PDA

View Full Version : Disable or Protect 'Public User' web account


Custom Search


AndrewPO
02-07-2013, 10:52 PM
I'm looking for a way to protect or disable the 'Public User' account as far as the web interface goes.

EarthKmTech
02-07-2013, 11:03 PM
in admin mode at the machine you can either disable the web interface completely, or you can also prevent user mode from being able to add / edit / manually input scan destinations. no idea what else you'd want to block them from but that's a start.

AndrewPO
02-07-2013, 11:49 PM
in admin mode at the machine you can either disable the web interface completely, or you can also prevent user mode from being able to add / edit / manually input scan destinations. no idea what else you'd want to block them from but that's a start.

Disabling the web interface wouldn't be acceptable as that would block the admin web interface as well.

The problem we're having with public mode is that it's showing way too much information.
Anything about jobs, settings, or direct print, should NOT be accessible publicly.

We would much rather that there is no public user and the only access to the web interface was the administrative one, baring that, restricting the public user to only being able to view things like toner and paper levels would be the next best step, but there is way too much access allowed as it currently is.

blackcat4866
02-08-2013, 02:06 AM
Andrew, I'm thinking that you're an IT professional. Correct?

=^..^=

AndrewPO
02-08-2013, 03:38 PM
Andrew, I'm thinking that you're an IT professional. Correct?

=^..^=

That's correct.
Does that change the options on the printer?
I can print this topic if it does, maybe it'll notice ;)

emujo
02-08-2013, 04:55 PM
Anyone with access to your intranet has access to the pubic page. You can remove the store address tab, and use only password protected user boxes to control the page, but there is really nothing else there other than paper setting, toner levels and some really tame settings...You could firewall the ip address and restrict access..similar to many companies that block hotmail, pandora etc...Disabling the page through ADMIN works, but nw if you need to get in you have to go back to the MFP and re-enable it. Emujo

AndrewPO
02-08-2013, 05:02 PM
Anyone with access to your intranet has access to the pubic page. You can remove the store address tab, and use only password protected user boxes to control the page, but there is really nothing else there other than paper setting, toner levels and some really tame settings...You could firewall the ip address and restrict access..similar to many companies that block hotmail, pandora etc...Disabling the page through ADMIN works, but nw if you need to get in you have to go back to the MFP and re-enable it. Emujo


We can't find anywhere to limit access to the Jobs page. That provides entirely too much information to be public. It shows the username and the file name of any print jobs as well as allows anyone to modify priority and delete the jobs. This is not acceptable. And again, disabling the web interface completely, or blocking it is not an option either.

And the job history section of the jobs page, is one giant security risk.

Simply put, that entire section should never be available to anyone public. And blocking access to the IP is not possible as we need it for the admin web interface.

It's inconceivable that there's no way to disable this.

Darren King
02-08-2013, 06:21 PM
What kind of info are you trying to hide? Who cares how many pages, or what print settings someone used? Is paranoia a prerequisite to becoming an IT person?

AndrewPO
02-08-2013, 06:34 PM
What kind of info are you trying to hide? Who cares how many pages, or what print settings someone used? Is paranoia a prerequisite to becoming an IT person?

I keep saying it, let me put it in a list this time
Here is what SHOULD NOT be accessible to any sort of public login


Listing of current jobs
Listing of past jobs
Name of user who sent jobs
Name of file for sent jobs
Ability to delete jobs
Ability to change priority on jobs


This isn't paranoia. The options are there. We can't restrict it from our network or we disable the admin login as well. Therefore anyone on our network can do anything on that list. It's a security risk, plain and simple.

Setting that aside for a moment, I asked a technical question, I'd rather not have to explain every possible motivation for what I need to do.

Darren King
02-08-2013, 06:46 PM
Wow! And you say it isn't paranoia? lol

The answer is NO. You can't change or restrict what is seen on the user login for pagescope. Sorry.
Now go back to you bunker and put on you aluminium foil hat. lol

AndrewPO
02-08-2013, 06:56 PM
Wow! And you say it isn't paranoia? lol

The answer is NO. You can't change or restrict what is seen on the user login for pagescope. Sorry.
Now go back to you bunker and put on you aluminium foil hat. lol

I'm guessing you don't work somewhere where confidential documents need to be printed, well I do.
Security is a major concern, and so is not having to go to the printer and back just to add an address to the address book.

EarthKmTech
02-08-2013, 07:29 PM
I haven't tried it in regards to your requirements, but have you tried secure printing ? it may achieve what you are after.

but then the person has to enter a password in to release their secure print jobs.

Failing that, you will need to contact your dealer and request customised firmware. There may be a cost associated with this service. Depending on your dealer they may not be interested in doing this either.

AndrewPO
02-08-2013, 07:38 PM
I haven't tried it in regards to your requirements, but have you tried secure printing ? it may achieve what you are after.

but then the person has to enter a password in to release their secure print jobs.

Failing that, you will need to contact your dealer and request customised firmware. There may be a cost associated with this service. Depending on your dealer they may not be interested in doing this either.

I'm pretty sure custom firmware will be the route we are going to take.
I imagine it shouldn't be too big of a cost to simply remove the ability for the user to login.
Seems the easiest way would be to just make a check if it's not the admin user logging it, just fail the login.
Though, I'm not a programmer.

Still, I'm pretty sure if there's no way to block those sections or disable the login, that will be the route we attempt to take.

Secure printing isn't a good option in this case as many of the people doing the confidential printing aren't computer savvy. They just use basic functions.

blackcat4866
02-08-2013, 09:02 PM
I've just found that some IT personnel can be control freaks. They want me to do the setup, but will not provide administrative rights or logins. I know a specific IT guy who doesn't even want me looking at his screen, and never ever touch a keyboard.

The funny thing about the security functions are that when they're working properly they're never convenient or simple. If it was it wouldn't be security.

Couldn't you block that specific IP address for the browser?

Have you taken into account that 99.9% of the individuals in your office have no idea that there even is a web interface, let alone how to get to it? Even when I attempt to train individuals how to use it, within a week they cannot remember a thing.

In my humble opinion the username does not tell you anything particularly interesting. So what if so-and-so printed or scanned a document? Nobody can see the document. Is the time that crucial? or # of MB?

I too think your paranoid. =^..^=

darry1322
02-08-2013, 09:16 PM
Some of the newer machines have the ability to set Security Settings to a higher level. At that level Job Logs are hidden. Earlier models were not as security minded.

oldschool
02-08-2013, 10:12 PM
I've done a lot of IT work in my day and I understand privacy concerns. When it boils down to it I was the one in charge of security. Any IT professional knows that you can block a website only for PCs within a range of IP addresses. Most routers have this built in and you just need to input the address/IPs you want blocked. Just be sure the admin user's PC's IP address is not blocked. There are other ways to block a website from certain users. Most companies already have this type of system in place.

No matter how small the change; getting custom firmware is not a quick or easy solution.

If you truly care about security than you should already be using secure printing. Set it up in the driver by default and they'll have to enter a set username and password for that PC when they pick up their print job. Otherwise print jobs are just laying on the copier to be seen or taken by anyone before the person that printed it shows up!

kingarthur
02-11-2013, 09:53 AM
I'm pretty sure custom firmware will be the route we are going to take.
I imagine it shouldn't be too big of a cost to simply remove the ability for the user to login.
Seems the easiest way would be to just make a check if it's not the admin user logging it, just fail the login.
Though, I'm not a programmer.

Still, I'm pretty sure if there's no way to block those sections or disable the login, that will be the route we attempt to take.

Secure printing isn't a good option in this case as many of the people doing the confidential printing aren't computer savvy. They just use basic functions.

If..as you say the "people doing the confidential printing aren't computer savvy"...then why the need for so much security...

AndrewPO
02-11-2013, 03:25 PM
I've done a lot of IT work in my day and I understand privacy concerns. When it boils down to it I was the one in charge of security. Any IT professional knows that you can block a website only for PCs within a range of IP addresses. Most routers have this built in and you just need to input the address/IPs you want blocked. Just be sure the admin user's PC's IP address is not blocked. There are other ways to block a website from certain users. Most companies already have this type of system in place.

This is really not an option in our case. There are plenty of people on VMs which need access.



If..as you say the "people doing the confidential printing aren't computer savvy"...then why the need for so much security...
I said many. There are still those that are.
To be blunt, this is the only device on our network that hasn't been secured.

emujo
02-11-2013, 11:32 PM
If you're willing to experimant, try turning on account track...when enabled, any user accessing the web page will need to log in with their code to get to the user page...I haven't tried it on any of our MFPs, but it might block any info pertaining to other users...might only see your own jobs/print records...Emujo

kronical
02-11-2013, 11:47 PM
I keep saying it, let me put it in a list this time
Here is what SHOULD NOT be accessible to any sort of public login


Listing of current jobs
Listing of past jobs
Name of user who sent jobs
Name of file for sent jobs
Ability to delete jobs
Ability to change priority on jobs


This isn't paranoia. The options are there. We can't restrict it from our network or we disable the admin login as well. Therefore anyone on our network can do anything on that list. It's a security risk, plain and simple.

Setting that aside for a moment, I asked a technical question, I'd rather not have to explain every possible motivation for what I need to do.

Let me ask you this,

What makes you think this access is in any way different than what users can access on the machine itself?
You really are being overly paranoid.
Maybe your company should have looked into this beforehand?
Maybe your company shouldn't have been so cheap and paid the massive amount of extra money for the remote administration package (which, btw, would allow you to turn off the web interface for both sides, and manage the equipment from the package)
Or maybe you should be using 3rd party security solutions such as Equitrack.

Point being, you get what you pay for. You didn't want to pay for the extra security features, then don't bitch about not having them.

kronical
02-11-2013, 11:49 PM
I'm guessing you don't work somewhere where confidential documents need to be printed, well I do.
Security is a major concern, and so is not having to go to the printer and back just to add an address to the address book.

Seriously?!? We techs deal with ALL INDUSTRIES. Confidential documents included. Even GOVERNMENT offices. None of them seems to have this problem.

kronical
02-11-2013, 11:51 PM
I'm pretty sure custom firmware will be the route we are going to take.
I imagine it shouldn't be too big of a cost to simply remove the ability for the user to login.
Seems the easiest way would be to just make a check if it's not the admin user logging it, just fail the login.
Though, I'm not a programmer.

Still, I'm pretty sure if there's no way to block those sections or disable the login, that will be the route we attempt to take.

Secure printing isn't a good option in this case as many of the people doing the confidential printing aren't computer savvy. They just use basic functions.

Really?! So the brain surgeon that requires an electronic scope to probe your brain during surgery can just "not use it" because he's not tech-savvy? Reeally?!
How about, "learn how to do it or find another job"

God Damn IT people are so useless.

kronical
02-12-2013, 12:00 AM
I've just found that some IT personnel can be control freaks. They want me to do the setup, but will not provide administrative rights or logins. I know a specific IT guy who doesn't even want me looking at his screen, and never ever touch a keyboard.

The funny thing about the security functions are that when they're working properly they're never convenient or simple. If it was it wouldn't be security.

Couldn't you block that specific IP address for the browser?

Have you taken into account that 99.9% of the individuals in your office have no idea that there even is a web interface, let alone how to get to it? Even when I attempt to train individuals how to use it, within a week they cannot remember a thing.

In my humble opinion the username does not tell you anything particularly interesting. So what if so-and-so printed or scanned a document? Nobody can see the document. Is the time that crucial? or # of MB?

I too think your paranoid. =^..^=

Oh Blackcat, you hit the nail on the head.
The users aren't tech savvy enough to use secure print (which takes 2 clicks extra from where they already are, and that's pending that IT DIDN'T pre-program the print driver with the users information), but they are savvy enough to know how to get into the web interface, which requires them to know the exact IP address of the machine... that makes alot of sense.
And very true, it only contains a log of who printed and how many pages. Not what was on each page.

That being said, I was able to find some information for you that may prove helpful
Paranoia Support Group - DailyStrength (http://bit.ly/o9K7yy)

kronical
02-12-2013, 12:03 AM
If you're willing to experimant, try turning on account track...when enabled, any user accessing the web page will need to log in with their code to get to the user page...I haven't tried it on any of our MFPs, but it might block any info pertaining to other users...might only see your own jobs/print records...Emujo

No this won't help, as all information is available once logged in. The accounts will be designated as public users.

B0265
02-12-2013, 09:30 AM
Depending on the model you could try this:
Press the Utility/Counter key > Administrator Settings > Security Settings > Security Details > Hide Personal Information.
This setting hides the file names in the job list.

AndrewPO
02-12-2013, 03:39 PM
Depending on the model you could try this:
Press the Utility/Counter key > Administrator Settings > Security Settings > Security Details > Hide Personal Information.
This setting hides the file names in the job list.

This is definitely a step in the right direction for us. Ours had that option and we have it enabled now.
Thank you.

dallas
02-12-2013, 06:59 PM
... and that is the reason why there are user manuals.
If I knew just someone who reads me from it.

AndrewPO
02-12-2013, 07:01 PM
... and that is the reason why there are user manuals.
If I knew just someone who reads me from it.

I don't get the manual. My boss does.

kingarthur
02-13-2013, 01:31 PM
I don't get the manual. My boss does.

Is that for security reasons.......:D

Darren King
02-13-2013, 01:46 PM
I don't get the manual. My boss does.

Seems to be an office full of paranoia. lol.

AndrewPO
02-13-2013, 03:15 PM
Seems to be an office full of paranoia. lol.
No, this is just because I get tasks assigned. We're in different locations.
I'll have the manual when we end up in the same place.

Kidaver
02-13-2013, 03:34 PM
The manuals you need for these types of questions and such are free downloads on Konica Minolta's site....

AndrewPO
02-13-2013, 03:41 PM
The manuals you need for these types of questions and such are free downloads on Konica Minolta's site....
Ok, I'll check there and read through it.

Custom Search