So setting up a color scanner/printer/copier and setting up the scan to smb/scan to ftp …and I thought I’d be nice to myself and set the scan “to” to end up in the same folder that my other black and white scanner/printer/copier is scanning to… so step one I renamed the folder I was scanning the other stuff to [note to self, do not call a scan to folder the same name as the copier as invariably you’ll get another copier by another vendor and want to scan to the same folder].  So after I renamed it, made sure everything was working on the old scanner, I went to the new one… so I’m trying to set up an address book…and dang… can we have a bit more step by step SBSized instructions please? 


Bottom line… somehow while setting the address book so end users could just press a button and scan to ‘their’ shared spot…I’ve ended up getting a master login and password to the scanner.  Now…do I know what login and password it wants as the login to this device?  Of course not.  Is it any of the usernames and passwords that I think it should be?  Of course not.  And of course right now I’m half BLIND in typing in info into the onscreen digital keyboard.


Dr. Jesper Johansson rolled over in his not yet entered into grave when I said I was setting up scan to FTP for the old Konica scanner/copier/printer… man I’m rolling over in MY not yet entered into grave setting up this copier.


To get the functionality that I KNOW I will need to have… I have to leave a password…an authentication means…an entry point…  to my network ON that device.  I can guarantee you right now that there is no way in God’s green earth [or in the case of where I live… a little brown and dry these days with the summer heat] that I am going to get people to ‘log’ into this sucker.  So in order for it to scan what it needs to do…and shove it up to the network where I need it to go…. I will have to leave behind …ON THIS DEVICE… a user that has rights.  Now… what I WILL be doing after I figure out how to get myself full access back to that copier and finish setting up the buttons… is reviewing what rights that user has on my system.  I already have such a ‘generic’ user account because next to my Konica copier/scanner/printer is a flat screen monitor, a small keyboard, and one of those small form factor Dell machines so that as people scan, they can open up Adobe Acrobat and check the process of the scanning.  I’m planning to do the same for this new color printer copier.  The real question is…I just used the standard ‘SBS’ normal user template and I probably need to triple check that the wizardized template is as locked down as it can be.  Like for example.. I need to give access from that user account to ONLY THAT one folder on the server.  There’s no need for it to have the full rights and accesses that the rest of my users have at all.  Especially now that I’m hardcoding the dang thing into the operating panel of a copier on lease for heavens sake. 


Maybe that’s something we all need to ask ourselves more of… for every user that we set up…. do they really need everything that we’re setting up for them?  Lock such access accounts down…and in my network diagram.. I’ll be putting a BIG RED X on that copier reminding myself that there’s a username and password on that device.  In fact… if we aren’t doing that already… on your network diagrams that you are building for your clients… make sure you include copiers/scanners/printers, phones, and anything else hanging off that network with a password.  Document EXACTLY all the devices, all the systems, all the locations where those passwords are stored. 


Remember that as you change the passwords … they too need to be changed.  Don’t forget to manually adjust your DSRM Administrator password too in the meantime until we get that DSrestore fix.


Well… I’m off to go see if I can hack my way into a Ricoh copier…


Oh and Vista/Longhorn ..whatever you guys up in Redmond are calling the next server… you guys thinking about making an uber uber lowered rights user account for such access like this?  If not… can ya think about it?





P.S.  Page 84 in the security reference book… login name for the Ricoh copier…lower case admin..no password… in case you accidentally do what I did…and yeah..we’ll be changing that from the default and documenting that on our master password listing…….oh and.. I ..um.. found out I don’t have to go blind… I can log in via IP and enter this stuff in the address book that way via a web browser…. you would think by now I’d be geeky enough to learn..wouldn’t ya…


2 Responses to So now we have a little too much security….but maybe not enough?

  1. Anonymous Dog says:

    With our new Ricoh / Gestetner machine, I use no user account at all for scan-to-smb. The shared scan folder on the SBS is set up with (in addition to our "normal" acls) Guests deny delete, Everyone create files and write attributes (and extended attributes) for folder and files only, Everyone allow read/exec for folder and subs only. Works fine and allows no really disastrous possibilities (since that folder is on a partition with nothing critical on it — so the worst would be some anon user filling up the partition). Anon can’t read files or create new folders, can’t delete files, can only read folder contents and write new files. Seemed perfect for the problem and requires no passwords on the Ricoh (which is running a modded FreeBSD BTW, so it’s pretty secure anyhow).
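The rights model in the comment above, combined with the point in the post about giving the copier’s account access to ONLY that one folder, can be scripted on the file server. The following is an added example, not code from the post, the comment, or any vendor: it creates a dedicated account for the copier (instead of relying on Everyone, which on 2003 means any authenticated user), builds the drop folder with a clean ACL, and shares it. The path `D:\Scans`, the share name, the account `svc-copier-scan` and the group `Scan Readers` are assumed names; run it as an administrator on the server.

```powershell
# Added example (not from the post or its comments). Assumed names below.
$ScanRoot  = 'D:\Scans'          # assumed: a partition holding nothing critical
$ShareName = 'Scans'
$SvcUser   = 'svc-copier-scan'   # the one account that will live on the copier
$Readers   = 'Scan Readers'      # assumed group of people who open the scans

# 1. Dedicated account: '*' prompts for the password; it cannot be changed by the
#    user and does not expire, since it will be hard-coded into the copier panel.
net user $SvcUser '*' /add /passwordchg:no /expires:never

# 2. Folder with a clean ACL: drop everything inherited from the drive root, then
#    put back only what is needed for administration and for reading the scans.
New-Item -ItemType Directory -Path $ScanRoot -Force | Out-Null
icacls $ScanRoot /inheritance:r
icacls $ScanRoot /grant 'SYSTEM:(OI)(CI)F'
icacls $ScanRoot /grant 'Administrators:(OI)(CI)F'   # admins collect and clean up
icacls $ScanRoot /grant "${Readers}:(OI)(CI)RX"      # users read, never write

# 3. Copier account, mirroring the comment's scheme:
#    (CI)      = this folder and subfolders: list and traverse, but no read of files
#    (OI)      = this folder and files: add files, write attributes, write ext. attrs
#    deny D,DC = cannot delete files or the children of the folder
#    No AD (add subdirectory) right, so it cannot create folders either.
icacls $ScanRoot /grant "${SvcUser}:(CI)(RX)"
icacls $ScanRoot /grant "${SvcUser}:(OI)(WD,WA,WEA)"
icacls $ScanRoot /deny  "${SvcUser}:(OI)(CI)(D,DC)"

# 4. Share it. Share-level CHANGE for the copier account only, so the NTFS ACL
#    above is what actually limits it. (net share /grant exists on Vista/2008+;
#    on 2003 set the share permissions through the folder's Sharing tab.)
net share "$ShareName=$ScanRoot" /grant:"$SvcUser,CHANGE"

# 5. Dump the resulting ACL so it can go straight into the network documentation
#    next to the BIG RED X on the copier.
icacls $ScanRoot
```

Because the account’s only purpose is to write files into this share, the next step on the domain is to add it to "Deny log on locally" and "Deny log on through Terminal Services" in User Rights Assignment, so that the password sitting on a leased copier is worth nothing more than the ability to drop files into an otherwise empty partition.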

  2. Susan says:

    Are you talking about SBS 2000 or 2003? As 2000 "Everyone" allows for Anon access. In 2003, the "Everyone" account is equivalent to authenticated users.

    I just am not thrilled with a device [FreeBSD or no FreeBSD] that I don’t have a patch tool that can touch it with any passwords on there… expect a revisit and a reblog….