close How may I acquire security patches for my Xerox product?

Depending on which Xerox product requires a patch, you may be able to download security patches from the Xerox web site at www.xerox.com/security. For other Xerox products, the security patch will be made available as part of a new release version of system software. In the US, contact the Xerox Customer and Technical Support Center at (800) 821-2797 for questions regarding patch support. Outside the US, contact your local Xerox Support Center.

close How does Xerox discover and fix security problems?

In addition to our own extensive internal testing, Xerox regularly monitors vulnerability clearinghouses made available by such entities and resources as US-CERT, CVE, Sun Microsystems, Microsoft Security Bulletins for various software and operating system vulnerabilities, and bugtraq, for open source vulnerabilities. A robust internal security testing program is also engaged that involves vulnerability analysis and penetration testing to provide fully tested patches. Click this link to read the Xerox Vulnerability Management and Disclosure Policy from the Xerox Security web site.

close How does Xerox deploy patches for security vulnerabilities and how quickly does that happen?

Depending on the severity of the vulnerability, the size of the patch, and the product, the patch may be deployed separately or take the form of a new release of software for that product. Xerox developers follow a formal security development life cycle that manages security problems through identification, analysis, prioritization, coding, and testing. In all cases, Xerox strives to provide patches as expediently as possible, based on the nature, origin and severity of the vulnerability.

close How can someone learn more about the security features of a Xerox product?

Visit www.xerox.com/security web site and connect to the specific Xerox product page for product documentation concerning security for use the Selector to choose a that Xerox product. This tool will display all the security information available for the selected product. If this does not provide the required information, contact your Xerox Sales Representative. More documents are being added as they are released.

close Which Xerox products are Common Criteria certified?

A complete list of the Xerox products that have achieved Common Criteria Certification and a list of additional Xerox products that are currently under evaluation for Common Criteria Certification are available on the Common Criteria Certified Products page.

close What is Xerox doing to protect customer data?

Xerox is committed to protecting customer information. Xerox has developed a Disk Overwrite feature which repeatedly writes data patterns over job information on the devices hard drive. Many Xerox devices use encryption to protect the customer data at rest on internal hard disks and during transmission to and from the device. The Secure Print feature enables the user to hold a job until they enter a password at the device to release the job. A Removable Hard Drive kit is available as an option for a number of Xerox products that allows data to be locked away when needed. Visit www.xerox.com/security web site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. More documents are being added as they are released.

We put special emphasis on the care and handling of machines that are returned to us after lease expiration or otherwise. Disks in these devices are destroyed or completely re-mastered to remove any residual customer information before they are reused.

close How secure is the FAX feature on Xerox Products?

The FAX feature on the Xerox production products is frequently controlled by a third party system and the scanned images are passed through the Xerox device to be stored and forwarded by the third party system. The internal FAX feature of office Multi-Function Devices is designed to isolate the FAX subsystem and telephone interface from any network interface.

close Can network ports and services be disabled on Xerox devices?

Yes. Unnecessary ports and services can be shut off to prevent unauthorized or malicious access. On smaller desktop devices, these options can be adjusted through their control panel or PC-based configuration software. On production devices, tools are provided to set security levels and disable specific ports and services. Visit www.xerox.com/security web site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. More documents are being added as they are released.

close Can I contact Xerox with my product security questions?

Yes. It is recommended you first review the available information about specific products at the www.xerox.com web site where you can find a wealth of documents and whitepapers about Xerox products. If your question is not answered there, in the US, contact the Xerox Customer and Technical Support Center. Outside the US, contact your local Xerox Support Center. If you still need more information you may submit specific questions through the Contact Information link on the www.xerox.com/security web site.

close How does Xerox help me protect my data when in motion across my network? Can the network communication channels be encrypted to and from Xerox devices?

Yes. The Secure Sockets Layer (SSL) protocol is used for secure job submission and job status reporting. IPsec protocol may used to protect network channels including DNS, DHCP, FTP, IPP, lpr, Port 9100 printing. Xerox Office products use SNMPv3 for encrypted device management. Xerox Production devices support Secure Shell (ssh) for secure administrative access and secure FTP. Visit www.xerox.com/security web site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. If this does not provide the required information, contact your Xerox Sales Representative. More documents are being added as they are released.

close What is Xerox's policy on helping customers attain regulatory compliance for things such as Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA).

Xerox is proactive in providing features on its products that help customers comply with these types of regulation. Specific information about regulatory compliance is available on the www.xerox.com/security web site in the form of Articles and Whitepapers.

close How can I manage security alerts on my client after enabling a self-signed digital certificate on my Xerox Device?

The issue is that the client operating system doesn’t have a way to validate Xerox self-signed/self-generated certificates with an external CA (Certificate Authority) like Verisign for example. New operating systems now have features that ‘flag’ this as a concern and display a security alert when accessing the device from a web browser or using bi-directional features in print drivers. The solution is to download the ‘Generic Xerox Trusted CA Certificate’ from the device and identify it as a ‘Trusted Root Certification Authority’ to the client operating system. Specific Instructions for your device model can be found in the support page for that model using the Online Support Assistant tool.

Here’s an example of what the OSA will give them.

The printer must be configured with an IP Address before CentreWare Internet Services can be accessed. If necessary, print a Configuration Report to obtain the IP Address. See the Related Items below for additional information.

1. When the message is displayed, click on [Continue to this website (not recommended)]. The CentreWare Internet Services window will be displayed.
2. Click on the [Properties] tab.
3. Enter the username and password in the fields provided, and then click on the [Login] button.
   NOTE: The default user name is "admin" (case sensitive) an the default password is "1111".
4. Click on [Security] to expand the list of options.
5. Click on [Security Certificates]. The Security Certificates window will be displayed.
6. Click on the [Download the Generic Xerox Trusted CA Certificate] link.
7. Click on [Save] to save the file to the computer.
8. Browse to the location of the downloaded certificate file, and then double-click on the file.
9. Click on the [Install Certificate] button.
10. Click on [Next] on the Welcome to the Certificate Import Wizard window.
11. Click on the [Place all certificates in the following store] radio button, and then click on the [Browse] button to choose the correct folder to save the Certificate file to.
12. Click on the [Trusted Root Certification Authorities] folder to save the certificate in this folder, and then click [OK].
13. Click on [Next] on the Certificate Import Wizard screen.
14. Click on [Finish] on the Completing the Certificate Import Wizard screen.
15. Click [OK] twice to complete the import.
16. Click on the [Logout] link and logout of CWIS.
17. Close the browser window.

close How can I prevent my printer from being accessed from the Internet?

Xerox recommends that customers install a firewall between print devices and the Internet. Additional protection is available through appropriate configuration of security features on print devices. Xerox provides whitepapers and guidance documents for each particular device by choosing it from the product selector at www.xerox.com/security.