CN116455751A - Information processing apparatus, control method for information processing apparatus, and storage medium - Google Patents

Publication number: CN116455751A
Authority: CN (China)
Prior art keywords: setting; information processing; communication interface; processing apparatus; environment
Legal status: Pending
Application number: CN202310025745.2A
Other languages: Chinese (zh)
Inventor: 伊藤勇气
Current Assignee: Canon Inc
Original Assignee: Canon Inc
Priority claimed from: JP2022163765A (JP2023103955A)
Application filed by: Canon Inc

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08: Configuration management of networks or network elements
    • H04L41/0803: Configuration setting
    • H04L41/084: Configuration by using pre-existing information, e.g. using templates or copying from other elements
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209: Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL

Abstract

The invention provides an information processing apparatus, a control method of the information processing apparatus, and a storage medium. An information processing apparatus stores a plurality of setting values prepared for setting the information processing apparatus, receives selection of one of a plurality of items associated with a plurality of use environments from a user as a use environment corresponding to the first communication interface, receives selection of one of the plurality of items associated with the plurality of use environments from the user as a use environment corresponding to the second communication interface, sets the information processing apparatus based on a first setting value group and a second setting value group, the first setting value group being included in the plurality of setting values and corresponding to an environment selected as a use environment corresponding to the first communication interface, the second setting value group being included in the plurality of setting values and corresponding to an environment selected as a use environment corresponding to the second communication interface.

Description

Information processing apparatus, control method for information processing apparatus, and storage medium
Technical Field
The present invention relates to an information processing apparatus connected to a network.
Background
Recently, the number of information processing apparatuses that include a plurality of communication interfaces has been increasing, and each such information processing apparatus is used while connected to a plurality of Local Area Networks (LANs). In some cases, for example, because the users connected to the respective networks are different, different security function settings need to be made for the respective communication interfaces.
Japanese patent application laid-open No. 2020-154832 discloses a technique of setting a network filter function for each communication interface.
Meanwhile, information processing apparatuses have been used in various environments such as a remote work environment and a public space shared by unspecified users, and required settings have become complicated.
Disclosure of Invention
The present invention aims to provide a structure for collectively making settings suitable for use environments corresponding to communication interfaces in an information processing apparatus having a plurality of communication interfaces.
According to an aspect of the present invention, an information processing apparatus including a first communication interface and a second communication interface includes: a storage unit configured to store a plurality of setting values prepared for setting the information processing apparatus; a first receiving unit configured to receive, from a user, a selection of one item among a plurality of items associated with a plurality of usage environments as a usage environment corresponding to the first communication interface; a second receiving unit configured to receive, from a user, a selection of one item among a plurality of items associated with the plurality of usage environments as a usage environment corresponding to the second communication interface; and a setting unit configured to set the information processing apparatus based on a first set of setting values that are included in the plurality of setting values stored in the storage unit and correspond to use environments associated with the items selected by the first receiving unit and a second set of setting values that are included in the plurality of setting values stored in the storage unit and correspond to use environments associated with the items selected by the second receiving unit.
Other features of the present invention will become apparent from the following description of exemplary embodiments with reference to the accompanying drawings.
Drawings
Fig. 1 is a diagram showing an example of an information processing system.
Fig. 2 is a diagram showing an example of a hardware configuration of the image forming apparatus.
Fig. 3 is a diagram showing an example of a software configuration of the image forming apparatus.
Fig. 4 is a diagram showing an example of a screen to be displayed on an operation unit of the image forming apparatus.
Fig. 5 is a flowchart showing an example of collective setting processing performed by the image forming apparatus.
Fig. 6 is a diagram showing an example of a screen to be displayed on an operation unit of the image forming apparatus according to the second exemplary embodiment.
Fig. 7 is a flowchart showing an example of collective setting processing performed by the image forming apparatus according to the second exemplary embodiment.
Fig. 8 is a flowchart showing an example of collective setting processing performed by the image forming apparatus according to the third exemplary embodiment.
Fig. 9 is a flowchart showing an example of collective setting processing performed by the image forming apparatus according to the fourth exemplary embodiment.
Fig. 10 is a flowchart showing an example of collective setting processing performed by the image forming apparatus according to the fifth exemplary embodiment.
Detailed Description
Hereinafter, exemplary embodiments of the present invention will now be described with reference to the accompanying drawings. Note that the following exemplary embodiments are not intended to limit the present invention according to the scope of the claims. Furthermore, not all combinations of features described in the exemplary embodiments are always essential for the solution of the invention.
Fig. 1 is a diagram showing an example of an information processing system according to the first exemplary embodiment. The image forming apparatus 101 serving as an example of the information processing apparatus according to the present exemplary embodiment includes two wired communication interfaces, and the two wired communication interfaces are connected to different networks, respectively. In the present exemplary embodiment, the use environment 110 illustrated in fig. 1 will be referred to as a corporate intranet environment 110, and the use environment 120 illustrated in fig. 1 will be referred to as an internet direct connection environment 120. The use environment 110 is regarded as the use environment of the main line, and the use environment 120 is regarded as the use environment of the sub-line.
The corporate intranet environment 110 is an environment in which an image forming apparatus 101 and a Personal Computer (PC) 113 are connected via a corporate intranet Local Area Network (LAN) 112. A firewall 114 is installed at the boundary between the LAN 112 and the internet 100.
In other words, communication performed between each information processing apparatus in the corporate intranet environment 110 and the internet 100 is monitored and protected by the firewall 114. Thus, in the corporate intranet environment 110, the risk of an attacker accessing individual information processing apparatuses from the internet 100, for example, is significantly reduced.
In contrast, in the internet direct connection environment 120, a firewall is not installed. The internet direct connection environment 120 is an environment as follows: the image forming apparatus 101 and the PC 123 are directly connected to the internet 100 via the LAN 122, and communicate without being monitored and protected by a firewall. Accordingly, the information processing apparatuses such as the image forming apparatus 101 and the PC 123 need to take measures by using a personal firewall function in each information processing apparatus to prevent risks such as access by an attacker from the internet 100.
In the present exemplary embodiment, environments in which information processing apparatuses such as image forming apparatuses are used are classified into six types: the usage environments 110 and 120 shown in fig. 1, and an internet prohibition environment, a remote work environment, a public space environment, and a highly confidential information management environment, which are not shown in fig. 1. The main line or the sub line is provided with a collective setting function for collectively performing security function settings appropriate for the category.
The above-described category classification is not intended to limit the present invention, and the environment may be classified as part of the categories exemplified in the present exemplary embodiment, or may be classified as other categories. For example, in a case where it is assumed that the information processing apparatus is installed inside a company, the environments may be classified by service categories such as financial service and public service. The environment may also be classified into class levels corresponding to security intensities.
The information processing apparatus includes various setting items in addition to the setting items related to the security function. In the present exemplary embodiment, the collective setting function of collectively performing the settings related to the security function is provided, but the collective setting function of collectively performing settings other than the security function setting may be provided.
Hereinafter, four use environments not shown in fig. 1 will be described.
The internet-prohibited environment is a closed area network environment that is isolated from a different network, such as the internet 100. In the internet prohibition environment, the respective information processing apparatuses are connected via a LAN, and network communication can be performed between the information processing apparatuses on the LAN. The respective information processing apparatuses are not accessed by unspecified users on the internet 100.
The remote work environment is an environment in which an information processing apparatus is connected via a home LAN. The home LAN is a private network composed of home routers, but does not employ security countermeasures as taken by a robust firewall in corporate intranet environment 110. Accordingly, similarly to the internet direct connection environment 120, the information processing apparatuses installed in the remote working environment need to take measures by using a personal firewall function in each information processing apparatus to prevent risks such as access by an attacker from the internet 100.
The public space environment is the following: the unspecified users can physically access the information processing apparatus and the unspecified users can commonly use the network in the environment.
The highly confidential information management environment is an environment that processes highly confidential information. The environment that handles highly confidential information is referred to as an environment that gives highest priority to security countermeasures.
A classification method for classifying the use environments of the information processing apparatus into the above six categories according to the present exemplary embodiment will now be described.
Here, an environment that processes highly confidential information is defined as a highly confidential information management environment. Environments in which highly confidential information is not processed are classified into the other five environments.
These five environments are further divided into two groups depending on whether the environment is under strict entry management. The corporate intranet environment 110, the internet direct connection environment 120, and the internet prohibited environment are defined as environments under strict entry management. The remote work environment and the public space environment are defined as environments that are not under strict entry management.
The remote work environment and the public space environment are distinguished according to whether unspecified users share the network in the environment. An environment in which unspecified users share the network is defined as a public space environment. An environment in which unspecified users do not share the network is defined as a remote work environment.
The corporate intranet environment 110, the internet direct connection environment 120, and the internet prohibited environment are distinguished according to whether the environment is an internet connection environment. An environment that is not an internet connection environment is defined as an internet prohibited environment. Among the internet connection environments, an environment in which a firewall is installed is defined as the corporate intranet environment 110, and an environment in which no firewall is installed is defined as the internet direct connection environment 120.
The above six categories and security countermeasures taken for the respective categories will be described with reference to table 1.
TABLE 1
The target items set by the security function group according to the present exemplary embodiment are seven items listed in table 1.
Communication path encryption is a security countermeasure that prevents information leakage by encrypting information communicated over a network. Transport Layer Security (TLS) is an example of a function that realizes communication path encryption. Encryption of the communication path is desirable because the communication content may be intercepted by a third party in an internet connection environment. In other words, communication path encryption is recommended except in the internet prohibited environment.
Disabling legacy protocols is a security countermeasure that prevents counterfeiting and information leakage by disabling functions that use an unsafe legacy communication protocol. As an example of the legacy protocol, there is Windows Internet Name Service (WINS). Similar to communication path encryption, it is also desirable to set to deactivate legacy protocols in an environment in which an information processing apparatus is connected to an external network such as the internet. In other words, it is recommended to deactivate legacy protocols in environments other than the internet-prohibited environment.
The personal firewall is a firewall installed on the information processing apparatus. Similar to a general firewall, a personal firewall monitors communication between an information processing apparatus and an external network such as the internet. Internet Protocol (IP) filters and port number filters are examples of firewalls. The IP filter is a security countermeasure that reads the transmission destination information and transmission source information of a communication packet and allows only preset communication packets. Unauthorized access and information leakage can thereby be prevented. The port number filter is a security countermeasure that prevents entry through a port by closing unused ports. Thus, denial of service (DoS) attacks, which are network attacks that result in vulnerabilities by applying a large amount of load, can be prevented. Since there is a possibility of information leakage and DoS attack in an environment where the information processing apparatus is connected to an external network and a firewall is not installed, it is desirable to activate a personal firewall. In other words, personal firewall activation is recommended except in the internet prohibited environment, in which the information processing apparatus is not connected to the external network, and the corporate intranet environment 110, in which the firewall is installed. As an example of personal firewall activation, the default policy of the IP address filter is set to deny. Alternatively, a subnet address indicating the network to which the image forming apparatus belongs is set as an exception address of the IP address filter. Specifically, the filter conditions are set as follows: communication from the address range corresponding to the subnet is allowed and communication from any other address range is denied.
Authentication security enhancement refers to strengthening countermeasures against counterfeiting by, for example, prohibiting caching of passwords and specifying the minimum number of characters of the passwords. Except in the internet prohibited environment, in which the information processing apparatus is connected within an isolated network, there is a possibility of impersonation. Therefore, it is desirable to enhance authentication security.
The physical attack countermeasure is a security countermeasure for preventing leakage of information by physical means. In the image forming apparatus 101, temporary data such as a print job is generated on a hard disk. The image forming apparatus 101 includes a complete erasing function of automatically and completely erasing the generated temporary data at the end of the job. This complete erasing function is used as an example of a physical attack countermeasure for the image forming apparatus 101. As long as such a function is provided, temporary data cannot be read even if the hard disk is physically removed. In the present exemplary embodiment, the remote work environment and the public space environment are defined as environments that are not under strict entry management. In the remote work environment and the public space environment, which are not under strict entry management and in which physical access to an information processing apparatus cannot be restricted, it is desirable to take physical attack countermeasures. Further, in a highly confidential information management environment, in which reducing the risk of information leakage is given the highest priority, it is desirable to take physical attack countermeasures.
The file sharing function is a function of sharing files over the network in an environment. In an environment where unspecified users share the network, the file sharing function is disabled to prevent information leakage. In other words, it is recommended to deactivate the file sharing function except in private network environments, in which specified users share the network. In the present exemplary embodiment, the private network environments are defined as the corporate intranet environment 110, the internet prohibited environment, and the remote work environment. Therefore, in the environments other than these private network environments, that is, in the internet direct connection environment 120, the public space environment, and the highly confidential information management environment, it is recommended to deactivate the file sharing function. A Server Message Block (SMB) server setting is an example of a file sharing function setting.
The deactivation of the external storage device means, for example, that a Universal Serial Bus (USB) storage device is set so as not to be usable as the external storage device in the information processing apparatus. With this arrangement, it is possible to prevent information from being written to the external storage device and prevent information from leaking. Infection of computer viruses via the USB storage device, and leakage of information caused by infection can also be prevented. The risk of leakage of information via an external storage device, such as a USB storage device, is common to all use environments. Thus, it is desirable to deactivate external storage devices in all usage environments.
Table 1 lists the recommended settings described above. For the item for which setting is recommended, "on" is displayed, and for the item for which any one of "on" and "off" can be set, a diagonal line is drawn.
<Hardware Configuration of Image Forming Apparatus>
A hardware configuration of an image forming apparatus 101 serving as an example of an information processing apparatus according to the present exemplary embodiment will be described with reference to fig. 2. Only the image forming apparatus 101 will be described with reference to fig. 2, but it is also assumed that the image forming apparatus used in the environment not shown in fig. 1 has a configuration similar to that of the image forming apparatus 101.
As described above, in the present exemplary embodiment, the image forming apparatus 101 will be described as an example of an information processing apparatus, but the information processing apparatus is not limited thereto. For example, the information processing apparatus may be a Single Function Peripheral (SFP) including a single function, such as a scanner or a printer. The present exemplary embodiment may be applied to internet of things (IoT) devices and various communication devices connected to a network, such as three-dimensional (3D) printers, smartphones, digital cameras, webcams, and televisions.
A control unit 200 including a Central Processing Unit (CPU) 201 controls the operation of the entire image forming apparatus 101. A Read Only Memory (ROM) 202 stores programs to be executed by the CPU 201. The CPU 201 performs various types of control such as read control and transmission control on the image forming apparatus 101 by reading out a control program stored in the ROM 202. A Random Access Memory (RAM) 203 is used as a temporary storage area, such as a main memory or a work area of the CPU 201. A Hard Disk Drive (HDD) 204 is a storage device that stores image data, various programs, and various types of setting information. The HDD204 may also include another storage device such as a Solid State Drive (SSD). In this way, hardware components such as the CPU 201, the ROM 202, the RAM 203, and the HDD204 constitute a so-called computer.
An operation unit interface (I/F) 205 connects the operation unit 206 and the control unit 200.
The operation unit 206 includes a liquid crystal display unit having a touch panel function and various hardware keys. The operation unit 206 functions as a display unit that displays information to a user and a receiving unit that receives an instruction of the user.
The printer I/F207 connects the printer 208 and the control unit 200. Image data to be printed by the printer 208 is transferred from the control unit 200 via the printer I/F207. The input image data is output onto a recording medium in the printer 208. The scanner I/F209 connects the scanner 210 and the control unit 200. The scanner 210 generates image data by reading an original placed on a platen (not shown). The generated image data is input to the control unit 200 via the scanner I/F209.
The network cable is connected to the first wired communication I/F211 and the second wired communication I/F212. The first wired communication I/F211 connects the control unit 200 and the LAN 112. The first wired communication I/F211 transmits image data or information to an external device on the LAN 112, and receives various types of information from the external device on the LAN 112. The second wired communication I/F212 connects the control unit 200 and the LAN 122. The second wired communication I/F212 transmits image data or information to an external device on the LAN 122, and receives various types of information from the external device on the LAN 122. The wireless communication I/F213 connects the control unit 200 and the wireless LAN. The wireless communication I/F213 is used instead of the first wired communication I/F211 or the second wired communication I/F212. Of the three I/Fs, any one I/F is used as a main line, and one I/F other than the main line is used as a sub-line. In the present exemplary embodiment, the first wired communication I/F211 is connected to the LAN 112 corresponding to the corporate intranet environment 110 to serve as a main line. A second wired communication I/F212 connected to the LAN 122 corresponding to the internet direct connection environment 120 serves as a sub-line. In the present exemplary embodiment, a case is assumed where one of the second wired communication I/F212 and the wireless communication I/F213 is available, and it is assumed that the number of communication interfaces that can be used at a time is limited to two. In the case of using the wireless communication I/F, the wireless communication I/F serves as a sub-line.
<Software Configuration of Image Forming Apparatus>
A software configuration of the image forming apparatus 101 serving as an example of the information processing apparatus according to the present exemplary embodiment will now be described with reference to fig. 3. Each component shown in fig. 3 is realized by the CPU 201 executing a program corresponding to the component stored in the ROM 202.
The operation control unit 310 displays a screen for the user on the operation unit 206. The operation control unit 310 also detects an operation by the user, and switches a screen or updates a display based on the detection result.
The data storage unit 320 stores data on the HDD204 or reads out data from the HDD204 according to a request from another control unit. The data storage unit 320 stores setting information for determining the operation of the image forming apparatus 101 and information on the setting of the security function. Specifically, the data storage unit 320 stores a main line recommendation setting value database 321, a sub line recommendation setting value database 322, a category priority order database 323, and current operation setting data 324.
The main line recommendation setting value database 321 and the sub line recommendation setting value database 322 each refer to a setting data group including a combination of setting items and setting values of security functions of respective categories corresponding to environments in which the image forming apparatus 101 is used.
The main line recommendation setting value database 321 will now be described with reference to table 2. Table 2 describes more detailed setting items and recommended setting data of respective categories for seven setting items described with reference to table 1.
The settings for personal firewalls vary between the primary and secondary lines. Accordingly, the main line recommendation setting value database 321 stores recommendation setting data unique to the main line. In the present exemplary embodiment, settings other than the settings regarding the personal firewall are settings shared by the main line and the sub-line. The shared setting is a setting with reference to a common setting value in the process of using the main line and the sub line.
Table 2: main line recommended setting value database 321
For the item of the recommendation setting, the recommendation setting value is described. For items for which setting is not recommended and is not required, a diagonal line is drawn.
The sub-line recommended setting value database 322 is a database obtained by replacing the setting items and setting values unique to the main line with the setting items and setting values unique to the sub-line. In the present exemplary embodiment, the sub-line recommendation setting value database 322 is a database obtained by replacing the setting items and values of the personal firewall of the main line in table 2 with the setting items and values of the personal firewall of the sub-line. Since the sub-line recommendation setting value database 322 has a similar format to the main line recommendation setting value database 321, illustration of the table is omitted.
In the present exemplary embodiment, the main line recommendation setting value database 321 and the sub line recommendation setting value database 322 store the "true/false" boolean values of the respective setting items. For the setting values of the recommended settings (such as "on", "off", "inhibit" or "eight characters") described in table 2, "true" is stored. For the setting values of the diagonals drawn in table 2, "false" is stored. In the case where the boolean value is true, recommended setting data to be applied, which is described in table 2, is also stored. In the case where collective settings are to be made, for a setting item in which "true" is stored as a boolean value, the security setting control unit 330, which will be described below, changes the settings using the corresponding recommended setting data. In contrast, with respect to the setting item in which "false" is stored as a boolean value, control is performed in such a manner that the current setting value is not changed. The data storage method and the setting control method are merely examples, and are not limited thereto.
In the present exemplary embodiment, a plurality of setting values prepared for setting of the image forming apparatus 101 are stored in the form of the main line recommendation setting value database 321 and the sub line recommendation setting value database 322, but the configuration is not limited thereto. For example, two databases may be collectively stored as one database, and necessary data may be extracted and used in the setting control process.
The category priority order database 323 is a database for determining which recommended setting data, that of the category corresponding to the main line or that of the category corresponding to the sub line, is preferentially applied when setting values of setting items shared by the main line and the sub line are determined. An example of the category priority order database 323 is shown in table 3.
Table 3: category priority order database 323

| Priority order | Category |
| --- | --- |
| 6 | Highly confidential information management environment |
| 5 | Public space environment |
| 4 | Household environment |
| 3 | Internet direct connection environment |
| 2 | Corporate intranet environment |
| 1 | Internet prohibited environment |
In the present exemplary embodiment, the priorities of the respective categories are represented by numerical values, and the category having a large value is regarded as the category to be prioritized. The category priority order database 323 is defined to give higher priority to use environments with stricter security. The storage method of the priority order is not limited thereto. For example, when the priority order is represented by a numerical value, a category having a small value may be regarded as a category to be prioritized. Further, the determination method of the priority is not limited thereto, and the value of the priority of each category may be any value. For example, the total number of setting items storing "true" as boolean values may be calculated from the main line recommendation setting value database 321 and the sub line recommendation setting value database 322, and the calculated values may be used as priorities. Further, after the importance degree is defined for each setting item, each setting item may be weighted, and the weighted total of setting items storing "true" may be calculated and used as priority.
Referring again to fig. 3, the current operation setting data 324 is a setting data group including a combination of setting items and setting values currently applied to the image forming apparatus 101. The security setting control unit 330, which will be described below, rewrites the current operation setting data 324 at the time of the setting change. After that, the security setting control unit 330 restarts the image forming apparatus 101. If the image forming apparatus 101 is restarted, the program reads out new current operation setting data 324, and the image forming apparatus 102 operates with the new setting.
The security setting control unit 330 collectively sets the security functions of the image forming apparatus 101 according to an instruction from the user detected by the operation control unit 310. A specific description of the setting control will be described below. The collective setting according to the present exemplary embodiment is a function capable of collectively setting recommended setting values of typical security functions defined by a vendor. Hereinafter, this function will also be referred to as a security collective setting function. In the present exemplary embodiment, the seven setting items described with reference to table 1 are regarded as setting targets in the security collective setting function. A function is known that applies a security policy defined by an organization to an image forming apparatus and prohibits a change in the setting of a specific security setting item to a setting unsuitable for the policy. This function is qualitatively different from the security collective setting function of the present exemplary embodiment. In other words, even in the case where a user such as an administrator makes collective settings using the security collective setting function, the user can change the setting value of the individual setting item to another setting value again via the individual setting change screen (not shown) according to the actual use situation.
The network User Interface (UI) control unit 340 controls a setting screen to be displayed on an external information processing apparatus such as the PC 113 or the PC 12 via the first wired communication I/F211, the second wired communication I/F212, or the wireless communication I/F213. The user can refer to and change the settings of the image forming apparatus 101 by using the setting screen on the web browser provided by the web UI control unit 340. The network UI control unit 340 may further include a function of importing and exporting the main line recommendation setting value database 321, the sub line recommendation setting value database 322, or the category priority order database 323. If such a function is included, the user can create and edit data files related to the respective databases on the external information processing apparatus. The user may also send the edited database to the image forming apparatus 101 and store the edited data in the data storage unit 320. In the present exemplary embodiment, the network UI control unit 340 may also be omitted.
<Setting screen of image forming apparatus>
A setting screen 400 to be displayed on the operation unit 206 of the image forming apparatus 101 will now be described with reference to fig. 4. In the present exemplary embodiment, the setting screen 400 to be displayed on the operation unit 206 of the image forming apparatus 101 will be described, but the setting screen is not limited thereto. For example, a web page similar to the setting screen 400 may be provided to a web browser of the external information processing apparatus using the web UI control unit 340, and a setting operation may be performed via the web page.
The setting screen 400 is a screen displayed on the operation unit 206 by the operation control unit 310. If the user performs an operation of displaying the setting screen 400 on a menu screen (not shown), the operation control unit 310 detects the operation and displays the setting screen 400. The main line environment list box 401 is an area in which a user selects a use environment of a main line. In the present exemplary embodiment, the above six use environments are displayed as options. In the main line environment list box 401, the user can select one option from among a plurality of options. The sub-line environment list box 402 is an area in which the user selects the use environment of the sub-line, and six use environments are displayed as options similarly to the main line environment list box 401. Also in the sub-line environment list box 402, the user can select one option from among a plurality of options. The user selects the use environment of the main line of the image forming apparatus 101 from among the options in the main line environment list box 401. The user also selects the usage environment of the sub-line of the image forming apparatus 101 from among the options in the sub-line environment list box 402. Then, the user presses the execute button 403. The operation control unit 310 of the image forming apparatus 101 detects a user operation and transmits information indicating a result of the selection made by the user to the security setting control unit 330. The security setting control unit 330 collectively performs settings of security functions suitable for the use environment selected by the user and received from the operation control unit 310. The cancel button 404 is a button for ending the collective setting function. If the cancel button 404 is pressed, a menu screen (not shown) is displayed, and the display of the setting screen 400 is ended.
In the present exemplary embodiment, the following configuration will be described: the user selects the respective usage environments of the main line and the sub line in both the main line environment list box 401 and the sub line environment list box 402, but the configuration is not limited thereto. The execution button 403 on the setting screen 400 may also be made pressable in a state where the use environment is selected in only one of the main line environment list box 401 and the sub line environment list box 402. In the case where the use environment in the main line environment list box 401 is selected, security function settings appropriate for the selected use environment are made for setting items unique to the main line and setting items shared by the main line and the sub line. Alternatively, in the case where the use environment in the sub-line environment list box 402 is selected, security function settings appropriate for the selected use environment are made for setting items unique to the sub-line and setting items shared by the main line and the sub-line. In the case where the use environment is selected in both the main line environment list box 401 and the sub line environment list box 402, a process similar to that in the present exemplary embodiment is performed. With this configuration, at least one of the main line and the sub line can be set collectively.
The setting screen 400 of the present exemplary embodiment has a configuration in which the main line environment list box 401 and the sub line environment list box 402 are displayed on one screen, but the configuration is not limited thereto. For example, two screens corresponding to the main line environment selection screen and the sub-line environment selection screen may be displayed, respectively. Hereinafter, specific examples will be described.
If the user operates to display a setting screen of the collective setting function, the operation control unit 310 detects the operation. Then, the operation control unit 310 displays a main line environment selection screen including a main line environment list box, an execution button, a cancel button, and a skip button on the operation unit 206. If the user selects one option from among options in the main line environment list box and presses the execute button, the operation control unit 310 detects the operation. Then, the operation control unit 310 transmits information indicating the selection result to the security setting control unit 330, and displays a sub-line environment selection screen on the operation unit 206. If the user presses a skip button on the main line environment selection screen, the operation control unit 310 detects the operation and displays a sub line environment selection screen on the operation unit 206. The sub-line environment selection screen is a screen including a sub-line environment list box, an execution button, and a cancel button. If the user selects one option from among the options in the sub-line environment list box and presses the execution button, the operation control unit 310 detects the operation. Then, the operation control unit 310 transmits information indicating the selection result to the security setting control unit 330. If the user presses the cancel button when the main line environment selection screen or the sub line environment selection screen is displayed, the operation control unit 310 detects the operation. Then, the operation control unit 310 displays a menu screen (not shown) on the operation unit 206, and ends the collective setting function. Based on the information indicating the selection result received from the operation control unit 310, the security setting control unit 330 makes collective settings for at least one of the main line and the sub line. 
In this example, the following case has been described: after receiving a setting operation or a setting cancel operation of the main line environment on the main line environment selection screen, the screen transitions from the main line environment selection screen to the sub line environment selection screen. However, the configuration is not limited thereto. For example, a screen configuration may be adopted in which a main line environment is selectable on a setting screen for performing main line operation setting, and a sub line environment is selectable on a setting screen for performing sub line operation setting. In this case, the user can shift the screen from the network setting screen (not shown) to a screen for performing the operation setting of the respective communication I/Fs and associate the environment with the desired communication I/F.
The user also selects a category corresponding to the respective usage environments of the main line and the sub line on the setting screen 400. However, because of the way the categories are classified in the present exemplary embodiment, some combinations of the selected main line category and sub line category are unsuitable. For example, the remote working environment according to the present exemplary embodiment is an environment that is not under strict entry management, whereas the internet direct connection environment is an environment under strict entry management. Such a combination is considered unsuitable because one image forming apparatus cannot exist at both a position not under entry management and a position under entry management. As another example, corporate intranet environments, remote work environments, and public space environments cannot exist in the same location, and thus the three combinations formed by any two of these three environments are considered unsuitable.
A configuration may also be adopted in which display control is performed when the user selects such an unsuitable category combination. More specifically, display control may be performed in which a warning message indicating unsuitable is displayed on the operation unit 206 and the user is prompted to review the selection. Specifically, data of unsuitable combination is stored in the data storage unit 320. If the user selects a category corresponding to each use environment of the main line and the sub line on the setting screen 400, the operation control unit 310 detects the operation. Then, the operation control unit 310 transmits information indicating the selection result to the security setting control unit 330. The security setting control unit 330 determines whether the combination selected by the user is an unsuitable combination based on the received information and the data of the unsuitable combination stored in the data storage unit 320. In the case where the combination is not appropriate, the security setting control unit 330 cooperates with the operation control unit 310 to display a warning message on the operation unit 206.
It is also possible to employ a configuration in which display control is performed in a case where the user selects the use environment of one of the main line and the sub line from among the options in the list box. More specifically, the following display control may be performed: the options in the other list box that would form an unsuitable combination as described above are indicated to the user. Specifically, for each environment, information indicating environments unsuitable as a combination is stored in the data storage unit 320. For example, for a corporate intranet environment, a teleworking environment and a public space environment are stored as unsuitable environments and flags are set thereto. If the user selects the main line use environment, the operation control unit 310 then brings the options of the use environments forming an unsuitable combination with the main line use environment selected by the user into a grayed-out state in the sub-line environment list box 402. Specifically, if the operation control unit 310 detects that one environment has been selected from among the options in the main line environment list box 401, the operation control unit 310 refers to the flags stored in the data storage unit 320 and identifies the environments that are not suitable as a combination with the selected environment. The operation control unit 310 controls the display in such a manner that the identified unsuitable environments are displayed in the grayed-out state in the sub-line environment list box 402. Conversely, in the case where the user selects the sub-line use environment, the operation control unit 310 similarly brings the options of the unsuitable use environments into the grayed-out state in the main line environment list box 401. The specific processing is similar to that performed in the case where the user selects the main line use environment.
In the present exemplary embodiment, the same environment may be selected as both the main line environment and the sub-line environment, but the options may instead be displayed in such a manner that the same environment is not selectable. Specifically, for a specific environment, it is sufficient to store that same environment in the data storage unit 320 as an environment unsuitable as a combination.
The determination method of the category corresponding to the use environment of the image forming apparatus 101 according to the present exemplary embodiment is a method of prompting the user to select an option of the category itself, but the determination method is not limited thereto. For example, a configuration may be adopted in which questions based on category classification conditions are displayed and the user is prompted to select their answers. Hereinafter, an example of questions based on the category classification conditions will be given. First, the operation control unit 310 displays the question "Is this an environment that handles highly confidential information?". Based on the answer to the question, the security setting control unit 330 determines whether the usage environment is a highly confidential information management environment. Subsequently, the operation control unit 310 displays the question "Is this an environment under strict entry management?". If the answer to the question is "yes", the security setting control unit 330 determines that the use environment is a corporate intranet environment, an internet direct connection environment, or an internet prohibition environment. If the answer to the question is "no", the security setting control unit 330 determines that the use environment is a remote work environment or a public space environment. In the case where the answer to the question regarding entry management is "no", the operation control unit 310 displays the question "Is this an environment in which unspecified users share the network?" on the operation unit 206. If the answer to the question is "yes", the security setting control unit 330 determines that the use environment is a public space environment. If the answer to the question is "no", the security setting control unit 330 determines that the use environment is a remote work environment.
In the case where the answer to the question regarding entry management is "yes", the operation control unit 310 displays the question "Is this an environment in which the device is directly connected to the internet?" on the operation unit 206. If the answer to the question is "yes", the security setting control unit 330 determines that the use environment is a corporate intranet environment or an internet direct connection environment. If the answer to the question is "no", the security setting control unit 330 determines that the use environment is an internet prohibition environment. If the answer to the question is "yes", the operation control unit 310 finally displays the question "Is this an environment in which a firewall is installed?" on the operation unit 206. In the case where the answer to the question is "yes", the security setting control unit 330 determines that the use environment is a corporate intranet environment. In the case where the answer to the question is "no", the security setting control unit 330 determines that the use environment is an internet direct connection environment.
In the above description, the category is selected by the user operation, but the configuration is not limited thereto. A configuration may also be adopted in which the CPU 201 of the image forming apparatus 101 performs a process of estimating a category corresponding to the use environment of the image forming apparatus 102, and performs setting based on the estimation result. This configuration will now be described specifically. First, the CPU 201 performs estimation processing using operation setting information about the network, such as an IP address, gateway address, and Dynamic Host Configuration Protocol (DHCP) server address of the image forming apparatus 101. By performing the estimation processing, estimation results of the estimated use environments corresponding to the respective communication I/Fs are obtained. Subsequently, the CPU 201 transmits information indicating the estimation result to the security setting control unit 330. After receiving the information indicating the estimation result, the security setting control unit 330 finally performs setting based on the received estimation result.
<Collective setting process of main line and sub line>
The collective setting process of the main line and the sub line will now be described with reference to fig. 5. The respective operations (steps) shown in the flowchart in fig. 5 are realized by the CPU 201 loading a program for realizing the respective control units stored in the ROM 202 or the HDD 204 onto the RAM 203 and executing the program.
The process shown in fig. 5 is started when the operation control unit 310 detects an operation of selecting the respective use environments of the main line and the sub line by the user and a pressing operation of the execution button 403, and transmits information indicating the selection result to the security setting control unit 330.
In step S501, the security setting control unit 330 determines whether the sub-line is enabled. The state in which the sub-line is enabled refers to a state in which the main line and the sub-line are simultaneously used. The state in which the sub-line is disabled refers to a state in which only one communication I/F is used.
In the case where the sub-line is enabled (yes in step S501), the process proceeds to step S504. In the case where the sub-line is not enabled (no in step S501), the process proceeds to step S502. In the case where the sub-line is not enabled, only the main line is set collectively. Accordingly, in step S502, the security setting control unit 330 reads out recommendation setting data stored in association with the category selected by the user from the main line recommendation setting value database 321 stored in the data storage unit 320. In step S503, recommended setting data is applied to the setting of the main line. Specifically, the recommended setting data is written to the current operation setting data 324. As described above, in the present exemplary embodiment, for the setting item storing "false" as a boolean value, the setting value is not changed, and the setting value of the setting item storing "true" is changed.
In the case of enabling the sub-line, the process of determining the collective setting values of the main line and the sub-line is performed by using the main line recommendation setting value database 321 and the sub-line recommendation setting value database 322. The set value is determined as follows: a category to be prioritized is selected from the main line category and the sub line category that the user has selected, and recommendation setting data of the selected category is preferentially set.
In step S504, the security setting control unit 330 selects a category to be prioritized using the category priority order database 323 stored in the data storage unit 320. Specifically, the security setting control unit 330 determines which of the category selected as the primary line environment and the category selected as the secondary line environment has a higher priority. In the case where the category selected as the primary line environment has a higher priority than the category selected as the secondary line environment (yes in step S504), the processing proceeds to step S505. In the case where the category selected as the sub-line environment has a higher priority than the category selected as the main line environment (no in step S504), the processing proceeds to step S510.
In step S505, the security setting control unit 330 reads out recommendation setting data stored in association with the sub-line category selected by the user from the sub-line recommendation setting value database 322 stored in the data storage unit 320. In step S506, the security setting control unit 330 reads out recommendation setting data stored in association with the main line category selected by the user from the main line recommendation setting value database 321 stored in the data storage unit 320. In step S507 and step S508, the security setting control unit 330 determines recommended setting data to be applied using the set value group associated with the sub-line category read out in step S505 and the set value group associated with the main line category read out in step S506. A specific determination method of the recommendation setting data to be applied will be described below. As described above with reference to table 2, the setting items according to the present exemplary embodiment include the setting items shared by the main line and the sub line, the setting items unique to the main line, and the setting items unique to the sub line. In step S507, the security setting control unit 330 determines recommended setting data to be applied to the setting shared by the main line and the sub line. Specifically, the security setting control unit 330 determines recommended setting data to be applied by overwriting the sub-line recommended setting data (the set of setting values read out in step S505) with the main line recommended setting data (the set of setting values read out in step S506). In overwriting, similar to the above writing of the current operation setting data 324, for a setting item storing "false" as a boolean value, the setting value is not changed, and the setting value of the setting item storing "true" is changed. 
In step S508, the security setting control unit 330 determines recommended setting data to be applied based on the settings unique to the respective lines. Specifically, the security setting control unit 330 extracts a setting item unique to each line and a setting value corresponding to the setting item from the recommended setting data of each line that has been read out in steps S505 and S506, and determines the extracted data as recommended setting data to be applied to the setting unique to each line. Specific examples of the recommendation setting data determined by the processing in the above-described step S505 to step S508 are listed in table 4.
TABLE 4
The determination method of the setting data to be applied is not limited to the overwriting process in step S505 to step S508. For example, the setting data may be determined by extracting setting values of setting items shared by the main line and the sub line from recommended setting data of a category having a higher priority, and extracting setting item setting values unique to the main line and the sub line from recommended setting data of each selected category.
After the security setting control unit 330 determines the setting data to be applied in step S507 and step S508, the process proceeds to step S509. In step S509, the security setting control unit 330 writes the determined setting data to the current operation setting data 324.
In the case where the security setting control unit 330 determines in step S504 that the category selected as the sub-line environment has a higher priority than the category selected as the main line environment (no in step S504), the processing proceeds to step S510. In step S510, the security setting control unit 330 reads out recommendation setting data stored in association with the main line category selected by the user from the main line recommendation setting value database 321 stored in the data storage unit 320. In step S511, the security setting control unit 330 reads out recommendation setting data stored in association with the sub-line category selected by the user from the sub-line recommendation setting value database 322 stored in the data storage unit 320. In step S512 and step S508, the security setting control unit 330 determines recommendation setting information to be applied using the recommendation setting data of each line read out in step S510 and step S511. The process in step S512 is a process in which the main line and the sub line are interchanged in the process in step S507. More specifically, for the setting items shared by the main line and the sub line, the security setting control unit 330 determines recommended setting data to be applied by overwriting the main line recommended setting data read out in step S510 with the sub line recommended setting data read out in step S511. Then, the process proceeds to step S508, and as described above, the security setting control unit 330 determines recommended setting data to be applied based on settings unique to each line. Specifically, the security setting control unit 330 extracts a setting item unique to each line and a setting value corresponding to the setting item from the recommended setting data of each line that has been read out in steps S510 and S511, and determines the extracted data as recommended setting values to be applied to settings unique to each line. 
In step S509, the security setting control unit 330 writes the recommended setting data determined in step S512 and step S508 to the current operation setting data 324.
Finally, in step S513, the security setting control unit 330 restarts the image forming apparatus 101. If the image forming apparatus 101 is restarted, the rewritten current operation setting data 324 is read out by the program, and the program operates with the rewritten new setting. In this way, the applied settings are reflected in the operation of the image forming apparatus 101.
In the present exemplary embodiment, the priority order of the category selected as the primary line environment and the category selected as the secondary line environment is determined based on the category priority order database 323. Then, recommendation setting data of the line associated with the category having the low priority order is overwritten with recommendation setting information of the line associated with the category having the high priority order. By such a configuration, recommended setting data of the line associated with the category having the high priority order can be written preferentially to the current operation setting data 324. For example, in the case where there are an environment in which eight characters are set as the minimum number of characters of the password as one of the setting items and an environment in which ten characters are set as the minimum number of characters of the password, and the priority order of the environment having ten characters is higher than that of the environment having eight characters, by performing the overwriting process of the present exemplary embodiment, the setting data to be applied can be determined as ten characters.
By performing the above-described processing, in the information processing apparatus including the main line and the sub-line, the information processing apparatus can be collectively set by the user selecting the category corresponding to each line.
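The following sketch walks through the decision in steps S501 to S509 as an added example; it is not code from the patent or from Canon. The priorities follow table 3, while the setting item names and the recommended values are constructed for illustration, since table 2 is not reproduced in this section.

```python
# Added illustration of steps S501-S509; item names and values are constructed.

# Table 3: a larger number means the category takes precedence for shared items.
PRIORITY = {
    "highly_confidential": 6, "public_space": 5, "home": 4,
    "internet_direct": 3, "corporate_intranet": 2, "internet_prohibited": 1,
}

SHARED = ("tls", "legacy_protocols", "smb_server", "min_password_len")
NO = (False, None)  # cell with a diagonal line: keep the current value

# Constructed recommendations per category, each entry is (boolean, value):
# (personal firewall, tls, legacy_protocols, smb_server, min_password_len)
_RECS = {
    "highly_confidential": ((True, "on"), (True, "on"), (True, "off"), (True, "off"), (True, 10)),
    "internet_direct":     ((True, "on"), (True, "on"), (True, "off"), (True, "off"), NO),
    "corporate_intranet":  (NO,           (True, "on"), (True, "off"), NO,            (True, 8)),
}


def _db(firewall_item):
    """Build one per-line database: same shared items, line-specific firewall item."""
    return {cat: {firewall_item: r[0], **dict(zip(SHARED, r[1:]))}
            for cat, r in _RECS.items()}


MAIN_DB = _db("main_firewall")  # stands in for database 321
SUB_DB = _db("sub_firewall")    # stands in for database 322


def _overwrite(base, top):
    """Entries of `top` flagged true replace `base`; false entries leave `base` as is."""
    merged = dict(base)
    merged.update({item: rec for item, rec in top.items() if rec[0]})
    return merged


def decide(main_cat, sub_cat=None):
    """Return the recommended setting data to apply as item -> (boolean, value)."""
    main_rec = MAIN_DB[main_cat]
    if sub_cat is None:                          # S501 "no": only the main line (S502)
        return dict(main_rec)
    sub_rec = SUB_DB[sub_cat]

    def shared(rec):
        return {item: rec[item] for item in SHARED}

    if PRIORITY[main_cat] > PRIORITY[sub_cat]:   # S504 "yes": S505-S507
        result = _overwrite(shared(sub_rec), shared(main_rec))
    else:                                        # S504 "no" (ties included): S510-S512
        result = _overwrite(shared(main_rec), shared(sub_rec))
    # S508: items unique to a line always come from that line's own category.
    result["main_firewall"] = main_rec["main_firewall"]
    result["sub_firewall"] = sub_rec["sub_firewall"]
    return result


def write_settings(current, decided):
    """S503/S509: change only items flagged true; the rest keep their current value."""
    new = dict(current)
    new.update({item: value for item, (flag, value) in decided.items() if flag})
    return new


# Constructed current operation settings (stands in for data 324).
CURRENT = {"main_firewall": "off", "sub_firewall": "off", "tls": "off",
           "legacy_protocols": "on", "smb_server": "on", "min_password_len": 4}

if __name__ == "__main__":
    print(write_settings(CURRENT, decide("corporate_intranet", "internet_direct")))
```

Because the overwrite skips items flagged false, a recommendation from the lower-priority category survives whenever the higher-priority category leaves that item untouched; here the eight-character password minimum of the intranet category is still applied when the sub line is the higher-priority internet direct connection category.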
In the present exemplary embodiment, a configuration has been described in which both shared settings and unique settings are collectively set using a recommended setting value database including setting items shared by the main line and the sub line and setting items unique to the main line and the sub line. However, the configuration is not limited thereto. It is also possible to adopt a configuration in which only setting items unique to the main line and the sub line are set collectively, or only setting items shared by the main line and the sub line are set collectively. In the present exemplary embodiment, the number of setting items unique to the main line and the sub line is one, and only the setting concerning the personal firewall is provided, but a plurality of unique setting items may be provided.
In the case where only setting items unique to the main line and the sub line are set collectively, a recommended setting value database including only setting items unique to the main line and the sub line is first stored in the data storage unit 320.
In this case, the category priority order database 323 does not need to be stored. Recommended setting values corresponding to setting items unique to the main line are applied to the setting of the main line, and recommended setting values corresponding to setting items unique to the sub line are applied to the setting of the sub line.
Further, in the first exemplary embodiment, a part of the operation settings described as the operation settings shared by the main line and the sub-line may also be managed as operation settings unique to the respective lines. For example, operation settings regarding the protocol may be provided as setting items unique to the respective lines. More specifically, the settings for communication path encryption, the settings for legacy protocols, and the settings for file sharing functions illustrated in table 2 may be managed as operation settings unique to the respective lines. In this case, when communication using the protocol occurs, the information processing apparatus refers to the unique operation settings set for the respective lines, and performs communication control for the protocol. For example, collective settings will be described for the following case: the in-company intranet type is selected as the category corresponding to the main line and the internet direct connection type is selected as the category corresponding to the sub-line. For ease of explanation, it is assumed that both the SMB server setting unique to the main line and the SMB server setting unique to the sub-line are set to "on" as the current operation settings of the information processing apparatus. With these operation settings, if collective settings are performed with the above-described combination of lines and categories, the SMB server setting unique to the sub-line may be set to "off", while the SMB server setting unique to the main line is kept "on". In this case, the file sharing function can be used as usual in communication performed via the main line, and can be made unavailable in communication performed via the sub-line.
In contrast, in the case where only the setting items shared by the main line and the sub line are set collectively, the recommended setting value database including only the setting items shared by the main line and the sub line is first stored in the data storage unit 320. Then, the category priority order database 323 is used to determine setting data to be applied, and the setting data to be applied is applied to the setting of the information processing apparatus as described above.
<Modification 1>
In the above-described exemplary embodiments, environments using an information processing apparatus (such as an image forming apparatus) are classified into six categories corresponding to a corporate intranet environment, an internet direct connection environment, an internet prohibition environment, a remote work environment, a public space environment, and a highly confidential information management environment. However, the classification is not limited thereto. The categories may be classified by security levels that are classified based on the security policies of the user. Hereinafter, an example of classifying categories by security level will be described. The hardware configuration and the software configuration of the image forming apparatus 101 are similar to those in the first exemplary embodiment, and a description will be omitted.
For example, in the case where no security policy is set, the security level is set to 0. In the case where protection of the administrator's authority is set as the security policy, the security level is set to 1. In the case where restriction of the usage range is set as the security policy, the security level is set to 2. In the case where prevention of personal information leakage is set as the security policy, the security level is set to 3. In this way, the security levels are ranked by security policy. In this modification, a hierarchical security level or a security policy corresponding to the security level is used as the category. The following function is known: a security policy defined by the organization is applied to the image forming apparatus, and specific security setting items are prohibited from being changed to settings that do not conform to the security policy. This modification is an example of applying the present invention to this function. In the first exemplary embodiment, even in the case where the user has made collective settings, a user such as an administrator can later change the setting value of an individual setting item to another setting value via the individual setting change screen (not shown) according to the actual use situation. In this modification, however, such a change cannot be made. The present invention can also be applied to such a configuration. A specific description will be given below.
Similar to the main line recommendation setting value database 321 and the sub line recommendation setting value database 322, a set data group including a combination of a set item of the security function and recommendation setting values of the respective categories is stored in the data storage unit 320. The category priority order database 323 may be omitted by using the numerical value of the security level itself as the priority order.
If the user performs an operation to display a setting screen on the menu screen, the operation control unit 310 detects the operation and displays the setting screen on the operation unit 206. On the setting screen, list boxes are displayed for the main line and the sub line, respectively, each list box including a hierarchical security level or a security policy corresponding to the security level as an option. These list boxes will be referred to as the main line list box and the sub line list box. An execution button similar to the execution button 403 in fig. 4 is also displayed. If the user selects a security level suitable for the main line from among the options in the main line list box, selects a security level suitable for the sub line from among the options in the sub line list box, and presses the execution button, the operation control unit 310 detects the operation. The operation control unit 310 transmits information indicating the result of the selection made by the user to the security setting control unit 330. The security setting control unit 330 collectively performs security function settings appropriate for the security level selected by the user. The collective setting process is similar to the process shown in fig. 5, and therefore the explanation will be omitted.
By using the above-described processing, in an information processing apparatus including a main line and a sub-line, by specifying security levels of security policies based on the respective lines, collective settings appropriate for the security policies can be made for the respective lines.
<Modification 2>
In the first exemplary embodiment, the configuration has been described in which the use environments suitable for the two lines corresponding to the main line and the sub line are selected and set. However, the configuration is not limited thereto.
As described above, the image forming apparatus 101 includes the first wired communication I/F 211, the second wired communication I/F 212, and the wireless communication I/F 213. The present invention can also be applied in the case where three or more of these lines are used simultaneously.
For example, three lines will be referred to as a main line, a sub line 1, and a sub line 2. On the setup screen 400, a main line environment list box, a sub line 1 environment list box, a sub line 2 environment list box, and an execution button are displayed. The options in the list box are similar to those in the first exemplary embodiment. If the user selects a use environment suitable for each line from among the options in the three list boxes and presses the execution button, the operation control unit 310 detects the operation. The operation control unit 310 transmits information indicating the result of the selection made by the user to the security setting control unit 330. The security setting control unit 330 performs security function settings suitable for the selected use environment received from the operation control unit 310.
Similar to the first exemplary embodiment, the data storage unit 320 stores a category priority order database 323 and current operation setting data 324. The data storage unit 320 also stores a main line recommended setting database, a sub-line 1 recommended setting database, and a sub-line 2 recommended setting database.
The processing of the security setting control follows the processing described in the first exemplary embodiment with reference to fig. 5. Specifically, the security setting control unit 330 determines whether the sub-line 1 is enabled or whether the sub-line 2 is enabled. In the case where both the sub-line 1 and the sub-line 2 are disabled, the processing in step S502, step S503, and step S513 is performed. In the case where the sub-line 1 is enabled and the sub-line 2 is disabled, a process similar to that in the first exemplary embodiment is performed. In the case where both the sub-line 1 and the sub-line 2 are enabled, the security setting control unit 330 performs the following processing. The security setting control unit 330 first determines the priority order of three categories selected as the respective environments of the main line, the sub-line 1, and the sub-line 2 by using the category priority order database 323. Then, the security setting control unit 330 overwrites the recommendation setting data of the line related to the category having the lowest priority order with the recommendation setting data of the line related to the category having the second lowest priority order. Subsequently, the security setting control unit 330 determines setting data to be applied by overwriting the overwritten data with recommended setting data of the line associated with the category having the highest priority order. Finally, the security setting control unit 330 writes the determined setting data to the current operation setting data 324, and restarts the image forming apparatus 101.
By employing the above-described processing, recommended setting values suitable for the environments of the respective three lines can also be set in the case where the image forming apparatus 101 uses three lines simultaneously. Four or more lines can also be handled by performing similar processing.
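The overwrite order described for three lines generalizes to any number of enabled lines: apply the recommendations from the lowest-priority category upward, so that the highest-priority category writes last. The following Python sketch is an added illustration, not code from the patent. The priority numbers, the recommended values, and the rule that a missing recommendation leaves an item unchanged are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed stand-in for the category priority order database 323
# (higher number = higher priority); the real order is not given here.
CATEGORY_PRIORITY = {
    "internet_prohibited": 1,
    "corporate_intranet": 2,
    "remote_work": 3,
    "internet_direct": 4,
    "public_space": 5,
    "highly_confidential": 6,
}

# Constructed recommended values for setting items shared by all lines.
# None means the category makes no recommendation for that item.
RECOMMENDED = {
    "corporate_intranet": {"password_min_length": 8, "tls": "on",
                           "smb_server": None, "external_storage": None},
    "internet_direct": {"password_min_length": 10, "tls": "on",
                        "smb_server": "off", "external_storage": None},
    "public_space": {"password_min_length": None, "tls": "on",
                     "smb_server": "off", "external_storage": "off"},
}


@dataclass(frozen=True)
class Line:
    name: str            # e.g. "main", "sub1", "sub2"
    category: str        # use environment selected for this line
    enabled: bool = True


def resolve_shared_settings(lines, current):
    """Return (settings_to_apply, line_that_decided_each_item)."""
    active = [line for line in lines if line.enabled]
    if not active:
        raise ValueError("at least one line must be enabled")
    for line in active:
        if (line.category not in CATEGORY_PRIORITY
                or line.category not in RECOMMENDED):
            raise ValueError(
                f"unknown category for {line.name}: {line.category}")

    # Lowest priority first, so each higher-priority line overwrites
    # what the lower-priority lines wrote before it.
    ordered = sorted(active, key=lambda l: CATEGORY_PRIORITY[l.category])

    result = dict(current)   # leave the caller's current settings untouched
    source = {}              # audit trail: which line decided each item
    for line in ordered:
        for item, value in RECOMMENDED[line.category].items():
            if value is None:
                # Assumption: no recommendation leaves the item as it is.
                continue
            result[item] = value
            source[item] = line.name
    return result, source


if __name__ == "__main__":
    current = {"password_min_length": 6, "tls": "off",
               "smb_server": "on", "external_storage": "on"}
    lines = [Line("main", "corporate_intranet"),
             Line("sub1", "internet_direct"),
             Line("sub2", "public_space")]
    applied, source = resolve_shared_settings(lines, current)
    for item in applied:
        print(item, applied[item], "decided by", source.get(item, "unchanged"))
```

The `source` mapping lets an administrator review which line's environment decided each shared setting before the values are written and the apparatus is restarted.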
In the first exemplary embodiment, for the setting items shared by the main line and the sub line, the recommended setting data to be applied is automatically determined based on the priorities of the main line environment and the sub line environment, but the user cannot manually set the recommended setting data to be applied.
In the second exemplary embodiment, for the setting items shared by the main line and the sub line, at the time of initial installation, it is made possible to select which of the main line recommendation setting data and the sub line recommendation setting data is to be set using the operation unit. The user sets main line recommendation setting data or sub line recommendation setting data.
A setting screen 600 to be displayed on the operation unit 206 of the image forming apparatus 101 will be described with reference to fig. 6. In the present exemplary embodiment, the setting screen 600 to be displayed on the operation unit 206 of the image forming apparatus 101 will be described, but the setting screen is not limited thereto. For example, a web page similar to the setting screen 600 may be provided to a web browser of an external information processing apparatus using the web UI control unit 340, and a setting operation may be performed via the web page.
The setting screen 600 is a screen to be displayed on the operation unit 206 by the operation control unit 310. If the user performs an operation to display the setting screen 600 on a menu screen (not shown), the operation control unit 310 detects the operation and displays the setting screen. The main line button 601 is an area for the user to select the main line as the priority line. The sub-line button 602 is an area for the user to select the sub-line as the priority line. The auto button 603 is an area for having the line to be prioritized among the main line and the sub line determined automatically, as in the first exemplary embodiment. The user then presses the execution button 604. The operation control unit 310 of the image forming apparatus 101 detects the operation performed by the user, and transmits information indicating the result of the selection made by the user to the security setting control unit 330. The security setting control unit 330 reflects the setting selected by the user and received from the operation control unit 310 in operation. The cancel button 605 is a button for ending the operation without reflecting the setting. If the cancel button 605 is pressed, a menu screen (not shown) is displayed, and the display of the setting screen 600 ends.
The collective setting process of the main line and the sub line will now be described with reference to fig. 7. The respective operations (steps) shown in the flowchart in fig. 7 are realized by the CPU 201 loading a program for realizing the respective control units stored in the ROM 202 or the HDD 204 onto the RAM 203 and executing the program.
The process shown in fig. 7 is started when the operation control unit 310 detects an operation of selecting the respective use environments of the main line and the sub line by the user on the setting screen 600 and a pressing operation of the execution button 403, and transmits information indicating the selection result to the security setting control unit 330.
The processing in step S501 to step S513 is similar to that in fig. 5. In step S701, the security setting control unit 330 determines whether the main line has been set as the priority environment setting on the setting screen 600 in fig. 6. In the case where the main line has been set as the priority environment setting (yes in step S701), the process proceeds to step S505. In the case where the main line is not set to the priority environment setting (no in step S701), the process proceeds to step S702. In step S702, the security setting control unit 330 determines whether the sub-line has been set as the priority environment setting on the setting screen 600 in fig. 6. In the case where the sub-line has been set to the priority environment setting (yes in step S702), the process proceeds to step S510. In the case where the sub-line is not set to the priority environment setting (no in step S702), the process proceeds to step S504. The processing in step S504 and subsequent steps is similar to that in fig. 5.
With the above-described configuration, the user can manually select recommended setting data to be applied for the setting items shared by the main line and the sub line.
In the first exemplary embodiment, for the setting items shared by the main line and the sub line, recommended setting data to be applied is automatically determined based on the priorities of the main line environment and the sub line environment. In the first exemplary embodiment, when the state in which only the main line is enabled is later changed to the state in which the sub line is also enabled, a setting value of the main line that is not desired to be changed is also changed in some cases. This may prevent communication via the main line.
In the third exemplary embodiment, when only the main line is set at the time of initial installation and the sub line is set later, only the setting unique to the sub line is made, and the setting shared by the main line and the sub line is not made, so as to avoid affecting communication via the main line.
The collective setting process of the main line and the sub line will be described with reference to fig. 8. The respective operations (steps) shown in the flowchart in fig. 8 are realized by the CPU 201 loading a program for realizing the respective control units stored in the ROM 202 or the HDD 204 onto the RAM 203 and executing the program.
The process shown in fig. 8 is started when the operation control unit 310 detects an operation of selecting the respective use environments of the main line and the sub line by the user on the setting screen 400 and a pressing operation of the execution button 403, and transmits information indicating the selection result to the security setting control unit 330.
The processing in step S501 to step S503 is similar to that in fig. 5. In step S801, the security setting control unit 330 sets a main line setting flag. In step S802, the security setting control unit 330 determines whether the main line setting flag is set. If the main line setting flag is set (yes in step S802), the process advances to step S803. If the main line setting flag is not set (no in step S802), the process advances to step S504. In step S803, the security setting control unit 330 determines recommended setting data to be applied based on the setting unique to the sub-line, and the process proceeds to step S509. The specific process in step S803 is similar to the determination method of the recommended setting data of the setting unique to the sub-line in step S508. The processing in step S505 to step S513 is similar to that in fig. 5.
With the above configuration, when the state in which only the main line is enabled is changed to the state in which the sub line is also enabled later, only the setting unique to the sub line can be changed to the setting suitable for the environment without changing the setting value of the main line which is not desired to be changed.
In the first exemplary embodiment, for the setting items shared by the main line and the sub line, recommended setting data to be applied is automatically determined based on the priorities of the main line environment and the sub line environment, but recommended setting data to be applied cannot be determined for the respective setting items.
In the fourth exemplary embodiment, as the method for determining the setting values of the setting items shared by the main line and the sub line, the priority order of the environments is determined for the respective setting items, and the setting value of the environment having the higher priority order is set. For example, for TLS settings, the priority order is determined in order of a highly confidential information management environment, a public space environment, a remote work environment, an internet direct connection environment, a corporate intranet environment, and an internet prohibition environment. In contrast, for the WINS setting, the priority order is determined in order of the highly confidential information management environment, the internet direct connection environment, the public space environment, the internet prohibition environment, the remote work environment, and the corporate intranet environment.
The collective setting process of the main line and the sub line will be described with reference to fig. 9. The respective operations (steps) shown in the flowchart in fig. 9 are realized by the CPU 201 loading a program for realizing the respective control units stored in the ROM 202 or the HDD 204 onto the RAM 203 and executing the program.
The process shown in fig. 9 is started when the operation control unit 310 detects an operation of selecting the respective use environments of the main line and the sub line by the user on the setting screen 400 and a pressing operation of the execution button 403, and transmits information indicating the selection result to the security setting control unit 330.
The processing in step S501 to step S503 and the processing in step S505 to step S506 are similar to the processing shown in fig. 5. The processing in step S504, step S507, and step S510 to step S512 is not performed. In step S901, for the setting items shared by the main line and the sub line, the security setting control unit 330 determines the setting values of the environments with higher priority predefined for the respective setting items as recommended setting data to be applied. Then, the process proceeds to step S508.
For example, in the present exemplary embodiment, it is assumed that the corporate intranet environment is selected as the main line environment, and the internet prohibition environment is selected as the sub-line environment. In this case, the corporate intranet environment is prioritized in the TLS setting and the internet prohibited environment is prioritized in the WINS setting according to the above-described priority order of the TLS setting and the WINS setting. The recommended setting values of the respective environments are similar to those in the first exemplary embodiment, and the values in table 2 are used. Thus, the TLS setting is set to "on" while the setting value of the WINS setting is not changed. Only a part of the setting items are described, but the setting values of the respective setting items are determined by a similar method.
With the above configuration, the setting of the environment having a higher priority can be applied for each setting item.
In the first exemplary embodiment, for the setting items shared by the main line and the sub line, recommended setting data to be applied is automatically determined based on the priorities of the main line environment and the sub line environment, but recommended setting data to be applied cannot be determined for the respective setting items. Therefore, in the fourth exemplary embodiment, the priority order of the environments is determined for each setting item, and the recommended setting data of the environments having the higher priority order is applied.
In the fifth exemplary embodiment, as the method for determining the setting values of the setting items shared by the main line and the sub line, the priority order of the setting values is determined for the respective setting items, and the setting value having the higher priority order is set. For example, for TLS setting, "on" takes precedence, and for SMB server setting, "off" takes precedence.
Collective setting processing of the main line and the sub line will be described with reference to fig. 10. The respective operations (steps) shown in the flowchart in fig. 10 are realized by the CPU 201 loading a program for realizing the respective control units stored in the ROM 202 or the HDD 204 onto the RAM 203 and executing the program.
The process shown in fig. 10 is started when the operation control unit 310 detects an operation of selecting the respective use environments of the main line and the sub line by the user on the setting screen 400 and a pressing operation of the execution button 403, and transmits information indicating the selection result to the security setting control unit 330.
The processing in step S501 to step S503 and the processing in step S505 to step S506 are similar to the processing shown in fig. 5. The processing in step S504, step S507, and step S510 to step S512 is not performed. In step S1001, for the setting items shared by the main line and the sub line, the security setting control unit 330 determines the setting values with higher priority predefined for the respective setting items as recommended setting data to be applied. Then, the process proceeds to step S508.
For example, in the present exemplary embodiment, it is assumed that the corporate intranet environment is selected as the main line environment, and the internet direct connection environment is selected as the sub-line environment. The recommended setting values of the respective environments are similar to those in the first exemplary embodiment, and the values in table 2 are used. In this case, since the recommended setting value set for TLS is "on" in both the corporate intranet environment and the internet direct connection environment, "on" is determined as the setting value to be applied. For the SMB server setting, the recommended setting value in the corporate intranet environment is not set, and the recommended setting value in the internet direct connection environment is "off". Since "off" takes precedence in the above-described priority order, "off" is determined as the setting value to be applied to the SMB server setting. Only a part of the setting items are described, but the setting values of the respective setting items are determined by a similar method.
With the above configuration, a setting value having a higher priority can be applied for each setting item.
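The fourth and fifth exemplary embodiments resolve shared items differently: one picks the winning environment per item, the other picks the winning value per item. The Python sketch below is an added illustration, not code from the patent, and runs both rules on the two cases walked through above. The environment orders for TLS and WINS and the value priorities for TLS and the SMB server are taken from the description. Recommended values marked "constructed" and the fallback when no line recommends the preferred value are assumptions.

```python
# Fourth embodiment: environment priority per setting item, highest first
# (orders as listed in the description for the TLS and WINS settings).
ENV_PRIORITY_PER_ITEM = {
    "tls": ["highly_confidential", "public_space", "remote_work",
            "internet_direct", "corporate_intranet", "internet_prohibited"],
    "wins": ["highly_confidential", "internet_direct", "public_space",
             "internet_prohibited", "remote_work", "corporate_intranet"],
}

# Fifth embodiment: the value that takes precedence per setting item.
VALUE_PRIORITY_PER_ITEM = {"tls": "on", "smb_server": "off"}

# Recommended values per environment; None = no recommendation.
# Entries marked "constructed" are placeholders, not values from table 2.
RECOMMENDED = {
    "corporate_intranet": {"tls": "on",
                           "wins": "off",        # constructed
                           "smb_server": None},
    "internet_direct": {"tls": "on",
                        "wins": "off",           # constructed
                        "smb_server": "off"},
    "internet_prohibited": {"tls": None,         # constructed
                            "wins": None,
                            "smb_server": None},  # constructed
}


def _recommended(env, item):
    if env not in RECOMMENDED:
        raise ValueError(f"unknown environment: {env}")
    return RECOMMENDED[env].get(item)


def resolve_by_environment_priority(main_env, sub_env, current):
    """Fourth embodiment: per item, take the value of the environment
    that ranks higher in that item's own priority order."""
    result = dict(current)
    for item, order in ENV_PRIORITY_PER_ITEM.items():
        # list.index raises ValueError for an environment not in the order
        winner = min((main_env, sub_env), key=order.index)
        value = _recommended(winner, item)
        if value is not None:    # no recommendation: item is not changed
            result[item] = value
    return result


def resolve_by_value_priority(main_env, sub_env, current):
    """Fifth embodiment: per item, the preferred value wins if either
    line's environment recommends it."""
    result = dict(current)
    for item, preferred in VALUE_PRIORITY_PER_ITEM.items():
        candidates = [v for v in (_recommended(main_env, item),
                                  _recommended(sub_env, item))
                      if v is not None]
        if not candidates:
            continue             # neither environment has a recommendation
        # Assumption: if no line recommends the preferred value, the
        # first available recommendation is applied.
        result[item] = preferred if preferred in candidates else candidates[0]
    return result


def changed_items(before, after):
    """Items whose value differs, as {item: (old, new)}, for review."""
    return {k: (before.get(k), v) for k, v in after.items()
            if before.get(k) != v}


if __name__ == "__main__":
    current = {"tls": "off", "wins": "on", "smb_server": "on"}
    r4 = resolve_by_environment_priority(
        "corporate_intranet", "internet_prohibited", current)
    r5 = resolve_by_value_priority(
        "corporate_intranet", "internet_direct", current)
    print("fourth embodiment changes:", changed_items(current, r4))
    print("fifth embodiment changes:", changed_items(current, r5))
```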
The exemplary embodiments of the present invention can also be realized by a process in which a program for realizing one or more functions of each of the above-described exemplary embodiments is provided to a system or an apparatus via a network or a storage medium, and one or more processors in a computer of the system or the apparatus read and execute the program. Furthermore, exemplary embodiments of the invention may also be implemented by circuitry (e.g., an Application Specific Integrated Circuit (ASIC) or a Field Programmable Gate Array (FPGA)) for implementing one or more functions.
According to the information processing apparatus of the exemplary embodiment of the present invention, in the information processing apparatus including a plurality of communication interfaces, settings appropriate for use environments corresponding to the communication interfaces can be collectively made.
Other embodiments
Embodiments of the present invention may also be implemented by a computer of a system or apparatus that reads out and executes computer-executable instructions (e.g., one or more programs) recorded on a storage medium (which may also be more fully referred to as a "non-transitory computer-readable storage medium") to perform the functions of one or more of the above-described embodiments, and/or that includes one or more circuits (e.g., Application Specific Integrated Circuits (ASICs)) for performing the functions of one or more of the above-described embodiments, and may be implemented with a method of performing the functions of one or more of the above-described embodiments by, for example, reading out and executing the computer-executable instructions from the storage medium by the computer of the system or apparatus. The computer may include one or more processors (e.g., a Central Processing Unit (CPU), Micro Processing Unit (MPU)), and may include a separate computer or a network of separate processors to read out and execute the computer-executable instructions. The computer-executable instructions may be provided to the computer, for example, from a network or the storage medium. The storage medium may include, for example, one or more of a hard disk, Random Access Memory (RAM), Read Only Memory (ROM), memory of a distributed computing system, an optical disk (such as a Compact Disc (CD), Digital Versatile Disc (DVD), or Blu-ray Disc (BD)™), a flash memory device, a memory card, and the like.
The embodiments of the present invention can also be realized by a method in which software (a program) that performs the functions of the above embodiments is supplied to a system or apparatus through a network or various storage media, and a computer, a Central Processing Unit (CPU), a Micro Processing Unit (MPU), or the like of the system or apparatus reads out and executes the program.
While the invention has been described with reference to exemplary embodiments, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. The scope of the following claims is to be accorded the broadest interpretation so as to encompass all such modifications and equivalent structures and functions.

Claims (15)

1. An information processing apparatus including a first communication interface and a second communication interface, the information processing apparatus comprising:
a storage unit configured to store a plurality of setting values prepared for setting the information processing apparatus;
a first receiving unit configured to receive, from a user, a selection of one item among a plurality of items associated with a plurality of usage environments as a usage environment corresponding to the first communication interface;
a second receiving unit configured to receive, from a user, a selection of one item among a plurality of items associated with the plurality of usage environments as a usage environment corresponding to the second communication interface; and
a setting unit configured to set the information processing apparatus based on a first set of setting values that are included in the plurality of setting values stored in the storage unit and correspond to a use environment associated with the item selected by the first receiving unit, and a second set of setting values that are included in the plurality of setting values stored in the storage unit and correspond to a use environment associated with the item selected by the second receiving unit.
2. The information processing apparatus according to claim 1, the information processing apparatus further comprising:
a display control unit configured to perform display control of one item selected by the second receiving unit from among partial items of the plurality of items based on one item selected by the first receiving unit from among the plurality of items.
3. The information processing apparatus according to claim 2, wherein the display control unit displays an item excluding the partial item among the plurality of items in a grayed-out state.
4. The information processing apparatus according to claim 1, wherein the setting unit sets setting items that refer to common setting values in processing using the first communication interface and the second communication interface, based on at least one of the first setting value group and the second setting value group.
5. The information processing apparatus according to claim 4,
wherein the storage unit further stores information indicating priorities of the plurality of usage environments, and
wherein the setting unit sets the setting item with reference to the common setting value in the process of using the first communication interface and the second communication interface, based on the set value group corresponding to the use environment having the higher priority among the two use environments associated with the items selected by the first receiving unit and the second receiving unit.
6. The information processing apparatus according to claim 4, the information processing apparatus further comprising:
a third receiving unit configured to receive a selection of a communication interface to be prioritized among the first communication interface and the second communication interface from a user,
wherein the setting unit sets, based on a set value group corresponding to a use environment corresponding to the communication interface selected by the third receiving unit, a set item referring to a common set value in a process of using the first communication interface and the second communication interface.
7. The information processing apparatus according to claim 4, wherein in the case where the first set value group is set based on the selection made by the first receiving unit, the setting unit sets setting items that refer to common set values in the process using the first communication interface and the second communication interface, based on the second set value group.
8. The information processing apparatus according to claim 4,
wherein the storage unit further stores, for each of the setting items that refer to common setting values in processing using the first communication interface and the second communication interface, a setting value to be prioritized, and
wherein the setting unit sets the setting items that refer to common setting values in processing using the first communication interface and the second communication interface, based on the first setting value group, the second setting value group, and the setting values to be prioritized for the respective setting items.
9. The information processing apparatus according to claim 4, wherein setting items referring to a common setting value in processing using the first communication interface and the second communication interface are: setting items regarding at least one of encryption of a communication path, legacy protocols, authentication security, physical attack countermeasures, file sharing functions, and external storage devices.
10. The information processing apparatus according to claim 1,
wherein the setting unit sets the filtering condition with respect to the first communication interface in the following manner: allowing communication from a first address range corresponding to a subnet of a network to which the first communication interface belongs, and rejecting communication from an address range falling outside the first address range, and
wherein the setting unit sets the filtering condition with respect to the second communication interface in the following manner: communication from a second address range corresponding to a subnet of the network to which the second communication interface belongs is allowed, and communication from an address range falling outside the second address range is rejected.
11. The information processing apparatus according to claim 1, wherein the first receiving unit and the second receiving unit individually receive a selection on one screen.
12. The information processing apparatus according to claim 1,
wherein the first receiving unit receives the selection on a first screen, and
wherein the second receiving unit receives the selection on a second screen.
13. The information processing apparatus according to claim 1, wherein the information processing apparatus is a printing apparatus.
14. A control method of an information processing apparatus that includes a first communication interface and a second communication interface, and that includes a storage unit configured to store a plurality of setting values prepared for setting the information processing apparatus, the control method comprising:
a first receiving step of receiving, from a user, a selection of one item among a plurality of items associated with a plurality of usage environments as a usage environment corresponding to the first communication interface;
a second receiving step of receiving, from a user, a selection of one item among a plurality of items associated with the plurality of usage environments as a usage environment corresponding to the second communication interface; and
setting the information processing apparatus based on a first set of setting values that are included in the plurality of setting values stored in the storage unit and that correspond to the usage environment associated with the item selected in the first receiving step, and a second set of setting values that are included in the plurality of setting values stored in the storage unit and that correspond to the usage environment associated with the item selected in the second receiving step.
15. A storage medium storing a computer program for executing a control method of an information processing apparatus including a first communication interface and a second communication interface, and including a storage unit configured to store a plurality of setting values prepared for setting the information processing apparatus, the control method comprising:
a first receiving step of receiving, from a user, a selection of one item among a plurality of items associated with a plurality of usage environments as a usage environment corresponding to the first communication interface;
a second receiving step of receiving, from a user, a selection of one item among a plurality of items associated with the plurality of usage environments as a usage environment corresponding to the second communication interface; and
setting the information processing apparatus based on a first set of setting values that are included in the plurality of setting values stored in the storage unit and that correspond to the usage environment associated with the item selected in the first receiving step, and a second set of setting values that are included in the plurality of setting values stored in the storage unit and that correspond to the usage environment associated with the item selected in the second receiving step.
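The following is an added illustration of claims 5 and 10, not code from the patent or from the applicant: it resolves the setting items shared by both interfaces from the higher-priority usage environment and builds a per-interface filter that allows only the interface's own subnet. The environment names, setting item names, priority values and addresses are assumptions constructed for the example.

```python
import ipaddress

# Constructed setting value groups, keyed by usage environment (names are hypothetical).
SETTING_GROUPS = {
    "intranet": {"tls_required": False, "legacy_protocols": True, "file_sharing": True},
    "public_space": {"tls_required": True, "legacy_protocols": False, "file_sharing": False},
}
# Stored priorities of the usage environments (claim 5); larger wins. Assumed values.
PRIORITY = {"intranet": 1, "public_space": 2}


def resolve_common(env_first, env_second):
    """Take the common setting values from the higher-priority environment."""
    winner = max((env_first, env_second), key=lambda env: PRIORITY[env])
    return winner, dict(SETTING_GROUPS[winner])


def subnet_filter(interface_cidr):
    """Claim-10 style filter: allow the interface's own subnet, reject everything else."""
    network = ipaddress.ip_interface(interface_cidr).network

    def allowed(source_ip):
        return ipaddress.ip_address(source_ip) in network

    return network, allowed


def configure(first, second):
    """first/second: (interface address in CIDR form, selected usage environment)."""
    for _, env in (first, second):
        if env not in SETTING_GROUPS:
            raise ValueError(f"unknown usage environment: {env}")
    winner, common = resolve_common(first[1], second[1])
    filters = {name: subnet_filter(cidr)
               for name, (cidr, _) in (("first", first), ("second", second))}
    return {"common_from": winner, "common": common, "filters": filters}


if __name__ == "__main__":
    # Constructed sample: wired interface on an intranet, second interface in a public space.
    cfg = configure(("192.168.10.5/24", "intranet"), ("10.20.0.8/16", "public_space"))
    print("common settings from:", cfg["common_from"], cfg["common"])
    for name, (network, allowed) in cfg["filters"].items():
        for src in ("192.168.10.77", "10.20.3.4", "203.0.113.9"):
            print(name, network, src, "allow" if allowed(src) else "reject")
```

Because the shared items follow the higher-priority environment, selecting a permissive environment on one interface does not relax device-wide settings such as legacy protocol support when the other interface is assigned a stricter one.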
CN202310025745.2A 2022-01-14 2023-01-09 Information processing apparatus, control method for information processing apparatus, and storage medium Pending CN116455751A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2022-004123 2022-01-14
JP2022-163765 2022-10-12
JP2022163765A JP2023103955A (en) 2022-01-14 2022-10-12 Information processing apparatus, method for controlling information processing apparatus, and program

Publications (1)

Publication Number Publication Date
CN116455751A true CN116455751A (en) 2023-07-18

Family

ID=87124468

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310025745.2A Pending CN116455751A (en) 2022-01-14 2023-01-09 Information processing apparatus, control method for information processing apparatus, and storage medium

Country Status (1)

Country Link
CN (1) CN116455751A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination