

Xerox Device Agent 2.0
Security and Evaluation Guide

© 2009 Xerox Corporation. All rights reserved. Xerox, WorkCentre, Phaser and the sphere of connectivity design are trademarks of Xerox Corporation in the United States and/or other countries.
Microsoft, Windows, Windows Vista, Windows Media, SQL Server, Microsoft .NET, Internet Explorer, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Linux is a registered trademark of Linus Torvalds.
Macintosh is a registered trademark of Apple Inc.
Hewlett-Packard, JetDirect, and HP LaserJet are trademarks of Hewlett-Packard Development Company, L.P.
UNIX is a registered trademark of The Open Group.
Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions.

Table of Contents

Tables and Figures

1 Overview and How to Use this Guide
Goals and Objectives
Intended Audience
Using This Guide
Limits to this Guide

2 Introduction to Xerox Device Agent
XDA Deployment Requirements
Xerox Device Agent System Component Architecture
Recommended Hardware and Operating System Requirements
Database Requirements
Browser Requirements
Printer Requirements
Network Printer Discovery/Monitoring Requirements
Direct Printers Requirements

3 Security
Application
Install
Licensing
Post Install Normal Operation
Network Printer
SNMP v1-v2 Security
Xerox Services Manager Integration
Device Information Communicated to XSM
XDA Site Information Sent to XSM
XSM Initiated Remote Commands to XDA
XDA Remote Configuration
Corporation Security Mode

4 Network Impact
Discovery
Device Discovery Method Employed by Xerox Device Agent
Managing Discovery
Discovery Network Data Calculations
Manufacturer Applicability
Xerox Services Manager Integration
Registration
In Scope Device List Import
Site Settings Export
Site Settings Import
Site Status Export
Device Information Export
Remote Command Check
Xerox Device Agent Auto Upgrade
Information Exchanged with Auto Upgrade Server
XDA Version Check
XDA Update Download

Tables and Figures

Figure 1: Typical Xerox Device Agent Deployment
Table 1: Printer Data Communicated to XSM
Table 2: XDA Site Information Sent to XSM
Table 3: Xerox Device Agent Remote Commands
Table 4: XDA/XSM Data Transfer
Table 5: Xerox Device Agent Remote Configuration
Table 6: Xerox Device Agent Ports
Table 7: Xerox Device Agent Data Sizes
Table 8: Xerox Device Agent Data Gathering Frequencies


1 Overview and How to Use this Guide

Goals and Objectives

Network and data security is one of the many challenges that businesses face on a daily basis. Recognizing this, Xerox continues to engineer and design all of its products to ensure the highest level of security possible.

This document provides additional background on the Xerox Device Agent (XDA) software capabilities, and specifically focuses on the software’s security aspects. This document will help you better understand how XDA functions and help you feel confident that XDA transmits device data in a secure and accurate manner. This guide will help you certify, evaluate, and approve the deployment of XDA in support of your contract. It includes information on XDA’s potential impact on security and network infrastructure as well as calculations of theoretical network traffic.

Xerox recommends that you read this document in its entirety and take appropriate actions consistent with your information technology security policies and practices. You have many issues to consider in developing and deploying a security policy within your organization. Since these requirements will vary from customer to customer, you have the final responsibility for all implementations, re-installations, and testing of security configurations, patches, and modifications.

Intended Audience

It is expected that this guide will be used by your network administrator before installing XDA. In order to get the most from this guide, you should have an understanding of:
• the network environment where you will install XDA,
• any restrictions placed on applications that are deployed on that network, and
• the Microsoft Windows operating system

Using This Guide

There are two main scenarios for using this guide: if you are a customer who does not have acceptance and evaluation procedures for this type of software or if you are a customer who has defined guidelines. In both cases, the three identified areas of concern are security, impact to the network infrastructure, and what other resources might be required to install, use, and support XDA.

Use this guide to gather information about these areas and determine if you need to investigate XDA further. This document is divided into four main areas:
• This overview
• An introduction to XDA including system requirements
• Potential security-related impacts to a typical customer environment including:
  o Security information, implications, and recommendations
  o Roles and permission requirements of XDA users
• Information about features that impact the network, which may include estimates of generated traffic, changes to the network infrastructure, or other required resources.

Limits to this Guide

This guide is meant to help you evaluate XDA, but it cannot be a complete information source for all potential customers. This guide proposes a hypothetical customer printer environment; if your network environment differs from the hypothetical environment, your network administration team and XDA Support Representative must understand the differences and decide on any certification modifications and/or future steps. Additionally:
• This guide only describes those features within XDA that have some discernable impact to the overall customer network environment, whether it be the overall network, security, or other customer resources.
• The guide’s information is related to the current XDA release. Although much of this information will remain constant through the software’s life cycle, some of the data is revision-specific, and will be revised periodically. IT organizations should check with the Xerox Support Representative to obtain the appropriate version.

2 Introduction to Xerox Device Agent

Product Overview

XDA discovers and monitors printing devices, specifically office printers and multi-function devices. XDA features a built-in alert detection system and has the capability to send an e-mail message to an appropriate user when certain conditions exist in the monitored devices. XDA provides clear and concise status of all networked printers. You can do the following from XDA:
• Discover network-connected printers
• Discover direct-connected printers
• Monitor printers for status and alert conditions
• Notify users via e-mail when faults occur

XDA supports industry-standard Simple Network Management Protocol (SNMP) MIBs for network printers; however, the amount and type of management that XDA can provide is dependent on the printer’s level of conformance to those standards. The following features conform to these standards:
• Printer identity (i.e. model, serial number, manufacturer, etc.)
• Printer properties (i.e. input trays, output bins, serial number, etc.)
• Printer status including overall state, detailed status, UI messages, etc.
• Consumables levels (toner, fuser, print cartridge device unique parts)
• Supported print protocols (LPD, HTTP, Port 9100)
• TCP/IP protocol suite (SNMP, TCP, UDP, IP, NIC details)

XDA Deployment Requirements

You deploy XDA by installing the software on a desktop computer or server that shares the network with those printers that you want to monitor.

Note: The scheduled events for meter reads and alert activity may be affected by XDA connectivity.

Xerox Device Agent System Component Architecture

This diagram shows a typical configuration that a customer may deploy within their network. In this example, XDA is installed on a networked computer that can access the printers through the local network.

Figure 1: Typical Xerox Device Agent Deployment

Recommended Hardware and Operating System Requirements

Operating System (32-bit and 64-bit)
• Microsoft Windows XP Professional with Service Pack 3
• Microsoft Windows Media Center with Service Pack 3
• Microsoft Windows 2003 with Service Pack 2
• Microsoft Windows 2008
• Microsoft Windows Vista Service Pack 1 Ultimate, Business, and Enterprise

Memory
• Minimum 512 MB RAM (1 GB RAM Recommended) for Windows Media Center, Windows XP, and Windows 2003
• Minimum 1 GB RAM (1.5 GB RAM Recommended) for Windows Vista and Windows 2008

Processor: 1.7 GHz processor or better

Microsoft .NET framework 3.5 installed

Hard Disk: minimum free space is approximately 100 MB for XDA and up to 500 MB for the Microsoft .NET framework, if not previously installed.

Minimum Resolution: 1024x768

Permissions: You must install the XDA software on the client machine using the administrative account or an account with administrative privileges.

Internet connection: Required

Notes:
• It is recommended that you update your host computers with the latest critical patches and service releases from Microsoft Corporation.
• The Network Transmission Control Protocol/Internet Protocol (TCP/IP) must be loaded and operational.
• Requires SNMP-enabled devices and the ability to route SNMP over the network.
• You must install Microsoft .NET 3.5 before you install the application.

Unsupported Configurations
• Installation of XDA on a domain controller.
• Installation of XDA on a computer with another Xerox device management application, such as Xerox Device Manager (XDM).
• Any version of Macintosh operating system, Unix operating systems, Windows NT 4.0, Windows Server 2008 R2, and Windows 2000.

Database Requirements

XDA installs Microsoft SQL Server 2005 Compact Edition (SQL CE) database engine and database files that store printer data and application settings within the installation directory. No database licensing is necessary for XDA.

Browser Requirements

Although the XDA is a Windows application that does not require a Web browser to view, Xerox Services Portal (XSP) and Xerox Services Manager (XSM) are Web-based applications and require the use of a browser for access.

Printer Requirements

Network Printer Discovery/Monitoring Requirements

For successful management by XDA, all SNMP-based printer devices should support the mandatory MIB elements and groups as defined by the following standards:
• RFC 1157 (SNMP Version 1)
• RFC 1213 (MIB-II for TCP/IP-based Internet)
• RFC 2790 (Host Resources MIB v1/v2)
• RFC 1759 (Printer MIB v 1)
• RFC 3805 (Printer MIB v 2)
• RFC 3806 (Printer Finishing MIB)

Direct Printers Requirements
• Queue-based discovery depends on user permissions on domain and/or across computers, NetBIOS File and Printer Sharing, and WMI.
• Gathering direct printer data via integration with Xerox Print Agent (XPA) depends on deployment of XPA on each computer with a direct printer. For additional details regarding the integration with XPA, please refer to the Xerox Print Agent Certification Guide.
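As an added example (not part of the Xerox guide or of XDA itself), the following Python code checks a saved numeric SNMP walk of a printer against the MIBs listed under Network Printer Discovery/Monitoring Requirements, so an evaluator can see which groups a device actually answers for. It assumes the walk was saved with numeric OIDs, as produced by Net-SNMP's `snmpwalk -On`; the sample walk and all function names are constructed for illustration.

```python
# Added example, not Xerox code: coverage check for the MIBs the guide lists.
# OID roots are the standard assignments from the RFCs named in the guide.
REQUIRED = {
    "RFC 1213 MIB-II system group": "1.3.6.1.2.1.1",
    "RFC 2790 Host Resources MIB": "1.3.6.1.2.1.25",
    "RFC 2790 hrPrinterStatus": "1.3.6.1.2.1.25.3.5.1.1",
    "RFC 1759/3805 Printer MIB": "1.3.6.1.2.1.43",
    "RFC 1759/3805 prtMarkerSuppliesLevel": "1.3.6.1.2.1.43.11.1.1.9",
    "RFC 3805 prtGeneralSerialNumber": "1.3.6.1.2.1.43.5.1.1.17",
    "RFC 3806 Printer Finishing MIB": "1.3.6.1.2.1.43.30",
}

# Constructed sample of numeric walk output; not captured from a real device.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Example Printer 1000 (constructed)"
.1.3.6.1.2.1.11.1.0 = Counter32: 5
.1.3.6.1.2.1.25.3.2.1.3.1 = STRING: "Example Printer 1000"
.1.3.6.1.2.1.25.3.5.1.1.1 = INTEGER: 3
.1.3.6.1.2.1.43.5.1.1.1.1 = Counter32: 12
.1.3.6.1.2.1.43.11.1.1.9.1.1 = INTEGER: 64
.1.3.6.1.2.1.43.5.1.1.17.1 = No Such Instance currently exists at this OID
"""

def to_oid(text):
    """Turn '.1.3.6.1' into (1, 3, 6, 1); raises ValueError on symbolic names."""
    return tuple(int(part) for part in text.strip().lstrip(".").split("."))

def parse_walk(text):
    """Return the OIDs that carried a real value in the walk output."""
    oids = []
    for line in text.splitlines():
        left, sep, value = line.partition(" = ")
        if not sep or value.startswith("No Such"):
            continue  # blank line, or noSuchObject / noSuchInstance reply
        try:
            oids.append(to_oid(left))
        except ValueError:
            continue  # symbolic OID: the walk was not taken with numeric output
    return oids

def conformance(text):
    """Map each required MIB or object to True if the device answered under it."""
    oids = parse_walk(text)
    roots = {label: to_oid(root) for label, root in REQUIRED.items()}
    # Compare component-wise so 1.3.6.1.2.1.11 is not mistaken for 1.3.6.1.2.1.1.
    return {label: any(o[:len(r)] == r for o in oids) for label, r in roots.items()}

def missing(text):
    """List the required MIBs or objects the device did not answer for."""
    return [label for label, ok in conformance(text).items() if not ok]
```

For the constructed sample, `missing(SAMPLE_WALK)` reports the serial number object and the Finishing MIB as absent, which is the kind of gap that limits how much XDA can report for a device.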

3 Security

Since security is an important consideration when evaluating tools of this class, this section provides information about the security methods used by XDA.

Application

XDA is compatible with the security features built into the Windows operating systems. It relies on a background Windows service running under the local system account credentials to enable proactive monitoring of printers, gathering of data, and submission to XSM. The user interface that displays the gathered data is accessible only to the power users and administrators who have login access to the Windows operating system.

Install

The installer requires administrator privileges. A single Windows service, “Xerox Device Agent Service” is installed and configured to run under the local system Windows account. No special system level configuration change is required or made by the installer. XDA is compatible with the security features built into the Windows operating system including:
• User authentication and authorization
• Secure terminal services support
• Group policy deployment and management
• Internet Connection Firewall (ICF) including:
  o Security logging settings
  o ICMP settings

Note: Make sure that the PC or server that is running XDA is continuously powered on during core business hours to prevent interruption of automatic communications between XDA and XSM, which supports alerting.

Licensing

XDA does not require any license for installation or for its SQL Server 2005 Compact Edition database. XDA does require a Xerox services contract and an account on XSM. During the software configuration process, you will need to pair XDA with an XSM account because you cannot activate XDA without XSM. For this reason, you are required to use an XSM registration key. Depending on your account, you may also be required to use a secondary registration key.

Post Install Normal Operation

The XDA Windows service runs as a background process even when no user is logged in. This enables the application to monitor the devices on the network and generate alerts proactively.

If you are a power user or an administrator authenticated by Windows and you log in to the system, then you have access to XDA’s user interface. You can monitor the printers, view printer data, and change settings. The XDA user interface verifies that you are a power user or you have administrative privilege as you attempt to run the application. If you are not an administrator, XDA will display a message that states you need administrative privileges in order to run the application.

Network Printer

The Simple Network Management Protocol (SNMP) is the most widely used network management tool for communication between network management systems and the networked printers. XDA utilizes SNMP during discovery operations to retrieve detailed data from output devices detected on the network. After discovery, SNMP is used to monitor printers for faults, changes in status, configuration changes, and to support printer troubleshooting. XDA supports SNMP version 1 and version 2 protocols. The following application properties will help you better understand the impact of XDA on printer security:
• XDA does not modify the settings on the printer; it only reads them.
• XDA does not register for SNMP traps.
• XDA does allow the prin
