Introduction
Tufts University signed an agreement with Konica-Minolta in 2010. These new Konica-Minolta multi-function devices replaced many of the previous Toshiba E-Series multi-function copiers that were purchased under the Danka contract.
Basic Information
- Default Password is "12345678"
Best Practices
- Change default password to prevent unauthorized access
- Note: You must be physically at the machine to change the Administrator password. This cannot be done from the remote Konica Web Connection Page Scope.
- Enable NTLMv2 Authentication
- Disable unused protocols such as AppleTalk/Bonjour/WebDAV/FTP/NetWare
- Require Departmental Code before allowing Printing/Scanning/Copying
- Use of Print Server for centralized administration
- Enable IP Filtering to limit direct IP printing and only allow authorized clients to print
- Set the copier to DHCP and assign a DHCP reservation using Proteus. This ensures that the copier always pulls the correct DNS, WINS, and gateway from the DHCP server.
- Note: Configuring copiers with a manual IP may cause issues in the future if the Tufts DNS or WINS servers change, as they have in the past.
- Enable internal Hard Drive encryption or disable scanning to internal hard drive
Documentation
Drivers
- Konica Minolta Bizhub 423/363/283/223 Macintosh Drivers (bizhub_423Series_mac107_driver_v141_Letter.zip)
- Release Notes: bizhub 223, 283, 363, 423 Mac 10.7 Driver Version 1.4.1
- Konica Minolta Bizhub 423/363/283/223 Macintosh Drivers (423_Series_MacOS_v1.3.0.sit)
- Release Notes: bizhub 223, 283, 363, 423 Mac 10.2, 10.3, 10.4, 10.5, 10.6 Postscript Driver Version 1.3.0
- Konica Minolta Bizhub 423/363/283/223 Windows Drivers (423_Series_PCL_PS_FAX_XPS_v1.2.zip)
- Release Notes: bizhub 223, 283, 363, 423 PCL Driver Version 1.2.0.0
- http://onyxftp.mykonicaminolta.com/download/SearchResults.aspx?productname=bizhub%20423
How-Tos
- How to change default Administrator password
- How to enable NTLMv2 (used for more secure authentication)
- How to enable LDAP (Tufts Directory)
- How to Configure Email SMTP (Scanning to Email)
- How to Enable Scan to SMB (Scanning to Network Shares/Q Drive)
- How to Create a Group Policy Object (GPO) for Mass Deployment of Copiers using a Windows-based Print Server
- Enable Scan to Home Directory (Requires authentication to copier using Active Directory)
- Scan to External Memory (USB)
- Secure Printing on Konica Minolta Copiers
Open Questions
- Can we bypass "Track Account" login to login as admin at the touch panel?
- Does sending e-mail require a scanner e-mail account?
- Answer: Currently, since the Tufts SMTP server allows sending without authentication, you do not need an account to configure the copiers to send email. However, a best practice in the future would be to create a scanner service account (either a Trumpeter email account or an Exchange account with interactive login disabled) and enable SSL/TLS to ensure email traffic is encrypted on the Tufts network.
- Are there any documents stored locally during scan to usb, e-mail or network share?
- How to reset the admin password if it's lost, without resetting entire system?
- Answer: According to Konica Security Operations Manual, "If the Administrator Password is forgotten, it must be set again by the Service Engineer."
- Untested solution from old Konica Minolta copiers. To reset the admin password:
1. Enter Service mode by pressing the Utility key then the Details button followed by pressing stop 0, 0, stop 0, 1.
2. Press stop, 0 then Clear to access the admin security mode. This will allow changing the admin password back to the default setting of 12345678 or it can be changed to a unique password.
- Can we use command-lines to deploy the driver silently?
- How do we program the department code into the printer driver?
- If you are scanning to a shared network drive, a proc account is required. What is the best practice for locking down a proc account?
- Scanners should have their own AD service account so that they can be audited and the account can be disabled if compromised.
- The service account should be denied Interactive Logon. (This can be done through a GPO in a separate OU.) This prevents the service account from being able to log into local computers or through Remote Desktop Connection.
- The account should have the least administrative privileges needed to perform its job: only Change access to the folder it needs to scan to, or List access to the root directory if scanning to a specific folder.
- The account should have a complex password that is set not to expire; however, the password should be changed on all copiers in a cycle.
- When and how are firmware updates done?
- Can monitoring of these devices be centrally logged?
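The proc-account guidance above (a dedicated AD account in its own OU, a non-expiring complex password rotated on a cycle, access limited to the scan folder) can be applied as follows. This is an added PowerShell example, not part of the original page; the domain, OU, account name and share path are placeholders, and it assumes the ActiveDirectory module is available.

```powershell
# Added example: every name below is a placeholder, not a real Tufts value.
Import-Module ActiveDirectory

$Domain     = 'EXAMPLE'                               # NetBIOS domain (placeholder)
$OuParent   = 'DC=example,DC=edu'                     # placeholder
$OuName     = 'Copier Service Accounts'               # hypothetical OU
$Account    = 'svc-copier-scan'                       # hypothetical account
$ScanFolder = '\\fileserver.example.edu\dept\Scans'   # placeholder share path
$OuDn       = "OU=$OuName,$OuParent"

# Separate OU, so the logon-restriction GPO can be scoped to scanner accounts.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $OuParent -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $OuParent }

# Dedicated account: complex password, set not to expire (rotated by hand).
$Password = Read-Host -AsSecureString -Prompt "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account -Path $OuDn `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Copier scan-to-SMB service account'

# Least privilege: Modify (NTFS counterpart of "Change") on the scan folder only.
$acl  = Get-Acl -Path $ScanFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$Domain\$Account", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $ScanFolder -AclObject $acl

# Interactive logon is denied through Group Policy, not here: add the account to
# "Deny log on locally" and "Deny log on through Remote Desktop Services".

# Audit view: PasswordLastSet shows when the rotation cycle is due, and an
# unexpected group membership shows privilege creep.
Get-ADUser -Identity $Account -Properties PasswordNeverExpires, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet, MemberOf

# If the account is compromised: Disable-ADAccount -Identity $Account
```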
Known Issues
- When configuring scanning, the scanner picks up tufts.edu as the domain and attempts to authenticate the account using tufts.edu/utln
- tufts.edu must be corrected to Tufts or blank?
- When installing the Universal print driver manually, the driver configures the port to print to the IP address of the printer.
- Best practice is to print to a DNS Hostname in case the printer moves, or the subnet changes.
Potential Additional Services to be documented
- Faxing capabilities
- Page Scope Administration (Ability to look at all copiers through one interface)