HP Commercial LaserJet Printers and MFPs - Imaging and Printing Security Best Practices

Chapter 7 HP LaserJet and Color LaserJet MFP Security Checklist 80
The maximum Control Panel Access Lock closes all access to the fax menu. This includes the
options to Cancel All Pending Transmissions and Cancel Current Transmission. If
you wish to provide these options, use Intermediate Lock.
Configure the Embedded Web Server Password. The EWS password restricts access to
the configuration settings in the EWS. When configured, the MFP requires the password
whenever anyone or any application attempts to make changes to the EWS settings. Keep in
mind that the settings provided in the EWS are also accessed by Web Jetadmin. Thus, the
MFPs will require the EWS password from Web Jetadmin whenever it attempts to access these
settings.
Web Jetadmin keeps all passwords and credentials in the encrypted device cache. It will
automatically provide the EWS password to the MFPs whenever they MFPs prompt for it.
The EWS password is synchronized with the device password, which is recommended later in
this checklist. Whenever you change either password, the MFP will change the other one to be
the same.
Configure the PJL Password. The PJL password prevents unauthorized users from configuring
certain features of the MFP. It requires the password to change these settings via Print Job
Language (PJL) commands.
With the PJL Password configured, the MFPs will deny access to commands that attempt to
change default settings without the correct password.
Disable Printer Firmware Update. Printer Firmware Update enables the MFPs to
accept printer firmware updates from various sources. Disabling it ensures that no one can
send firmware updates to the MFPs. If this feature is disabled it may still be possible to update
the firmware manually through the boot loader if you have not safeguarded this option.
HP recommends updating firmware whenever it becomes available at hp.com. You should
enable Printer Firmware Update to perform the upgrades and then disable it again during
normal use of the MFPs.
With Printer Firmware Update disabled, the MFPs will deny access whenever anyone
attempts to upgrade the firmware.
Configure Authentication (LDAP, Kerberos, Device PIN, or User PIN). Authentication requires
users to log on for use of the MFPs.
Configure Authentication Manager. The Authentication Manager provides the settings to
require log in for use of the MFP. It is important to be sure to configure the authentication
methods (LDAP, Kerberos, Device PIN, or User PIN) you wish to enforce in the authentication
manager. With authentication enabled, MFPs will deny access to users who cannot supply the
correct credentials.
Set the Device Password. The Device Password helps prevent unauthorized users from
changing configurations in the MFPs. The MFPs will deny access to configuration settings
without the password.
Web Jetadmin keeps MFP credentials in its encrypted device cache. It will not prompt for the
device password of an MFP that it manages.