HP Imaging and Printing Security Best Practices
Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs
Version 5.0 for HP Web Jetadmin 10
© Copyright 2005, 2007, 2009, 2010 Hewlett-Packard Development Company, L.P.
Table of Contents
Table of Contents ... i
Chapter 1: Introduction ... 1
Cautions ... 2
Follow the Checklist in Order ...
Printer Firmware Update ... 41
Secure Disk Encryption Mode ... 41
Apply the Changes ... 42
Configuring MFP Fax Settings ... 44
Configuring Fax Printing ...
Network Page Options ... 76
Security Page Options ... 79
Final Configurations ... 84
Overall Limitations ...
Chapter 1: Introduction

This document is a security checklist for the following HP MFP models:
HP LaserJet M3027 MFP
HP LaserJet M3035 MFP
HP LaserJet 4345 MFP
HP LaserJet M4345 MFP
HP LaserJet M5025 MFP
HP LaserJet M5035 MFP
HP LaserJet 9040 MFP
HP LaserJet 9050 MFP
HP Color LaserJet 4730 MFP
HP Color LaserJet CM4730 MFP
HP Color LaserJet 9500 MFP
HP Color LaserJet CM3530 MFP
HP Color LaserJet CM6030 MFP
HP Color LaserJet CM6040 MFP
All of these model

HP Web Jetadmin Version 10.2 installed on a Windows XP or Windows Vista PC
One of each supported MFP with the latest updated firmware found at hp.com

The process for configuring this checklist is developed using HP Web Jetadmin to manage all of the MFPs at the same time. This checklist covers only those parts of HP Web Jetadmin that pertain to appropriate security settings. See the user guides, admin guides, and help files for information on other configurations.
MFP Environment
NIST defines several types of user environments, many of which are compatible with HP LaserJet and Color LaserJet MFPs. However, this checklist is written for MFPs in an enterprise environment or a small to medium business environment. These environments use most of the network features available with MFPs. This entire checklist can be configured using HP Web Jetadmin. You should configure as much of this checklist as possible while adapting the settings to your specific situation.

Solutions covered
This checklist covers MFP security settings found in HP Web Jetadmin. This checklist covers no other solutions or applications.

Organization
This checklist includes the following chapters:
Chapter 2: Threat Model: The Threat Model chapter explains the security circumstances relating to MFPs. It follows the Microsoft® STRIDE model.
Chapter 2: Threat Model

This section explains the types of security risks involved with operating MFPs in enterprise environments. As technology improves, malicious people (hackers) continue to find new ways to exploit networks. They are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or the internet. Predicting the actions of a hacker is difficult, but HP is dedicated to research in this area.

You can minimize the risks from identity spoofing in the following ways:
Protect the From address field in the MFP Digital Sending and Fax configurations.
Protect MFP disk access.
Configure authentication.
Configure the administrator password.
Configure SNMPv3.

Tampering with Data
Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from an MFP or stored on it.

Install Jetdirect 635n Print Servers or enable embedded IPSec to encrypt the data stream, including log data and file metadata (look for this product at hp.com or contact your HP product supplier).
Close unused ports and protocols.
Save copies of log data at a separate location.
Add security solutions such as smartcard, swipe-card, and thumbprint readers.

Information Disclosure
Information disclosure is gathering information from an MFP and providing it to unauthorized users.

Causing interference with network communication to the MFP
Changing the network location of the MFP
Causing an error state that interrupts service
Changing access configurations

Here are some methods of minimizing opportunities for denial of service on an MFP:
Lock the control panel.
Lock EWS configuration settings.
Close unused ports and protocols.
Disable controls such as the Job Cancel button and the Go button.
Chapter 3: Basic Security for Multiple MFPs

This chapter explains how to configure security settings for one or more MFPs using HP Web Jetadmin. It assumes that you have taken or plan to take reasonable steps to secure the network environment in which your MFPs are operating. This includes configuring network firewalls and providing up-to-date virus controls.

log of the passwords in a safe place. Web Jetadmin will prompt for passwords during the configuration process if they are missing from the cache.

CAUTION: Losing passwords can block access to an MFP. Be careful to record them in a safe place. It is most important to remember the Bootloader password. With it, it is possible to restore the MFPs to factory default settings. Without it, the only way to restore the MFPs is to involve an HP-authorized service technician to reset the entire MFP.
Use meaningless random passwords. Passwords that are real words or phrases are easier to guess. The latest password cracking tools follow dictionaries to narrow down the possibilities. Record the passwords in a safe but hidden place. The passwords are designed to restrict access to management options on the MFPs. Losing a password can eliminate your access to settings. This is most important for the Bootloader Password.
Figure 1: Web Jetadmin showing the device list on the default view.
2. Check to see that the MFPs you wish to configure appear in the Device Model List. If they are not in the list, use the Discovery options to find the MFPs on your network.
Note: This checklist does not include details on MFP discovery. See Web Jetadmin user guidance for more information. In most cases, the MFPs will already appear in the default view of Web Jetadmin.

4. Click the Config tab in the lower half of the Device List view to show settings available for configuration (Figure 3).
Figure 3: The Config tab displays settings available for configuration.
The Config tab contains all of the settings recommended in this checklist.
Tip: If you are having a problem configuring a setting, try configuring it using the individual device's configuration page. You can also attempt to configure the setting using the EWS of the MFP.
Follow these steps to use Web Jetadmin to verify your HP Secure Hard Disk is installed and configured:
1. In the device list view, add the columns for Secure Disk and Secure Disk Status if they are not visible. First, right-click on the column area to the right of the existing columns. Then select customize… from the drop-down list (Figure 4).
Figure 4: Shows how to reach the column customization menu.
2.
Figure 5: Shows how to add the Secure Disk and Secure Disk Status columns to the columns selected for display.
3. In the listing of printers, check the Secure Disk and Secure Disk Status columns. The Secure Disk column should indicate "Installed". The Secure Disk Status column should indicate "Encrypted" (Figure 6).
Figure 6: Shows the Secure Disk and Secure Disk Status columns as Installed and Encrypted.
Note: If your MFP is reporting an installed HP Secure Disk but its status is anything other than Encrypted, it is recommended that you resolve the issues with your HP Secure Disk before continuing this checklist. If you do not, you may need to re-apply the entire checklist to the MFP. An example of an MFP with an HP Secure Disk installed that is not configured properly is shown below (Figure 7).
Figure 7: Shows an HP Secure Disk with a status of Not Encrypted, indicating an issue with the disk that needs resolution.
Figure 8: The Security category and SNMP Version Access Control settings.
2. On the SNMP Version Access Control menu, select the Enable SNMPv3 checkbox (Figure 9).
Figure 9: Shows Enable SNMPv3 selected.
3. Once Enable SNMPv3 has been selected, fill in the New User, New Authentication Passphrase, and New Privacy Passphrase fields (Figure 10) in the New SNMPv3 Credential section. See below for details.
Figure 10: The Enable SNMPv3 option has been selected and the New SNMPv3 Credential section is complete.
The New User Name field can be any name you choose.
The New Authentication Passphrase field can be any word or phrase that is at least 8 characters.
The New Privacy Passphrase field can be any word or phrase that is at least 8 characters.
CAUTION: These instructions are for the initial configuration of SNMPv3.
4. Scroll down to the SNMPv1 Settings section, and select SNMPv1 disabled (Figure 11).
Figure 11: The SNMP Version 3 Only setting.
This setting limits all SNMP configuration communication to SNMPv3 only. Once applied, your MFPs will not allow SNMPv1 SET and SNMPv2 GET.
5. Choose Apply at the bottom of the SNMP Version Access Control configuration to apply the settings to the selected devices. This will open the Configure Devices dialogue box (Figure 12).
Figure 12: The Configure Devices dialogue box.
6. Click the Configure Devices button to execute the configuration. The result of your configuration will be displayed when the configuration is complete (Figure 13).
Figure 13: Shows a successful configuration result.
If your configuration is not successful, you can click the Details button for more information on why the configuration failed. Now, whenever you click Apply to configure settings, the MFP will check for the SNMPv3 credentials.

Configuring MFP Device Settings
The Device category includes settings that affect some of the normal use of the MFPs. The following settings affect how jobs are stored, and how long your MFP will wait before a job times out in a particular way.
1. Click the Device category on the Config tab to view the following configuration options:

I/O Timeout to End Print Job
The I/O Timeout to End Print Job allows you to specify the amount of time a device should wait between packets before canceling a job.
Figure 15: The Job Hold Timeout options.

Job Retention
1. From the Device category, select Job Retention (Figure 16).
2. Click the checkbox to select Job Retention, and select Enabled.
Figure 16: The Job Retention options.
This allows users to store print jobs and fax jobs for printing at their discretion (when they can be present to control the printouts and keep them from view).
Note: Job Hold Timeout does not apply to fax jobs.

Apply the Changes
1.
Figure 17: The Configure Devices dialogue box.
2. Review your settings and then click the Configure Devices button to execute the configuration.
Configuring MFP Network Settings
The Network category on the Device tab provides options that relate to Jetdirect Print Servers. The security features you will be configuring restrict what methods are available for communication with your MFP over the network. Follow the instructions below to view and configure these options.
1. Click the Network category on the Config tab to expand the configuration options (Figure 18).
Figure 18: The Network Category.
Figure 19: The Enable Features option.
2. Next, select the print features you would like to enable or disable. The following table lists and explains the recommended settings for the Enable Features option:

Feature | Recommended Setting | Explanation
EWS Config | Disabled*** | Disabling EWS Config closes down the EWS and eliminates the configuration settings that are controlled by the EWS. It also removes the affected settings from Web Jetadmin menus.
SLP Config | Disabled | Disabling SLP Config prevents access to configuration settings and other features through SLP.
FTP Printing | Disabled | Disabling FTP Printing prevents access to configuration settings and other features through FTP. It also prevents printing through FTP.
LPD Printing | Disabled | Disabling LPD Printing prevents access to configuration settings and other features through LPD. It also prevents printing through LPD.

WARNING: You will want to enable WS-Discovery on this printer if any of the following apply: you are using an IPv6-only network, you use WS-Print to discover your devices, or you operate in a Windows Vista/Windows 7 centric environment. If you are unsure of this setting, we highly recommend testing its implications with a single device before applying it to your whole fleet.
Note: If you are using third-party solutions, recommendations may be different. Please see the Advanced Security chapter.
Figure 20: Review your Enable Features Configuration selections before configuring your devices.

Encrypt all Web Communication
This setting requires web browsers to use HTTPS when contacting the MFPs. This ensures secure communications with the MFP EWS. To enable this feature:
1. Click Encrypt all web communication, and then select Enabled to enable HTTPS communication between the Jetdirect Print Server and any web browser (Figure 21).
Figure 21: Enabling HTTPS web communication.

Encryption Strength
The Encryption Strength setting allows you to choose the strength of the encryption algorithm used for communication between the MFP EWS and the web browsers connecting to it (this is related to the HTTPS Setting option above). To configure the Encryption Strength setting:
1. Click Encryption Strength in the Network category (Figure 22).
Figure 22: The Encryption Strength option.
2.
Figure 23: The Encryption Strength dropdown menu.

Error Handling
The Error Handling option (Figure 24) specifies how the Jetdirect Print Server handles error conditions. The settings are:
Dump then Reboot does a memory dump, then reboots.
Reboot Without Dump reboots without dumping memory.
Dump then Halt does a memory dump but does not reboot; operations are halted.
Choose the setting that best fits your security needs.
Figure 24: The Error Handling option.
Figure 25: The RCFG Setting option.

Job Timeout
The Job Timeout option enables the MFPs to move on from jobs that lack proper end-of-job signals. The MFPs will be able to switch protocols to continue with other jobs. Not all MFPs support the Job Timeout option, so it will not appear for all models. To set the Job Timeout option:
1. Click Job Timeout (Figure 26).
Figure 26: The Job Timeout option.
2.

Local language selections used for viewing Web pages
Network communications protocols enabled
Network management interfaces enabled
Device discovery protocols enabled
Printing protocols enabled
TCP/IP configuration methods enabled
SNMP control methods enabled
Wireless configuration methods enabled
The MFP must have internet access to allow HP to collect information. To disable the Privacy Setting option:
1.
Figure 28: The Protocol Stacks options.
The following table lists each protocol with the recommended setting and an explanation:

Protocol Stack | Recommended Setting | Explanation
IPX/SPX | Leave blank to disable | This setting disables access for Novell servers.
TCP/IP | Always Enabled. | This is the normal operating protocol for the MFPs.
DLC/LLC | Leave blank to disable | This setting enables the MFP to communicate at basic levels on the network. It should be disabled if not in use.

Apply your Changes
1. Click the Apply button located in the bottom right-hand corner to apply the settings to the selected devices. This will open the Configure Devices dialogue box (Figure 30).
Figure 30: The Configure Devices dialogue box.
2. Review your settings and then click the Configure Devices button to execute the configuration.

Configuring MFP Security Settings
The Security category includes many advanced security settings and password settings. If you are attempting to configure a setting that is in the Security category and not listed in this section, you should check the chapter on Advanced Security for multiple MFPs. To set the basic required settings in this category, follow the steps in the sections below.
Color Access Control
The Color Access Control options (Figure 32) allow you to manage the usage of color printing supplies within your organization. If you wish to restrict access to color printing, you can configure these settings to match your policy.
Figure 32: The Color Access Control options.

Control Panel Access
The Control Panel Access feature allows you to set the level of security on the physical control panel of your MFPs.
Figure 33: The Control Panel Access option.
Note: This setting prevents access to configuration settings in the control panel, including digital send and fax settings. If you wish to make changes to settings in the control panel, unlock access using Web Jetadmin, make the changes, and then lock access again. See the Ramifications chapter for more information.

Embedded Web Password
You can configure many of the settings in this checklist using the Embedded Web Server.
2. Type a password of 8 to 16 characters in the Embedded Web Server Password field (you should always type the maximum number of characters for best security). This setting requires users to log on for parts of the EWS that provide configuration options.
3. Repeat the password exactly in the Repeat Password field.
Note: The Embedded Web Server Password is synchronized with the Device Password (which appears later in this checklist).

Printer Firmware Update
HP recommends updating firmware whenever new firmware is available, but you should keep Printer Firmware Update disabled until you plan to use it. To disable Printer Firmware Update:
1. Click to select Printer Firmware Update (Figure 36), and select Disable.
Figure 36: The Printer Firmware Update option.

Secure Disk Encryption Mode
The Secure Disk Encryption Mode option (Figure 37) determines whether encryption is automatically enabled when an HP Secure Hard Disk is installed.
Figure 37: The Secure Disk Encryption Mode option.

Apply the Changes
1. Click the Apply button located in the bottom right-hand corner to apply the settings to the selected devices. This will open the Configure Devices dialogue box (Figure 38).
Figure 38: The Configure Devices dialogue box.
2. Review your settings and then click the Configure Devices button to execute the configuration.
Configuring MFP Fax Settings
The Fax category provides options for the analog fax functions. This includes settings to allow for printing fax jobs when the recipient is present and for restricting access to fax print jobs.

Configuring Fax Printing
Follow these instructions to configure Fax Printing:
Note: Be sure to configure the MFPs for fax capabilities before continuing with the instructions below. At the minimum, configure the modem settings for the country, the company, and the phone number.
1.
Note: This setting also enables PIN printing.
3. Select Store all Received Faxes. The Store all Received Faxes option holds incoming faxes for printing until someone enters the correct PIN and selects the menu options at the control panel. This is considered the most secure mode of fax printing. You may wish to use the fax scheduling options to print all faxes at a time when security is optimal.

Apply the Changes
1.
2. Review your settings and then click the Configure Devices button to execute the configuration.

Additional Fax Configuration
Some of the newer MFPs or recently upgraded MFPs may contain options for setting and locking down the Fax speed-dial feature. This Fax feature is not yet accessible via Web Jetadmin 10.2. To set your MFP speed-dial options, follow the steps below.
1.
3. Set any speed-dials you wish to have by selecting the speed-dial number and clicking the Edit Speed Dial button (Figure 43).
Figure 43: The Fax Speed Dials configuration button.
4. To keep speed-dial entries from being added or edited via the control panel, input the number of the specific speed-dials you wish to lock. We recommend locking all speed-dial entries from modification. To do this, enter 0-99 in the box and select Save (Figure 44).
Configuring MFP Embedded Web Server Settings

Embedded Web Server Configuration Options
Each MFP has an Embedded Web Server that provides network access to view MFP status, to set preferences, and to configure the MFP. You can view an MFP Embedded Web Server by typing the MFP IP address into a web browser. This section covers settings that Web Jetadmin accesses through the EWS.

Embedded Web Server Configuration Option | Recommended setting | Explanation
Outgoing Mail (enabled by default) | Enable as desired | Outgoing Mail enables the MFP to send alerts and AutoSend messages to a designated recipient. This is not necessarily a security-related feature. Use it as you see fit. This setting does not affect the MFP Send to Email feature.
Continue Button (enabled by default) | Select to enable | Continue Button allows the MFPs to resume after an error has been cleared.
Print Service (enabled by default) | Leave blank to disable | Print Service enables users to send print-ready files directly to an MFP without having the MFP installed on a computer.

Apply the Changes
1. Click the Apply button located in the bottom right-hand corner to apply the settings to the selected devices. This will open the Configure Devices dialogue box (Figure 46).
2. Review your settings and then click the Configure Devices button to execute the configuration.

Configuring MFP File System Settings
The File System category provides settings for access to the MFP hard drive, the Compact Flash card, and optional data storage devices. Several security settings are available that can help prevent unauthorized access to data.

File System External Access
It is recommended that all external access to the file systems on your MFPs be disabled.
protocol for the MFPs.
PostScript | Disabled | Prevents access to the file system through this protocol.
NOTE: Disabling PostScript may affect interactions with third-party applications.

File System Password
When a File System Password is set, the MFPs will require the password whenever anyone or any device requests access to the storage devices. To set the File System Password, follow the instructions below:
1. Click to select File System Password (Figure 48).
Figure 48: The File System Password option.

Secure File Erase Mode
This setting determines the level of overwriting applied to delete files during routine functions. This includes removal of files for the Secure Storage Erase function. The settings are:
Non-secure Fast Erase does a standard erase with no additional security.
Secure Fast Erase overwrites files using one pass. This takes some extra time, but it provides reasonable security.
Secure Sanitizing Erase overwrites files with three passes.
Figure 50: The Secure File Erase Mode setting.

Apply the Changes
5. Click the Apply button located in the bottom right-hand corner to apply the settings to the selected devices. This will open the Configure Devices dialogue box (Figure 51).
Figure 51: The Configure Devices dialogue box.
6. Review your settings and then click the Configure Devices button to execute the configuration.
Configuring MFP Digital Sending Settings
The Digital Sending category includes options for email and for send to network folder. This includes settings for protecting the sender identification fields.
Note: Some security-related settings that do not apply to LaserJet and Color LaserJet MFPs might appear on the Digital Sending page. These settings are for other types of HP MFPs. You should configure the settings that appear in the instructions below.

Default From Address
HP recommends configuring the default From address to ensure that no one can send email using false or misleading identification. If you are using LDAP Authentication, the MFP will use the email address of the authenticated user to replace the default From address. To configure the Default 'From:' Address:
1. Scroll down, and click to select Default 'From:' Address (Figure 53).
Figure 53: The Default From Address options.
2.
Figure 54: The Configure Devices dialogue box.
2. Review your settings and then click the Configure Devices button to execute the configuration.

Configuring Final Settings
Some of the MFP settings should be configured independently from other settings and only at the end of this checklist. Follow these instructions for the final settings:

Disabling Direct Ports
The Disable Direct Ports feature disables the USB and Parallel ports on the MFPs.
Figure 55: The Disable Direct Ports option.
2. Click to select the Disable Direct Ports option to the right.
3. Select Yes.
4. Click Apply at the bottom of the page.
5. Wait for a few minutes to allow all of the MFPs to restart. Do not continue until all of them are at the READY state.

Disabling EWS Config
EWS Config was required for configuring this checklist, but it should be disabled during normal use of the MFPs. To disable EWS Config:
1.
Note: This setting disables configuration from the MFP EWS. It also disables all EWS-related settings in Web Jetadmin (they will disappear from Web Jetadmin menus). With this setting configured, the only way to make changes to the EWS settings again is to re-enable them using Web Jetadmin. Always remember to disable EWS Config after making changes.

Your MFPs are now securely configured.
Chapter 4: Advanced Security for Multiple MFPs

This chapter gives some tips for configuring more advanced security settings for one or more MFPs using HP Web Jetadmin. These features should be set up before locking down your MFPs using the settings in the previous chapter. This allows adequate testing of your security solution to be completed while you still have open access to your devices.

Figure 57: The Configuration Categories Menu Network option.
2. Add an IP address or a net mask by filling in the IP Address or Mask fields.
CAUTION: Be sure to include the IP address of the computer that is running Web Jetadmin (it can be a computer other than the one you are using). Otherwise, the ACL will block your access, and you will not be able to continue. The Mask option requires an entry in the IP Address field to determine the subnet for which to grant access.
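The lockout risk in the CAUTION above can be checked before the ACL is applied to a fleet. The following is an added example, not code from the HP checklist or from HP Web Jetadmin: the AclEntry shape, the precheck_acl function and the sample addresses are constructed for illustration, and the only rules it enforces are the two the checklist states (the Web Jetadmin host must be admitted, and a Mask needs an IP Address to define its subnet).

```python
"""Pre-check an IP access control list (ACL) before applying it with Web Jetadmin.

Added example; not code from the HP checklist or from HP Web Jetadmin. It models
the two rules in the CAUTION: the ACL must admit the host that runs Web Jetadmin
(which may be a different PC from the one the administrator sits at), and a Mask
entry needs an IP Address entry to define its subnet. Every address below is a
constructed sample, not a value from a real fleet.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One ACL row as typed into Web Jetadmin: IP Address plus an optional Mask."""
    ip: Optional[str]
    mask: Optional[str] = None


def entry_to_network(entry: AclEntry) -> ipaddress.IPv4Network:
    """Turn an ACL row into the subnet it admits.

    A bare IP admits exactly that host. A Mask with no IP cannot name a subnet,
    which is the misconfiguration the checklist warns about.
    """
    if not entry.ip:
        raise ValueError(f"Mask {entry.mask!r} has no IP Address; subnet cannot be determined")
    if entry.mask:
        # strict=False tolerates host bits left set, e.g. 10.1.2.44 with mask 255.255.255.0.
        return ipaddress.IPv4Network((entry.ip, entry.mask), strict=False)
    return ipaddress.IPv4Network(f"{entry.ip}/32")


def acl_allows(acl: Iterable[AclEntry], host: str) -> bool:
    """True if any valid ACL row admits the host. Invalid rows admit nothing."""
    addr = ipaddress.IPv4Address(host)
    for entry in acl:
        try:
            if addr in entry_to_network(entry):
                return True
        except ValueError:
            continue
    return False


def precheck_acl(acl: List[AclEntry], jetadmin_host: str,
                 other_admin_hosts: Iterable[str] = ()) -> List[str]:
    """Return a list of problems; an empty list means the ACL is safe to apply."""
    problems: List[str] = []
    for entry in acl:
        try:
            entry_to_network(entry)
        except ValueError as exc:
            problems.append(str(exc))
    if not acl_allows(acl, jetadmin_host):
        problems.append(f"ACL does not admit the Web Jetadmin host {jetadmin_host}; "
                        "applying it would lock Web Jetadmin out of the MFPs")
    for host in other_admin_hosts:
        if not acl_allows(acl, host):
            problems.append(f"ACL does not admit administrative host {host}")
    return problems


def describe_acl(acl: Iterable[AclEntry]) -> List[str]:
    """Show how many addresses each row admits, to catch a mask wider than intended."""
    lines: List[str] = []
    for entry in acl:
        try:
            net = entry_to_network(entry)
            lines.append(f"{entry.ip} mask {entry.mask or '255.255.255.255'} -> {net} "
                         f"({net.num_addresses} addresses)")
        except ValueError as exc:
            lines.append(f"INVALID: {exc}")
    return lines


if __name__ == "__main__":
    # Constructed sample: an admin subnet, one extra host, and a Mask typed without an IP.
    sample_acl = [
        AclEntry("10.1.2.0", "255.255.255.0"),
        AclEntry("192.168.5.17"),
        AclEntry(None, "255.255.0.0"),
    ]
    for line in describe_acl(sample_acl):
        print(line)
    # Web Jetadmin runs on a host outside the admin subnet in this sample, so the
    # precheck reports the lockout before anything is pushed to the MFPs.
    for problem in precheck_acl(sample_acl, jetadmin_host="10.1.3.44"):
        print("PROBLEM:", problem)
```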
Authentication Manager
The Authentication Manager allows you to customize access to functions of the MFP. You can use these options to provide varying services to different groups of people.
1. Click to select Authentication Manager (Figure 58).
Figure 58: The Authentication Manager options.
Note: Be sure to select only the authentication features that you plan to configure for the MFPs selected.
Figure 59: The drop-down menu for Log in at Walk Up.
Choosing an authentication method for Log in at Walk Up causes the MFP to require everyone to log in for access to the control panel menus. You can choose to require further authentication for specific functions of the MFP. Choose an authentication method for each device function as desired. If you choose to use different log-in methods for each device function, the MFP will require authentication as needed.
Figure 60: The Group 1 PIN and Group 2 PIN Authentication options.
Click to select PIN Authentication, and enter PINs as desired. Be sure to repeat the PINs exactly in the Confirm PIN fields.
Note: If your network includes NTLM service, configure NTLM. This option specifies the authentication method to use when your MFP executes a send to folder job. We recommend using the highest authentication available.

LDAP
If your network includes LDAP, configure the LDAP Authentication options (Figure 61).
Figure 61: The Accessing the LDAP Server options.
These settings enable the MFPs to require a user's logon credentials for use of the MFPs. This is related to the LDAP access options in the Digital Sending category, which enable the MFP to use the LDAP address book; however, the SSL certificate options for both configurations appear on the Digital Sending page.
If you choose Simple for the bind method, usernames, email addresses, passwords, and other data will be sent over the LDAP protocol in clear text. Fill in the remaining fields according to your network configuration.
If your network has Kerberos authentication capabilities, configure the Kerberos Authentication options.

User PIN Authentication
User PIN Authentication allows you to restrict access to MFP functions by specific users.
Chapter 5: Settings List

This section is a complete list of the settings recommended in this checklist. This section does not include instructions or explanations. It is intended to be used as a check-off list of the recommended settings to help ensure that you complete the entire configuration. See the Network Security section (above) and the Ramifications section (below) for information on each setting.

Disable mDNS Config.
Disable IPV4 Multicast Config.
Disable WS-Discovery.
Enable HTTPS Setting to Encrypt all web communication.
Configure Encryption Strength to High.
Configure Error Handling.
Disable IPX RCFG Support.
Configure Job Timeout.
Set the Privacy Setting as desired.
Configure Protocol Stacks.
Disable IPX/SPX.
Enable TCP/IP.
Disable DLC/LLC.
Disable AppleTalk.
Disable Web Services Print.

Security Category Options
Configure Bootloader Password.

Embedded Web Server Page Options
Configure Embedded Web Server Configuration options.
Enable Outgoing Mail.
Disable Incoming Mail.
Disable Cancel Job Button.
Disable Go Button.
Disable Command Invoke.
Disable Command Download.
Disable Command Load and Execute.
Enable Continue Button.
Disable Print Service.

File System Page Options
Configure File System External Access.
Disable PJL.
Disable PML.
Disable NFS.
Disable PostScript.
Configure File System Password.
Chapter 6: Default Settings

This chapter lists the default setting for each configuration in the checklist:

Setting | Default Setting
Configure HP Secure Hard Disk | Installed and Enabled
Configure SNMPv3 (Security page). | Not configured
I/O Timeout to End Print Job | Not configured
Configure Job Hold Timeout. | Never Delete
Enable Job Retention. | Enabled
Configure Enable Features options (do not disable EWS Config at this point). | (See below)
Disable Telnet Config. | Enabled
Disable SLP Config. |
IPX RCFG Support. | Enabled
Configure Job Timeout. | Not Configured
Set the privacy setting as desired. | Not configured
Configure Protocol Stacks. | (See below)
Disable IPX/SPX. | Enabled
Enable TCP/IP. | Enabled
Disable DLC/LLC. | Enabled
Disable AppleTalk. | Enabled
Web Services Print. | Enabled
Configure Bootloader password. | Not configured
Configure Color Access Control | Not configured
Configure Control Panel Access to Maximum Lock. | Unlock
Configure Embedded Web Server Password. |
Disable Incoming Mail. | Disabled
Disable Cancel Job Button. | Disabled
Disable Go Button. | Enabled
Disable Command Invoke. | Enabled
Disable Command Download. | Enabled
Disable Command Load and Execute. | Enabled
Enable Continue Button. | Enabled
Disable Print Service. | Enabled
Configure File System External Access. | (See below)
Disable PJL. | Enabled
Disable PML. | Enabled
Disable NFS. | Enabled
Enable PostScript. | Enabled
Configure File System Password. |
Configure Auto Reset Send Settings to Delay before resetting the default settings, and type a number of seconds to delay. | Not configured, Delay default: 20 seconds
Configure Default From Address. | Not configured
Select Prevent user from changing the Default From Address. | Not selected
Disable Direct Ports (wait for MFPs to restart). | Enabled
Disable EWS Config. |
Chapter 7: Ramifications
Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring the settings recommended in this checklist. Keep in mind that this is not a comprehensive list. You should test each MFP in your network environment to understand the implications of these settings and configurations.
Disabling SNMPv1 disables SNMPv1 GET and SNMPv2 SET commands. Any solution or software that requires SNMPv1 or SNMPv2 will not function. If you require these to be enabled, be sure to set the community name to something that would be difficult to guess.

Device Page Settings
Set I/O Timeout to End Print Job. The I/O Timeout to End Print Job allows you to specify the amount of time a device should wait between packets before canceling a job.
Disable SLP Config. SLP Config accommodates software that uses SLP as a discovery mechanism. For example, disabling SLP Config on some Novell networks (depending on how Novell is configured) would cause Novell to not recognize the MFPs on the network. Thus, if your network uses these features of Novell, you should enable SLP Config. If you use software other than HP Web Jetadmin with your HP MFPs, please test this feature before disabling it.
Enable HTTPS, and configure the setting to Encrypt all web communication. This setting enables encryption for configuration data between the PC and the MFP EWS. It prevents sensitive data such as usernames and passwords from passing over the network in clear text. This setting is related to the EWS Encryption Strength setting explained earlier. Web browsers that do not support SSL and high encryption strength will not be able to access the MFP EWS.
Disable unused Protocol Stacks. These options provide for the various types of network communication to the MFPs. Closing down unused protocol stacks is effective toward better network security. See the ramifications of each option below:

Disable IPX/SPX. IPX/SPX is the network protocol for Novell. Disabling it prevents printing and all other communications with Novell non-TCP/IP components. With it disabled, Novell non-TCP/IP components will not recognize the MFPs on the network.

Enable TCP/IP.
The maximum Control Panel Access Lock closes all access to the fax menu. This includes the options to Cancel All Pending Transmissions and Cancel Current Transmission. If you wish to provide these options, use Intermediate Lock.

Configure the Embedded Web Server Password. The EWS password restricts access to the configuration settings in the EWS. When configured, the MFP requires the password whenever anyone or any application attempts to make changes to the EWS settings.
The Device Password is synchronized with the EWS password. If you change either of them, the MFP will change the other one to be the same.

Disable Allow Use of Digital Send Service. HP Digital Sending Software is a useful tool for managing MFP digital sending. It is available for purchase at hp.com. HP recommends using Digital Send Service, but it is not covered in this checklist. Thus, this checklist recommends disabling it unless you are using it.
Disable Incoming Mail. Some network solutions can send commands to the MFP via email. If your network uses any of these solutions, you should enable Incoming Mail. Otherwise, disable it as a best practice. This setting does not affect any other use of the MFP. With this setting configured, the MFPs will ignore all incoming emails.

Disable Cancel Job Button. The EWS provides a Cancel Job button that allows users to cancel jobs that are pending in the queue.
NOTE: Some storage management tools, such as the Web Jetadmin Device Storage Manager (a Web Jetadmin add-on available in the Product Update navigation mode), use some of these protocols to access the file system. You might consider enabling these protocols only to update configurations and then disabling them during normal MFP operation. Also, note that disabling PJL and PML only affects file system access, but disabling NFS shuts down the protocol for the entire MFP.

Disable PJL access.
ensures that the original data is destroyed. Secure Fast Erase mode overwrites files one time. It slows MFP performance a bit, but it provides reasonable security for most situations. Secure Sanitizing Erase overwrites files 3 times. It slows MFP performance considerably, but it provides even more assurance that the data is not recoverable. If your network is required to meet stringent security requirements such as DOD regulations, you should use Secure Sanitizing Erase.
Disable EWS Config. Disabling EWS Config removes the EWS from the network; it becomes unavailable to everyone. This eliminates many risks to security. Since all of the EWS configuration settings are available in Web Jetadmin, there is no need to have them available anywhere else. Keep in mind, though, that disabling EWS Config also removes the affected settings from Web Jetadmin. Thus, you will have to enable EWS Config temporarily to make changes to the configurations, and then disable it again.
Chapter 8: Physical Security
Many of the most notable features of HP MFPs involve hard copy documents. MFPs can print them, scan them, send them to email, send them to network folders, send them to other printers, and fax them. Handling hardcopy documents can involve a variety of activities that can lead to compromise of data security:
Leaving documents in the printer output trays exposed to possible unauthorized viewers.
Chapter 9: Appendix 1: Glossary of Terms and Acronyms
The following table lists terms and acronyms found in this checklist:

Term | Description
ACL | Access Control List. The ACL restricts network access to the MFP by allowing only those IP addresses or subnets that are listed in it.
Analog fax | Analog fax is the fax function carried over telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist.
JDI | Jetdirect Inside. Many of the MFPs include internal Jetdirect hardware as standard equipment. Other MFPs, such as HP Color LaserJet 9500 MFPs, require EIO Jetdirect cards for network connectivity.
Job Retention | Job Retention is the MFP capability of storing print jobs or fax jobs for printing on demand at the control panel. PIN printing and PIN fax printing are functions of Job Retention.
Microsoft® is a U.S. registered trademark of Microsoft Corporation. Adobe and PostScript are trademarks of Adobe Systems Incorporated. © Copyright 2005, 2006, 2009, 2010 Hewlett-Packard Development Company, L.P.