Konica Minolta bizhub 367 User manual

Security Operations
2016. 3
Ver. 1.02
367/287/227
User’s Guide

bizhub 367/287/227 Contents-1
Contents
1 Security
1.1 Introduction ... 1-2
Compliance with the ISO15408 Standard ... 1-2
Operating Precautions ... 1-2
INSTALLATION CHECKLIST ... 1-3
1.2 Security Functions ... 1-6
Check Count Clear Conditions ... 1-6
1.3 Precautions for Operation Control ... 1-8
Roles of the Owner of the Machine ... 1-8
Roles and Requirements of the Administrator of the machine ... 1-8
Password Usage Requirements ... 1-8
External authentication server control requirements ... 1-9
Security function operation setting operating requirements ... 1-9
Operation and control of the machine ... 1-9
Machine Maintenance Control ... 1-11
Precautions for using the printer driver ... 1-11
1.4 Miscellaneous ... 1-12
Password Rules ... 1-12
Precautions for Use of Various Types of Applications ... 1-12
Encrypting communications ... 1-13
Print functions ... 1-13
IPP printing ... 1-13
Items of Data Cleared by Overwrite All Data Function ... 1-14
Fax functions ... 1-15
USB keyboard ... 1-15
Different types of boxes ... 1-15
Hardware and software used in the machine ... 1-15
Firmware integrity verification function ... 1-16
IPsec setting ... 1-16
CS Remote Care function ... 1-16
Terminating a Session and Logging out ... 1-16
Authentication error during external server authentication ... 1-17
2 Administrator Operations
2.1 Accessing the Administrator Settings ... 2-2
2.1.1 Accessing the Administrator Settings ... 2-2
2.1.2 Accessing the User Mode ... 2-4
2.2 Enhancing the Security Function ... 2-8
2.2.1 Items cleared by HDD Format ... 2-10
2.2.2 Setting the Password Rules ... 2-11
2.2.3 Setting the Enhanced Security Mode ... 2-13
2.3 Preventing Unauthorized Access ... 2-16
Setting Prohibited Functions When Authentication Error ... 2-16
2.4 Canceling the Operation Prohibited State ... 2-18
Performing Release Setting ... 2-18
2.5 Setting the Authentication Method ... 2-20
2.5.1 Setting the Authentication Method ... 2-20
2.5.2 Setting the External Server ... 2-23
2.6 ID & Print Setting Function ... 2-26
Setting ID & Print ... 2-26
2.7 System Auto Reset Function ... 2-28
Setting the System Auto Reset function ... 2-28
2.8 User Setting Function ... 2-30
Making user setting ... 2-31
2.9 Account Track Setting Function ... 2-36
Making account setting ... 2-36
2.10 User Box Function ... 2-41
2.10.1 Setting the User Box ... 2-41
2.10.2 Changing the user/account attributes and box password ... 2-46
2.10.3 Setting Memory RX ... 2-51
2.11 Changing the Administrator Password ... 2-54
Changing the Administrator Password ... 2-54
2.12 Protecting Data in the HDD ... 2-57
2.12.1 Setting the Encryption Key (encryption word) ... 2-57
2.12.2 Changing the Encryption Key ... 2-61
2.12.3 Setting the Overwrite HDD Data ... 2-63
2.13 Overwrite All Data Function ... 2-65
Setting the Overwrite All Data function ... 2-65
2.14 Obtaining Job Log ... 2-68
2.14.1 Obtaining and deleting a Job Log ... 2-68
2.14.2 Downloading the Job Log data ... 2-70
Job Log data ... 2-72
2.15 Setting time/date in machine ... 2-79
2.15.1 Setting time/date ... 2-79
2.15.2 Setting daylight saving time ... 2-82
2.16 SSL Setting Function ... 2-84
2.16.1 Device Certificate Setting ... 2-84
2.16.2 SSL Setting ... 2-86
2.16.3 Removing a Certificate ... 2-87
2.17 TCP/IP Setting Function ... 2-88
2.17.1 Setting the IP Address ... 2-88
2.17.2 Registering the DNS Server ... 2-89
2.18 AppleTalk Setting Function ... 2-90
Making the AppleTalk Setting ... 2-90
2.19 E-Mail Setting Function ... 2-91
Setting the SMTP Server (E-Mail Server) ... 2-91
3 User Operations
3.1 User Authentication Function ... 3-2
3.1.1 Performing user authentication ... 3-2
3.1.2 Accessing the ID & Print Document ... 3-7
3.2 Change Password Function ... 3-9
Performing Change Password ... 3-9
3.3 Secure Print Function ... 3-12
Accessing the Secure Print Document ... 3-12
3.4 User Box Function ... 3-15
3.4.1 Setting the User Box ... 3-15
3.4.2 Changing the user/account attributes and box password ... 3-20
3.4.3 Accessing the User Box and User Box file ... 3-26
4 Application Software
4.1 Data Administrator ... 4-2
4.1.1 Accessing from Data Administrator ... 4-2
4.1.2 Setting the user authentication method ... 4-5
4.1.3 Changing the authentication mode ... 4-6
4.1.4 Making the user settings ... 4-8
4.1.5 Making the account settings ... 4-9
4.1.6 DNS Server Setting Function ... 4-10
4.1.7 AppleTalk Setting Function ... 4-11
4.1.8 E-Mail Setting Function ... 4-12

1 Security
1.1 Introduction
Thank you for purchasing our product.
This User's Guide contains the operating procedures and precautions to be used when using the security functions offered by the bizhub 367/287/227 machine. To ensure the best possible performance and effective use of the machine, read this manual thoroughly before using the security functions. The administrator of the machine should keep this manual for ready reference. The manual should be of great help in finding solutions to operating problems and questions.
This User's Guide (version 1.02) covers the following.
Model name: bizhub 367/bizhub 287/bizhub 227/bizhub 136DN/bizhub 128DN/bizhub 122DN/ineo 367/ineo 287/ineo 227/Sindoh N502/Sindoh N501/Sindoh N500/Sindoh MF3091/Sindoh MF2101/Sindoh MF2041/Sindoh N512/Sindoh N511/Sindoh N510/Sindoh N517/Sindoh N516/Sindoh N515
Version: G00-27
For any query, request, or opinion concerning the machine, please contact the dealer from which you purchased your machine or your Service Representative.
Any notice concerning this machine will be given in writing by the dealer from which you purchased your machine or by your Service Representative.

Compliance with the ISO15408 Standard
When the Enhanced Security Mode on this machine is set to [ON], more enhanced security functions are available.
This machine offers the security functions that comply with ISO/IEC15408 (level: EAL2) and the U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std 2600.2™-2009).

Operating Precautions
The machine gives an alarm message or an alarm sound (peep) when a wrong operation is performed or a wrong entry is made during operation of the machine. (No "peep" alarm sound is issued if a specific sound setting in Sound Setting of Accessibility Setting is set to [OFF].) If the alarm message or alarm sound is given, perform the correct operation or make the correct entry according to the instructions given by the message or other means.
The administrator of the machine should exit from the current mode to return to the basic screen whenever the access to that mode is completed or if he or she leaves the machine with the mode screen left displayed.
The administrator of the machine should make sure that each individual general user exits from the current mode to return to the basic screen whenever the access to that mode is completed or if the user leaves the machine with the mode screen left displayed.
If an error message appears during operation of the machine, perform steps as instructed by the message. For details of the error messages, refer to the User's Guide furnished with the machine. If the error cannot be remedied, contact your service representative.
The Web Connection functions can be used only if the setting is made to accept "Cookie."

INSTALLATION CHECKLIST
This Installation Checklist contains items that are to be checked by the Service Engineer installing this machine. The Service Engineer should check the following items, then explain each checked item to the administrator of the machine.
To Service Engineer
Make sure that each of these items is properly carried out by checking the box on the right of each item.

1. Perform the following steps before installing this machine.
- Check with the administrator to determine if the security functions of this machine should be enhanced. If the functions should be enhanced, check the following. If the security functions are not to be enhanced, quit the operation without checking the following.
- Before installing the machine, check with the administrator of the machine to determine if the following is confirmed.
  • Whether the Service Engineer has been informed that the unpacking procedure is to be performed by the Service Engineer in the presence of the administrator of the machine.
  • Whether the machine has been under the control of the administrator of the machine with a check made to ensure that evidently the machine has not been unpacked or used.
  The Service Engineer should obtain the administrator's consent to the performance of this item.
  If the machine has been unpacked, check with the administrator that it was the administrator who unpacked the machine and that nobody but the administrator has gained access to the machine after the unpacking. Then, obtain the administrator's consent to the performance of the installation procedure for the unpacked machine before attempting to start the procedure. If the administrator's consent cannot be obtained, call the dealer.
- I swear that I would never disclose information as it relates to the settings of this machine to anybody, or perform malicious or intentional act during setup and service procedures for the machine.
- When giving a copy of the User's Guide, explain the following to the administrator:
  • A digital signature is assigned to the data certified by ISO15408. To ensure integrity of the file, have the administrator of the machine confirm the digital signature using the property of the provided data file in the user's PC environment.
    Confirm the digital signature as follows.
    Right click the provided exe file to display the property screen.
    Select [Digital Signatures] - [Details] - [General], and check that Konica Minolta, Inc. is displayed in the Name of signer field.
    Select [View Certificate] - [General]. Then, check that the signing time is within the validity period of the certificate and that the certificate has been issued by a reliable certification authority.
    Write down the serial number shown in [View Certificate] - [Details]. Access the URL for CRL Distribution Points and confirm that the serial number is not shown in [Revocation List]. For confirmation, the Internet environment is required.
  • Two versions are available, the HTML version and User's Guide Security Operations (this User's Guide).
  • This User's Guide must first be read and the conditions described in this User's Guide take precedence over the HTML version.
  • If the security functions of the machine are to be enhanced, the machine and its surrounding environment should be set up and operated according to this User's Guide.
- Refer to the Service Manual and perform the required installation and setup steps. During the installation and setup procedure, make sure that no unnecessary parts are mounted on the machine and have the administrator of the machine confirm that no unnecessary parts are mounted on the machine.
  • Have the administrator check the cover of the Service Manual to be referred to and confirm that it is for bizhub 367/bizhub 287/bizhub 227/bizhub 136DN/bizhub 128DN/bizhub 122DN/ineo 367/ineo 287/ineo 227/Sindoh N502/Sindoh N501/Sindoh N500/Sindoh MF3091/Sindoh MF2101/Sindoh MF2041/Sindoh N512/Sindoh N511/Sindoh N510/Sindoh N517/Sindoh N516/Sindoh N515 (Version: G00-27). Explain to the administrator that the following settings must be performed referring to the manuals above.
  • The Service Engineer must have the administrator confirm that the digital signature is assigned to the firmware and the version of the firmware to be updated is the one that is written on the Service Manual.
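
The digital-signature confirmation described in step 1 can also be run from PowerShell on the administrator's Windows PC. The function below is an added example, not part of the original guide or of any Konica Minolta tooling; the function name, the result field names and the sample path are assumptions. It does not read the signing time, which still has to be compared with the certificate dates in the property dialog.

```powershell
# Added example (not from the guide). Assumes Windows PowerShell 5.1 or later.
# Function name, result fields and the sample path are illustrative only.
using namespace System.Security.Cryptography.X509Certificates

function Test-ProvidedFileSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # "Name of signer" the checklist tells the administrator to look for.
        [string] $ExpectedSigner = 'Konica Minolta, Inc.'
    )

    # [Digital Signatures] - [Details]: Windows checks the file hash and signature.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) {
        throw "No digital signature found on '$Path' (status: $($sig.Status))."
    }

    $signer = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
    $issuer = $cert.GetNameInfo([X509NameType]::SimpleName, $true)

    # [View Certificate] - [Details]: CRL Distribution Points (extension OID
    # 2.5.29.31), reported for the manual comparison against the Revocation List.
    $crlExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlDp  = if ($crlExt) { $crlExt.Format($false) } else { '(not present in certificate)' }

    # Automated revocation check over the whole chain; needs Internet access.
    # Expiry is ignored here so that a certificate that has expired since the
    # file was signed is not reported as a chain failure. The certificate dates
    # are returned below for comparison with the signing time.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag    = [X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::IgnoreNotTimeValid
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status)" })

    [pscustomobject]@{
        File            = $sig.Path
        SignatureStatus = $sig.Status
        SignerName      = $signer
        SignerMatches   = ($signer -eq $ExpectedSigner)
        Issuer          = $issuer
        ValidFrom       = $cert.NotBefore
        ValidTo         = $cert.NotAfter
        Timestamped     = ($null -ne $sig.TimeStamperCertificate)
        SerialNumber    = $cert.SerialNumber
        CrlDistribution = $crlDp
        ChainTrusted    = $chainOk
        ChainProblems   = ($problems -join ', ')
        # Overall result: signature verifies, signer name matches, and the chain
        # builds to a trusted root with no certificate reported as revoked.
        Pass            = ($sig.Status -eq 'Valid') -and
                          ($signer -eq $ExpectedSigner) -and $chainOk
    }
}

# Usage (placeholder path; point it at the provided exe file):
# Test-ProvidedFileSignature -Path 'C:\Temp\provided-file.exe' | Format-List
```

A result with Pass = False should be treated the same way as a failed manual check: do not use the file, and note SignatureStatus and ChainProblems for the dealer.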

2. After this machine is installed, refer to the Service Manual and perform the following steps.
- Check that the HDD has been installed and set up correctly.
  • Check the HDD for identification.
  • After upgrading the firmware, check that the HDD can be accessed properly.
- Check that the Fax Kit has been mounted and set up properly, if fax functions are to be used. After the installation, conduct transmission and reception tests to make sure that the Fax Kit has been mounted and set up properly.
- Let the machine read the Custom Function Pattern Selection setting file XXX_v1.0_ISO15408.cpd. Get the administrator of the machine to confirm that [ISO15408] is selected for [Send/Save] of [Custom Function Pattern Selection] in the Administrator Settings and obtain his or her consent not to change the setting.
- Check that the model name and the Firmware version (card version, BOOT) checked with the Service Manual agree with the value shown on the Firmware version display screen. Check also that the MFP model name and the part numbers of the MFP board and the eMMC board agree with those described in the Service Manual. If there is a mismatch in the Firmware version number, explain to the administrator of the machine that upgrading of the Firmware is necessary and perform upgrading of the Firmware.
- Set CE Authentication to [ON] and set the CE Password.
- Make the service settings necessary for the Enhanced Security Mode.
- Remove the USB extension cable from the USB port of the machine and set so that the USB port on the right of the machine control panel cannot be used.

3. After this machine is installed, refer to this User's Guide and perform the following steps.
- Check that the Administrator Password has been set by the administrator of the machine.
- Check that the Encryption Key has been set by the administrator of the machine.
- Check that the Overwrite HDD Data has been set by the administrator of the machine.
- Check that User Authentication has been set to [ON (MFP)], [External Server Authentication] (Active Directory only), or [Main + External Server] (Active Directory only) by the administrator of the machine.
- Check that the date and time have been correctly set in the machine by the administrator of the machine.
- Check that the Job Log Settings (Audit Log) has been set to [Yes] by the administrator of the machine.
- Check that the certificate for SSL communications has been registered by the administrator of the machine. In accordance with the security policies of the organization, register the certificate that is issued by a reliable authentication authority.
- Check that the ID & Print Settings has been set to [ON] by the administrator of the machine.
- Check that the Memory RX Setting has been set to [Yes] by the administrator of the machine.
- Check that IPsec has been set by the administrator of the machine for communications between the machine and the external authentication server.
- Check that IPsec has been set by the administrator of the machine for communications between the machine and the DNS server.
- Check that IPsec has been set by the administrator of the machine for communications between the machine and the SMTP server.
- Let the administrator of the machine set Enhanced Security Mode to [ON].
- Check that the various functions to be disabled manually have been properly disabled by the administrator of the machine.

- The languages in which the contents of the User's Guide Security Operations have been evaluated are Japanese and English.
- The following lists the manuals compatible with bizhub 367/bizhub 287/bizhub 227/bizhub 136DN/bizhub 128DN/bizhub 122DN/ineo 367/ineo 287/ineo 227/Sindoh N502/Sindoh N501/Sindoh N500/Sindoh MF3091/Sindoh MF2101/Sindoh MF2041/Sindoh N512/Sindoh N511/Sindoh N510/Sindoh N517/Sindoh N516/Sindoh N515 (Version: G00-27).
  • bizhub 367/287/227 User's Guide v1.00 A7AH-9590BA-00
  • bizhub 367/287/227 User's Guide Security Operations 2016. 3 Ver. 1.02
- Explain to the administrator that the settings for the security functions for this machine have been specified.
When the above steps have been properly carried out, the Service Engineer should make a copy of this list and give the original of this list to the administrator of the machine. The copy should be kept at the corresponding Service Representative for filing.
Please direct any queries about using the machine to the Service Representative shown below.
Product Name Company Name User Division Name,
Contact
Person in charge
Customer (administrator of machine)
Service Representative

1.2 Security Functions
Setting the Enhanced Security Mode to [ON] enables the security functions of this machine. For details of the settings of different security functions to be changed by turning [ON] the Enhanced Security Mode, see page 2-8.
The following are the major security functions when the Enhanced Security Mode is set to [ON].

Function: Identification and authentication function
Description: Access control is provided through password authentication for any access to the Administrator Settings, User Authentication mode, User Box, a User Box data file, and a Secure Print document. Access is thereby granted only to the authenticated user. A password that can be set must meet the Password Rules. The machine does not accept setting of an easily decipherable password. For details of the Password Rules, see page 1-12.
If a wrong password is entered during password authentication a predetermined number of times (one to three times, as set by the administrator of the machine) or more, the machine determines that it is unauthorized access through Prohibited Functions When Authentication Error, prohibiting any further entry of the password. By prohibiting the password entry operation, the machine prevents unauthorized use or removal of data. The administrator of the machine is responsible for resetting the prohibition of the password entry operation. For details, see page 2-18.

Function: User limiting function
Description: Specific functions to be used by each user/account may be limited. For details, see page 2-30.

Function: HDD encryption function
Description: By setting the Encryption Key, the data stored in the HDD is encrypted, thereby protecting the data in the HDD. For details, see page 2-57.

Function: Auditing function
Description: Information including operations performed on the machine and a job history can be stored in the HDD. Setting the Job Log (Audit Log) allows an illegal act or inadequate operation performed on the machine to be traced. The obtained Job Log can be downloaded and viewed from the Web Connection. For details, see page 2-68.

Function: Residual information deleting function
Description: When the machine is to be discarded or use of a leased machine is terminated at the end of the leasing contract, setting of the Overwrite HDD Data function while the machine was in use allows residual unnecessary data to be deleted, because the machine overwrites a specific overwrite value over the unnecessary data. This prevents data leakage. (Passwords, addresses, and other data set while the machine was in use should, however, be deleted manually.) For details, see page 2-63.
To delete data including the passwords, addresses, and other data all at once, the Overwrite All Data function overwrites and erases all data stored in all spaces of the HDD. The function also resets all passwords saved in the flash memory and eMMC to factory settings, preventing data from leaking. For details, see page 2-65. For details of items to be cleared by Overwrite All Data function, see page 1-14.

Function: Network communication protecting function
Description: Communication data transmitted to or from the machine and client PC can be encrypted using the SSL/TLS, which prevents information leakage through sniffing over the network. For details, see page 2-84.

Check Count Clear Conditions
The following are the conditions for clearing or resetting the check count of the number of wrong entries at the time of authentication by the Enhanced Security Mode.
<Administrator Settings>
- Authentication of Administrator Settings is successful.
<User Authentication Mode>
- User Authentication mode is successful.
- Release of Prohibited Functions When Authentication Error is executed.
<Account Track Mode>
- Account Track mode is successful.
- Release of Prohibited Functions When Authentication Error is executed.
<Secure Print>
- Authentication of Secure Print is successful.
- Release of Prohibited Functions When Authentication Error is executed.
<Box>
- Authentication of User Box is successful.
- Authentication for execution of change of User Box Name and User Box Password is successful.
- Release of Prohibited Functions When Authentication Error is executed.

1.3 Precautions for Operation Control
This machine and the data handled by this machine should be used in an office environment that meets the following conditions. The machine must be controlled for its operation under the following conditions to protect the data that should be protected.
Roles of the Owner of the Machine
The owner (an individual or an organization) of the machine should take full responsibility for controlling the machine, thereby ensuring that no improper operations are performed.
-The owner of the machine should have the administrator of the machine recognize the organizational security policy and procedure, educate him or her to comply with the guidance and documents prepared by the manufacturer, and allow time for him or her to acquire required ability. The owner of the machine should also operate and manage the machine so that the administrator of the machine can configure and operate the machine appropriately according to the policy and procedure.
-The owner of the machine should have users of the machine recognize the organizational security policy and procedure, educate them to follow the policy and procedure, and operate and manage the machine so that the users acquire the required ability.
-The owner of the machine should vest the user with authority to use the machine according to the organizational security policy and procedure.
-The owner of the machine should operate and manage the machine so that the administrator of the machine checks the Job Log (Audit Log) data at appropriate timing to thereby determine whether a security compromise or a faulty condition has occurred during an operating period.
-If the Job Log (Audit Log) data is to be exported to another product, the owner of the machine should ensure that only the administrator of the machine performs the task. The owner of the machine should also operate and manage the machine so that the Job Log (Audit Log) data is not illegally accessed, deleted, or altered.
Roles and Requirements of the Administrator of the machine
The administrator of the machine should take full responsibility for controlling the machine, thereby ensuring
that no improper operations are performed.
-A person who is capable of taking full responsibility for controlling the machine should be appointed as
the administrator of the machine to make sure that no improper operations are performed.
-When using an SMTP server (mail server) or a DNS server, each server should be appropriately managed by the administrator and should be periodically checked to confirm that settings have not been changed without permission.
Password Usage Requirements
The administrator must control the Administrator Password, Encryption Key, and User Box Password appropriately so that they may not be leaked. These passwords should not be ones that can be easily guessed.
The user, on the other hand, should control the Secure Print Password and User Password appropriately so
that they may not be leaked. Again, these passwords should not be ones that can be easily guessed.
<To Achieve Effective Security>
-Make absolutely sure that only the administrator knows the Administrator Password, Encryption Key,
and User Box Password.
-The administrator must change the Administrator Password, Encryption Key, and User Box Password
at regular intervals.
-The administrator should make sure that any number that can easily be guessed from birthdays, employee identification numbers, and the like is not set for the Administrator Password, Account Password, Encryption Key, and User Box Password.
-If a User Password has been changed, the administrator should have the corresponding user change
the password as soon as possible.
-If the Administrator Password has been changed by the Service Engineer, the administrator should
change the Administrator Password as soon as possible.
-The administrator should have users ensure that the passwords set for the User Authentication, Secure
Print, and the box that can be used by the user are known only by the user concerned.
-The administrator should have users change the passwords set for the User Authentication at regular
intervals.

-The administrator should make sure that any user does not set any number that can easily be guessed from birthdays, employee identification numbers, and the like for the passwords set for the User Authentication and Secure Print.
-The administrator should disclose the Account Password to the user in accordance with the operating environment of the machine and the security policies of the organization on his or her own responsibility.
External authentication server control requirements
The administrator of the machine and the server administrator are required to apply patches to, or perform
account control for, this machine and the external authentication server connected to the office LAN in which
the machine is installed to ensure operation control that achieves appropriate access control.
This machine can be used only after the user who uses this machine has been registered in the external authentication server. The server administrator should also check registered users at regular intervals to thereby ensure that no unnecessary users are left registered.
Security function operation setting operating requirements
The administrator of the machine should observe the following operating conditions.
-The administrator of the machine should make sure that the machine is operated with the settings described in the installation checklist made properly in advance.
-The administrator of the machine should make sure of correct operation control so that the machine is used with the Enhanced Security Mode set to [ON].
-When the Enhanced Security Mode is turned [OFF], the administrator of the machine is to make various settings according to the installation checklist and then set the Enhanced Security Mode to [ON] again. For details of settings made by the service engineer, contact your service representative.
-When the machine is to be discarded or use of a leased machine is terminated at the end of the leasing contract, the administrator of the machine should use the Overwrite HDD Data function and the Overwrite All Data function to thereby prevent data to be protected from leaking.
Operation and control of the machine
The administrator of the machine should perform the following operation control.
-The administrator of the machine should log off from the Administrator Settings whenever the operation in the Administrator Settings is completed. The administrator of the machine should also make sure that each individual user logs off from the User Authentication mode after the operation in the User Authentication mode is completed, including operation of the Secure Print document, User Box, and User Box file.
-During user registration and box registration, the administrator of the machine should make sure that
the correct settings are made for the correct users, including functional restrictions and box attributes.
-The administrator of the machine should set the Encryption Key according to the environment, in which
this machine is used.
-The administrator of the machine should appropriately control the device certificate (SSL certificate)
registered in the machine.
-The administrator of the machine should ensure that no illegal connection or access is attempted when
the machine is to be connected to an external interface.
-The administrator of the machine should appropriately control the file of Job Log (Audit Log) data downloaded to, for example, a PC and ensure that none other than the administrator handles it.
-The administrator of the machine should check the Job Log (Audit Log) data at appropriate timing, thereby determining whether a security compromise or a faulty condition has occurred during an operating period.
-When generating or deleting Job Log (Audit Log) and Job Log (Audit Log) data, the administrator of the machine should check conditions of using this machine by the user.
-The administrator of the machine should make sure that each individual user updates the OS of the user's terminal and applications installed in it to eliminate any vulnerabilities.
-The administrator of the machine should set the account track and make sure that the machine is operated through operative association with the account track.
-The administrator of the machine should delete cache following the procedure specified for each
browser when seeing previews on a web browser because the contents can be cached on PCs and
make sure that users perform the same procedure.

The administrator of the machine disables the following functions and operates and manages the machine under a condition in which those functions are disabled.

| Function Name | Setting Procedure |
|---|---|
| IP Address Fax Function * | Using [Administrator Settings] - [Network Settings] - [Network Fax Settings] - [Network Fax Function Settings], set [IP Address Fax Function] to [OFF]. |
| Internet Fax Function * | Using [Administrator Settings] - [Network Settings] - [Network Fax Settings] - [Network Fax Function Settings], set [Internet Fax Function] to [OFF]. |
| Relay User Box | Using [Administrator Settings] - [Fax Settings] - [Function Settings] - [Function ON/OFF Setting], set [Relay RX] to [OFF]. |
| File Re-TX Box | Using [Administrator Settings] - [Fax Settings] - [Function Settings], set [Incomplete TX Hold] to [No]. |
| PC-Fax Permission | Using [Administrator Settings] - [Fax Settings] - [Function Settings], set [PC-Fax Permission Setting] to [Restrict]. |
| User Box Settings | Using [Administrator Settings] - [System Settings] - [User Box Settings], set [Allow/Restrict User Box] to [Prohibit]. |
| Bulletin Board User Box | • Do not create [Bulletin Board User Box] using [Utility] - [One-Touch/User Box Registration] - [Create User Box]. • Do not create [Bulletin Board User Box] using [Administrator Settings] - [One-Touch/User Box Registration] - [Create User Box]. |
| Delete Other User Jobs | Using [Administrator Settings] - [System Settings] - [Restrict User Access] - [Restrict Access to Job Settings], set [Delete Other User Jobs] to [Restrict]. |
| RAW Port Number | Using [Administrator Settings] - [Network Settings] - [TCP/IP Settings] - [RAW Port Number], set [Port 1 to Port 6] to [OFF]. |
| NetWare Settings | • Using [Administrator Settings] - [Network Settings] - [NetWare Settings], set [IPX Settings] to [OFF]. • Using [Administrator Settings] - [Network Settings] - [NetWare Settings], set [NetWare Print Settings] to [OFF]. |
| FTP TX Settings | Using [Administrator Settings] - [Network Settings] - [FTP Settings], set [FTP TX Settings] to [OFF]. |
| SMB Settings | • Using [Administrator Settings] - [Network Settings] - [SMB Settings], set [Client Settings] to [OFF]. • Using [Administrator Settings] - [Network Settings] - [SMB Settings], set [SMB Server Settings] to [OFF]. • Using [Administrator Settings] - [Network Settings] - [SMB Settings], set [WINS/NetBIOS Settings] to [OFF]. |
| E-Mail RX (POP) | Using [Administrator Settings] - [Network Settings] - [E-Mail Settings], set [E-Mail RX (POP)] to [OFF]. |
| SNMP Settings | Using [Administrator Settings] - [Network Settings], set [SNMP Settings] to [OFF]. |
| TCP Socket Settings | • Using [Administrator Settings] - [Network Settings] - [Forward] - [TCP Socket Settings], set [TCP Socket] to [OFF]. • Using [Administrator Settings] - [Network Settings] - [Forward] - [TCP Socket Settings], set [TCP Socket (ASCII Mode)] to [OFF]. |
| SSL/TLS Version Setting | Start the Web Connection and, using [Security] - [PKI Settings] - [SSL Setting] of the administrator mode, cancel the selection of [SSLv3] of [SSL/TLS Version Setting]. |
| WebDAV Settings | • Using [Administrator Settings] - [Network Settings] - [WebDAV Settings], set [WebDAV Client Settings] to [OFF]. • Using [Administrator Settings] - [Network Settings] - [WebDAV Settings], set [WebDAV Server Settings] to [OFF]. |
| DPWS Settings (Printer Settings/Scanner Settings) | • Using [Administrator Settings] - [Network Settings] - [DPWS Settings], set [Printer Settings] to [OFF]. • Using [Administrator Settings] - [Network Settings] - [DPWS Settings], set [Scanner Settings] to [OFF]. |
| LPD Setting | Using [Administrator Settings] - [Network Settings] - [Detail Settings], set [LPD Setting] to [Disable]. |
| Manual destination entry prohibition | The administrator of the machine registers only fax destinations. |
| Remote Access Setting | Using [Administrator Settings] - [Network Settings], set [Remote Access Setting] to [OFF]. |
| LLMNR Setting | Using [Administrator Settings] - [Network Settings] - [TCP/IP Settings], set [LLMNR Setting] to [Disable]. |
| AirPrint Setting | Using [Administrator Settings] - [Network Settings] - [AirPrint Setting], set [Print Settings] to [OFF]. |
| Bonjour Setting | Using [Administrator Settings] - [Network Settings], set [Bonjour Setting] to [OFF]. |
| Personal Data Security Settings | Using [Administrator Settings] - [Security Settings] - [Security Details], set [Job History] and [Current Job] under [Personal Data Security Settings] to [No]. |

*: It will not be displayed in case of service mode where the setting is not configured (the function is set to OFF when it is not displayed).
Machine Maintenance Control
The administrator of the machine should perform the following maintenance control activities.
-Provide adequate control over the machine to ensure that only the Service Engineer is able to perform physical service operations on the machine.
-Provide adequate control over the machine to ensure that any physical service operations performed on the machine by the Service Engineer are overseen by the administrator of the machine.
-Some options require that Enhanced Security Mode be turned [OFF] before they can be used on the machine. If you are not sure whether a particular option to be additionally purchased is fully operational with the Enhanced Security Mode turned [ON], contact your Service Representative.
-Install the machine at a safe site that can be monitored and operate and manage the machine while ensuring that the machine is protected from unauthorized physical access.
Precautions for using the printer driver
The following precautions should be used when the printer driver is to be used in this machine:
-When a document is to be transmitted from the PC to the machine, user registration is necessary in advance.
-With the external server authentication, a user is registered in this machine when he or she has been successful in identification authentication on the control panel.
-Any document that has been transmitted by a user who is yet to be registered is discarded.

1.4 Miscellaneous
Password Rules
Study the following table for details of the number and types of characters that can be used for each password. For details of the settings of the Password Rules, see page 2-11.

Types of passwords: Administrator Password
Number of characters: 8 to 64 characters*
Types of characters:
• Numeric characters: 0 to 9
• Alpha characters: upper and lower case letters
• Symbols: !, #, $, %, &, ', (, ), *, ,, -, ., /, :, ;, <, =, >, ?, @, [, \, ], ^, _, `, {, |, }, ~, +
• Special characters (98 characters)
Selectable from among a total of 191 characters
Conditions for setting/changes:
• A password only consisting of identical characters cannot be registered or changed.
• The current password must be entered before a change can be made in the setting.
• A new password to be set should not be the same as the current one.

Types of passwords: User Password, Account Password, Public User Box Password, Annotation User Box Password, Secure Print Password
Number of characters: 8 to 64 characters*
Types of characters:
• Numeric characters: 0 to 9
• Alpha characters: upper and lower case letters
• Symbols: !, #, $, %, &, ', (, ), *, ,, -, ., /, :, ;, <, =, >, ?, @, [, \, ], ^, _, `, {, |, }, ~, +
Selectable from among a total of 93 characters
Conditions for setting/changes:
• A password only consisting of identical characters cannot be registered.

Types of passwords: Confidential RX password
Number of characters: 8 characters
Types of characters:
• Numeric characters: 0 to 9
• Symbols: *, #
Conditions for setting/changes:
• A password only consisting of identical characters cannot be registered or changed.

Types of passwords: Memory RX User Box Password
Number of characters: 1 to 8 characters
Types of characters:
• Numeric characters: 0 to 9
Conditions for setting/changes:
• The password rules are not applicable.

Types of passwords: Encrypted PDF Password
Number of characters: -
Types of characters: -
Conditions for setting/changes:
• The password rules are not applicable.
• Password that is set when PDF document is created.

*: The minimum number of characters set in [Set Minimum Password Length] must be set for the password. The default value is 12.
Precautions for Use of Umlaut
-Setting or entering an umlaut from the control panel may be disabled depending on the setting made in this machine, but not on the client PC side including Web Connection. If an umlaut is set in a password on the PC side, therefore, the umlaut cannot be entered from the control panel, which means that this particular password is not usable.
Precautions for Use of Various Types of Applications
Comply with the following requirements when using the Web Connection or an application of various other types.
The administrator of the machine should make sure that the user observes the following requirements.
-The password control function of each application stores the password that has been entered in the PC being used. Disable the password management function of each application and perform an operation without storing a password. Use a web browser or an application of various other types that shows "*" or "-" for the password entered.
-Once the password has been entered, do not leave your PC idle without logging off.
-Set the web browser so that cache files are not saved.
-Do not access any other site once you have logged onto the machine with the Web Connection. Accessing any other site or a link included in e-mail, in particular, can lead to execution of an unintended type of operation. Whenever access to any other site is necessary, be sure first to log off from the machine through the Web Connection.
-Using the same password a number of times increases the risk of spoofing.
-If a web browser such as Internet Explorer is used on the client PC side, "TLS v1" should be used for
the SSL setting.
-Optional applications not described in this User’s Guide are not covered by certification of ISO15408.
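The Password Rules table and the Password Usage Requirements earlier in this section can be turned into a pre-check that an administrator runs before a password is provisioned. This is an added example, not code from the manufacturer; the function names and the birthday date formats are assumptions, and the Administrator Password's 98 special characters are not modelled because this guide does not list them.

```python
import string
from datetime import date

# Symbols row of the Password Rules table (31 characters).
SYMBOLS = "!#$%&'()*,-./:;<=>?@[\\]^_`{|}~+"
# Digits + upper/lower case letters + symbols = the table's 93 characters.
CHARSET_93 = frozenset(string.digits + string.ascii_letters + SYMBOLS)
# Confidential RX password: numeric characters plus * and #.
CHARSET_CONFIDENTIAL_RX = frozenset(string.digits + "*#")
# Factory setting of the Administrator Password as printed in this guide.
FACTORY_ADMIN_PASSWORD = "1234567812345678"


def date_variants(d):
    """Digit strings a person might derive from a birthday (assumed formats)."""
    formats = ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%y%m%d", "%d%m%y", "%m%d%y")
    return {d.strftime(f) for f in formats}


def check_password(new, kind="user", current=None, min_length=12, guessable=()):
    """Return the list of rule violations; an empty list means the password passes.

    kind: "administrator", "user" (User, Account, Public User Box, Annotation
    User Box and Secure Print passwords) or "confidential_rx".
    min_length: value of [Set Minimum Password Length] (default 12 per the guide).
    guessable: known birthdays, employee numbers and similar strings.
    """
    problems = []
    if kind == "confidential_rx":
        if len(new) != 8:
            problems.append("must be exactly 8 characters")
        allowed = CHARSET_CONFIDENTIAL_RX
    elif kind in ("administrator", "user"):
        low = max(8, min_length)
        if not low <= len(new) <= 64:
            problems.append(f"length must be {low} to 64 characters")
        # Conservative for "administrator": the 98 special characters the
        # table mentions are not listed in the guide, so they are rejected.
        allowed = CHARSET_93
    else:
        raise ValueError(f"unknown password kind: {kind!r}")

    outside = sorted(set(new) - allowed)
    if outside:
        problems.append("characters outside the permitted set: " + "".join(outside))
    if new and len(set(new)) == 1:
        problems.append("consists of identical characters")

    if kind == "administrator":
        if current is not None and new == current:
            problems.append("same as the current password")
        if new == FACTORY_ADMIN_PASSWORD:
            problems.append("is the factory-default Administrator Password")

    # "Any number that can easily be guessed from birthdays, employee
    # identification numbers, and the like" must not be used.
    for value in sorted(guessable):
        if value and value.lower() in new.lower():
            problems.append(f"contains a guessable value ({value})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    birthday = date_variants(date(1984, 3, 12))
    for candidate in ("Tr4y-3mpty!Jam", "aaaaaaaaaaaa", "Kx19840312!zQ", "Grüße-Drucker1"):
        print(candidate, "->", check_password(candidate, guessable=birthday) or "OK")
    print("factory default ->",
          check_password(FACTORY_ADMIN_PASSWORD, kind="administrator"))
```

Passwords containing an umlaut are rejected by the 93-character check, which matches the guide's warning that such a password cannot be entered from the control panel.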
Encrypting communications
The following are the cryptographic algorithms of key exchange and communications encryption systems
supported in generation of encryption keys.
-TLS_RSA_WITH_3DES_EDE_CBC_SHA
-TLS_RSA_WITH_AES_128_CBC_SHA
-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-TLS_DHE_RSA_WITH_AES_256_CBC_SHA
NOTICE
The administrator of the machine should make sure that SSL encryption communication is not performed with the SSL version set to SSL v3.
Do not use an SSL certificate that is electronically signed by MD5, because doing so increases the risk of the data to be protected being tampered with or leaked.
To eliminate the risk of the data to be protected being tampered with or leaked, refer to the recommended ciphers list disclosed by, for example, NIST and CRYPTREC and use the appropriate cryptographic technique.
Use the following browsers to ensure SSL encryption communication with appropriate strength. Use of any
of the following browsers achieves SSL encryption communication that ensures confidentiality of the image
data transmitted and received.
Microsoft Internet Explorer
-9/10/11
Mozilla Firefox
-20 or later
Microsoft Internet Explorer 11 is used for the ISO15408 evaluation for this machine.
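The suite list and the NOTICE above, expressed as a check over the parameters a TLS client reports for a session with the machine. This is an added example, not part of the guide; the function names, the ordering rule and the sample sessions are constructed for illustration.

```python
from dataclasses import dataclass

# The four suites listed under "Encrypting communications" in this guide.
GUIDE_SUITES = (
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
)


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str   # "RSA" (key transport) or "DHE" (ephemeral Diffie-Hellman)
    cipher: str         # "3DES" or "AES"
    strength_bits: int  # security strength, not raw key length (3DES: 112)
    block_bits: int
    mode: str
    mac: str

    @property
    def forward_secrecy(self):
        return self.key_exchange in ("DHE", "ECDHE")


def parse_suite(name):
    """Split a CBC suite name of the form TLS_<kx>_WITH_<cipher>_CBC_<mac>."""
    if not name.startswith("TLS_") or name.count("_WITH_") != 1:
        raise ValueError(f"not a TLS suite name: {name!r}")
    kx_part, enc_part = name[len("TLS_"):].split("_WITH_")
    tokens = enc_part.split("_")
    if len(tokens) < 4 or tokens[-2] != "CBC":
        raise ValueError(f"only CBC suites in the guide's format are handled: {name!r}")
    cipher_tokens, mode, mac = tokens[:-2], tokens[-2], tokens[-1]
    if cipher_tokens == ["3DES", "EDE"]:
        cipher, strength, block = "3DES", 112, 64
    elif cipher_tokens[0] == "AES" and cipher_tokens[1] in ("128", "256"):
        cipher, strength, block = "AES", int(cipher_tokens[1]), 128
    else:
        raise ValueError(f"unsupported cipher in {name!r}")
    return Suite(name, kx_part.split("_")[0], cipher, strength, block, mode, mac)


def suite_findings(suite):
    """Properties to weigh against the NIST/CRYPTREC lists the guide refers to."""
    notes = []
    if not suite.forward_secrecy:
        notes.append("no forward secrecy (static RSA key transport)")
    if suite.block_bits == 64:
        notes.append("64-bit block cipher (3DES)")
    if suite.mode == "CBC" and suite.mac == "SHA":
        notes.append("CBC with HMAC-SHA1, not an AEAD mode")
    return notes


def preferred_order(names):
    """Assumed ordering: 128-bit block first, then forward secrecy, then strength."""
    suites = [parse_suite(n) for n in names]
    suites.sort(key=lambda s: (s.block_bits >= 128, s.forward_secrecy, s.strength_bits),
                reverse=True)
    return [s.name for s in suites]


def assess_session(protocol, suite_name, cert_sig_alg):
    """Check one observed session against the guide's NOTICE."""
    violations = []
    if protocol.replace(" ", "").lower().startswith("sslv3"):
        violations.append("SSL v3 in use; the guide requires [SSLv3] to be unselected")
    if "md5" in cert_sig_alg.lower():
        violations.append("certificate is signed with MD5")
    if suite_name not in GUIDE_SUITES:
        return {"violations": violations + ["suite is not one the guide lists"], "notes": []}
    return {"violations": violations, "notes": suite_findings(parse_suite(suite_name))}


# Constructed sample sessions: (protocol, suite, certificate signature algorithm).
OBSERVED = [
    ("TLSv1", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "sha256WithRSAEncryption"),
    ("SSLv3", "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "md5WithRSAEncryption"),
]

if __name__ == "__main__":
    print(preferred_order(GUIDE_SUITES))
    for session in OBSERVED:
        print(session, assess_session(*session))
```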
Print functions
Only the following procedures are guaranteed for the print functions performed from the client PC.
-Use IPPS printing for the print functions performed using the printer driver.
-Use direct printing from the Web Connection for the print functions not performed via the printer driver.
IPP printing
IPP (Internet Printing Protocol) is a function that allows Secure Print documents and image data stored in
boxes to be printed via the Internet by using the HTTP (HyperText Transfer Protocol) of the TCP/IP Protocol.
IPPS (IPP over SSL/TLS) is the type of IPP that performs the SSL encryption communication.
<Installing printer driver>
To perform IPPS printing, the printer driver must be installed. Start the printer addition wizard of the Windows Vista/7/8/8.1/Server 2008/Server 2008 R2/Server 2012/Server 2012 R2 and type the IP address of this machine in the following format in the "URL" field.
https://[host name].[domain name]/ipp
For [host name] and [domain name], specify the names set with the DNS server.

<Registering the certificate in Windows Vista or later>
Windows Vista or later, which offers enhanced security functions, gives a certificate error message if the SSL
certificate is one that is not issued by a certification body. In such cases, it becomes necessary to register
the certificate of this machine as that issued by a reliable party for the computer account.
First, register Host Name and IP address of this machine in the DNS server in advance. Then, in TCP/IP Settings of Web Connection, set the DNS Host Name and DNS Default Domain Name registered with the DNS server.
It should also be noted that, for the certificate to be imported, a certificate for SSL encryption communication should be registered in Web Connection and exported in advance as the certificate including the public key.
1. From "Continue to this website," call the Web Connection window to the screen.
2. Click "Certificate Error" to display the certificate. Then, click "Install Certificate" to install the certificate.
3. Display the physical stores. Then, deploy the certificate, which has earlier been exported, in "Local Computer" of "Trusted Root Certification Authorities" to thereby import the certificate.
Items of Data Cleared by Overwrite All Data Function
The Overwrite All Data function clears the following items of data.

| Items of Data Cleared | Description |
|---|---|
| Password Rules | Sets [Disable] and disables [Set Minimum Password Length] |
| User registration data | Deletes all user-related data that has been registered |
| Account track registration data | Deletes all account track-related data that has been registered |
| Box registration data/file | Deletes all User Box-related information and files saved in User Box |
| Secure Print ID/Password/document | Deletes all Secure Print document-related information and files saved |
| ID & Print document | Deletes all ID & Print documents saved in ID & Print User Box |
| Image files | • Image files other than Secure Print documents, ID & Print documents, and User Box files • Data files left in the HDD data space, used as image files and not deleted through the general deletion operation • Temporary data files generated during print image file processing |
| Destination recipient data files | Deletes all destination recipient data including e-mail addresses and telephone numbers |
| Encryption Key | Clears the currently set Encryption Key |
| Administrator Password | Clears the currently set password, resetting it to the factory setting (1234567812345678) |
| Device certificate (SSL certificate) | Deletes the currently set Device certificate (SSL certificate) |
| SSL encryption strength | Deletes the SSL certificate to thereby clear the SSL encryption strength |
| SSL-compliant protocol | Makes the protocol not complying with SSL |
| Network Setting | Clears the currently set network settings (DNS Server setting, IP Address setting, SMTP Server setting, and AppleTalk Printer Name setting), resetting it to the factory setting |
| Daylight Saving Time | Set to [No] |
| Time Adjustment Setting (NTP) | Set to [OFF] |
| Time/date data | Varies corrected data, if the time-of-day data is corrected due to, for example, the daylight saving time |

Fax functions
An optional Fax Kit is required for using fax functions. Contact your Service Representative.
USB keyboard
The USB keyboard is not used for the ISO15408 evaluation for this machine.
The USB keyboard cannot be used.
Different types of boxes
A box may be a user box or a system box. The user can store documents in the User Box. Also, the user can print a file from the User Box or send a file to another user. The System Box is used by the system to temporarily store files when the user uses the facsimile or print function together with the file storage function of the box.
The User Box cannot be used under the operation and control of this machine.

| Type | Description |
|---|---|
| Public User Box | This is the public box in which all users can store documents and use them. Note that a password is set for the box and the set password needs to be entered before access can be gained to the box. |
| Personal User Box | This is a personal box. Only users who have logged in to the system can store and use documents in the Personal User Box. |
| Group User Box | This is a group box. Only users belonging to the same department (or group) can store and use documents in the Group User Box. |
| Secure Print Box | When you print a document from the PC or when you select the Secure Print function using the printer driver, this data file is stored in the Secure Print User Box. |
| Memory RX Box | When a facsimile is received by the Memory RX function, it is stored in the Memory RX User Box. |
| ID & Print Box | When you print a document from the PC, the files transferred with the ID & Print function are stored in the ID & Print User Box. |
| Annotation User Box | When a stored file is printed out or sent to another user, its date, time and any annotations are added to this box automatically. |
| Password Encrypted PDF Box | When a password protected PDF file is printed out or stored in the User Box, the file is stored in the Password Encrypted PDF User Box. |

Hardware and software used in the machine
The following lists the software, hardware, and their versions used for the ISO15408 evaluation for this machine and they are the same as those listed on the security target.

| Hardware/software | Version, etc. |
|---|---|
| FAX Kit | FK-513 |
| Printer Driver | PCL: Ver. 1.1.0.0; PS: Ver. 1.1.0.0; XPS: Ver. 1.1.1.0 |
| Data Administrator with Device Set-Up and Utilities | 1.0.06000 |
| Data Administrator | 4.1.32000 |
| External authentication server | Active directory mounted on Windows Server 2008 R2 Standard Service Pack 1 |
| DNS server | Windows Server 2008 R2 Standard Service Pack 1 |

The ISO15408 evaluation assumes that the HDD is mounted in the machine. Any configuration not including the HDD is not guaranteed by the ISO15408 evaluation.
The user should appropriately manage the hardware and software used with the machine on his or her own responsibility.
Firmware integrity verification function
When the main power switch is turned ON with the Enhanced Security Mode set to [ON], the machine
checks the encryption key and the hash value to thereby determine that its firmware is fully operational.
If a fault occurs in the firmware, a malfunction screen appears when the machine is started, warning that a fault has occurred. To reset the fault condition, turn [OFF] the Enhanced Security Mode and restart the machine, or update the firmware. For more details, consult your Service Representative.
IPsec setting
This machine offers a choice of two authentication methods of [Pre-Shared Key] and [Digital Signature] for
authenticating the remote machine with which to communicate.
When [Pre-Shared Key] is to be used, control the pre-shared key appropriately to ensure that it is not leaked
to any third party other than the remote machine with which to communicate. For the shared key, set a value
that consists of a combination of eight or more alphanumeric characters and that cannot be easily guessed.
Do not set a value that can be easily guessed from your birthday, employee identification number, and the
like.
[Digital Signature] has a higher security strength than [Pre-Shared Key].
The ISO15408 evaluation for the machine is performed on the basis of the [Pre-Shared Key].
[Main Mode] and [Aggressive Mode] are available in [Negotiation Mode] of [IKE Settings]. The default setting
is [Main Mode]. The administrator of the machine should operate the machine with the [Main Mode] setting.
CS Remote Care function
CS Remote Care is a system that manages the machine through transmission and reception of various types of data for managing the machine between the machine and the CS Remote Care center computer via a telephone/fax line, a network, or E-mail. The functions for accessing the LAN from the telephone line and for directly transferring received faxes are disabled.
When the Enhanced Security Mode is set to [ON], the following functions are no longer usable: instructing to
rewrite the firmware, sending and receiving account counter information, rewriting settings of the machine,
and the Counter Remote Control function.
Terminating a Session and Logging out
The machine automatically logs the operator out or terminates the session if it is unable to detect an operation on the control panel or a communication packet on the network. Additionally, if a user changes the user password on the control panel while the same user is accessing the machine via Web Connection, the session of Web Connection is terminated.
The following shows the setting range and the default setting of each function. Set the time according to the environment in which the machine is used.
The administrator of the machine should explain to the user that the following settings are made. The administrator of the machine should also inform the user as soon as a setting has been changed.

| Function name/software, etc | Description |
|---|---|
| System Auto Reset | Setting range: [1] to [9] minutes, Default setting: [1] minute. Setting procedure: [Utility] - [Administrator Settings] - [System Settings] - [Reset Settings] - [System Auto Reset] |
| Auto Logout (Web Connection) | Setting range: • [Admin. Mode Logout Time]: [1] to [60] minutes, Default setting: [10] minutes • [User Mode Logout Time]: [1] to [60] minutes, Default setting: [60] minutes. Setting procedure: Start the Web Connection and, in the Administrator Mode, select [Security] - [Auto Logout]. |
| Data Administrator | Default setting: [60] minutes (No change can be made in the setting). The time setting represents consideration for the time-consuming task, such as downloading the registered information. Be careful about leaving your seat, because the time setting is rather long. |