Canon imageRUNNER ADVANCE Hardening

Canon imageRUNNER ADVANCE
Hardening Guide 2016
Introduction
Modern Canon Multifunction Devices (MFDs) provide print, copy, scan, send and fax functionality.
MFDs are computer servers in their own right, providing a number of networked services
along with significant hard drive storage.
When an organisation introduces these devices into their infrastructure, there are a number
of areas that should be addressed as part of the wider security strategy, which should look
to protect the confidentiality, integrity and availability of your networked systems.
Clearly, deployments will differ and organisations will have their own specific security
requirements. While we work together to ensure that Canon devices are shipped with
appropriate initial security settings, we aim to further support this by providing a number
of configuration settings to enable you to more closely align the device to the requirements
of your specific situation.
This document is designed to provide sufficient information to enable you to discuss with
Canon or a Canon partner the most appropriate settings for your environment. Once decided,
the final configuration can be applied to your device or fleet. Please feel free to contact
Canon or a Canon partner for further information and support.
Who is this document meant for?
This document is aimed at anybody who is
concerned with the design, implementation
and securing of office multifunction devices
(MFDs) within a network infrastructure. This
might include IT and network specialists, IT
security professionals, and service personnel.
Scope and coverage
The guide explains and advises on the configuration settings for two typical
network environments, so that organisations can securely implement an MFD solution
based on best practice. These settings have been tested and validated by Canon’s ICT
Security team.
Implementing appropriate MFD security for your environment
To explore the security implications of implementing a multifunction device as
part of your network, we have considered two typical scenarios:
• A typical small office environment
• An enterprise office environment
We make no assumptions about specific
industry sector regulatory requirements that
may impose other security considerations
and are out of scope of this document.
This guide was created based upon the
typical feature set of the imageRUNNER
ADVANCE C5255i, and while the information
here applies to all models and series within
the imageRUNNER ADVANCE range, some
features may differ between models.
Small office environment
Typically, this will be a small business
environment with an un-segmented network
topology. It uses one or two MFDs for its
internal use and these devices are not
accessible on the Internet.
While mobile printing is available, additional
solution components will be required. For
those users requiring printer services outside
of a LAN environment, a secure connection
is required, but this will not be covered in this
guide. However, attention should be paid to
the security of the data in transit between the
remote device and the print infrastructure.
Figure 1 Small Office Network (diagram labels: Internet, Firewall, Client PC, File server, Wireless Access Point, Mobile device: External user, Mobile device: Internal user, Multi-functional device, Fax, PSTN)
Configuration Considerations
Please note that unless a feature of the
imageRUNNER ADVANCE is mentioned
below, it is regarded as being sufficient in
the default settings for this business and
network environment.
Table 1 Small Office Environment Configuration Considerations
imageRUNNER ADVANCE Feature | Description | Consideration
--- | --- | ---
Service Mode | Allows access to Service Mode settings | Password protect with a non-default, non-trivial and maximum length password
Service Management Mode | Allows access to various non-standard device settings | Password protect with a non-default, non-trivial and maximum length password
SMB Browse/Send | Store and retrieve to and from Windows/SMB network shares | System administrators should, by policy, disallow any users from creating local accounts on their client machine for use in sharing documents with the imageRUNNER ADVANCE over SMB
Remote UI | Web-based configuration tool | The imageRUNNER ADVANCE administrator should enable HTTPS for the remote UI and disable HTTP access. Enable the use of PIN authentication unique to each device
SNMP | Network monitoring integration | Disable version 1 and enable version 3 only
Send to e-mail and/or IFAX | Send emails from the device with attachments | Enable SSL; Do not use the POP3 authentication before SMTP send; Use SMTP authentication
POP3 | Automatically fetch and print documents from mailbox | Enable SSL; Enable POP3 authentication
Address book / LDAP | Use directory service to look up home number or email addresses to send scans to | Enable SSL; Do not use domain credentials to authenticate against the LDAP server; use LDAP specific credentials
FTP Print | Upload & download documents to and from the embedded FTP server | Turn on FTP authentication. Be aware that FTP traffic will always travel in clear text over the network
WebDAV Send | Scan and Store documents on a remote location | Enable authentication for WebDAV shares
Encrypted PDF | Encrypt documents | By policy sensitive documents should only be encrypted using PDF version 1.6 (AES-128)
Secure Print | Print job is sent to the device but locked in the print queue until the corresponding PIN number is entered | Enable PIN protected print jobs
Embedded web browser | Browser access to Internet | Enforce through administration, the use of a content filtering web proxy to avoid malicious or viral content being accessed. Disable the creation of favourites
Wireless LAN | Provides Wireless access | Use WPA-PSK/WPA2-PSK with strong passwords
An Enterprise Office Environment
This is typically a multi-site, multi-office
environment with segmented network
architecture. It has multiple MFDs deployed
on a separate VLAN accessible for internal
use via print server(s). These MFDs are not
accessible from the Internet.
This environment will usually have a permanent team to support its networking and
back-office requirements along with general computer issues, but it is assumed they
will not have specific MFD training.
Figure 2 Enterprise Office Network (diagram labels: Internet, Firewall, General network infrastructure, Client PC, File server, Dedicated Print VLAN, Wireless Access Point, Mobile device: External user, Mobile device: Internal user, Multi-functional devices, Fax, PSTN)
Configuration considerations
Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below it is
regarded as being sufficient in the default settings for this business and network environment.
Table 2 Enterprise Office Environment Configuration Considerations
imageRUNNER ADVANCE Feature | Description | Consideration
--- | --- | ---
Service Mode | Allows access to Service Mode settings | Password protect with a non-default, non-trivial and maximum length password
Service Management Mode | Allows access to various non-standard device settings | Password protect with a non-default, non-trivial and maximum length password
SMB Browse/Send | Store and retrieve to and from Windows/SMB network shares | System administrators should, by policy, disallow any users from creating local accounts on their machine for use in sharing documents with the imageRUNNER ADVANCE over SMB
Remote UI | Web-based configuration tool | Following initial device configurations disable the Remote UI completely by disabling HTTP and HTTPS
SNMP | Network monitoring integration | Disable version 1 and enable version 3 only
Send to e-mail and/or IFAX | Send emails from the device with attachments | Enable SSL; Enable certificate verification at the SMTP server, or if not viable, only use this feature in an environment where a Network Intruder Detection System collector is present; Do not use the POP3 authentication before SMTP send; Use SMTP authentication
POP3 | Automatically fetch and print documents from mailbox | Enable SSL; Enable certificate verification at the POP3 server, or if not viable, only use this feature in an environment where a Network Intruder Detection System collector is present; Enable POP3 authentication
Address book / LDAP | Use directory service to look up phone number or email addresses to send scans to | Enable SSL; Enable certificate verification at the LDAP server, or if not viable, only use this feature in an environment where a Network Intruder Detection System collector is present; Do not use domain credentials to authenticate against the LDAP server; use LDAP specific credentials
IPP | Connect and send printing jobs over the network | Disable IPP
WebDAV Send | Scan and Store documents on a remote location | Enable authentication for the WebDAV shares; Enable SSL; Enforce the printer to only allow files ending with the “file printing extensions” to be uploaded
IEEE802.1X | Network access authentication mechanism | EAPOL V1 supported
Encrypted PDF | Encrypt documents | By policy sensitive documents should only be encrypted using PDF version 1.6 (AES-128)
Encrypted Secure Print | Enhance the protection of Secure Print by encrypting the file and the password during transmission | Configure the username in the Printer tab on the client printer configuration to a different username than the LDAP/domain credentials of that user. Ensure “Restrict printer jobs” is turned off
Wireless LAN | Provides Wireless access | Use WPA-PSK/WPA2-PSK with strong passwords
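The considerations in Table 1 and Table 2 can be turned into an automated check of a device or fleet; the following is an added example, not part of Canon's guide or tooling. The setting keys (`remote_ui_http`, `nids_present` and so on) are hypothetical names chosen here, and the snapshot is constructed.

```python
"""Audit a settings snapshot against the guide's Table 1 / Table 2 considerations.

Setting keys are hypothetical names chosen for this example (the guide defines
no export format); SAMPLE is a constructed snapshot, not data from a device.
"""
from typing import Callable, NamedTuple, Optional

SMALL, ENT = "small_office", "enterprise"
ONLY_SMALL, ONLY_ENT = frozenset({SMALL}), frozenset({ENT})
BOTH = ONLY_SMALL | ONLY_ENT


class Rule(NamedTuple):
    envs: frozenset              # table(s) the consideration comes from
    feature: str                 # feature name as used in the tables
    gate: Optional[str]          # rule applies only while this feature is in use
    ok: Callable[[dict], bool]   # True when the snapshot meets the consideration
    advice: str                  # the consideration, paraphrased


def peer_checked(prefix: str) -> Callable[[dict], bool]:
    # Table 2: verify the server certificate or, if that is not viable, use the
    # feature only where a network intrusion detection collector is present.
    return lambda s: s[prefix + "_cert_verify"] or s["nids_present"]


RULES = [
    Rule(ONLY_SMALL, "Remote UI", None,
         lambda s: s["remote_ui_https"] and not s["remote_ui_http"] and s["remote_ui_pin"],
         "enable HTTPS, disable HTTP, use a PIN unique to each device"),
    Rule(ONLY_ENT, "Remote UI", None,
         lambda s: not s["remote_ui_http"] and not s["remote_ui_https"],
         "disable HTTP and HTTPS once initial configuration is done"),
    Rule(BOTH, "SNMP", None,
         lambda s: s["snmp_v3"] and not s["snmp_v1"],
         "disable version 1 and enable version 3 only"),
    Rule(BOTH, "Send to e-mail and/or IFAX", "email_send",
         lambda s: s["smtp_ssl"] and s["smtp_auth"] and not s["pop_before_smtp"],
         "enable SSL, use SMTP authentication, no POP3 before SMTP"),
    Rule(ONLY_ENT, "Send to e-mail and/or IFAX", "email_send", peer_checked("smtp"),
         "verify the SMTP server certificate, or require a NIDS collector"),
    Rule(BOTH, "POP3", "pop3",
         lambda s: s["pop3_ssl"] and s["pop3_auth"],
         "enable SSL and POP3 authentication"),
    Rule(ONLY_ENT, "POP3", "pop3", peer_checked("pop3"),
         "verify the POP3 server certificate, or require a NIDS collector"),
    Rule(BOTH, "Address book / LDAP", "ldap",
         lambda s: s["ldap_ssl"] and not s["ldap_uses_domain_credentials"],
         "enable SSL and bind with LDAP-specific, not domain, credentials"),
    Rule(ONLY_ENT, "Address book / LDAP", "ldap", peer_checked("ldap"),
         "verify the LDAP server certificate, or require a NIDS collector"),
    Rule(ONLY_SMALL, "FTP Print", "ftp_print", lambda s: s["ftp_auth"],
         "turn on FTP authentication (FTP itself stays clear text)"),
    Rule(ONLY_ENT, "IPP", None, lambda s: not s["ipp"], "disable IPP"),
    Rule(BOTH, "WebDAV Send", "webdav_send", lambda s: s["webdav_auth"],
         "enable authentication for WebDAV shares"),
    Rule(ONLY_ENT, "WebDAV Send", "webdav_send", lambda s: s["webdav_ssl"],
         "enable SSL"),
    Rule(BOTH, "Wireless LAN", "wlan",
         lambda s: s["wlan_security"] in {"WPA-PSK", "WPA2-PSK"},
         "use WPA-PSK/WPA2-PSK with strong passwords"),
]


def audit(settings: dict, environment: str) -> list:
    """Return (feature, advice) for every consideration the snapshot misses.

    Lookups use settings[key], so a snapshot that omits a gate or a setting of
    a feature in use raises KeyError instead of passing silently.
    """
    if environment not in BOTH:
        raise ValueError("unknown environment: %r" % (environment,))
    findings = []
    for rule in RULES:
        if environment not in rule.envs:
            continue
        if rule.gate is not None and not settings[rule.gate]:
            continue  # feature not in use, so its consideration does not apply
        if not rule.ok(settings):
            findings.append((rule.feature, rule.advice))
    return findings


# Constructed snapshot: e-mail send and LDAP lookup in use, nothing hardened yet.
SAMPLE = {
    "remote_ui_http": True, "remote_ui_https": False, "remote_ui_pin": False,
    "snmp_v1": True, "snmp_v3": False, "ipp": True, "nids_present": False,
    "email_send": True, "smtp_ssl": False, "smtp_auth": False,
    "pop_before_smtp": False, "smtp_cert_verify": False,
    "ldap": True, "ldap_ssl": True, "ldap_uses_domain_credentials": True,
    "ldap_cert_verify": False,
    "pop3": False, "ftp_print": False, "webdav_send": False, "wlan": False,
}

if __name__ == "__main__":
    for env in (SMALL, ENT):
        print(env, *("\n  %s: %s" % f for f in audit(SAMPLE, env)))
```

The same snapshot yields different findings per environment: the enterprise profile additionally flags IPP and missing certificate verification, and treats an HTTPS-only Remote UI as still open.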
Remote Device Support
For Canon or a Canon Partner to be able to
provide efficient service, the imageRUNNER
ADVANCE is capable of transmitting service
related data, as well as receiving firmware
updates or software applications. It should
be noted that no image or image metadata
is sent.
Shown below are two possible implementations
of Canon’s remote services within a company
network.
Implementation scenario 1: Dispersed
connection
In this setting, each MFD allows direct
connection to the remote service through
the Internet.
Figure 3 Dispersed connection (diagram labels: Canon Universal Gateway, Canon Remote Services, Internet, Firewall, Client PC, File server, Wireless Access Point, Mobile device: External user, Mobile device: Internal user, Fax, PSTN, Multi-functional device with embedded e-Maintenance, Content Delivery System and Remote Support Operator’s Kit)
Implementation Scenario 2: Centralised Managed Connection
In an enterprise environment scenario, where multiple MFDs are installed, there is a need
to be able to efficiently manage these devices from one central point, and this includes the
connection to Canon’s remote services. To facilitate the holistic management approach,
individual devices would establish management connections through a single iW Management
Console (iWMC) connection point. For communication between the Device Firmware Upgrade
(DFU) plug-in and Multi-Functional Devices, UDP port 47545 is used.
Figure 4 Centralized managed connection (diagram labels: Canon Universal Gateway, Canon Remote Services, Internet, Firewall, General network infrastructure, Client PC, iW MC with supporting plug-ins, Print server, Dedicated Print VLAN, Wireless Access Point, Mobile device: External user, Mobile device: Internal user, Fax, PSTN, Multi-functional devices with embedded Remote Support Operator’s Kit)
e-Maintenance
The e-Maintenance system provides an
automated way of collecting device usage
counters for billing purposes, consumables
management and remote device monitoring
through status and error alerts.
The e-Maintenance system consists of an
Internet facing server (UGW) and either an
embedded Multi-Functional Device software
(eRDS) and/or additional server-based
software (RDS plug-in) to collect device
service related information. The eRDS is a
monitoring program which runs inside the
imageRUNNER ADVANCE. If the monitoring
option is enabled in the device settings, the
eRDS obtains its own device information
and sends it to the UGW. The RDS plug-in is
a monitoring program which is installed in a
general PC, and can monitor 1 to 3000 devices.
It obtains the information from each device
via network and sends it to the UGW.
The table shown on the next page overviews
the data transferred, protocols (depends
upon options selected during the design and
implementation) and ports used. At no point
is any copy, print, scan or fax image data
transferred.
Table 3 E-Maintenance Data Overview
Description | Protocol | Port
--- | --- | ---
Communication between eMaintenance (eRDS or RDS plug-in) and UGW | HTTP | TCP/80
 | HTTPS | TCP/443
 | SMTP | TCP/25
 | POP3 | TCP/110
Communication between eMaintenance and Device (only RDS plug-in, as eRDS is embedded software) | SNMP | UDP/161
 | Canon proprietary | TCP/47546, UDP/47545, TCP/9007
 | SLP | UDP/427
 | SLP | UDP/11427
 | HTTPS | TCP/443
Data Handled:
• UGW web service address
• Proxy server address / port number
• Proxy account / password
• UGW mail destination address
• SMTP server address
• POP server address
• Device status, counter and model information
• Serial number
• Remaining toner/Ink information
• Firmware information
• Repair request information
• Logging information
• Service call
• Service alarm
• Jam
• Environment
• Condition log
Content Delivery System
The Content Delivery System (CDS) establishes
a connection between the MFD and Canon
Universal Gateway (UGW). It provides device
firmware and application updates.
Table 4 Content Delivery System Data Overview
Description | Data Sent | Protocol | Port
--- | --- | --- | ---
Communication between the MFD and UGW | Device serial number; Firmware version; Language; Country; Information relating to the device EULA | HTTP | TCP/80
 | | HTTPS | TCP/443
Communication between the UGW and MFD | Test file (Binary random data) for communication testing; Firmware or MEAP application binary data | HTTP | TCP/80
 | | HTTPS | TCP/443
A specific CDS access URL is pre-set in the device configuration.
If there is a requirement to provide centralised device firmware and application management
from within the infrastructure, a local installation of iWMC with Device Firmware Upgrade
(DFU) plug-in and Device Application Management plug-in will be required.
Remote Support Operator’s Kit
The Remote Support Operator’s Kit (RSOK) provides remote access to the device control
panel. This client-server system consists of a VNC server running on the MFP and the
Remote Operation Viewer, a VNC client application for Microsoft Windows.
Figure 5 Remote Support Operator’s Kit (RSOK) Setup (diagram labels: User, PC with RSOK Viewer VNC client, MFD operating panel accessed via the PC, General network infrastructure, MFD with RSOK enabled (VNC server), MFD Operating Panel)
Table 5 Remote Support Operator’s Kit Data Overview
Description | Data Sent | Protocol | Port
--- | --- | --- | ---
VNC password authentication | User password | DES encryption | 5900
Operation Viewer | Device control panel: screen data, hardware key operation | Version 3.3 RFB protocol | 5900
Appendix
Factory defaults
The tables listed in this section provide an overview of selected key configuration options
available in the imageRUNNER ADVANCE, and the factory defaults for each option. This
information is based on the imageRUNNER ADVANCE C5255i model. For the full list of
configuration options or other models from the imageRUNNER ADVANCE range please refer
to the Settings/Registration table in the relevant device User Manual.
Explanation:
Setting description – This defines the User Mode setting allowing configuration. These
settings are only available to administrators and not accessible to general device users.
Can be set in Remote UI – The imageRUNNER ADVANCE platform provides remote
configuration through a web services interface (Remote UI). This interface provides access
to a number of device configuration settings. It can be disabled if not permitted and
password protected to prevent unauthorised access.
Device Information Delivery Available – Various machine settings can be sent over the network
and automatically applied to other Canon multifunction printers. With this function, a host
machine is designated whose registered information (such as the settings in the
Settings/Registration menu and address lists) is distributed to other client machines,
enabling automated alignment of configuration settings with the host machine.
We recommend that any services not in use are disabled. Please contact your local Canon
representative for further information.
Network table
If you are configuring the settings for the first time in “Interface Settings,” “TCP/IPv4 Settings,”
“TCP/IPv6 Settings,” or “Settings Common to TCP/IPv4 and TCP/IPv6,” use the control panel of the
machine. After configuring the TCP/IP settings, you can change them using the Remote UI.
In the NetWare or AppleTalk network, the TCP/IP protocol must be used to specify the settings with
software other than the control panel of the machine. The setting items are shown below.
Some items can be set using the Remote UI. Use the control panel of the device to set items
which cannot be set using the Remote UI.
*Default Settings
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Item | Setting Description | Can be set in Remote UI
--- | --- | ---
User Data List | Print List | Yes
Confirm Network Connection Set. Changes | On, Off* | No
TCP/IP Settings | |
IPv4 Settings | |
Use IPv4 | On*, Off | Yes
IP Address Settings | IP Address: 0.0.0.0*; Subnet Mask: 0.0.0.0*; Gateway Address: 0.0.0.0*; DHCP: On, Off*; RARP: On, Off*; BOOTP: On, Off* | Yes
PING Command | IP Address: 0.0.0.0* | No
IPv6 Settings | |
Use IPv6 | On, Off* | Yes
Stateless Address Settings | Use Stateless Address: On*, Off | Yes
Manual Address Settings | Use Manual Address: On, Off*; Manual Address: IPv6 Address (39 characters maximum); Prefix Length: 0 to 128 (64*); Default Router Address (39 characters maximum) | Yes
Use DHCPv6 | On, Off* | Yes
PING Command | IPv6 Address: (39 characters maximum) | Yes
Host Name | 48 characters maximum | Yes
DNS Settings | |
DNS Server Address Settings | IPv4: Primary DNS Server: IP Address: 0.0.0.0*; Secondary DNS Server: IP Address: 0.0.0.0* | Yes
 | IPv6: Primary DNS Server: IPv6 Address; Secondary DNS Server: IPv6 Address | Yes
DNS Host/Domain Name Settings | IPv4: Host Name: 47 characters maximum; Domain Name: 47 characters maximum | Yes
 | IPv6: Use Same Host Name/Domain Name as IPv4: On, Off*; Host Name: 47 characters maximum | Yes
DNS Dynamic Update Settings | IPv4: DNS Dynamic Update: On, Off* | Yes
 | IPv6: DNS Dynamic Update: On, Off*; Register Stateless Address: On, Off*; Register Manual Address: On, Off*; Register Stateless Address: On, Off | Yes
WINS Settings | |
WINS Resolution | On, Off* | Yes
WINS Server Address | IP Address: 0.0.0.0* | Yes
Node Type | Auto Set, display only | No
Scope ID | 63 characters maximum | Yes
LPD Print Settings | |
LPD Print Settings | On*, Off | Yes
LPD Banner Page*1 | On, Off* | Yes
RAW Print Settings | |
RAW Print Settings | On*, Off | Yes
Bidirectional Communication | On, Off* | Yes
Item | Setting Description | Can be set in Remote UI
--- | --- | ---
SNTP Settings | |
Use SNTP | On, Off* | Yes
Polling Interval | Interval for performing time synchronization (1 to 48 hours) (24 hours*) | Yes
NTP Server Address | IP address or host name | Yes
Check NTP Server | - | Yes
FTP Print Settings | |
Use FTP Print | On, Off* | Yes
User | User name for FTP server login (24 characters maximum) (guest*) | Yes
Password | Password for FTP server login (24 characters maximum) (7654321*) | Yes
WSD Print Settings | |
Use WSD Print | On*, Off | Yes
Use WSD Browsing | On*, Off | Yes
Use Multicast Discovery | On*, Off | Yes
Use FTP PASV Mode | |
Use FTP PASV Mode | On, Off* | Yes
BMLinkS Settings | |
Use BMLinkS | On, Off* | Yes
Discovery Sending Interval | 30 mins*, 1, 3, 6, 12, 24 hrs | Yes
Location Information | Country / Region | Yes
 | Company/Org. Name, Dept. Name, Bldg. Name, Floor No., Block Name | Yes
IPP Print Settings | |
IPP Print Settings | On*, Off | Yes
Use SSL | On, Off* | Yes
Use Authentication | On, Off* | Yes
User | User name for FTP server login (24 characters maximum) (guest*) | Yes
Password | Password for FTP server login (24 characters maximum) (7654321*) | Yes
Multicast Discovery Settings | |
Response | On*, Off | Yes
Scope name | Scope name to be used for a multicast discovery (32 characters maximum) | Yes
Use HTTP | On*, Off | Yes
Use Web DAV Server | On, Off* | Yes
SSL Settings | Functions using SSL encrypted communications | Yes
Key and Certificate | |
Set as the Default Key | - | Yes
Certificate Details | Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert Thumbprint/Certificate | Yes
Display Use Location | Displays what the key pair is being used for | Yes
Proxy Settings | |
Use proxy | On, Off* | Yes
Server Address | IP address or FQDN (128 characters maximum) | Yes
Port Number | 1 to 65535 (80*) | Yes
Use Proxy within the Same Domain | On, Off* | Yes
Set Authentication | |
Use Proxy Auth. | On, Off* | Yes
User Name | 24 characters maximum | Yes
Password | 24 characters maximum | Yes
Item | Setting Description | Can be set in Remote UI
--- | --- | ---
Confirm Dept. ID PIN | On*, Off | Yes
IPSec Settings | |
Use IPSec | On, Off* | Yes
Receive Non-policy Packets | Allow/Reject | Yes
Edit | | Yes
Delete | | Yes
Policy On, Off | | Yes
Register | |
Policy Name | 24 characters maximum | Yes
Register: Selector Settings | |
 | Local Address: All IP Addresses*/IPv4 Address/IPv6 Address/IPv4 Manual Settings/IPv6 Manual Settings | Yes
 | Remote Address: All IP Addresses*, All IPv4 Address, All IPv6 Address, IPv4 Manual Settings, IPv6 Manual Settings | Yes
 | Port: Specify by Port Number*/Specify by Service Name | Yes
IKE Settings | |
 | IKE mode: Main*/Aggressive | Yes
 | Authentication Method: Pre-Shared Key Method*/Digital sig. Method | Yes
 | Auth./Encryption Algorithm: Auto*/Manual Settings | Yes
IPSec Network Settings | |
 | Validity: Time (1 to 65535 minutes) (480 minutes*) | Yes
 | Validity: Size (1 to 65535 MB) (65535 MB*) | Yes
 | PFS: On, Off* | Yes
 | Auth./Encryption Algorithm: Auto*/Manual Settings | Yes
 | Connect. Mode: Transport, display only | -
NetWare Settings | |
Use NetWare | On, Off* | Yes
Frame Type | Auto Detect*/Ethernet II/Ethernet 802.2/Ethernet 802.3/Ethernet SNAP | Yes
IPX External Network Number | Auto Set, display only | -
Node Number | Auto Set, display only | -
Print Service | Bindery PServer, R Printer, NDS Pserver*, Nprinter | Yes
Packet Signature | Auto Set, display only | -
Bindery Pserver Settings | |
Print Server Name | 47 characters maximum | Yes
File Server Name | 47 characters maximum | Yes
Print Server Password | 20 characters maximum | Yes
Printer Number | 0 to 15 (0*) | Yes
Polling Interval | 1 to 15 seconds (5 seconds*) | Yes
Printer Form | 0 to 255 (0*) | Yes
Buffer Size | 1 to 20 KB (20 KB*) | Yes
Service Mode | Service only currently mounted form/Change forms as needed/Minimize form changes across print queues/Minimize form changes within print queues* | Yes
Rprinter Settings | |
Print ServerName | 47 characters maximum | Yes
File ServerName | 47 characters maximum | Yes
Printer Number | 0 to 15 (0*) | Yes
NDS PServer Settings | |
Print ServerName | 64 characters maximum | Yes
Tree Name | 32 characters maximum | Yes
Context | 256 characters maximum | Yes
Item | Setting Description | Can be set in Remote UI
--- | --- | ---
Print Server Password | 20 characters maximum | Yes
Printer Number | 0 to 254 (0*) | Yes
Polling Interval | 1 to 255 seconds (5 seconds*) | Yes
Printer Form | 0 to 255 (0*) | Yes
Buffer Size | 3 to 20 KB (20 KB*) | Yes
Service Mode | Service only currently mounted form/Change forms as needed/Minimize form changes across print queues/Minimize form changes within print queues* | Yes
NPrinter Settings | |
Print ServerName | 64 characters maximum | Yes
Tree Name | 32 characters maximum | Yes
Context | 256 characters maximum | Yes
Printer Number | 0 to 254 (0*) | Yes
AppleTalk Settings | |
Use Apple Talk | On, Off* | Yes
Phase | Phase 2 (fixing) | -
Service Name | 32 characters maximum | Yes
Zone | 32 characters maximum | Yes
Print Mode | Both*, Spool, Direct | Yes
SMB Server Settings | |
Use SMB Server | On, Off* | Yes
ServerName | 15 characters maximum (Canon+represents the last six digits of a MAC address) | Yes
Workgroup | 15 characters maximum (WORKGROUP*) | Yes
Comment | 48 characters maximum | Yes
LM Announce | On, Off* | Yes
SMB Printer Settings | |
Use SMB Print | On, Off* | Yes
Printer Name | 13 characters maximum (PRINTER) | Yes
SMB Auth. Settings | |
Use SMB Authentication | On, Off* | Yes
Authentication Type | NTLMv1*, NTLMv2* | Yes
Get Printer Mgmt Info from Host | On, Off* | Yes
SNMP Settings | |
Use SNMPv1 | On*, Off | Yes
Dedicated Community Settings | |
Dedicated Community | On*, Off |
MIB Access Permission | Read/write, Read Only |
Community Name1 Settings | |
Community Name1 | On*, Off | Yes
MIB Access Permission | Read/Write/Read Only* | Yes
Community Name | Community Name (32 characters maximum) (public*) | Yes
Community Name2 Settings | |
Community Name2 | On, Off* | Yes
MIB Access Permission | Read/Write/Read Only* | Yes
Community Name | Community Name (32 characters maximum) (public2*) | Yes
Use SNMPv3 | On, Off* | Yes
User Settings | |
User On, Off | - | Yes
Register | User/MIB Access Permission/Security Settings/Authent. Algorithm/Authent. Password/Encryption Algorithm/Encryption Password | Yes
Details/Edit | User/MIB Access Permission/Security Settings/Authent. Algorithm/Authent. Password/Encryption Algorithm/Encryption Password | Yes
Item | Setting Description | Can be set in Remote UI
--- | --- | ---
Delete | - | Yes
Context Settings | Context Name (32 characters maximum) |
Register | Context Name (32 characters maximum) | Yes
Edit | - | Yes
Delete | | Yes
Dedicated Port Settings | |
Dedicated Port Settings | On*, Off | Yes
Use Spool Function | |
Use Spool Function | On, Off* | Yes
Startup Settings | |
Startup Settings | 30 to 300 seconds (30*) | Yes
Ethernet Driver Settings | |
Auto Detect | On*, Off | Yes
Communication Mode | Half Duplex*/Full Duplex | Yes
Ethernet Type | 10 Base-T*, 100 Base-TX, 1000 Base-T | Yes
MAC Address | Display only | -
IEEE802.1X Settings | |
Use IEEE802.1X | On, Off* | Yes
User | Name of the user to be authenticated with IEEE802.1X authentication | Yes
Password | Password of the user to be authenticated with IEEE802.1X authentication | Yes
TLS Settings | |
Use TLS | On, Off* | Yes
Key and Certificate | |
Set as the Default Key | - | Yes
Certificate Details | Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate | Yes
Display Use Location | Displays what the key pair is being used for. | Yes
TTLS Settings | |
Use TTL | Use TTL On, Off* | Yes
TTLS Settings | MSCHAPv2*, PAP | Yes
PEAP Settings | |
Use PEAP | On, Off* | Yes
Same User Name as Login Name | - | Yes
User Name | 24 characters maximum | Yes
Password | 24 characters maximum | Yes
 | - | Yes
Firewall Settings | |
IPv4 Address Filter | |
Send Filter | |
Use Filter | On, Off* | Yes
Default Policy | Allow/Reject | Yes
IPv4 Address | Up to 16 IPv4 addresses can be stored. | Yes
Receive Filter | |
Use Filter | On, Off* | Yes
Default Policy | Allow/Reject | Yes
IPv4 Address | Up to 16 IPv4 addresses can be stored. | Yes
IPv6 Address Filter | |
Send Filter | |
Use Filter | On, Off* | Yes
Default Policy | Allow/Reject | Yes
IPv6 Address | Up to 16 IPv4 addresses can be stored. | Yes
Item | Setting Description | Can be set in Remote UI
--- | --- | ---
Receive Filter | |
Use Filter | On, Off* | Yes
Default Policy | Allow/Reject | Yes
IPv6 Address | Up to 16 IPv4 addresses can be stored. | Yes
MAC Address Filter | |
Send Filter | |
Use Filter | On, Off* | Yes
Default Policy | Allow/Reject | Yes
MAC Address | Up to 100 IPv4 addresses can be stored. | Yes
Receive Filter | |
Use Filter | On, Off* | Yes
Default Policy | Allow/Reject | Yes
MAC Address | Up to 100 IPv4 addresses can be stored. | Yes
IP Address Block Log | Time, Category, IP Address, Result | Yes
External Interface
* Default Settings
Item | Setting Description | Device Information Delivery Available
--- | --- | ---
USB Settings | |
Use USB Device | On*, Off | Yes
Use USB Host | On*, Off | Yes
Use MEAP Driver for USB Device | On*, Off | Yes
Use MEAP Driver for USB External Drive | On*, Off | Yes
Send
* Default Settings
*1 Indicates items that appear only when the appropriate optional equipment is attached.
*4 Indicates item that appears only if the Super G3 2nd Line Fax Board is installed in addition
to installing the Super G3 FAX Board.
*5 Indicates item that appears only if the Super G3 3rd/4th Line Fax Board is installed in
addition to installing the Super G3 FAX Board
Item | Setting Description | Device Information Delivery Available
--- | --- | ---
Output Report | |
TX/RX User Data List | Print | No
Fax User Data List*1 | Print | No
Common Settings | |
Register Favourite Settings / Edit Favourite Settings | Register/Edit, Delete (M1 to M18), Check Content | Yes
Display Confirmation for Favourite Settings | On, Off* | Yes
Show Comment | On*, Off | No
Change Default Screen | Standard*, Address Book, One-touch, Favourite Settings | No
Change Default Settings | Register, Initialize | No
Register [Options] Shortcuts | |
Shortcut 1 | 2-Sided*, No Settings | No
Shortcut 2 | Different Size Originals*, No Settings | No
TX Report | For Error Only*, On, Off | Yes
Report with TX Image | On*, Off | Yes
Report with Colour TX Image | On, Off* | Yes
Item | Setting Description | Device Information Delivery Available
--- | --- | ---
Communication Activity Report | |
Auto Print (100 Transmissions) | On*, Off | Yes
Specify Print Time | On, Off* | Yes
Timer Setting | 00:00 to 23:59 (00:00*) | Yes
Send/Receive Separate | On, Off* | Yes
TX Terminal ID | Print*, Do Not Print | Yes
 | Printing Position: Inside, Outside*; Display Destination Unit Name: On*, Off; Telephone # Mark*1: Fax*, TEL | Yes
Delete Failed TX Jobs | On*, Off | Yes
Retry Times | 0 to 5 times (3 times*) | Yes
Data Compression Ratio | Compact, Normal*, Low Ratio | Yes
YCbCr TX Gamma Value | Gamma 1.0, Gamma 1.4, Gamma 1.8*, Gamma 2.2 | Yes
Use Chunked Encoding with WebDAV Sending | On*, Off | Yes
Limit New Destinations | |
Fax | On, Off* | Yes
E-mail | On, Off* | Yes
I-Fax | On, Off* | Yes
File | On, Off* | Yes
Always Add Device Signature to Send*1 | On, Off* | Yes
Restrict File Formats | On, Off* | Yes
E-mail/Ifax Settings | |
Register Unit Name | 24 characters maximum | No
Communication Settings | |
SMTP Receive | On*, Off | Yes
POP | On*, Off | Yes
SMTP Server | Server name or IP Address (48 characters maximum) | No
E-mail Address | 64 characters maximum | No
POP Server | Server name or IP Address (48 characters maximum) | No
POP Address | 32 characters maximum | No
POP Password | 32 characters maximum | No
POP Interval | 0* to 99 (If the interval is set to ‘0’, the incoming e-mail is not checked automatically.) | No
POP AUTH Method | Standard*/APOP/POP AUTH | Yes
POP Authentication before Sending | On, Off* | No
SMTP Authentication (SMTP AUTH) | On, Off* | No
User | User name for SMTP authentication (64 characters maximum) | No
Password | Password for SMTP authentication (32 characters maximum) | No
Allow SSL(POP) | On, Off* | No
Display Auth. Screen When Send | On*, Off | No
Allow SSL(SMTP Receive) | Always SSL, On, Off* | No
Maximum Data Size for Sending | 0 = (Off)/1 to 99 MB (3 MB*) | Yes
Default Subject | 40 characters maximum (Attached Image*) | Yes
Use SMTP Authentication for Each User | On*, Off | No
Specify Authentication User Dest. to Reply | On, Off* | No
Set Authorized User Destination to Sender | On*, Off | No
Allow Sending to Unregistered Destinations | On, Off* | Yes
Full Mode TX Timeout | 1 to 99 hours (24 hours*) | Yes
Item | Setting Description | Device Information Delivery Available
--- | --- | ---
Print MDN/DSN upon Receipt | On, Off* | Yes
Use Send via Server | On, Off* | Yes
Allow MDN Not via Server | On*, Off | Yes
Restrict TX Destination Domain | |
Restrict TX Destination Domains | On, Off* | Yes
Permitted Domains | Register, Details/Edit, Delete | No
Autocomplete for Entering E-mail Addresses | On*, Off | Yes
Fax Settings | |
Default Screen | Standard*, Address Book | No
Change Default Settings | Register, Initialize | No
Register [Options] Shortcuts | |
Shortcut 1 | Density*, No Settings | No
Shortcut 2 | Original Type*, No Settings | No
Shortcut 3 | 2-Sided Original*, No Settings | No
Shortcut 4 | Different Size Originals*, No Settings | No
Register Sender Name (TTI) | 01 to 99: Register/Edit, Delete | No
Off-Hook Alarm | On*, Off | No
ECM TX | On*, Off | Yes
Set Pause Time | 1 to 15 seconds (2 seconds*) | Yes
Auto Redial | On, Off | Yes
Redial Times | 1 to 15 times (2 times*) | Yes
Redial Interval | 2 to 99 minutes (2 minutes*) | Yes
Redial When TX Error | Error and 1st page*, All pages, Off | Yes
Check Dial Tone Before Sending | On*, Off | Yes
Fax TX Report | For Error Only*, On, Off | Yes
Report with TX Image | On*, Off | Yes
Fax Activity Report | |
Auto Print (40 Transmissions) | On*, Off | Yes
Specify Print Time | On, Off* | Yes
Timer Setting | 00:00 to 23:59 (00:00*) | Yes
Send/Receive Separate | On, Off* | Yes
Set Line | |
Register User Telephone No. | 20 digits maximum | No
Register Unit Name | 24 characters maximum | No
Select Line Type | Pulse, Tone* | No
Line (2 to 8) | If the Super G3 FAX Board and Super G3 2nd Line Fax Board are installed: Line 2 | No
 | If the Super G3 FAX Board, Super G3 2nd Line Fax Board, and Super G3 3rd/4th Line Fax Board are installed: Line 2, Line 3, Line 4 | No
Select TX Line | If the Super G3 FAX Board is installed: Line 1: Priority TX, Prohibit TX* | No
 | If the Super G3 FAX Board and Super G3 2nd Line Fax Board are installed: Line 1: Priority TX, Prohibit TX*; Line 2: Priority TX, Prohibit TX | No
 | If the Super G3 FAX Board, Super G3 2nd Line Fax Board, and Super G3 3rd/4th Line Fax Board are installed: Line 1: Priority TX, Prohibit TX*; Line 2: Priority TX, Prohibit TX; Line 3: Priority TX, Prohibit TX; Line 4: Priority TX, Prohibit TX | No
TX Start Speed | 33600 bps*, 14400 bps, 9600 bps, 7200 bps, 4800 bps, 2400 bps | Yes
FIS Switch | On, Off* | Yes
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| | On, Off* | Yes |
| Line1 | On, Off* | Yes |
| Line2*8 | On, Off* | Yes |
| Line3*9 | On, Off* | Yes |
| Line4*9 | On, Off* | Yes |
| Confirm Entered Fax Numbers | On, Off* | Yes |
| Allow Fax Driver TX | On*, Off | Yes |
| Remote Fax Server Address | Host name or the IP address (48 characters maximum) | No |
| TX Timeout | 1 to 99 hours (24 hours*) | Yes |
| Select TX Line | 1 to 4 Line (1*) | No |
| Select Priority Line | Auto*, Line1, Line2*10, Line3*10, Line4*10 | No |
| | On*, Off | Yes |
PIN Code Access
Remote Fax TX Settings
Remote Fax Settings
Use Remote Fax
Receive/Forward
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
*7 Indicates item that is not delivered as device information. Receive Type, Details/Edit,
Delete, Print List, E-Mail Priority
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| TX/RX User Data List | Print | No |
| Fax User Data List*1 | Print | No |
| | On, Off* | Yes |
| SwitchA | On*, Off | Yes |
| SwitchB | On*, Off | Yes |
| SwitchC | On*, Off | Yes |
| SwitchD | On*, Off | Yes |
| | On*, Off | Yes |
| | On • Reduction Mode: Auto*, Fixed • Reduction %: 75 to 97% (90%*) • Reduction Direction: Vertical & Horizontal, Vertical Only* | Yes |
| 2 On 1 Log | On, Off* | Yes |
| Received Page Footer | On, Off* | Yes |
| YCbCr RX Gamma Value | Gamma 1.0, Gamma 1.4, Gamma 1.8*, Gamma 2.2 | Yes |
| Handle Files with Forwarding Errors | Always Print, Store/Print, Off* | Yes |
| Forwarding Settings | Receive Type, Validate/Invalidate, Register (Registered Forwarding Settings), Forward w/o Conditions, E-Mail Priority, Details/Edit, Delete, Print List | Yes*11 |
| Set/Register Confidential Fax Inboxes | 00 to 49 | Yes |
| Register Box Name: | 24 characters maximum | Yes |
| PIN | Seven digits maximum | Yes |
| URL Send Settings | - | Yes |
| Initialize | - | No |
| | Seven digit number | No |
Output Report
Common Settings
Print on Both Sides
Select Drawer
Reduce Fax RX Size
Receive Tray Settings
Set Fax/I-Fax Inbox
Memory RX Inbox PIN
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Use Fax Memory Lock*1 | On, Off* | Yes |
| Use I-Fax Memory Lock | On, Off* | Yes |
| Memory Lock Start Time | Every day, Select Days, Off* | Yes |
| Memory Lock End Time | Every day, Select Days, Off* | Yes |
| Divided Data RX Timeout | 0 to 99 hours (24 hours*) | Yes |
| | *On, Off | Yes |
| | *On, Off | Yes |
| | Auto RX*, Fax/Tel Auto Switch | Yes |
| Fax/Tel Auto Switch | • Ring Start Time: 0 to 30 sec (8 sec*) • Ring Time: 15 to 300 sec (17 sec*) • F/T Switch Action: End, Receive* • Outgoing Message: On, Off* | Yes |
| | On, Off* | No |
| | On • Remote RX ID: 00 to 99 (25*) | No |
| | On, Off* | Yes |
| RX Manual/Auto Switch | On • F/T Ring Time: 1 to 99 sec (15 sec*) | Yes |
| Fax RX Report | For Error Only, On, Off* | Yes |
| Confidential Fax Inbox RX Report | On*, Off | Yes |
| Receive Start Speed | 33600 bps*, 14400 bps, 9600 bps, 7200 bps, 4800 bps, 2400 bps | Yes |
| Receive Password | 20 digits maximum | No |
Always Send Notice for RX Errors
Fax Settings*1
ECM RX
Select RX Mode
Remote RX
Set Number Display
Yes
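| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Line1*1 | On, Off* | Yes |
| Line2*1 | On, Off* | Yes |
| Line3*1 | On, Off* | Yes |
| Line4*1 | On, Off* | Yes |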
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Register/Edit Favorite Settings | Register/Edit, Delete (Up to 9 Set Keys), Check Content | No |
| Change Default Settings | Register, Initialize | No |
| Register/Edit Favorite Settings | Register/Edit, Delete (Up to 9 Set Keys), Check Content | No |
| Change Default Settings | Register, Initialize | No |
| Mail Box No. | 00 to 99 | No |
| Register Box Name | 24 characters maximum | Yes |
| PIN | Seven digits | Yes |
| Time Until Document Auto Delete | 0 (Off), 1, 2, 3*, 6, 12 hours, 1, 2, 3, 7, 30 days | No |
| URL Send Settings | - | Yes |
| Print upon Storing from Printer Driver | On, Off* | Yes |
| Initialize | - | No |
Store/Access Files
* Default Setting
Item
Common Settings
Scan and Store Settings
Settings of Access Stored File
Mail Box Settings
Mail Box Settings
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Time Until Document Auto Delete | 0 (Off), 1, 2, 3*, 6, 12 hours, 1, 2, 3, 7, 30 days | No |
| Print upon Storing from Printer Driver | On, Off* | No |
| Limit Box PIN to 7 Digits/Restrict Access | On, Off* | Yes |
| Disp. Print When Storing from Printer Driver | On*, Off | Yes |
| Open to Public | By SMB, By WebDAV, Off* | Yes |
| Allow to Create Personal Space | On*, Off | Yes |
| Authentication Type | Basic, Off* | Yes |
Use SSL
Settings for All Mail Boxes
Box Security Settings
Advanced Box Settings
WebDAV Server Settings
On, Off*
Yes
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Delete All Personal Spaces | Delete | No |
| Initialize Shared Space | Initialize | No |
| Prohibit Writing from External | On*, Off | Yes |
| Authentication Management | On, Off* | Yes |
| File Formats Allowed for Storing | Printable Formats Only, Common Office Formats, All | Yes |
| | Register, Details, Delete | No |
| SMB | On*, Off | No |
| WebDAV | On*, Off | No |
| Use Scan Function | On*, Off | Yes |
| Use Print Function | On*, Off | Yes |
Network Settings
Network Place Settings
Protocol for External Reference
Memory Media Settings
Use Scan/Print Function
Encrypted Secure Print
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Only Allow Encrypted Print Jobs*1 | On, Off* | Yes |
Set Destination
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
Item
Address List
Setting Description
Device Information
Delivery Available
Address Book 1 to 10, One-touch
No
Print List: Print
No
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Register Destinations | Register New Dest., Details/Edit, Delete, Search by Name | Yes |
| Register Address List Name | Register Name | Yes |
| Register One-touch | Register/Edit, Delete | Yes |
| Change Default Display of Address Book | Local*, LDAP Server, Remote | No |
| Address Book PIN | Seven digit number | Yes |
| Manage Address Book Access Number | On, Off* | Yes |
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Require Password for Exporting Address Book | On*, Off | Yes |
| Register LDAP Server | Receive Type, Validate/Invalidate, Register, Details/Edit, Delete, Forward w/o Conditions, Print List, E-Mail Priority | No |
| Auto Search When Using LDAP Server | On*, Off | Yes |
| Acquire Address Book | On, Off* | Yes |
| Remote Address Book Server Address | IP Address or Host Name (128 characters maximum) | No |
| Communication Timeout | 15 to 120 seconds (30 seconds*) | Yes |
| Fax TX Line Auto Select Adjustment | On*, Off | Yes |
| | On, Off* | Yes |
Acquire Remote Address Book
Make Remote Address Book Open
Make Remote Address Book Open
Management Settings/User Management
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| System Manager ID | Seven digit number maximum (7654321*) | Yes |
| System PIN | Seven digit number maximum (7654321*) | Yes |
| System Manager | 32 characters maximum | Yes |
| E-Mail Address | 64 characters maximum | Yes |
| Contact Information | 32 characters maximum | Yes |
| Comment | 32 characters maximum | Yes |
| Department ID Management | On, Off* | Yes |
| Register PIN | Register, Edit, Delete, Limit Functions | Yes |
| Page Totals | Clear, Print List, Clear All Totals, Large2 Count Management | No |
| Allow Printer Jobs With Unknown IDs | On*, Off | Yes |
| Allow Remote Scan Jobs With Unknown IDs | On*, Off | Yes |
| Allow Black Copy/Mail Box Print Jobs | On, Off* | Yes |
| Allow Black Printer Jobs | On, Off* | Yes |
System Manager Information Settings
Department ID Management
Management Settings/Device Management
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Device Name | 32 characters maximum | No |
| Location | 32 characters maximum | No |
Device Information Settings
Device Information Delivery Settings
Auto Search/Register, Register, Details, Delete, Print List
Register Destinations
Auto Search/Register
• List
• Select All
• Search Depth (Router): 1 to 8
• Display Host Name: On, Off
• Start Auto Search
Item
Setting Description
Set Auto Delivery
Device Information
Delivery Available
Every day, Specify Days, Off*
Settings/Registration Value
On, Off*
Network Settings: Include, Exclude
Dept. ID
On, Off*
Address Book
On, Off*
Web Access Favorites
On, Off*
Printer Settings
On, Off*
Paper Information
On, Off*
Workflow Composer
On, Off*
Manual Delivery
Settings/Registration Value
On, Off*
Network Settings: Include, Exclude
Dept. ID
On, Off*
Address Book
On, Off*
Web Access Favorites
On, Off*
Printer Settings
On, Off*
Paper Information
On, Off*
Workflow Composer
On, Off*
Restrictions for Receiving Device Info.
On*, Off
Restore Data
Settings/Registration Value, Dept. ID, Address Book, Printer Settings, Paper Information
Receive Restriction for Each Function
Settings/Registration Value
On*, Off
Dept. ID
On*, Off
Address Book
On*, Off
Web Access Favorites
On*, Off
Printer Settings
On*, Off
Paper Information
On*, Off
Workflow Composer
On*, Off
Details, Print List, Report Settings
Report Settings
• Auto Print (100 transmissions): On*, Off
Communication Log
• Specify Print Time: On, Off*
• 00:00* to 23:59
• Separate Report Type: On, Off*
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Limited Functions Mode | On, Off* | No |
| Limit Functions When Security Key is Off* | Partial Functions*, All Functions | Yes |
| Confirm Device Signature Certificate | Certificate Details: Certificate | No |
| Check User Signature Certificate | Certificate Details: Certificate | No |
Certificate Settings
Generate Key
Generate Network Communication Key
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Key Name | 24 characters maximum | No |
| Signature Algorithm | SHA1*, SHA256, SHA384, SHA512 | No |
| Key Algorithm | RSA, Display only | No |
| Key Length (bit) | 512*, 1024, 2048, 4096 | No |
| Start Date of Validity | Month, Date, Year (2000/01/01-2037/12/31) | No |
| End Date of Validity | Month, Date, Year (2000/01/01-2037/12/31) | No |
| Country/Region | Country/Region name and code (2 characters maximum) | No |
| State | 24 characters maximum | No |
| City | 24 characters maximum | No |
| Organization | 24 characters maximum | No |
| Organization Unit | 24 characters maximum | No |
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Common Name | IP address or FQDN (41 characters maximum) | No |
| Generate/Update Device Signature Key | - | No |
Key and Certificate List: Key and Certificate List for this Machine Editing Key Pairs and Server Certificates Confirming a Key Pair and Device Certificate
Certificate Details
Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate
Delete
-
Display Use Location
Displays what the key pair is being used for
No
No
Certificate Settings: Key and Certificate List: Key and Certificate List for Users*
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Certificate Details | Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate | No |
| Delete | - | No |
| Certificate Details | Version/Serial Number/Signature Algorithm/Issue Destination/Start Date of Validity/End Date of Validity/Issuer/Public Key/Cert. Thumbprint/Certificate | No |
| Delete | - | No |
Certificate Settings: CA Certificate List
Certificate Settings: Register Key and Certificate
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Register | Key Name (24 characters maximum) Password (24 characters maximum) | No |
| Delete | - | No |
| Display Asterisks For Confidential Info. | On*, Off | Yes |
| Display Status Before Authentication | On*, Off | No |
| | On*, Off | No |
| Display Log | On • Obtain Job Log From Management Software: Permit, Do Not Allow* | No |
| Audit Log Retrieval | On, Off* | No |
| Format Encryption Method to FIPS 140-2 | On, Off* | No |
Management Settings: License and other
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Register License | 24 characters maximum | No |
| Print System Information | Print | No |
| Use SSL | On, Off* | No |
MEAP Settings
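| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Remote UI | On*, Off | Yes |
| Use SSL | On, Off* | No |
| Use Reference Print | On, Off* | Yes |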
Clear
No
Delete Message Board Contents
Remote Operation Settings
On, Off*
On: Password (Max 8 characters)
No
Register/Update Software
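| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Install Applications/Options | License Access Number (4 digits at a time.) | No |
| Select Log Display | Display Update Logs, Display System Logs | No |
| Test Communication | - | No |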
Software Management Settings
Management Settings: Data management
* Default Setting
*1 Indicates items that appear only when the appropriate optional equipment is attached.
| Item | Setting Description | Device Information Delivery Available |
| --- | --- | --- |
| Timing of Deletion | During Job*, After Job | No |
| Deletion Mode | Overwrite Once With 0 (Null) Data*, Overwrite 1 Time With Random Data, Overwrite 3 Times With Random Data, DOD Standard | No |
| Initialize All Data/Settings | License cannot be reused | No |
| TPM Settings | Backup TPM Key, Restore TPM Key | No |
HDD Data Complete Deletion*