
Security at Xerox

Xerox Product Security Frequently Asked Questions

How may I acquire security patches for my Xerox product?

Depending on which Xerox product requires a patch, you may be able to download security patches from the Xerox web site at Xerox Security. For other Xerox products, the security patch will be made available as part of a new release version of system software. In the US, contact the Xerox Customer and Technical Support Center at (800) 821-2797 for questions regarding patch support. Outside the US, contact your local Xerox Support Center. If you have a managed services account, either through Xerox or another provider, your contract will tell you who has the responsibility to obtain and install these patches.

How does Xerox discover and fix security problems?

In addition to our own extensive internal testing, Xerox regularly monitors vulnerability clearinghouses made available by such entities and resources as US-CERT, CVE, Sun Microsystems, Microsoft Security Bulletins for various software and operating system vulnerabilities, and bugtraq, for open source vulnerabilities. A robust internal security testing program is also engaged that involves vulnerability analysis and penetration testing to provide fully tested patches. Click this link to read the Xerox Vulnerability Management and Disclosure Policy from the Xerox Security web site. 

How does Xerox deploy patches for security vulnerabilities and how quickly does that happen?

Depending on the severity of the vulnerability, the size of the patch, and the product, the patch may be deployed separately or take the form of a new SPAR or General release of software for that product. Xerox developers follow a formal security development life cycle that manages security problems through identification, analysis, prioritization, coding, and testing. In all cases, Xerox strives to provide patches as expediently as possible, based on the nature, origin and severity of the vulnerability. 

How can someone learn more about the security features of a Xerox product?

Visit the Xerox Support website and input your specific Xerox product, then choose Documentation to search for documents related to security. You can also use the Selector on Xerox Security and select your Xerox product family and then your specific product. This tool will display all the security information available for the selected product as well. If this does not provide the required information, contact your Xerox Sales Representative. More documents are being added as they are released.

Which Xerox products are Common Criteria certified?

A complete list of the Xerox products that have achieved Common Criteria Certification and a list of additional Xerox products that are currently under evaluation for Common Criteria Certification are available on the Common Criteria Certified Products page.

What is Xerox doing to protect customer data?

Xerox is committed to protecting customer information. Xerox has developed a Disk Overwrite feature which repeatedly writes data patterns over job information on the device's hard drive. Many Xerox devices use encryption to protect the customer data at rest on the internal hard disk. We employ TLS, IPsec, SFTP and other secure protocols to protect customer data during transmission to and from the device. The Secure Print feature enables the user to hold a job until they enter a password at the device to release the job. A Removable Hard Drive kit is available as an option for a number of Xerox products that allows data to be locked away when needed. Visit Xerox Security and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. More documents are being added as they are released. We put special emphasis on the care and handling of machines that are returned to us after lease expiration or otherwise. Disks in these devices are destroyed or completely re-mastered to remove any residual customer information before they are reused. For more information on hard drive security, see Data Protection: Image Overwrite, Encryption and Disk Removal. Xerox also has a Hard Drive Retention offering that allows customers particularly concerned about the security of their data to keep the device hard drive when the machine is returned. Check with your Xerox Sales Representative for pricing and availability.

How secure is the FAX feature on Xerox Products?

The FAX feature on the Xerox production products is frequently controlled by a third party system and the scanned images are passed through the Xerox device to be stored and forwarded by the third party system. The internal FAX feature of office Multi-Function Devices is designed to isolate the FAX subsystem and telephone interface from any network interface.

Can network ports and services be disabled on Xerox devices?

Yes. Unnecessary ports and services can be shut off to prevent unauthorized or malicious access. On smaller desktop devices, these options can be adjusted through their control panel or Web User Interface. On Production and Office devices, tools are provided to set security levels and disable specific ports and services. Visit Xerox Security and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. More documents are being added as they are released. 

Can I contact Xerox with my product security questions?

Yes. It is recommended you first review the available information about specific products at the Xerox website where you can find a wealth of documents and whitepapers about Xerox products. If your question is not answered there, in the US, contact the Xerox Customer and Technical Support Center. Outside the US, contact your local Xerox Support Center. If you still need more information you may submit specific questions through the Contact Us link on the Xerox Security website.

How does Xerox help me protect my data when in motion across my network? Can the network communication channels be encrypted to and from Xerox devices?

Yes. The Transport Layer Security (TLS) and (on older equipment) Secure Sockets Layer (SSL) protocols are used to secure job submission and job status reporting. IPsec protocol may be used to protect network channels including DNS, DHCP, FTP, IPP, LPR and Port 9100 printing. Xerox Office products use SNMPv3 for encrypted device management. Hyper-Text Transfer Protocol Secure (HTTPS) is used to secure communication between Xerox devices and web applications. Xerox Office and Production devices support Secure Shell (SSH) for secure administrative access and secure FTP. Visit the Xerox Security site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. If this does not provide the required information, contact your Xerox Sales Representative. More documents are being added as they are released.

What is Xerox's policy on helping customers attain regulatory compliance for things such as Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI-DSS), and Health Insurance Portability and Accountability Act (HIPAA)?

Xerox is proactive in providing features on its products that help customers comply with these types of regulation. Specific information about regulatory compliance is available on the Xerox Security website in the form of Articles and Whitepapers. 

How can I manage security alerts on my client after enabling a self-signed digital certificate on my Xerox Device?

The issue is that the client operating system doesn’t have a way to validate Xerox self-signed/self-generated certificates with an external CA (Certificate Authority) such as Verisign. New operating systems now have features that ‘flag’ this as a concern and display a security alert when accessing the device from a web browser or using bi-directional features in print drivers. The solution is to download the ‘Generic Xerox Trusted CA Certificate’ from the device and identify it as a ‘Trusted Root Certification Authority’ to the client operating system. Specific instructions for your device model can be found in the System Administrator Guide by going to Xerox Support and inputting your specific Xerox product, then choose Documentation and search for the System Administrator. You can also use the Online Support Assistant tool by going to Xerox Support and inputting your specific product and selecting Support from the menu, then typing in your search term.

How can I prevent my printer from being accessed from the Internet?

Xerox recommends that customers install a firewall between print devices and the Internet and enable the internal device firewall by enabling features such as IP Filtering to limit IP addresses that can access the device. Additional protection is available through appropriate configuration of security features on print devices. Xerox provides whitepapers and guidance documents for each particular device by choosing it from the product selector at Xerox Security.
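
The following is an added example, not Xerox code or part of the original FAQ. It audits perimeter firewall log lines for allowed connections to print-related ports from sources outside the IP Filtering allowlist. The allowlist, the log format and the sample lines are constructed assumptions; the port numbers are the standard ones for the protocols named on this page.

```python
import ipaddress

# Assumption: constructed allowlist, as an administrator might enter
# under the device's IP Filtering settings.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.10/32")]

# Print-related TCP services named on this page, by their standard ports.
PRINT_PORTS = {515: "LPR", 631: "IPP", 9100: "Port 9100", 443: "HTTPS"}

# Constructed sample firewall log, one "<src_ip> <dst_port> <action>" per line.
SAMPLE_LOG = """\
10.20.4.17 9100 ALLOW
192.168.50.10 631 ALLOW
203.0.113.45 9100 ALLOW
198.51.100.7 515 DENY
10.99.1.2 443 ALLOW
not-an-ip 9100 ALLOW
192.0.2.9 22 ALLOW
"""


def audit(log_text, allowed=ALLOWED):
    """Return (findings, skipped).

    findings: allowed connections to a print port from a source that is
              not covered by the allowlist, as (src, port, service).
    skipped:  lines that could not be parsed, kept for manual review.
    """
    findings, skipped = [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            port, action = int(parts[1]), parts[2].upper()
        except (IndexError, ValueError):
            skipped.append(line)
            continue
        # Only traffic that was let through to a print service matters here.
        if action != "ALLOW" or port not in PRINT_PORTS:
            continue
        if not any(src in net for net in allowed):
            findings.append((str(src), port, PRINT_PORTS[port]))
    return findings, skipped


if __name__ == "__main__":
    for src, port, service in audit(SAMPLE_LOG)[0]:
        print(f"outside allowlist: {src} -> {service} (tcp/{port})")
```

Each finding points to a perimeter firewall rule or a device IP filter that is wider than intended.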
