Re: Xerox DocuTech problems

[kikaiju () kikaiju com]

As a former DocuTech operator and network admin at a small printer, I have 
some experience with these issues.  Some other details need to be added, IMO.

The Xerox printer and DigiPath scanner workstation are almost always leased 
equipment.  They are horribly expensive to BUY outright, edging toward half 
a million dollars for some of the more advanced DocuTech models 
(6100/6135/6180).  So most people lease.  That means that it's Xerox's 
problem if it breaks, and the first thing they'll tell you is, if you 
install software on the NT box and break it, well, all we are going to do 
is restore it back to the state it was at install.  They use a drive image 
stored on a data tape to do this.  All customer data is typically wiped out 
in the process, naturally.

This is generally not a problem IF the customer has properly setup their 
workflow.  For one, all scanned documents and their related SQL or Oracle 
database should be stored on another server.  They take up a LOT of space 
anyway, and the Xerox DigiPath scan workstation box doesn't have any 
meaningful hard drive space.

The Scan workstation does not need to have totally open shares.  Done 
correctly, all it needs to share is the printer driver and even that can be 
moved to another NT server if needed.

The web server application is totally optional and can and should also be 
run off another server, which CAN be secured as much as any other IIS 
server.  Unless Xerox has changed it very recently, there is no option to 
run it on any other web server.  The requirement was just hitting IIS 4 as 
of a year ago.  Higher versions were not supported. Naturally, One should 
always keep their IIS patched.   There are some Xerox reps who understand 
the need to keep this part secure and some that do not. It all depends on 
who does the install.  In truth, the DigiPath web stuff hardly works at 
all, so not installing it is probably the best idea.

For the printer Solaris boxes, what the original post said is generally 
correct.  However.  All the Sun box is supposed to do is run the printer 
using custom hardware interface and custom software.  It is not meant to be 
a totally secure machine.  A hardware firewall should be employed between 
the printer and public internet or even the rest of the lan for that matter.

By the way, Administ is the printer's UI password.  The NT scan workstation 
administrator password was administrator and CAN be changed without 
breaking anything.

If you try to secure the Solaris box and mess it up, well, Xerox will wipe 
the drive and do a reinstall. :)  A key part of Xerox service is that they 
need every machine to be the same at every site.

In truth, they need it to be the same because many of them barely 
understand how it works.  Any change risks breaking it.  Break it a lot and 
they'll give you a nice bill for putting it back.  The trick is to find an 
analyst who understands the security concerns and work with him or her to 
make it happen.

Also, once you have locked it down (and by some miracle, it still works), 
do not rub it in the faces of anyone at Xerox or they _will_ have a fit and 
come in and reinstall everything.

Xerox as a company is in pretty bad shape right now, with massive layoffs, 
selling of assets, customers closing down left and right (many of these 
pricey printers were in the dot-bombs), and intense competition from other 
companies willing to give away the farm for free to put their machines in 
print shops.  No excuses, just a sad fact.




At 02:50 PM 5/17/2002 -0400, you wrote:

> I'm forwarding this for people who would like to remain
> anonymous.
>
> This case illustrates why software product vendors should be
> held legally and financially accountable for the security
> problems caused by their reckless and sometimes arrogant
> disregard of known problems.
>
> Xerox replied with a document mirrored at
> http://totally.righteous.net/jedgar/overview_of_security.pdf
> which doesn't address many of the problems, and states that the
> ultimate responsibility for security lies with the customer.
>
> Kudos to Xerox for setting a new standard of incompetence.
>
>
> Begin forwarded (and edited) message
> ------------------------------------------
>
> The model is a Xerox DocuTech 6110 or 6115.
>
> These puppies are not old-fashioned optical copiers but
> basically two units, a high-speed scanner and a high speed laser
> printer.
>
> The laser printer is controlled by a dual-processor Sun Uitra 60
> running Solaris 8. The Scanner is controlled by an Intel box
> running Windows NT.
>
> The scanner sends jobs via ftp to the printer. Jobs can also be
> sent to the printer via lpd through a windows print driver or
> other means.
>
> So, they install it, first thing we do is ask what the root
> password is for the Solaris box. "Oh, no problem, it's
> "service!" -- it's the same for all of our machines."
>
> WTF?  First thing I say is "We will want to change that."
>
> "No, you can't. It will probably break things."
>
> Well, this puppy is WIDE OPEN like you wouldn't believe.
> Everything imaginable is running and listening, including such
> arcane services like sprayd.  Then I do a "rpcinfo -p" and see a
> shitload of unknown RPC services running. But best yet,
> showmount -e reveals numerous directories exported to the entire
> world, world writable!
>
> The NT box Administrator account password is "administ" and is
> wide open, so anyone can connect to C$. Copies of all jobs
> scanned are saved in case they are needed to be rerun later, so
> anyone wanting to grab that document doesn't have to wait for it
> to appear in the spool dir of the Solaris box, just grab it from
> the scanner box at your leisure.
>
> Go to the server's http port and there's a complete web page
> which is very helpful for allowing you to submit jobs over the
> web and directly into the "print now" queue so an operator
> doesn't even have to approve it before it prints out. Imagine
> the fun you can have. Also, there's a very helpful job history
> so you can see who has been copying what, all anonymous, no
> authentication required.
>
> So, we lock the box down tight, installing ssh, disabling
> telnet, finger, echo, chargen, and other shit you wouldn't
> believe. Also installed security updates from Microsoft on the
> NT box.  Xerox comes in today and has a fit and starts to
> reinstall everything from scratch.
>
> And scanning for these puppies would be easy as pie. Just do a
> finger against a block of addresses for xrxusr account and if it
> replies, you got yourself one...
>
> ------------------------------------------