Authenticating Lexmark Print Management

We recommend applying security policies such as the following on LPM servers:

Note: Some restrictions may conflict with LPM. For example, virus scanning of certain directories can cause file contention issues. To ensure that new policies do not conflict with LPM, review each policy before applying it.

Antivirus policy requirements and recommendations

Required antivirus policies

Recommended antivirus policy

Run the following on all Lexmark servers during off-peak hours:

Configuring Apache using the httpd.conf file

  1. From your computer, navigate to the <install-Dir>\Solutions\Apache2\conf folder, where <install-Dir> is the installation folder of Apache.

  2. Using a text editor, configure any of the following:

    Notes:

    • Some directives are not present or inactive by default.
    • For more information, see the Apache website.

    Each of the following entries describes a vulnerability, followed by the directive settings that mitigate it.

    The Server header of an HTTP response may disclose the following:

    • Web server type and version

    • Operating system and version

    • Associated ports

    • Compiled-in modules

    Set the ServerTokens directive to Prod, and the ServerSignature directive to Off.

    Other files that ship with the server, such as documentation, sample code and applications, and tutorials, may also expose it to attack.

    Note: The list of sample files may change with the software versions.

    Remove the following sample code and documentation items:

    • <install-Dir>/apache2/manual/*.*

    • <install-Dir>/apache2/conf/extra/*.*

    • <install-Dir>/apache2/cgi-bin/printenv

    • <install-Dir>/apache2/cgi-bin/test-cgi

    Where <install-Dir> is the installation folder of Apache.

    To help mitigate denial-of-service attacks, specify timeouts.

    Note: If necessary, adjust these settings for each server.

    Do the following:

    • Set Timeout directives to 300 or less.

    • Set KeepAlive directives to On.

    • Set KeepAliveTimeout to 15 or less.

    CGI scripts are one of the most exploited vulnerabilities on web servers.

    Run CGI scripts in Apache using the following methods:

    • ScriptAlias—Configures the server to read everything in a directory as a CGI script.

    • Combination of the Options and AddHandler or SetHandler directives—When a combination of the Options and Handler directives is used, the ability to manage scripts centrally is lost, creating a vulnerability on the web server. We recommend managing scripts using the ScriptAlias directive.

    Search for the following uncommented directives:

    • SetHandler

    • AddHandler

    • Options

    For all instances of the SetHandler and AddHandler directives, query the web administrator to determine if the directives allow CGI scripts.

    If CGI scripts are used by the SetHandler or AddHandler directives, then it is a finding.

    For all instances of the Options directive that are using +ExecCGI or ExecCGI, it is a finding.

    If the Options directive is found with -ExecCGI, then it is not a finding.

    If the value does not exist, then it is a finding unless the Options statement is set to None.

    Locate the scripts in a ScriptAlias directory, and then add the appropriate symbol to disable ExecCGI, or set the Options directive to None.

    The Options directive configures the web server features that are available in specific directories.

    The FollowSymLinks feature lets a request follow a symbolic link to a file or directory, which is a hazard when the link points to sensitive data.

    The IncludesNOEXEC feature enables server-side includes but disables the exec command to help prevent the execution of malware.

    The MultiViews feature may respond with all available files in a directory that are not meant for browsing.

    If a URL maps to a directory without a DirectoryIndex (index.html), then a listing of files that are not meant for browsing may be returned.

    Set all Options directives to the following:

    • -FollowSymLinks

    • -Includes, -IncludesNOEXEC, or +IncludesNOEXEC

    • -MultiViews

    • -Indexes

    Note: Setting the Options directive to None disables all extra features.

    The following directives mitigate buffer overflow and denial-of-service attacks by limiting the amount of accepted data:

    • The LimitRequestBody directive lets you set a limit on the allowed size of an HTTP request message body.

    • The LimitRequestFields directive lets you limit the number of request header fields.

    • The LimitRequestFieldSize directive lets you set a limit on the allowed size of an HTTP request header field.

    • The LimitRequestLine directive lets you set a limit on the allowed size of a client's HTTP request-line.

    Note: If errors occur, then adjust these values for each server.

    Do any of the following:

    • Set the LimitRequestBody directive to any number greater than 0.

    • Set the LimitRequestFields directive to any number greater than 0.

    • Set the LimitRequestFieldSize directive to 8190.

    • Set the LimitRequestLine directive to 8190.

    Note: Some of these values are the default values, but they must be explicitly set.

    Web servers get their capabilities using modules. Minimizing the enabled modules to only the required modules reduces the number of vulnerable points.

    The Apache proxy modules let the server act as a forward or reverse proxy of HTTP and other protocols.

    To show a list of loaded modules, do the following:

    1. From your computer, open the command prompt.

    2. Navigate to the <install-Dir>/apache2/bin/ folder, where <install-Dir> is the installation folder of Apache.

    3. Run the httpd -M command.

    The following modules are required core Apache modules:

    • core_module

    • win32_module

    • mpm_winnt_module

    • http_module

    • so_module

    Attackers commonly scan for web servers that forward proxy requests. Such proxy servers can be used to anonymize attacks on other servers or to relay requests into a protected network.

    The following modules are Apache proxy modules and are not required for LPM:

    • proxy_module

    • proxy_ajp_module

    • proxy_balancer_module

    • proxy_ftp_module

    • proxy_http_module

    • proxy_connect_module

    Disable the UserDir directive (userdir_module) to prevent access to user home directories.

    Content that is specific to the web server can be used to identify the type and version of the web server. Disable access to such content (autoindex_module) to help mitigate attacks.

    To disable modules that are not required for LPM, in the httpd.conf file, add # before appropriate modules.

    Access to the root of the web server must be secured.

    • The Apache Directory directive enables directory-specific configuration. Create a default deny policy that does not allow access to the root directory of the operating system.

    • Use the Apache Options directive to create a default minimal options policy for the root directory where permissions may be enabled.

    • Use the Apache AllowOverride directive to control which of the preceding configuration directives a .htaccess file may change.

    Note: The authz_core_module uses the Require all denied directive.

    Set the root Directory directive (<Directory />) to the following:

    • Order deny,allow

    • Deny from all

    • Options None

    • AllowOverride None

    If these root directory entries do not exist, then add them.

    The TRACE method is not necessary and must be disabled.

    Set the TraceEnable directive to Off.

    If this directive does not exist, then add it.

    The Apache Listen directive specifies the IP addresses and port numbers that the Apache web server listens to for requests. Configure the server to listen only to expected addresses and port numbers.

    Specify the IP address and the port number for each Listen directive.

    The ScriptAlias directive specifies which directories the Apache server recognizes as containing scripts. If the directive uses a URL-path name that is different than the actual file system path, then the script source code may be exposed.

    Verify that the URL-path and the directory-path of the ScriptAlias directive match.

    Sample of a correct path:

      ScriptAlias /cgi-bin/ "<install-Dir>/cgi-bin/"

    Sample of an incorrect path:

      ScriptAlias /script-cgi-bin/ "<install-Dir>/cgi-bin/"

    Where <install-Dir> is the installation folder of Apache.

    HTTP Request Methods such as PUT and DELETE modify resources and are not required for LPM to function. Disable these methods.

    For each Directory directive except root, set the following:

    Order allow,deny
    <LimitExcept GET POST OPTIONS>
        Deny from all
    </LimitExcept>


  3. Save the file.

  4. Restart the Apache service.
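The directive rules in step 2 can be checked mechanically before the service is restarted. The following Python script is an added example written for this page; it is not Lexmark's tooling and is not part of the original documentation. It parses an httpd.conf, reports each rule violation as a finding, and places a constructed weak configuration next to a constructed hardened one (the Windows paths, the 192.0.2.10 address and the LimitRequest values are illustrative assumptions). Directive names in the scalar rule table are assumed to be in their canonical spelling.

```python
# Audit an httpd.conf against the directive rules in step 2 (added example, not Lexmark's tooling).

# Constructed configuration with several weak settings that the rules flag.
WEAK_CONF = """\
ServerTokens Full
Timeout 600
TraceEnable On
Listen 80
ScriptAlias /script-cgi-bin/ "C:/Apache2/cgi-bin/"
<Directory "C:/Apache2/htdocs">
    Options Indexes FollowSymLinks +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
"""

# The same constructed server after applying the settings from step 2.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
Timeout 300
KeepAlive On
KeepAliveTimeout 15
TraceEnable Off
Listen 192.0.2.10:9780
LimitRequestBody 1048576
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
ScriptAlias /cgi-bin/ "C:/Apache2/cgi-bin/"
<Directory />
    Options None
</Directory>
<Directory "C:/Apache2/htdocs">
    Options -ExecCGI -FollowSymLinks -Includes -MultiViews -Indexes
</Directory>
"""

# Single-valued directives (canonical spelling assumed): name -> (predicate, expected value).
SCALAR_RULES = {
    "ServerTokens": (lambda v: v.lower() == "prod", "Prod"),
    "ServerSignature": (lambda v: v.lower() == "off", "Off"),
    "TraceEnable": (lambda v: v.lower() == "off", "Off"),
    "Timeout": (lambda v: v.isdigit() and int(v) <= 300, "300 or less"),
    "KeepAlive": (lambda v: v.lower() == "on", "On"),
    "KeepAliveTimeout": (lambda v: v.isdigit() and int(v) <= 15, "15 or less"),
    "LimitRequestBody": (lambda v: v.isdigit() and int(v) > 0, "greater than 0"),
    "LimitRequestFields": (lambda v: v.isdigit() and int(v) > 0, "greater than 0"),
    "LimitRequestFieldSize": (lambda v: v == "8190", "8190"),
    "LimitRequestLine": (lambda v: v == "8190", "8190"),
}
DISALLOWED_OPTIONS = {"execcgi", "followsymlinks", "includes", "multiviews", "indexes"}  # never enabled


def active_lines(conf):
    """Yield (directive, argument string) for every uncommented, non-empty line."""
    for line in (l.strip() for l in conf.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            yield parts[0], (parts[1] if len(parts) > 1 else "")


def audit(conf):
    """Return a list of finding strings; an empty list means every rule is satisfied."""
    findings, seen, section = [], set(), "(global)"
    for name, args in active_lines(conf):
        lname = name.lower()
        if lname == "<directory":                      # entering a <Directory ...> block
            section = args.rstrip(">").strip().strip('"') or "/"
            continue
        if lname == "</directory>":
            section = "(global)"
            continue
        seen.add(name)
        if name in SCALAR_RULES:
            ok, expected = SCALAR_RULES[name]
            if not ok(args):
                findings.append(f"{name} is {args!r}; expected {expected}")
        elif lname == "listen" and ":" not in args:    # a bare port listens on every address
            findings.append(f"Listen {args!r} does not name an IP address")
        elif lname in ("sethandler", "addhandler") and "cgi-script" in args.lower():
            findings.append(f"{name} enables CGI scripts in {section}")
        elif lname == "options":
            tokens = args.split()
            for tok in tokens:                         # +Feature or a bare Feature enables it
                if tok.lstrip("+-").lower() in DISALLOWED_OPTIONS and not tok.startswith("-"):
                    findings.append(f"Options {tok} is enabled in {section}")
            if args.lower() != "none" and not any(t.lstrip("+-").lower() == "execcgi" for t in tokens):
                findings.append(f"Options in {section} does not explicitly disable ExecCGI")
        elif lname == "scriptalias":
            url_path, _, directory = args.replace('"', "").partition(" ")
            url_tail = url_path.strip("/").rsplit("/", 1)[-1]
            dir_tail = directory.replace("\\", "/").strip("/").rsplit("/", 1)[-1]
            if url_tail != dir_tail:                   # URL-path and directory-path disagree
                findings.append(f"ScriptAlias {url_path} does not match directory {directory}")
    findings.extend(f"{name} is not set" for name in SCALAR_RULES if name not in seen)
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("FINDING:", finding)
```

Run against a real httpd.conf by reading the file into audit(); the script only inspects the uncommented lines, so directives that are present but commented out correctly show up as "not set", matching the note that default values still have to be set explicitly.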

Note: Some common security-related configuration items, such as WebDAV and the Apache mod_info and mod_status modules, may conflict with LPM or LDD.
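To act on the module lists in step 2, the output of httpd -M can be compared against the required core modules and the modules LPM does not need, and the matching LoadModule lines commented out as the text instructs. The following Python is an added example, not Lexmark's code: the captured httpd -M output and the LoadModule lines are constructed to resemble a Windows Apache build.

```python
# Compare `httpd -M` output with the module lists in step 2 (added example, not Lexmark's code).

# Required core modules (the list in step 2).
REQUIRED_MODULES = {"core_module", "win32_module", "mpm_winnt_module", "http_module", "so_module"}
# Modules the text says LPM does not need: the proxy family, UserDir and autoindex.
DISABLE_MODULES = {
    "proxy_module", "proxy_ajp_module", "proxy_balancer_module", "proxy_ftp_module",
    "proxy_http_module", "proxy_connect_module", "userdir_module", "autoindex_module",
}

# Constructed sample of `httpd -M` output.
SAMPLE_HTTPD_M = """\
Loaded Modules:
 core_module (static)
 win32_module (static)
 mpm_winnt_module (static)
 http_module (static)
 so_module (static)
 authz_core_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 autoindex_module (shared)
"""

# Constructed httpd.conf excerpt with LoadModule lines to act on.
SAMPLE_LOADMODULE = (
    "LoadModule proxy_module modules/mod_proxy.so\n"
    "LoadModule authz_core_module modules/mod_authz_core.so"
)


def parse_loaded_modules(output):
    """Return the set of module names from `httpd -M` output (the heading line is skipped)."""
    modules = set()
    for line in output.splitlines():
        line = line.strip()
        if line and not line.endswith(":"):
            modules.add(line.split()[0])
    return modules


def classify(output):
    """Split loaded modules into: required but missing, must be disabled, everything else to review."""
    loaded = parse_loaded_modules(output)
    return {
        "missing_required": sorted(REQUIRED_MODULES - loaded),
        "must_disable": sorted(loaded & DISABLE_MODULES),
        "review": sorted(loaded - REQUIRED_MODULES - DISABLE_MODULES),
    }


def comment_out(conf, modules):
    """Prefix '#' to each LoadModule line for the given modules, as the text instructs."""
    out = []
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "LoadModule" and parts[1] in modules:
            line = "#" + line
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    result = classify(SAMPLE_HTTPD_M)
    print("must disable:", result["must_disable"])
    print(comment_out(SAMPLE_LOADMODULE, set(result["must_disable"])))
```

Modules in the "review" bucket (authz_core_module in the sample) are neither required nor on the disable list; the note above about mod_info and mod_status is the kind of judgement that bucket is meant to prompt.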

Supported port numbers and protocols

Make sure that the firewall allows the following port numbers and protocols:

Component            Port   Protocol  Function
Database (Firebird)  3050   TCP       Database communications
                     8001   TCP       Backup and Restore agent
Load balancer        443    TCP       Load balancer HTTPS TLS communications, including Lexmark Management Console
                     4113   TCP       Web adapter (JMX)
                     9700   TCP       Profile submission to e-Task printers; Web adapter (JMX)
                     9705   TCP       Apache agent
                     9780   TCP       Load balancer communications, including Lexmark Management Console
                     9783   TCP       Load balancer HTTPS TLS communications, including Lexmark Management Console
Server               4111   TCP       JMX
                     5111   TCP       RMI
                     8009   TCP       AJP and Tomcat connector (load balancer worker)
                     9743   TCP       HTTPS TLS profile job submission from printers or client software to a server, including Lexmark Management Console
                     9788   TCP       Profile job submission from printers or client software to a server, including Lexmark Management Console
Printer              79     TCP       Finger
                     161    UDP       SNMP; printer discovery
                     5000   TCP       Policy updates; ObjectStore plain text communication
                     5353   UDP       Multicast DNS
                     6000   UDP       Printer discovery; ObjectStore communication using XML protocol
                     6100   UDP       Printer discovery; policy updates; Lexmark Secure Transport (LST) encrypted data
                     6110   TCP       Printer discovery; policy updates; LST authentication and negotiation
                     9100   TCP       Printing; policy updates
                     9300   UDP       Printer discovery; NPA protocol UDP communications
                     9500   TCP       NPA protocol TCP communications
LPM                  631    TCP       IPP
                     5672   TCP       ActiveMQ
                     9780   TCP       MFPAuth
                     61614  TCP       ActiveMQ
                     61616  TCP


Standard port numbers for LDAP and LDAPS

Port number  Function
389          LDAP communications
636          LDAPS communications


Authenticating using LPM REST API

Note: The following instructions are applicable to the Print Management Console, mobile authentication, and Chrome extension authentication.

Authenticating using a token

To protect resources, the LPM REST API uses JSON Web Tokens (JWT) to verify access claims. Depending on the credentials provided during authentication, the REST service issues either an administrator token or a user token.

Note: The user token has limited resource access.

By default, the token validity is 30 minutes. To update the expiration time, do the following:

  1. From your computer, navigate to the <install-Dir>\Lexmark\Solutions\apps\idm\WEB-INF\classes folder, where <install-Dir> is the installation folder of LDD.

  2. Using a text editor, open the idm-production-config.properties file.

  3. Specify the value for idm.token.expirationInMinutes.

  4. Save the file.
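To illustrate how an expiration setting expressed in minutes governs a JWT's lifetime, the following Python is an added example and not LPM's implementation: it mints and verifies an HS256 token whose exp claim is derived from a minutes value, using only the standard library. The signing key is a placeholder, and the sub and role claims (standing in for the administrator/user distinction) are this example's own assumptions, not LPM values.

```python
"""Illustrative JWT lifetime check driven by an expiration-in-minutes setting.

Added example; not LPM's implementation. HS256 with a placeholder key is
assumed, and the "role" claim standing for the administrator/user token
distinction is this example's own convention.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"placeholder-signing-key"   # placeholder, not an LPM value
DEFAULT_EXPIRATION_IN_MINUTES = 30        # the default token validity stated above


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, role, expiration_in_minutes=DEFAULT_EXPIRATION_IN_MINUTES, now=None):
    """Mint an HS256 JWT whose exp is now + expiration_in_minutes."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "role": role, "iat": now, "exp": now + expiration_in_minutes * 60}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and exp has not passed, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":           # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                            # expired (or malformed exp) tokens are rejected
    return claims


if __name__ == "__main__":
    issued_at = int(time.time())
    token = issue_token("alice", "user", now=issued_at)
    print("valid now:", verify_token(token, now=issued_at) is not None)
    print("valid after 31 minutes:", verify_token(token, now=issued_at + 31 * 60) is not None)
```

Raising idm.token.expirationInMinutes corresponds to a larger exp offset at issue time; the verifier never needs to know the setting, because the token carries its own deadline and the signature prevents a client from extending it.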

Authenticating using a hashid

To address the Insecure Direct Object Reference vulnerability, the LPM REST API service masks all resource IDs with hashids. This method prevents the interface from exposing dbid references to outside entities.

The hashid algorithm relies on a key phrase, or salt, to calculate hashid values. Changing the salt produces different hashids for the same IDs.

To change the default salt value, do the following:

  1. From your computer, navigate to the <install-Dir>\Lexmark\Solutions\apps\lpm\WEB-INF\classes folder, where <install-Dir> is the installation folder of LDD.

  2. Using a text editor, open the app-production-config.properties file.

  3. Specify the value for hashids.salt.

  4. Save the file.

Note: When using an enterprise setup, make sure that all application servers have the same salt value.