Destinations

Fax On, Off* Yes

E-mail On, Off* Yes

I-Fax On, Off* Yes

File On, Off* Yes

Always Add Device Signature to Send*1 On, Off* Yes

Restrict File Formats On, Off* Yes

E-mail/I-Fax Settings

Register Unit Name 24 characters maximum No

Communication Settings

SMTP Receive On*, Off Yes

POP On*, Off Yes

SMTP Server Server name or IP address (48 characters maximum) No

E-mail Address 64 characters maximum No

POP Server Server name or IP address (48 characters maximum) No

POP Address 32 characters maximum No

POP Password 32 characters maximum No

POP Interval 0* to 99 (If the interval is set to ‘0’, the incoming e-mail is not checked automatically.) No

POP AUTH Method Standard*/APOP/POP AUTH Yes

POP Authentication before Sending On, Off* No

SMTP Authentication (SMTP AUTH) On, Off* No

User User name for SMTP authentication (64 characters maximum) No

Password Password for SMTP authentication (32 characters maximum) No

Allow SSL(POP) On, Off* No

Display Auth. Screen When Send On*, Off No

Allow SSL(SMTP Receive) Always SSL, On, Off* No

Maximum Data Size for Sending 0 (Off)/1 to 99 MB (3 MB*) Yes

Default Subject 40 characters maximum (Attached Image*) Yes

Use SMTP Authentication for Each User On*, Off No

Specify Authentication User Dest. to Reply On, Off* No

Set Authorized User Destination to Sender On*, Off No

Allow Sending to Unregistered Destinations On, Off* Yes

Full Mode TX Timeout 1 to 99 hours (24 hours*) Yes

Print MDN/DSN upon Receipt On, Off* Yes

Use Send via Server On, Off* Yes

Allow MDN Not via Server On*, Off Yes

Restrict TX Destination Domain

Restrict TX Destination Domains On, Off* Yes

Permitted Domains Register, Details/Edit, Delete No

Autocomplete for Entering E-mail Addresses On*, Off Yes

Fax Settings

Default Screen Standard*, Address Book No

Change Default Settings Register, Initialize No

Register [Options] Shortcuts

Shortcut 1 Density*, No Settings No

Shortcut 2 Original Type*, No Settings No

Shortcut 3 2-Sided Original*, No Settings No

Shortcut 4 Different Size Originals*, No Settings No

Register Sender Name (TTI) 01 to 99 : Register/Edit, Delete No

Off-Hook Alarm On*, Off No

ECM TX On*, Off Yes

Set Pause Time 1 to 15 seconds (2 seconds*) Yes

Auto Redial On, Off Yes

Redial Times 1 to 15 times (2 times*) Yes

Redial Interval 2 to 99 minutes (2 minutes*) Yes

Redial When TX Error Error and 1st page*, All pages, Off Yes

Check Dial Tone Before Sending On*, Off Yes

Fax TX Report For Error Only*, On, Off Yes

Report with TX Image On*, Off Yes

Fax Activity Report

Auto Print (40 Transmissions) On*, Off Yes

Specify Print Time On, Off* Yes

Timer Setting 00:00 to 23:59 (00:00*) Yes

Send/Receive Separate On, Off* Yes

Set Line

Register User Telephone No. 20 digits maximum No

Register Unit Name 24 characters maximum No

Select Line Type Pulse, Tone* No

Line (2 to 8)

If the Super G3 FAX Board and Super G3 2nd Line Fax Board are installed: • Line 2 No

If the Super G3 FAX Board, Super G3 2nd Line Fax Board, and Super G3 3rd/4th Line Fax Board are installed: • Line 2, Line 3, Line 4 No

Select TX Line

If the Super G3 FAX Board is installed: • Line 1: Priority TX, Prohibit TX* No

If the Super G3 FAX Board and Super G3 2nd Line Fax Board are installed: • Line 1: Priority TX, Prohibit TX* • Line 2: Priority TX, Prohibit TX No

If the Super G3 FAX Board, Super G3 2nd Line Fax Board, and Super G3 3rd/4th Line Fax Board are installed: • Line 1: Priority TX, Prohibit TX* • Line 2: Priority TX, Prohibit TX • Line 3: Priority TX, Prohibit TX • Line 4: Priority TX, Prohibit TX No

TX Start Speed 33600 bps*, 14400 bps, 9600 bps, 7200 bps, 4800 bps, 2400 bps Yes

FIS Switch On, Off* Yes


PIN Code Access On, Off* Yes

Line1 On, Off* Yes

Line2*8 On, Off* Yes

Line3*9 On, Off* Yes

Line4*9 On, Off* Yes

Confirm Entered Fax Numbers On, Off* Yes

Allow Fax Driver TX On*, Off Yes

Remote Fax TX Settings

Remote Fax Server Address Host name or the IP address (48 characters maximum) No

TX Timeout 1 to 99 hours (24 hours*) Yes

Select TX Line Line 1 to 4 (1*) No

Select Priority Line Auto*, Line 1, Line 2*10, Line 3*10, Line 4*10 No

Remote Fax Settings

Use Remote Fax On*, Off Yes

Item Setting Description Device Information Delivery Available

Output Report

TX/RX User Data List Print No

Fax User Data List*1 Print No

Common Settings

Print on Both Side On, Off* Yes

Select Drawer

SwitchA On*, Off Yes

SwitchB On*, Off Yes

SwitchC On*, Off Yes

SwitchD On*, Off Yes

Reduce Fax RX Size On*, Off Yes

On • Reduction Mode: Auto*, Fixed • Reduction %: 75 to 97% (90%*) • Reduction Direction: Vertical & Horizontal, Vertical Only* Yes

2 On 1 Log On, Off* Yes

Received Page Footer On, Off* Yes

YCbCr RX Gamma Value Gamma 1.0, Gamma 1.4, Gamma 1.8*, Gamma 2.2 Yes

Handle Files with Forwarding Errors Always Print, Store/Print, Off* Yes

Forwarding Settings Receive Type, Validate/Invalidate, Register (Registered Forwarding Settings), Forward w/o Conditions, E-Mail Priority, Details/Edit, Delete, Print List Yes*11

Receive Tray Settings

Set Fax/I-Fax Inbox

Set/Register Confidential Fax Inboxes 00 to 49 Yes

Register Box Name: 24 characters maximum Yes

PIN Seven digits maximum Yes

URL Send Settings - Yes

Initialize - No

Memory RX Inbox PIN Seven digit number No

Receive/Forward

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
*7 Indicates item that is not delivered as device information. Receive Type, Details/Edit, Delete, Print List, E-Mail Priority

Use Fax Memory Lock*1 On, Off* Yes

Use I-Fax Memory Lock On, Off* Yes

Memory Lock Start Time Every day, Select Days, Off* Yes

Memory Lock End Time Every day, Select Days, Off* Yes

Divided Data RX Timeout 0 to 99 hours (24 hours*) Yes

Always Send Notice for RX Errors On*, Off Yes

Fax Settings*1

ECM RX On*, Off Yes

Select RX Mode Auto RX*, Fax/Tel Auto Switch Yes

Fax/Tel Auto Switch • Ring Start Time: 0 to 30 sec (8 sec*) • Ring Time: 15 to 300 sec (17 sec*) • F/T Switch Action: End, Receive* • Outgoing Message: On, Off* Yes

Remote RX On, Off* No

On • Remote RX ID: 00 to 99 (25*) No

RX Manual/Auto Switch On, Off* Yes

On • F/T Ring Time: 1 to 99 sec (15 sec*) Yes

Fax RX Report For Error Only, On, Off* Yes

Confidential Fax Inbox RX Report On*, Off Yes

Receive Start Speed 33600 bps*, 14400 bps, 9600 bps, 7200 bps, 4800 bps, 2400 bps Yes

Receive Password 20 digits maximum No

Set Number Display Yes

Line1*1 On, Off* Yes

Line2*1 On, Off* Yes

Line3*1 On, Off* Yes

Line4*1 On, Off* Yes

Item Setting Description Device Information Delivery Available

Common Settings

Scan and Store Settings

Register/Edit Favorite Settings Register/Edit, Delete (Up to 9 Set Keys), Check Content No

Change Default Settings Register, Initialize No

Settings of Access Stored File

Register/Edit Favorite Settings Register/Edit, Delete (Up to 9 Set Keys), Check Content No

Change Default Settings Register, Initialize No

Mail Box Settings

Mail Box Settings

Mail Box No. 00 to 99 No

Register Box Name 24 characters maximum Yes

PIN Seven digits Yes

Time Until Document Auto Delete 0 (Off), 1, 2, 3*, 6, 12 hours, 1, 2, 3, 7, 30 days No

URL Send Settings - Yes

Print upon Storing from Printer Driver On, Off* Yes

Initialize - No

Store/Access Files

* Default Setting


Item Setting Description Device Information Delivery Available

Address List Address Book 1 to 10, One-touch No

Print List: Print No

Register Destinations Register New Dest., Details/Edit, Delete, Search by Name Yes

Register Address List Name Register Name Yes

Register One-touch Register/Edit, Delete Yes

Change Default Display of Address Book Local*, LDAP Server, Remote No

Address Book PIN Seven digit number Yes

Manage Address Book Access Number On, Off* Yes

Item Setting Description Device Information Delivery Available

Settings for All Mail Boxes

Time Until Document Auto Delete 0 (Off), 1, 2, 3*, 6, 12 hours, 1, 2, 3, 7, 30 days No

Print upon Storing from Printer Driver On, Off* No

Box Security Settings

Limit Box PIN to 7 Digits/Restrict Access On, Off* Yes

Disp. Print When Storing from Printer Driver On*, Off Yes

Advanced Box Settings

Open to Public By SMB, By WebDAV, Off* Yes

Allow to Create Personal Space On*, Off Yes

WebDAV Server Settings

Authentication Type Basic, Off* Yes

Use SSL On, Off* Yes

Delete All Personal Spaces Delete No

Initialize Shared Space Initialize No

Prohibit Writing from External On*, Off Yes

Authentication Management On, Off* Yes

File Formats Allowed for Storing Printable Formats Only, Common Office Formats, All Yes

Network Settings

Network Place Settings Register, Details, Delete No

Protocol for External Reference

SMB On*, Off No

WebDAV On*, Off No

Memory Media Settings

Use Scan/Print Function

Use Scan Function On*, Off Yes

Use Print Function On*, Off Yes

Item Setting Description Device Information Delivery Available

Only Allow Encrypted Print Jobs*1 On, Off* Yes

Encrypted Secure Print

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.

Set Destination

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.

Require Password for Exporting Address Book On*, Off Yes

Register LDAP Server Receive Type, Validate/Invalidate, Register, Details/Edit, Delete, Forward w/o Conditions, Print List, E-Mail Priority No

Auto Search When Using LDAP Server On*, Off Yes

Acquire Remote Address Book

Acquire Address Book On, Off* Yes

Remote Address Book Server Address IP Address or Host Name (128 characters maximum) No

Communication Timeout 15 to 120 seconds (30 seconds*) Yes

Fax TX Line Auto Select Adjustment On*, Off Yes

Make Remote Address Book Open

Make Remote Address Book Open On, Off* Yes

Item Setting Description Device Information Delivery Available

System Manager Information Settings

System Manager ID Seven digit number maximum (7654321*) Yes

System PIN Seven digit number maximum (7654321*) Yes

System Manager 32 characters maximum Yes

E-Mail Address 64 characters maximum Yes

Contact Information 32 characters maximum Yes

Comment 32 characters maximum Yes

Department ID Management

Department ID Management On, Off* Yes

Register PIN Register, Edit, Delete, Limit Functions Yes

Page Totals Clear, Print List, Clear All Totals, Large2 Count Management No

Allow Printer Jobs With Unknown IDs On*, Off Yes

Allow Remote Scan Jobs With Unknown IDs On*, Off Yes

Allow Black Copy/ Mail Box Print Jobs On, Off* Yes

Allow Black Printer Jobs On, Off* Yes

Management Settings/User Management

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.

Management Settings/Device Management

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.

Item Setting Description Device Information Delivery Available

Device Information Settings

Device Name 32 characters maximum No

Location 32 characters maximum No

Device Information Delivery Settings

Register Destinations

Auto Search/Register, Register, Details, Delete, Print List

Auto Search/Register • List • Select All • Search Depth (Router): 1 to 8 • Display Host Name: On, Off • Start Auto Search

Set Auto Delivery Every day, Specify Days, Off*

Settings/Registration Value On, Off* • Network Settings: Include, Exclude

Dept. ID On, Off*

Address Book On, Off*

Web Access Favorites On, Off*

Printer Settings On, Off*

Paper Information On, Off*

Workflow Composer On, Off*

Manual Delivery

Settings/Registration Value On, Off* • Network Settings: Include, Exclude

Dept. ID On, Off*

Address Book On, Off*

Web Access Favorites On, Off*

Printer Settings On, Off*

Paper Information On, Off*

Workflow Composer On, Off*

Restrictions for Receiving Device Info. On*, Off

Restore Data Settings/Registration Value, Dept. ID, Address Book, Printer Settings, Paper Information

Receive Restriction for Each Function

Settings/Registration Value On*, Off

Dept. ID On*, Off

Address Book On*, Off

Web Access Favorites On*, Off

Printer Settings On*, Off

Paper Information On*, Off

Workflow Composer On*, Off

Communication Log

Details, Print List, Report Settings

Report Settings • Auto Print (100 transmissions): On*, Off • Specify Print Time: On, Off* • 00:00* to 23:59 • Separate Report Type: On, Off*

Limited Functions Mode On, Off* No

Limit Functions When Security Key is Off* Partial Functions*, All Functions Yes

Confirm Device Signature Certificate Certificate Details: Certificate No

Check User Signature Certificate Certificate Details: Certificate No

Certificate Settings

Generate Key

Generate Network Communication Key

Key Name 24 characters maximum No

Signature Algorithm SHA1*, SHA256, SHA384, SHA512 No

Key Algorithm RSA, Display only No

Key Length(bit) 512*, 1024, 2048, 4096 No

Start Date of Validity Month, Date, Year (2000/01/01-2037/12/31) No

End Date of Validity Month, Date, Year (2000/01/01-2037/12/31) No

Country/Region Country/Region name and code (2 characters maximum) No

State 24 characters maximum No

City 24 characters maximum No

Organization 24 characters maximum No

Organization Unit 24 characters maximum No


Common Name IP address or FQDN (41 characters maximum) No

Generate/Update Device Signature Key - No

Key and Certificate List: Key and Certificate List for this Machine Editing Key Pairs and Server Certificates Confirming a Key Pair and Device Certificate

Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate No

Delete -

Display Use Location Displays what the key pair is being used for No

Certificate Settings: Key and Certificate List: Key and Certificate List for Users*

Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate No

Delete - No

Certificate Settings: CA Certificate List

Certificate Details Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate No

Delete - No

Certificate Settings: Register Key and Certificate

Register Key Name (24 characters maximum) Password (24 characters maximum) No

Delete - No

Display Asterisks For Confidential Info. On*, Off Yes

Display Status Before Authentication On*, Off No

Display Log On*, Off No

On • Obtain Job Log From Management Software: Permit, Do Not Allow* No

Audit Log Retrieval On, Off* No

Format Encryption Method to FIPS 140-2 On, Off* No
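The certificate-generation defaults listed above (Signature Algorithm SHA1*, Key Length 512*) and the Off* defaults for Use SSL, Audit Log Retrieval and Format Encryption Method to FIPS 140-2 are the kind of factory values a rollout has to change before the device goes live. The following Python script is an added example, not code from the guide or from Canon: it reads rows in this appendix's own one-line layout, extracts the factory default (the value marked with *) and the Device Information Delivery flag, and reports every item whose default differs from a hardened baseline. The sample rows are copied from the table; the BASELINE values are this example's own assumptions about a sensible target and are not recommendations stated in the guide.

```python
from dataclasses import dataclass

# Constructed sample rows. They reproduce the appendix's one-line-per-row
# layout: "<Item> <options, '*' marks the factory default> <Yes|No>", where
# the trailing Yes/No is the "Device Information Delivery Available" column.
SAMPLE_ROWS = """\
Signature Algorithm SHA1*, SHA256, SHA384, SHA512 No
Key Length(bit) 512*,1024, 2048, 4096 No
Use SSL On, Off* No
Audit Log Retrieval On, Off* No
Format Encryption Method to FIPS 140-2 On, Off* No
Allow Printer Jobs With Unknown IDs On*, Off Yes
Display Asterisks For Confidential Info. On*, Off Yes
Open to Public By SMB, By WebDAV, Off* Yes
""".splitlines()

# Hardened target value per item. These are this example's own assumptions
# about a sensible baseline; the guide's table does not state them.
BASELINE = {
    "Signature Algorithm": "SHA256",
    "Key Length(bit)": "2048",
    "Use SSL": "On",
    "Audit Log Retrieval": "On",
    "Format Encryption Method to FIPS 140-2": "On",
    "Allow Printer Jobs With Unknown IDs": "Off",
    "Display Asterisks For Confidential Info.": "On",
    "Open to Public": "Off",
}


@dataclass
class SettingRow:
    item: str
    options: list      # every selectable value, with the '*' stripped
    default: str       # the option that carried the '*' ("" if none did)
    delivered: bool    # Device Information Delivery Available == Yes


def parse_row(line, item):
    """Split one appendix row whose item name is already known.

    Item names contain spaces and digits, so the boundary between item and
    options cannot be found from the text alone; the caller supplies the name.
    """
    if not line.startswith(item):
        raise ValueError(f"row does not start with {item!r}: {line!r}")
    rest = line[len(item):].strip()
    body, flag = rest.rsplit(None, 1)          # last token is the Yes/No column
    if flag not in ("Yes", "No"):
        raise ValueError(f"missing Yes/No delivery column: {line!r}")
    options, default = [], ""
    for opt in (o.strip() for o in body.split(",")):
        if not opt:
            continue
        if opt.endswith("*"):
            default = opt[:-1].strip()
            options.append(default)
        else:
            options.append(opt)
    return SettingRow(item, options, default, flag == "Yes")


def parse_rows(lines, items):
    """Pick out the rows for the given item names from a block of appendix text.

    "item + ' '" is matched so that a short name is not taken as the prefix of
    a longer one. The first occurrence wins: the real appendix repeats some
    names (e.g. Use SSL) under several sub-headings, so feed one sub-table at a time.
    """
    rows = {}
    for line in lines:
        line = line.strip()
        for item in items:
            if item not in rows and line.startswith(item + " "):
                rows[item] = parse_row(line, item)
                break
    return rows


def audit(rows, baseline):
    """Return (item, factory_default, hardened_value) for every row whose
    factory default differs from the baseline; a baseline value that the
    device does not offer at all is reported as an error."""
    findings = []
    for item, target in baseline.items():
        row = rows.get(item)
        if row is None:
            continue
        if target not in row.options:
            raise ValueError(f"{item}: baseline {target!r} is not an offered option")
        if row.default != target:
            findings.append((item, row.default, target))
    return findings


if __name__ == "__main__":
    for item, current, target in audit(parse_rows(SAMPLE_ROWS, BASELINE), BASELINE):
        print(f"{item}: factory default {current!r}, hardened value {target!r}")
```

Run against the sample rows, the script flags six items (the two certificate defaults, the three Off* security features and the unknown-ID printer jobs setting) and leaves the two rows whose defaults already match the baseline alone. The delivered flag is kept because an item marked No must be configured on every device individually; device information delivery will not push it from a master unit.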

Item Setting Description Device Information Delivery Available

Register License 24 characters maximum No

MEAP Settings

Print System Information Print No

Use SSL On, Off* No

Remote UI On*, Off Yes

Use SSL On, Off* No

Use Reference Print On, Off* Yes

Delete Message Board Contents Clear No

Remote Operation Settings On, Off* No

On: Password (Max 8 characters)

Register/Update Software

Install Applications/Options License Access Number (4 digits at a time.) No

Software Management Settings

Select Log Display Display Update Logs, Display System Logs No

Test Communication - No

Management Settings: License and other

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.

Item Setting Description Device Information Delivery Available

HDD Data Complete Deletion*

Timing of Deletion During Job*, After Job No

Deletion Mode Overwrite Once With 0 (Null) Data*, Overwrite 1 Time With Random Data, Overwrite 3 Times With Random Data, DOD Standard No

Initialize All Data/Settings License cannot be reused No

TPM Settings Backup TPM Key, Restore TPM Key No

Management Settings: Data management

* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.