Common Security Questions
Does PaperCut store any passwords?
User authentication is performed by the operating system - usually via a directory service such as Active Directory or LDAP. PaperCut does not store any user passwords and instead interrogates the directory service in real time. Caching or storing passwords is regarded as a security risk. The only exception to this rule is the built-in admin user account. This password is stored in a one-way hashed format in the server.properties file. This account is kept separate from the directory user accounts, ensuring that administrator-level login is still possible even during a directory outage.
What level of encryption does PaperCut use?
Client-server communication of sensitive data is conducted over an SSL link - this is an equivalent level of encryption to that used by a web browser connected to an https:// website.
How can I restrict access to the XML Web Service APIs?
Two levels of access control are provided for the web services APIs. The first is that any call needs to pass a valid authentication token (usually the admin user's built-in password). All calls not passing this will be rejected. The second level of security is IP address level filtering. By default PaperCut will only allow calls from localhost (127.0.0.1), and optionally this can be extended to other servers by manually granting that server's IP address. Valid IP addresses/ranges are defined under the Options section.
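The two checks described above, sketched in Python as an added example (this is not PaperCut's own code). The function names, the token value and the allow-list entry format are assumptions made for illustration.

```python
import hmac
import ipaddress

# Default mirrors the page: only localhost may call the API until other
# addresses are granted explicitly.
DEFAULT_ALLOWED = ("127.0.0.1",)


def parse_allowed(entries):
    """Turn address/range strings into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalise(remote_addr):
    """Parse the caller address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(remote_addr)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def authorize_call(remote_addr, token, expected_token, allowed=DEFAULT_ALLOWED):
    """Return (permitted, reason). Both gates must pass; either failure rejects."""
    try:
        addr = normalise(remote_addr)
    except ValueError:
        return False, "unparseable source address"
    # Address gate runs first in this sketch, so a host that was never
    # granted access learns nothing about whether its token was valid.
    nets = parse_allowed(allowed)
    if not any(addr.version == n.version and addr in n for n in nets):
        return False, "source address not granted"
    # Constant-time comparison so response timing does not leak token bytes.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "invalid authentication token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample calls: (source address, presented token, allow-list).
    granted = ["127.0.0.1", "10.0.0.0/24"]
    for src, tok, acl in [
        ("127.0.0.1", "s3cret", DEFAULT_ALLOWED),
        ("10.0.0.5", "s3cret", DEFAULT_ALLOWED),
        ("10.0.0.5", "s3cret", granted),
        ("10.0.0.5", "guess", granted),
    ]:
        print(src, authorize_call(src, tok, "s3cret", acl))
```

Note that in this sketch the IPv6 loopback `::1` is not covered by an allow-list containing only `127.0.0.1`, which is a common reason a local caller is rejected on dual-stack hosts.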
Is PaperCut certified under security standard XYZ?
Formal security certification is a new and emerging industry. PaperCut is already developed in line with leading security guidelines and practices (see Tell me about PaperCut's security?). As formal standards emerge and if there is user demand, we will consider formal certification. At the current time, we don't have any concrete intentions. Issues such as our release-often policy and the fact that many certification standards focus on the installed setup rather than the product itself make certification difficult (e.g. PCI DSS).
Tell me about your security development practices?
More information here: Tell me about PaperCut's security?
Also see: Tell me about PaperCut's security?
