JP7215274B2 - Information processing device, control method for information processing device, and program - Google Patents

Description

The present disclosure relates to an information processing device that performs password-based authentication, a control method for the information processing device, and a program.

For example, the device disclosed in Patent Document 1 performs password authentication with a communication terminal connected to a network. If a password has not been set, the device restricts use of the device and displays a password setting screen on the communication terminal to request setting of the password.

Japanese Patent Application Laid-Open No. 2004-310372

By the way, an initial password may be set by a vendor in an information processing device such as the device described above that performs password authentication. In this case, the user who purchased the information processing device changes the password to any password as necessary.

On the other hand, if the information processing apparatus is used as it is without changing the initial password, there is a possibility that a malicious user may perform unauthorized access using the initial password depending on the network environment or the like. Therefore, security measures should be taken when initial passwords are used.

The present application has been proposed in view of the above problems, and an object of the present invention is to provide an information processing device, a control method for the information processing device, and a program that can improve security in an information processing device that performs password authentication. and

An information processing apparatus according to the present application includes a communication unit that communicates with an external device, and a control unit, and the control unit detects an access from the external device via the communication unit. a first reception process for receiving identification information from the external device via the communication unit; a second reception process for receiving a password from the external device via the communication unit; 1 determination processing, a second determination processing of determining whether the password is an initial password, and access from a plurality of the external devices via the communication unit based on the identification information stored in the storage unit. a third judgment process for judging whether or not there is a third judgment process; the first judgment process judges that the authentication by the password is successful; the second judgment process judges that the password is the initial password; 3) security processing for increasing the security level from the current security level when it is determined that there is access from a plurality of external devices via the communication unit in determination processing 3;
Further, the contents disclosed in the present application can be implemented not only as an information processing apparatus, but also as a control method for controlling the information processing apparatus and a program executed by a computer for controlling the information processing apparatus.

According to the information processing apparatus and the like according to the present application, when the password authentication is successful, the password is the initial password, and there is access from a plurality of external devices via the communication unit, the security level be raised from the current level. Therefore, when a plurality of external devices with different identification information are accessed using the initial password, it is possible to take security measures and raise the security level.

1 is a diagram showing the configuration of a network connecting printers according to the present embodiment; FIG. 1 is a block diagram of a printer according to this embodiment; FIG. It is a figure which shows the content of access source log|history. FIG. 10 is a diagram showing the contents of an access source history after updating; It is a figure which shows the content of a warning display. 4 is a flow chart showing the contents of access control; 4 is a flow chart showing the contents of access control; FIG. 4 is a sequence diagram showing access of a PC to a printer; FIG. 4 is a sequence diagram showing access of a PC to a printer; 4 is a flowchart showing details of warning cancellation control; 4 is a flow chart showing the contents of processing at startup. FIG. 10 is a diagram showing a configuration of a network connecting printers of another example; FIG. 10 is a diagram showing a configuration of a network connecting printers of another example;

A printer 10, which is an embodiment of the information processing apparatus of the present application, will be described below with reference to the drawings. First, the configuration of the network connecting the printer 10 will be described. FIG. 1 shows the configuration of a network connecting printers 10 .

(1. Network configuration)
As shown in FIG. 1, the printer 10 of this embodiment is connected to a first network NW1. The first network NW1 is, for example, a LAN (Local Area Network). The printer 10 communicates with external devices through the first network NW1. The printer 10 communicates with an external device in accordance with, for example, the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol. The external devices are, for example, PCs 11 and 13, a router 15, and external PCs 17 and 19, which can communicate with the printer 10 through a first network NW1 and a second network NW2 described later, as shown in FIG.

In addition to the printer 10, PCs 11 and 13 and a router 15 are connected to the first network NW1. The PCs 11 and 13 are personal computers, for example, terminals that can be used by users using the first network NW1. The PCs 11 and 13 execute instructions such as printing to the printer 10 based on the user's operation.

The router 15 is connected to the second network NW2 in addition to the first network NW1. The second network NW2 is, for example, the Internet. The router 15 is connected between two different networks, the first network NW1 and the second network NW2, and relays data transmitted and received between the two networks.

The router 15 has a plurality of communication interfaces connected to the first network NW1 and the second network NW2. A communication interface of the router 15 connected to the first network NW1 is assigned a private IP1, which is an IPv4 private IP (Internet Protocol) address, for example. Similarly, the printer 10 and the PCs 11 and 13 are assigned private IP2, private IP3 and private IP4 in this order.

In addition to the router 15, external PCs 17 and 19 are connected to the second network NW2. A communication interface of the router 15 connected to the second network NW2 is assigned, for example, a global IP5, which is an IPv4 global IP address. Similarly, global IP6 and global IP7 are assigned to the external PCs 17 and 19 in this order. The router 15 can communicate with external PCs 17 and 19 via the second network NW2.

The PCs 11 and 13 are capable of communicating with external devices (external PC 17, web server, etc.) connected to the second network NW2 via the router 15. FIG. The router 15 uses network address translation technology such as NAPT (Network Address and Port Translation) to share one global IP 5 with the printer 10 and the PCs 11 and 13 connected to the first network NW 1 to relay data. Execute. As a result, the printer 10 and the PCs 11 and 13 can communicate with external devices connected to the second network NW2 by one global IP5.

(2. Printer configuration)
Next, the configuration of the printer 10 will be described with reference to FIG. FIG. 2 shows the configuration of the printer 10. As shown in FIG. The printer 10 of this embodiment is, for example, a multi-function machine having a print function, a copy function, a scanner function, and a FAX function.

As shown in FIG. 2, the printer 10 includes a CPU 21, a RAM 23, a memory 25, a printing section 26, an image reading section 27, a FAX communication section 28, a user interface 29, a network interface 31, and the like. These CPUs 21 and the like are connected to each other via a bus 33 so that they can communicate with each other. The printer 10 also includes a power supply 35 that supplies power from a commercial power supply. The power supply 35 includes a power cord and a power supply circuit (bridge diode, smoothing circuit, etc.), generates DC power from a commercial power supply, and supplies power to each part of the printer 10 through a power line.

The memory 25 (an example of the storage section of the present application) is, for example, a non-volatile memory such as NVRAM. Note that the storage unit of the present application is not limited to NVRAM, and may be a volatile RAM, ROM, HDD, an external storage device (such as a USB memory) connected to the printer 10, or a storage unit combining them. Also, the storage unit of the present application may be a file server connected via the network interface 31 . Also, the storage unit may be a computer-readable storage medium. A computer-readable storage medium is a non-transitory medium. In addition to the above examples, non-transitory media include recording media such as CD-ROMs and DVD-ROMs. A non-transitory medium is also a tangible medium. On the other hand, an electrical signal that carries a program downloaded from a server on the Internet is a computer-readable signal medium, which is a kind of computer-readable medium, but is a non-transitory computer-readable storage. Not included in media.

The memory 25 stores various programs such as the control program 41 . The control program 41 is, for example, a program that comprehensively controls each part of the printer 10 . The CPU 21 executes the control program 41 and temporarily stores the results of the executed processing in the RAM 23 while controlling each unit connected by the bus 33 . In the following description, the printer 10 that executes the control program 41 and the like by the CPU 21 may be simply referred to as a device name. For example, the description “the printer 10 detects access to the network interface 31 from an external device” means that “the printer 10 executes the control program 41 with the CPU 21 to control the network interface 31 to detect access from the external device to the network interface 31”. 31 is detected".

Also, the printer 10 of the present embodiment can be accessed by using a password from an external device and logged in by performing login authentication. For example, the control program 41 in the memory 25 includes an EWS (Embedded Web Server) program that functions as a Web server. The CPU 21 causes the printer 10 to function as a web server by executing the EWS program. The user can log in to the Web server by operating the PC 11 to access the Web server of the printer 10 and entering a password on the Web page. The printer 10 accepts, for example, password change, editing of the telephone directory 45 (to be described later), and administrator information change on the Web page after login. It should be noted that the method of accepting password authentication and operations after login is not limited to the Web server. For example, the printer 10 may perform password authentication or the like by sending and receiving commands using a command prompt.

An initial password is set in the printer 10 of this embodiment. The initial password is set in advance by the vendor, for example, when the printer 10 is manufactured, and is stored in the access source history 43 of the memory 25 . The printer 10 performs login authentication using the initial password preset in the access source history 43 until the password change is accepted.

The memory 25 of the present embodiment also stores an access source history 43 indicating information that access to the network interface 31 is detected. FIG. 3 shows the contents of the access source history 43. As shown in FIG. As shown in FIG. 3, the access source history 43 stores data such as first access source history. The data of the “initial access source history” is data of the IP address of the external device that accessed the printer 10 for the first time. The initial access here means, for example, the initial login authentication performed to the EWS Web server after connecting the printer 10, which has been shipped from the factory and has undergone initial settings such as an IP address, to the network. Access. As the initial value of the "first access source history", data indicating "not applicable" is set.

The "current access" data in the access source history 43 is data indicating the IP address of the access source detected during execution of the access control shown in FIGS. 6 and 7, which will be described later. As the initial value of "current access", data indicating "not applicable" is set. In the example shown in FIG. 3, private IP3 is set as an example in the "current access" data. This indicates that the IP address of the access source detected during execution of the access control shown in FIGS. 6 and 7 is private IP3. The data of "access from multiple external devices" is data indicating whether or not access for login authentication from multiple external devices has been detected. As the initial value of "access from multiple external devices", data indicating "none" is set. The "password" data is data indicating the password being set. The "initial password" data is data indicating an initial password set by a vendor or the like. The “printer IP address” data is data indicating the IP address set in the printer 10 . Note that the data configuration of the access source history 43 shown in FIG. 3 is an example. For example, the password being set and the initial password may be stored in the memory 25 as information separate from the access source history 43 .

In addition, as shown in FIG. 2, the memory 25 stores warning information 44, which is information indicating whether or not a warning has been displayed as a countermeasure for increasing the security level. The warning information 44 is, for example, 1-bit data. The printer 10 sets a bit value (for example, zero) in the warning information 44 indicating that the warning display is not executed until the warning display is executed. When the printer 10 executes the warning display, the printer 10 sets the warning information 44 to a bit value (for example, 1) indicating that the warning has been executed. How to use the access source history 43 and the warning information 44 will be described later.

Also, the memory 25 stores a telephone directory 45 . In the telephone directory 45, for example, names (names and company names), telephone numbers, e-mail addresses, etc. are associated and stored. For example, when the touch panel 53 receives a FAX transmission operation, the printer 10 reads out the telephone directory 45 from the memory 25 and displays names and telephone numbers in a selectable manner. Thereby, the user can transmit a FAX to a desired destination by operating the touch panel 53 of the user interface 29 and selecting a telephone number.

The printing section 26 has a head 47 and an ink cartridge 49 . The ink cartridge 49 contains ink. The head 47 ejects ink supplied from the ink cartridge 49 onto a sheet (paper, OHP, etc.). As a result, the printing unit 26 prints an image on the sheet by the inkjet method under the control of the CPU 21 . Note that the printing unit 26 is not limited to a configuration that performs printing by an inkjet method, and may be configured to perform printing by another method, for example, an electrophotographic method. In the case of an electrophotographic system, the printing unit 26 may include a photosensitive drum, a developing roller that supplies toner to the photosensitive drum, an exposure device that exposes the photosensitive drum, a toner cartridge that stores toner, and the like.

The image reading unit 27 includes an image sensor such as a CIS (Contact Image Sensor) or a CCD (Charge-Coupled Device). The image reading unit 27 moves a CIS or the like with respect to a document placed on a document platen (not shown), reads the document, and generates image data 51 . The image reading unit 27 stores the generated image data 51 in the memory 25 . A FAX communication unit 28 transmits and receives FAX data to and from another facsimile device via a telephone line. The FAX communication unit 28 transmits image data 51 generated by the image reading unit 27 and job image data 51 received from the PCs 11 and 13 (see FIG. 1) connected to the network interface 31, for example.

The user interface 29 has operation buttons such as a touch panel 53 and numeric keys 55 . The touch panel 53 includes, for example, a liquid crystal panel, a light source such as an LED that emits light from the back side of the liquid crystal panel, and a contact sensing film adhered to the surface of the liquid crystal panel. The user interface 29 displays, for example, various setting screens and the operating state of the device on the touch panel 53 under the control of the CPU 21 . Further, the user interface 29 transmits to the CPU 21 a signal corresponding to an operation input on the touch panel 53 or the numeric keypad 55 . Although the printer 10 of this embodiment includes the touch panel 53 serving as both a display unit and an operation unit, the present invention is not limited to this, and hardware keys may be provided as an operation unit in addition to the display unit. good too.

The network interface 31 is a communication interface connectable to the first network NW1, and is connected to the router 15 via a LAN cable (not shown). Note that the configurations of the first network NW1 and the second network NW2 shown in FIG. 1 are examples. For example, the communication methods of the first network NW1 and the second network NW2 are not limited to wired communication, and may be wireless communication.

In the network configuration described above, the user can execute a print instruction, a FAX transmission instruction, or the like from the PCs 11, 13 to the printer 10 by operating one of the plurality of PCs 11, 13, for example. The printer 10 prints the image data 51 based on the print job received from the PC 11 by the printing unit 26, for example.

(3. Access control)
Next, access control via the network interface 31 by the printer 10 of this embodiment will be described with reference to FIGS. 6 and 7. FIG. 6 and 7 show the contents of access control. For example, when the printer 10 is turned on, the control program 41 stored in the memory 25 is executed by the CPU 21, and after starting the system, the access control shown in FIGS. 6 and 7 is started. It should be noted that the flowcharts in this specification basically show the processing of the CPU 21 according to the instructions described in the program. That is, the processing such as “receiving”, “determining”, “writing” in the following description represents the processing of the CPU 21 . Processing by the CPU 21 also includes hardware control.

First, at step 11 in FIG. 6 (hereinafter simply referred to as "S"), the printer 10 determines whether or not the network interface 31 has been accessed via the first network NW1. For example, when the printer 10 detects access for performing login authentication to the EWS Web server, it determines that there has been access (S11: YES). The printer 10 repeatedly executes the determination process of S11 until access for login authentication is detected (S11: NO). Therefore, the printer 10 of the present embodiment does not execute the processes after S13 until access for login authentication is detected. In the following description, access for login authentication may be referred to as a unit "access". Further, the condition for determining the presence or absence of access in S11 is not limited to the presence or absence of access for login authentication. For example, the printer 10 may make an affirmative determination in S11 when detecting access to data that can be edited after login authentication (access source history 43 or telephone directory 45). Therefore, "access from an external device" in the present application is not limited to access for login authentication, and is a concept that includes access to data stored in the printer 10. FIG.

When the printer 10 makes an affirmative determination in S11 (S11: YES), it receives an IP address (an example of identification information of the present application) from the external device that is the access source of the access detected in S11 (S13). For example, the printer 10 acquires the value of the source address set in the packet received from the external device as the IP address of the external device. The printer 10 writes the value of the acquired IP address to the access source history 43 as data of "current access". As shown in FIG. 3, for example, when the printer 10 detects the access of the PC11 in S11, it writes the value of the private IP3 of the PC11 as the data of "current access".

Next, the printer 10 determines whether or not data of "not applicable" is set in the "first access source history" of the access source history 43 (S15). In the data of "first access source history" shown in FIG. 3, data indicating "not applicable" is set as an initial value, and when the first access to the printer 10 is detected, data of the IP address of the access source is set. be done. Therefore, the printer 10 determines in S15 whether the access detected in S11 is the first access to the printer 10 or not. When the data indicating "not applicable" is set in the "first access source history" data of the access source history 43, the printer 10 makes an affirmative determination (S15: YES), and executes S17. On the other hand, if a valid IP address value is set in the "first access source history" data, the printer 10 makes a negative determination (S15: NO), and executes S16.

In S<b>17 , the printer 10 writes the value of the IP address written in “current access” of the access source history 43 in S<b>13 to “first access source history” of the access source history 43 . For example, in the case shown in FIG. 3, the printer 10 updates the access source history 43 by writing the private IP3 value of "current access" to the "first access source history" in S17. After executing S17, the printer 10 executes S19. Therefore, the printer 10 executes S15 and S17 and stores the IP address in the "first access source history" because the "first access source history" is "none" for the first access (S15: YES). Further, the printer 10 makes a negative determination in S15 for the second and subsequent accesses, and executes S16.

In S16, the printer 10 determines whether or not the IP address of the "first access source history" of the access source history 43 matches the IP address of the access source received in S13. In other words, the printer 10 determines whether or not the current access source external device matches the first access source external device. As described above, upon detecting the first access, the printer 10 stores the IP address of the first access in the access source history 43 by updating the "first access source history" of the access source history 43 (S17). In S16, if the printer 10 determines that the IP address in the "initial access source history" matches the IP address received in S13 after the access subsequent to the initial access (S16: YES), it executes S19. .

On the other hand, if the printer 10 determines that the IP address in the "first access source history" does not match the IP address received in S13 (S16: NO), it executes S18. FIG. 4 shows a state in which part of the access source history 43 has been updated by the second and subsequent accesses. As shown in FIG. 4, in S18, the printer 10 updates the data of "Access from multiple external devices" in the access source history 43 to data indicating "Yes". Therefore, when the printer 10 is accessed again from an external device with the same IP address as the first access, the printer 10 maintains the data of "access from multiple external devices" as data indicating "none". When the printer 10 is accessed from an external device with an IP address different from that of the first access, the printer 10 updates the data of "access from multiple external devices" to data indicating "Yes". Thereby, it is possible to determine whether or not there is access from a plurality of external devices, and update the access source history 43 according to the determination result.

Note that the method of determining whether or not there is access from a plurality of external devices is not limited to the above-described method using IP addresses. For example, when fixed private IP addresses are not set in the PCs 11 and 13 of the first network NW1, and private IP addresses are dynamically set by DHCP (Dynamic Host Configuration Protocol), the external device is configured only by the IP address. It becomes difficult to determine the identity of In this case, the printer 10 may use, for example, the MAC address or host name of the communication interface of the PCs 11 and 13 to determine the identity of the first access external device and the second and subsequent access external devices. . In this case, the printer 10 may store the MAC address and host name in the access source history 43 and use them to determine the identity. Also, in this embodiment, the router 15 (see FIG. 1) performs address translation associated with TCP/UDP port numbers using the NAPT technology. In this case, for example, when accessing the printer 10 from the external PCs 17 and 19 via the router 15, the external PCs 17 and 19 access the printer 10 using the private IP1 of the router 15 as the source address. Therefore, the printer 10 may determine whether the access is from the PCs 11 and 13 or the other (external PCs 17 and 19) based on the private IP1 of the router 15 and the other private IPs 3 and 4, for example. Alternatively, the printer 10 may identify the external PCs 17, 19 by other information (host name, etc.) from the external PCs 17, 19. FIG.

Next, in S19 of FIG. 6, the printer 10 executes password acceptance processing. The printer 10 accepts a password, for example, in a password entry field on a web page. For example, when the login button displayed on the web page is clicked, the printer 10 accepts the password entered in the password entry field (S19).

Next, the printer 10 authenticates the password (S21). The printer 10 determines whether or not the password accepted in S19 matches the "password" data in the access source history 43, thereby executing password authentication (S21). For example, as shown in FIG. 3, when the initial password is set as "password" data, the printer 10 determines whether the accepted password matches the initial password.

When the printer 10 determines that the accepted password matches the "password" of the access source history 43 (S21: YES), that is, when password authentication is successful, S23 is executed. On the other hand, when the printer 10 determines that the passwords do not match (S21: NO), it executes S22 of FIG. In this case, since password authentication has failed, the printer 10 refuses login (S22). The printer 10 displays, for example, a web page indicating that login authentication has failed. The printer 10 puts the external device, which has failed in login authentication, into a state in which it cannot perform operations (such as editing of the telephone book 45) that can be performed when login authentication succeeds. After executing S22, the printer 10 ends the access control shown in FIGS. 6 and 7, and restarts the processing from S11. The printer 10 executes processing for the next access. When the printer 10 accesses for the first time and password authentication fails (S15: YES, S21: NO), the printer 10 stores the IP address data of the "first access source history" of the access source history 43 stored in S17. You can delete it. That is, if the access is the first access to the printer 10 but the login authentication fails, the access need not be recorded as the "first access source history".

In addition, in S23 of FIG. 6, the printer 10 determines whether or not the "password" currently set in the access source history 43 is the initial password. Here, if the printer 10 is used without changing the initial password, a malicious user may gain unauthorized access to the printer 10 . For example, a malicious user transmits a virus from the external PC 17 (see FIG. 1) to the PC 13 within the LAN (first network NW1) via the Internet (second network NW2) and hijacks the PC13. In this case, a malicious user may remotely operate the PC 13 from the external PC 17 and illegally access the printer 10 from the PC 13 using the initial password. For this reason, when the printer 10 determines in S23 that the "password" of the access source history 43 is the initial password (S23: YES), the printer 10 displays a warning or performs functions after login according to certain conditions, as will be described later. Enforce restrictions and increase security levels.

On the other hand, for example, the system administrator can operate the PC 11 to access the printer 10, perform authentication using the initial password, and then change the password. By changing the password from the initial password, the security level of the printer 10 can be improved. In other words, if the password has been changed from the initial password to an arbitrary password, there is a high possibility that the password is properly managed by the system administrator or the like. Therefore, when the printer 10 of the present embodiment determines in S23 that the "password" of the access source history 43 is not the initial password (S23: NO), the printer 10 permits login and does not restrict functions in operations after login ( S26 in FIG. 7).

After permitting the login, the printer 10 performs post-login screen display and the like. The printer 10 accepts, for example, a password change, an edit of the telephone directory 45, and the like on the screen after login. At this time, the printer 10 accepts various changing operations and the like without restricting functions. After executing S26, the printer 10 ends the access control shown in FIGS. 6 and 7, and restarts the processing from S11.

Further, when the printer 10 determines in S23 of FIG. 6 that the "password" of the access source history 43 is the initial password (S23: YES), it determines whether or not there have been accesses from a plurality of external devices (S25). . For example, when data indicating "Yes" is set as data of "Access from multiple external devices" in the access source history 43, the printer 10 makes an affirmative determination in S25 (S25: YES), and S31 of FIG. to run.

On the other hand, if data indicating "none" is set in "access from multiple external devices", the printer 10 makes a negative determination in S25 (S25: NO), and executes S26. Therefore, in the printer 10 of the present embodiment, if login authentication is not performed from an external device with a different IP address, even if login authentication is performed many times from an external device with the same IP address as that for the first access, the functions after login will not be performed. is not limited (S26). For example, an individual user may continue to use the printer 10 without changing the initial password because changing the password is troublesome. In this case, there is a high possibility that the individual user will perform login authentication to the printer 10 using only a specific PC within the first network NW1. For this reason, in consideration of the user's convenience, it is preferable not to restrict functions after login when multiple accesses are made only from a specific PC (IP address). Therefore, the printer 10 of this embodiment does not limit the function when there is access from one external device (when the data of "access from multiple external devices" is "none") (S26). As a result, user convenience can be improved.

On the other hand, in S31 of FIG. 7, the printer 10 displays a warning. When S31 is executed, the printer 10 is in a state where login authentication using the initial password is being executed from a plurality of external devices. Therefore, the printer 10 displays a warning and raises the security level of the printer 10 .

In S31, the printer 10 displays a warning on the touch panel 53, for example. FIG. 5 shows an example of warning display. As shown in FIG. 5, the printer 10 displays on the touch panel 53, for example, content indicating that login authentication has been executed from a plurality of PCs, or content requesting the password to be changed from the initial password. A method of canceling the warning display will be described later with reference to FIG.

Moreover, the display destination of the warning display is not limited to the touch panel 53 . For example, when there is a possibility that unauthorized access has been received, displaying a warning to the external device that is the access source or the PCs 11 and 13 connected to the first network NW1 may be known by a malicious user. I don't like it. However, there is a possibility that an external device connected to the printer 10 by a connection method other than the first network NW1, such as a USB connection, has not been illegally accessed. Therefore, if there is an external device connected via a USB cable, the printer 10 may display a warning to that external device. Alternatively, if the system administrator's e-mail address is registered, the printer 10 may send the warning e-mail to that e-mail address.

Also, in S<b>31 , the printer 10 updates the warning information 44 in the memory 25 . As described above, the printer 10 sets a bit value in the warning information 44 indicating that the warning display is not executed until the warning display is executed in S31. When the printer 10 executes the warning display in S31, the printer 10 sets the warning information 44 to a bit value indicating that the warning has been executed.

After executing S31, the printer 10 determines whether or not the IP address of the "initial access source history" matches the IP address of the current access source (S33). As in S16, the printer 10 determines whether the IP addresses match, and determines whether or not the source of the first access matches the source of the current access.

When the printer 10 determines that the source of the first access matches the source of the current access (S33: YES), the printer 10 executes S26. Therefore, even if the printer 10 of the present embodiment is accessed by a plurality of external devices, the external device that is the source of the first access is allowed to operate after login without restricting the functions. For example, since the system administrator makes settings for the printer 10, there is a high possibility that login authentication for the printer 10 will be performed before general users. Therefore, the system administrator is likely to access for the first time. Also, the system administrator may change the password remotely from the PC 11 or the like after seeing the warning displayed on the touch panel 53 . For this reason, it is preferable that the external device used by the system administrator is permitted to log in and the function is not restricted even after access is made from a plurality of external devices. Therefore, the printer 10 of the present embodiment permits the login to the external device that has been accessed for the first time, and does not limit the function by the operation after login (S26). As a result, user convenience can be improved without excessively restricting functions.

If the printer 10 makes a negative determination in S33 (S33: NO), the printer 10 permits login and restricts functions that can be executed after login (S35). Therefore, when login authentication using the initial password is executed from a plurality of external devices and login authentication is executed from an external device different from the initial access, the printer 10 restricts the functions available to the login user. As a result, even if a malicious user or the like executes authentication using the initial password, it is possible to suppress the spread of damage to the system of the printer 10 by restricting functions after login.

It should be noted that there are no particular restrictions on the contents of the function restrictions. For example, the printer 10 may prohibit use of all functions. Alternatively, printer 10 may prohibit the use of some of its functions. For example, the printer 10 may prohibit editing of the telephone directory 45 while permitting reading of the telephone directory 45 . Also, the printer 10 may prohibit changing the password. Also, the printer 10 may selectively limit the FAX function and the scanner function.

Here, for example, consider a case where the PC of the system administrator who performed the initial access breaks down. In this case, even if the system administrator accesses the printer 10 from another PC, the functions are restricted, and the password cannot be changed. Therefore, the printer 10 of the present embodiment restricts the functions after login in S35, but does not restrict the functions after login when the login operation is performed using the touch panel 53 . That is, the functions of remote login are restricted, and the functions of login by directly operating the printer 10 are not restricted. As a result, the system administrator or the like can perform a password change or the like by performing a login operation on the touch panel 53 . Note that the method of securing means for changing the password or the like after restricting the functions is not limited to the method using the touch panel 53 described above. For example, the printer 10 may initialize the access source history 43 based on receiving a specific operation on the user interface 29 . As a result, the system administrator or the like can log in to the printer 10 using a PC other than the failed PC.

After executing S35, the printer 10 ends the control shown in FIGS. In this manner, the printer 10 of the present embodiment uses the access source history 43 to display warnings and restrict functions, thereby improving both the security level and user convenience. can.

(4. An example of access operation)
Next, the operation of the printer 10 when accessed from a plurality of external devices will be described. 8 and 9 show, as an example, the sequence when the PCs 11 and 13 access the printer 10. FIG. FIGS. 8 and 9 show a state in which the PC 13 accesses the printer 10 after the PC 11 accesses the printer 10 . Also, the printer 10 shows a case where an initial password is set, and authentication by the initial password is executed from the PCs 11 and 13 . The first-time access PC 11 is, for example, the system administrator's PC. Also, the PC 13 to be accessed later is a general user's PC that has been illegally accessed and taken over by a malicious user.

As shown in FIG. 8, first, the printer 10 detects login authentication access from the PC 11 and receives the private IP3 from the PC 11 (S41, S11 and S13 in FIG. 6). For example, a system administrator accesses the printer 10 from the PC 11 in order to make initial settings for the printer 10 .

The printer 10 reads the access source history 43 from the memory 25 and determines the data (S43, S15 in FIG. 6). At this time, data indicating "none" is set in the "first access source history" of the access source history 43. FIG. Therefore, the printer 10 determines that there is no match (S45), and writes the IP address received in S41 into the access source history 43 (S47, S17 in FIG. 6).

When the printer 10 receives a password from the PC 11 (S51) and determines that the received password matches the password (initial password) of the access source history 43 (S53, S55), it determines whether or not there has been access from a plurality of external devices. (S57, S25 in FIG. 6). Since this access is the first access, the printer 10 determines that there is no access from a plurality of external devices (S59, S25 in FIG. 6: NO), and permits login (S61). In this case, the printer 10 does not execute warning display (S31 in FIG. 7) and function restriction (S35), and accepts operations after login (S26). The printer 10 accepts the password change, etc., and writes the data to the memory 25 (S63, S65).

Next, the operation sequence of FIG. 9 will be described. FIG. 9 shows a case where unauthorized access is received from the PC 13 after the initial access by the PC 11 shown in FIG. First, the printer 10 detects access for login authentication from the PC 13 and receives the private IP4 (S67). As described above, the initial access by the PC 11 has already been executed. In this case, as shown in FIG. 4, the private IP 3 of the PC 11 accessed for the first time is stored in the “first access source history” of the access source history 43 . Therefore, based on the access source history 43, the printer 10 determines that there is a match (first access) (S69, S71), and determines whether the IP addresses match (S73, S75).

Since the IP address of the first access (private IP3) does not match the IP address of the current access (private IP4), the printer 10 stores data indicating "Yes" in "Access from multiple external devices" in the access source history 43. is written (S77, S18 in FIG. 6). Next, the printer 10 accepts login authentication of the PC 13 using the initial password (S79, S81, S83). The printer 10 receives unauthorized access from the PC 13 and is logged in.

However, the printer 10 determines that data indicating "Yes" is stored in "Access from multiple external devices" in the access source history 43 (S85, S87), and executes warning display (S89). That is, since the initial password is used and accesses from a plurality of external devices are detected, a warning is displayed on the touch panel 53 (S89, S31 in FIG. 7). Further, the printer 10 restricts functions after login because the IP address of the access source this time does not match the IP address of the first access (S91, S93, S95). This makes it possible to enforce functional restrictions against malicious users. By confirming the warning on the touch panel 53, the system administrator can take appropriate measures such as changing the password.

(5. Cancellation of warning display)
Next, control for canceling the warning display once executed will be described with reference to FIG. 10 . FIG. 10 shows the content of warning cancellation control for canceling the warning display. The printer 10 starts the control of FIG. 10, for example, when S31 of FIG. 7 is executed.

10, the printer 10 determines whether or not the "password" of the access source history 43 has been changed from the initial password (S101), until the password is changed (S101: NO), The process of S101 is repeatedly executed. Also, when the password is changed from the initial password (S101: YES), the printer 10 cancels the warning display (S103). For example, when the printer 10 accepts a password change from the Web server and changes the "password" data in the access source history 43, the printer 10 makes an affirmative determination in S101.

Therefore, the printer 10 of this embodiment maintains the warning display on the touch panel 53 until the password is changed from the initial password. This allows the system administrator or the like to more reliably recognize the warning. On the other hand, when the printer 10 is logged in from an external device and the password is changed from the initial password, the warning display on the touch panel 53 is canceled. As a result, the warning display can be canceled at an appropriate timing.

In S<b>103 , the printer 10 sets a bit value indicating that the warning display is not executed as the warning information 44 in the memory 25 . As a result, the warning information 44 can be updated to appropriate data in accordance with the cancellation of the warning display. After executing S103, the printer 10 ends the control shown in FIG. In addition, the content of the above-described warning cancellation control is an example. For example, the printer 10 may receive an instruction to cancel the warning display on the touch panel 53, and may cancel the warning display after a certain period of time has passed.

(6. Warning display at startup)
Next, the processing of the printer 10 at startup will be described with reference to FIG. The printer 10 executes the startup process shown in FIG. 11 when the system is started up, and re-displays the warning display. More specifically, when the printer 10 starts the process of FIG. 11, it executes S105, reads out the warning information 44 from the memory 25, and determines the data of the warning information 44. FIG. When the printer 10 determines that the bit value indicating that the warning display is not executed is set in the warning information 44 (S105: NO), the process of FIG. 11 ends. In this case, the printer 10 starts up the system without displaying a warning on the touch panel 53 .

On the other hand, if the warning information 44 contains a bit value indicating that the warning has been displayed (S105: YES), the printer 10 executes S107. In S107, the printer 10 determines whether or not the network is connected to the network interface 31 (S107). For example, when the printer 10 detects that the router 15 and the PCs 11 and 13 are connected via the first network NW1, it determines that it is connected to the network (S107: YES). Further, when the LAN cable is not connected to the network interface 31, or when communication with an external device is impossible even if the LAN cable is connected, the printer 10 determines that it is not connected to the network (S107: NO).

The printer 10 repeats the process of S107 while making a negative determination in S107 (S107: NO). Therefore, the printer 10 executes the process of S107 until it is connected to the network. Further, when the printer 10 makes an affirmative determination in S107 (S107: YES), the warning display on the touch panel 53 is performed again (S109). After executing S109, the printer 10 ends the process shown in FIG.

With the above-described processing, for example, even if the printer 10 is powered off while a warning is displayed on the touch panel 53, when the power is turned on again and the system is started, the warning is displayed again. As a result, the user can more reliably recognize the warning and the security level can be increased. Also, the printer 10 does not re-display the warning display until the network is connected. This is because when the network is not connected, the possibility of unauthorized access is low even if the initial password is used. When the printer 10 detects network connection, the printer 10 displays the warning again. As a result, the warning display can be restarted at an appropriate timing.

Incidentally, the printer 10 is an example of an information processing device. The PCs 11, 13, router 15, and external PCs 17, 19 are examples of external devices. CPU21 is an example of a control part. The memory 25 is an example of a storage unit. Network interface 31 is an example of a communication unit. Private IP1, IP3, IP4 and global IP6, IP7 are examples of identification information.

(6. Effect)
As described above, according to the above-described embodiment, the following effects are obtained.
(1) When the CPU 21 of the printer 10 of the present embodiment detects an access from the PC 11 or the like via the network interface 31, the process of S13 receives IP address information (an example of identification information) from the PC 11 or the like (first 1 example of receiving process), the process of S19 receiving a password from the PC 11 or the like (an example of a second receiving process), and the process of S21 determining whether authentication by the password has succeeded (an example of a first determination process). Then, based on the process of S23 (an example of the second determination process) for determining whether the password is the initial password or not, and the IP address stored in the memory 25, a plurality of external devices via the network interface 31 The processing of S16 and S25 (an example of the third determination processing) for determining whether or not there is an access is executed. When the CPU 21 makes an affirmative determination in S21 (S21: YES), makes an affirmative determination in S23 (S23: YES), and makes an affirmative determination in S25 (S25: YES), the security level is increased from the current security level in S31, The processing of S35 (an example of security processing) is executed.

According to this, the CPU 21 raises the security level from the current level when the authentication by the password is successful, the password is the initial password, and there is access from a plurality of external devices via the network interface 31. . Therefore, when a plurality of external devices having different IP addresses access the system using the initial password, it is possible to take security measures and raise the security level.

(2) In addition, the CPU 21 stores the IP address received from the external device in S13 in the memory 25 (an example of the first storage process) in S17, Then, the process of S15 (an example of the fourth determination process) for determining whether or not the IP address is already stored is executed. The CPU 21 executes S16 based on having determined in S15 that the IP address has already been stored in the access source history 43 of the memory 25 (S15: NO). After storing the IP address in the memory 25 in S16, the CPU 21 replaces the IP address received from the external device in the process of S13 executed after the next access with the IP address stored in the memory 25 (the IP address of the first access source history). address), and if they do not match (S16: NO), it is determined that there has been access from a plurality of external devices via the network interface 31 (S18). The CPU 21 notifies a warning indicating that there has been authentication by the initial password from a plurality of external devices using different IP addresses (S31).

According to this, by announcing the warning, it is possible to inform the user that the authentication by the initial password has been executed from a plurality of external devices using different IP addresses. This makes it possible to prompt the user to change the initial password.

(3) In addition, the CPU 21 performs the process of S101 (an example of the fifth determination process) for determining whether or not the password has been changed from the initial password, and based on determining that the password has been changed from the initial password, (S101: YES), and the processing of S103 (an example of cancellation processing) for canceling the notification of the warning is executed. According to this, the warning can be terminated when the password is changed from the initial password and security is ensured.

(4) In addition, the CPU 21 stores in the memory 25 the warning information 44 indicating that the warning notification has started (an example of the second storage processing), and at the time of startup, the warning notification has started. Based on the processing of S105 (an example of the sixth determination processing) for determining whether or not the warning information 44 indicating is stored in the memory 25, and the affirmative determination in S105 (S105: YES), the warning is issued again and the processing of S109 (an example of re-notification processing) are executed.

According to this, the CPU 21 judges the necessity of re-notifying the warning when the system is terminated once after executing the notification of the warning and restarted. When the memory 25 stores the warning information 44 indicating that the warning notification has been started, the CPU 21 issues the warning again after activation. As a result, it is possible to issue a warning again after activation, and to make the user recognize the warning more reliably.

(5) In addition, the CPU 21 stores in the memory 25 the warning information 44 indicating that the warning notification has started (an example of the second storage processing), and at the time of startup, the warning notification has started. Based on the process of S105 (an example of the sixth determination process) for determining whether or not the warning information 44 indicating is stored in the memory 25 and the affirmative determination in S105 (S105: YES), the network interface 31 The process of S107 (an example of the seventh determination process) of determining whether or not the network is connected, and the process of S109 (re-notification process) of re-announcing the warning based on the affirmative determination in S107 (S107: YES). example) and .

According to this, when the CPU 21 detects that it has been connected to the network after activation, it issues a warning again. As a result, it is possible to issue a second warning only when a security problem arises due to connection to the network, suppressing execution of unnecessary warnings, and improving user convenience.

(6) Further, the CPU 21 restricts the functions of the printer 10 that can be used by external devices (S35). According to this, even if a malicious user gains unauthorized access, it is possible to prevent the spread of damage within the system by limiting available functions.

(7) The CPU 21 accepts password changes via the user interface 29 even when the functions of the printer 10 that can be used by external devices are restricted (S35). If the external device with the IP address first stored in the memory 25 fails, etc., and the authentication by other IP addresses is restricted, the external device may not be able to change the password. Therefore, even when the functions are restricted, by permitting the password to be changed through the user interface 29, it is possible to secure means for changing the password from the initial password.

(8) Further, the CPU 21 executes the process of S33 (an example of the eighth determination process) for determining whether or not the IP address in the memory 25 matches the IP address received from the external device in S13. If the IP addresses match in S33, the CPU 21 does not limit the functions of the printer 10 that can be used by the external device (S33: YES, S26).

According to this, even if the authentication by the password is successful, the password is the initial password, and the access is made from a plurality of external devices, the IP address of the current access source is the IP address stored in the memory 25. If it matches , do not restrict the function. That is, after accesses from a plurality of external devices, if there is an access from the first external device that executed the access, the function is not restricted. As a result, it is possible to secure the use of the function by the external device that has performed the access first.

(9) Further, when the CPU 21 succeeds in password authentication in S21 (S21: YES) and determines in S23 that the password is not the initial password (S23: NO), the processing of S31 and S35 (an example of security processing) ) is not executed. Even if password authentication succeeds, a certain level of security can be ensured if the password is changed instead of the initial password. Therefore, by tightening the conditions for executing the processing for increasing the security level, it is possible to improve both security and convenience.

(10) Further, when the password authentication is successful in S21 (S21: YES) and a negative determination is made in S25 (S25: NO), the CPU 21 does not execute the processing of S31 or S35 (an example of security processing). Even if the authentication by the initial password is successful, if the printer 10 is not accessed by a plurality of external devices using the same IP address, there is a possibility that one external device is using the printer 10, and a certain level of security can be ensured. . Therefore, by tightening the conditions for executing the processing for increasing the security level, it is possible to improve both security and convenience.

(7. Modification)
It goes without saying that the present application is not limited to the above embodiments, and that various improvements and modifications are possible without departing from the scope of the present disclosure.
For example, the network configuration of FIG. 1 described above is an example. For example, as shown in FIG. 12, global IP5 may be assigned to the printer 10 and the printer 10 may be directly connected to the second network NW2. In the configuration shown in FIG. 12, the printer 10 can communicate with the external PC 17 and the external PC 19 via the second network NW2 (such as the Internet). The external PCs 17 and 19 execute printing and login authentication for the printer 10 using the global IP6 and IP7 as the source IP address. In such a case, the printer 10 may use the global IP, host name, or the like to determine the external device that is the access source, and display a warning or the like.

Alternatively, for example, as shown in FIG. 13, a virtual private network (VPN) protocol technology may be used to construct a wide-area virtual private network via the Internet, and the printer 10 may be connected to the private network. . In the example shown in FIG. 13, printer 10, PC 11, and PC 13, to which private IP addresses are assigned, are connected via router 15, second network NW2, and router 16. FIG. The printer 10 and PC 11 can communicate with a remote PC 13 via VPN using a private IP address. In this case, the printer 10 may perform login authentication and the like using the private IP of the external device that has received access via the second network NW2 (such as the Internet) as identification information.

Further, the identification information of the present disclosure is not limited to the IP address, and may be the host name of the computer or the like. Also, both an IP address and a host name may be used. Also, for example, version information of a web browser that has accessed the EWS and cookie information may be used as identification information.
In addition, the printer 10 executes a warning display (S31) and function restriction (S35) as security processing, but the present invention is not limited to this. The printer 10 may execute either S31 or S35. The printer 10 may also execute processing such as sounding a buzzer, lighting a lamp, and sending a warning email to the registered email address of the system administrator.
Also, the printer 10 canceled the warning display at the timing when the password was changed (see FIG. 10). However, the printer 10 may, for example, cancel the warning display after a certain amount of time has passed.
Further, the printer 10 redisplayed the warning display when the system was started (see FIG. 11). However, for example, once the system is stopped, the printer 10 does not have to display the warning when it is started next time. In this case, printer 10 does not need to store warning information 44 in memory 25 .
Further, when the warning information 44 indicating that the warning notification has been started is stored in the memory 25 when the printer 10 is activated, the printer 10 does not execute the process of determining whether or not there is a network connection in S107, and issues a warning. You may notify again (S109). That is, the warning may be issued regardless of the presence or absence of network connection.
Further, the printer 10 permits login authentication and password change through the user interface 29 even if the functions are restricted (S35). However, the printer 10 may prohibit login authentication through the user interface 29 in accordance with functional restrictions.
Also, when the IP address matches the IP address of the first access, the printer 10 did not restrict the function (S33: YES), but the function may be restricted.
Further, although the IP address is used as the identification information of the external device in the above embodiment, the MAC address may be used as the identification information.

Also, the storage unit for storing the control program 41, the access source history 43, and the warning information 44 may not be provided in the printer 10. FIG. For example, the printer 10 may store the access source history 43 in a server on the second network NW2.
Further, in the above-described embodiment, the CPU 21 is used as the control unit of the present application, but the present invention is not limited to this. For example, the control unit may be composed of dedicated hardware such as ASIC (Application Specific Integrated Circuit). Further, the control unit may be configured to operate using both processing by software and processing by hardware, for example.
Further, in the above-described embodiment, the printer 10, which is a multifunctional machine, is used as the information processing apparatus of the present application, but the present invention is not limited to this. The information processing apparatus of the present application is not limited to a printer, and may be a copier, a facsimile machine, or a scanner.

10 printer (information processing device) 11, 13 PC (external device), 15 router (external device), 17, 19 external PC (external device), 21 CPU (control unit), 25 memory (storage unit), 29 user interface , 31 network interface (communication unit), 44 warning information, IP1, IP3, IP4 private (identification information), IP6, IP7 global (identification information).

Claims (12)

a communication unit that communicates with an external device;
a control unit;
with
The control unit
a first reception process for receiving identification information from the external device via the communication unit when access from the external device is detected via the communication unit;
a second reception process for receiving a password from the external device via the communication unit;
a first judgment process for judging whether or not authentication by the password has succeeded;
a second determination process for determining whether the password is an initial password;
a third determination process of determining whether or not there is access from a plurality of external devices via the communication unit based on the identification information stored in the storage unit;
determining in the first determination process that authentication by the password has succeeded, in the second determination process, determining that the password is the initial password, and in the third determination process, from the plurality of external devices to the communication unit a security process of increasing the security level from the current security level when it is determined that there has been access via
An information processing device that executes The control unit
a first storage process of storing the identification information received from the external device in the first reception process in the storage unit;
a fourth determination process for determining whether or not the identification information is already stored in the storage unit;
and run
executing the third determination process based on determining that the identification information has already been stored in the storage unit in the fourth determination process;
In the third determination process, after the identification information is stored in the storage unit, the identification information received from the external device in the first reception process executed after the next access is stored in the storage unit. determining whether or not it matches the identification information, and if not matching, determining that there has been access from a plurality of the external devices via the communication unit;
2. The information processing apparatus according to claim 1, wherein, as said security process, a process of notifying a warning indicating that authentication by said initial password has been performed from a plurality of said external devices using different said identification information is executed. The control unit
a fifth determination process for determining whether the password has been changed from the initial password;
a canceling process of canceling the notification of the warning based on determining that the password has been changed from the initial password;
3. The information processing apparatus according to claim 2, which executes The control unit
a second storage process of storing warning information indicating that the warning notification has started in the storage unit;
a sixth judgment process for judging whether or not the warning information indicating that the warning notification has started is stored in the storage unit at startup;
a re-notification process for re-announcing the warning based on the determination that the warning information indicating that the warning has started to be notified is stored in the storage unit in the sixth determination process;
4. The information processing apparatus according to claim 2 or 3, which executes The control unit
a second storage process of storing warning information indicating that the warning notification has started in the storage unit;
a sixth judgment process for judging whether or not the warning information indicating that the warning notification has started is stored in the storage unit at startup;
determining whether or not the communication unit is connected to a network based on determining in the sixth determination process that the warning information indicating that the warning notification has started is stored in the storage unit; a seventh determination process;
a re-notification process for re-announcing the warning based on the determination that the communication unit is connected to the network in the seventh determination process;
4. The information processing apparatus according to claim 2 or 3, which executes The control unit
6. The information processing apparatus according to any one of claims 1 to 5, wherein as said security processing, functions of said information processing apparatus that can be used by said external device are restricted. further equipped with a user interface,
The control unit
7. The information processing apparatus according to claim 6, wherein even in a state in which functions of said information processing apparatus that can be used by said external device are restricted, said password change is accepted via said user interface. The control unit
executing an eighth judgment process for judging whether or not the identification information in the storage unit matches the identification information received from the external device in the first reception process;
8. The information processing apparatus according to claim 6, wherein if the identification information matches in the eighth determination process, the functions of the information processing apparatus that can be used by the external device are not restricted. The control unit
9. The security process is not executed if authentication by the password is successful in the first determination process and the password is not the initial password in the second determination process. The information processing device according to item 1. The control unit
The security processing is not executed when authentication by the password is successful in the first determination processing and when it is determined in the third determination processing that there is no access from the plurality of external devices via the communication unit. The information processing apparatus according to any one of claims 1 to 8. A control method for an information processing device including a communication unit that communicates with an external device,
a first receiving step of receiving identification information from the external device via the communication unit when access from the external device is detected via the communication unit;
a second receiving step of receiving a password from the external device via the communication unit;
a first determination step of determining whether authentication by the password has succeeded;
a second determining step of determining whether the password is an initial password;
a third determination step of determining whether or not there is access from a plurality of external devices via the communication unit based on the identification information stored in the storage unit;
determining in the first determining step that the authentication by the password has succeeded, in the second determining step determining that the password is the initial password, and in the third determining step, the plurality of external devices from the communication unit; a security step of increasing the security level from the current security level when it is determined that there has been access via
A control method for an information processing device, comprising: A program that causes a computer to control an information processing device that includes a communication unit that communicates with an external device,
to the computer;
a first reception process for receiving identification information from the external device via the communication unit when access from the external device is detected via the communication unit;
a second reception process for receiving a password from the external device via the communication unit;
a first judgment process for judging whether or not authentication by the password has succeeded;
a second determination process for determining whether the password is an initial password;
a third determination process of determining whether or not there is access from a plurality of external devices via the communication unit based on the identification information stored in the storage unit;
determining in the first determination process that authentication by the password has succeeded, in the second determination process, determining that the password is the initial password, and in the third determination process, from the plurality of external devices to the communication unit a security process of increasing the security level from the current security level when it is determined that there has been access via
The program that causes the to run.

Images