Depending on which Xerox product requires a patch, you may be able to download security patches from the Xerox web site at www.xerox.com/security. For other Xerox products, the security patch will be made available as part of a new release version of system software. In the US, contact the Xerox Customer and Technical Support Center at (800) 821-2797 for questions regarding patch support. Outside the US, contact your local Xerox Support Center. If you have a managed services account, either through Xerox or another provider, your contract will tell you who has the responsibility to obtain and install these patches.
In addition to our own extensive internal testing, Xerox regularly monitors vulnerability clearinghouses made available by such entities and resources as US-CERT, CVE, Sun Microsystems, and Microsoft Security Bulletins for various software and operating system vulnerabilities, and bugtraq for open source vulnerabilities. A robust internal security testing program, involving vulnerability analysis and penetration testing, is also in place to provide fully tested patches. The Xerox Vulnerability Management and Disclosure Policy is available on the Xerox Security web site.
Depending on the severity of the vulnerability, the size of the patch, and the product, the patch may be deployed separately or take the form of a new SPAR or General release of software for that product. Xerox developers follow a formal security development life cycle that manages security problems through identification, analysis, prioritization, coding, and testing. In all cases, Xerox strives to provide patches as expediently as possible, based on the nature, origin and severity of the vulnerability.
Visit the www.xerox.com/support web site and input your specific Xerox product, then choose Documentation to search for documents related to security. You can also use the Selector on www.xerox.com/security and select your Xerox product family and then your specific product. This tool will display all the security information available for the selected product as well. If this does not provide the required information, contact your Xerox Sales Representative. More documents are being added as they are released.
A complete list of the Xerox products that have achieved Common Criteria Certification and a list of additional Xerox products that are currently under evaluation for Common Criteria Certification are available on the Common Criteria Certified Products page.
Xerox is committed to protecting customer information. Xerox has developed a Disk Overwrite feature which repeatedly writes data patterns over job information on the device's hard drive. Many Xerox devices use encryption to protect customer data at rest on the internal hard disk.
We employ TLS, IPsec, SFTP and other secure protocols to protect customer data during transmission to and from the device.
The Secure Print feature enables the user to hold a job until they enter a password at the device to release the job. A Removable Hard Drive kit is available as an option for a number of Xerox products that allows data to be locked away when needed. Visit the www.xerox.com/security web site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. More documents are being added as they are released.
We put special emphasis on the care and handling of machines that are returned to us after lease expiration or otherwise. Disks in these devices are destroyed or completely re-mastered to remove any residual customer information before they are reused. For more information on hard drive security, see Data Protection: Image Overwrite, Encryption and Disk Removal. Xerox also has a Hard Drive Retention offering that allows customers particularly concerned about the security of their data to keep the device hard drive when the machine is returned. Check with your Xerox Sales Representative for pricing and availability.
The FAX feature on the Xerox production products is frequently controlled by a third party system and the scanned images are passed through the Xerox device to be stored and forwarded by the third party system. The internal FAX feature of office Multi-Function Devices is designed to isolate the FAX subsystem and telephone interface from any network interface.
Yes. Unnecessary ports and services can be shut off to prevent unauthorized or malicious access. On smaller desktop devices, these options can be adjusted through their control panel or Web User Interface. On Production and Office devices, tools are provided to set security levels and disable specific ports and services. Visit the www.xerox.com/security web site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. More documents are being added as they are released.
Yes. It is recommended you first review the available information about specific products at the www.xerox.com web site where you can find a wealth of documents and whitepapers about Xerox products. If your question is not answered there, in the US, contact the Xerox Customer and Technical Support Center. Outside the US, contact your local Xerox Support Center. If you still need more information you may submit specific questions through the Contact Us link on the www.xerox.com/security web site.
Yes. The Transport Layer Security (TLS) and (on older equipment) Secure Sockets Layer (SSL) protocols are used to secure job submission and job status reporting. The IPsec protocol may be used to protect network channels including DNS, DHCP, FTP, IPP, LPR and Port 9100 printing. Xerox Office products use SNMPv3 for encrypted device management. Hyper-Text Transfer Protocol Secure (HTTPS) is used to secure communication between Xerox devices and web applications. Xerox Office and Production devices support Secure Shell (SSH) for secure administrative access and secure FTP. Visit the www.xerox.com/security web site and use the Selector to choose a Xerox product. This tool will display all the security information available for the selected product. If this does not provide the required information, contact your Xerox Sales Representative. More documents are being added as they are released.
Xerox is proactive in providing features on its products that help customers comply with these types of regulation. Specific information about regulatory compliance is available on the www.xerox.com/security web site in the form of Articles and Whitepapers.
The issue is that the client operating system has no way to validate Xerox self-signed/self-generated certificates against an external CA (Certificate Authority) such as Verisign. Newer operating systems ‘flag’ this as a concern and display a security alert when the device is accessed from a web browser or through the bi-directional features in print drivers. The solution is to download the ‘Generic Xerox Trusted CA Certificate’ from the device and identify it as a ‘Trusted Root Certification Authority’ to the client operating system.
Specific instructions for your device model can be found in the System Administrator Guide by going to www.xerox.com/support and inputting your specific Xerox product, then choosing Documentation and searching for the System Administrator Guide. You can also use the Online Support Assistant tool by going to www.xerox.com/support, inputting your specific product, selecting Support from the menu, and then typing in your search term.
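One way to carry out the trust step described above on a Windows client, as an added example that is not Xerox's own procedure or code: it checks the downloaded certificate before placing it in the Trusted Root store. The file path and the expected SHA-256 fingerprint are placeholders, and the example assumes the fingerprint was confirmed at the device by a trusted route and that the certificate carries a basicConstraints extension.

```powershell
# Added example: verify a downloaded device CA certificate, then trust it.
# Run in an elevated PowerShell session on the Windows client.
# $CertPath and $ExpectedSha256 are placeholders, not values from Xerox.
$CertPath       = 'C:\Temp\device-ca.cer'                      # placeholder path
$ExpectedSha256 = '<SHA-256 FINGERPRINT CONFIRMED OUT OF BAND>' # placeholder

$ErrorActionPreference = 'Stop'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 1. Fingerprint of the DER-encoded certificate, independent of file encoding.
$sha    = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-'
$sha.Dispose()
$wanted = ($ExpectedSha256 -replace '[^0-9A-Fa-f]').ToUpperInvariant()
if ($actual -ne $wanted) {
    throw "Fingerprint mismatch: got $actual. Certificate not imported."
}

# 2. A root store entry should be a CA certificate, not a leaf.
#    Assumption: the device CA certificate includes basicConstraints.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a CA (basicConstraints CA=TRUE missing).'
}

# 3. Reject expired or not-yet-valid certificates.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Show what is about to be trusted, then import into the machine root store.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
```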
Xerox recommends that customers install a firewall between print devices and the Internet and enable the internal device firewall by enabling features such as IP Filtering to limit the IP addresses that can access the device. Additional protection is available through appropriate configuration of security features on print devices. Xerox provides whitepapers and guidance documents for each device, which can be found by choosing the device from the product selector at www.xerox.com/security.