HP Imaging and Printing Security Best Practices

Configuring Security for LaserJet MFPs and Color LaserJet MFPs

Version 1.0 for HP LaserJet Enterprise Printers & HP Web Jetadmin 10

HP Scanjet Enterprise 7000n, HP Color LaserJet CP5520, HP Color LaserJet CM4540 MFP, and HP LaserJet M4555 MFP

© Copyright 2011 Hewlett-Packard Development Company, L.P.
Table of Contents

Chapter 1: Introduction
Cautions
Follow the Checklist in Order
HTTP Idle Timeout
IPX RCFG Support
Network Enable Features
Protocol Stacks
TCP Idle Timeout
Chapter 7: Ramifications
Initial Settings
Device Page Settings
Network Page Options
Security Page Options
Chapter 1: Introduction

This document is a security checklist for the following HP device models:

• HP Scanjet Enterprise 7000n
• HP Color LaserJet CP5520
• HP Color LaserJet CM4540 MFP
• HP LaserJet M4555 MFP

This checklist is written for acceptance by the National Institute of Standards and Technology (NIST), and it will be available at the NIST Checklist website. This checklist is meant for trained network administrators who use HP Web Jetadmin version 10.1 or above in enterprise networks.
possible security threats; however, some of these settings can cause unexpected problems in your environment, especially if you are using custom print solutions. Please be aware of the following cautions before you begin:

Follow the Checklist in Order

The settings in this checklist are presented in a specific order to ensure success. Many of these security settings can be configured successfully only in the correct order.
Jetdirect connections and using HP Web Jetadmin. Administrators should have read the MFP user guide, the MFP administrator guide, the Jetdirect administrator guide, the Web Jetadmin user guides, and the help files. This checklist relies on these materials for necessary information. All of these guides are available by searching for them at hp.com.

• MFPs: This checklist covers security settings for specific HP devices outlined at the beginning of this document.
• Chapter 4: Basic Network Security for Multiple HP Devices: The Network Security for Multiple MFPs chapter provides step-by-step instructions for configuring MFP security settings.
• Chapter 5: Settings List: The Settings List chapter provides a bulleted list of the recommended settings with checkboxes. It does not include instructions or explanations.
• Chapter 6: Default Settings: The Default Settings chapter lists each recommended setting with its corresponding default setting.
Chapter 2: Threat Model

This section explains the types of security risks involved with operating MFPs in enterprise environments. As technology improves, malicious people (hackers) continue to find new ways to exploit networks. They are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or the internet. Predicting the actions of a hacker is difficult, but HP is dedicated to research in this area.
You can minimize the risks from identity spoofing in the following ways:

• Protect the from address field in the MFP Digital Sending and Fax configurations.
• Protect MFP disk access.
• Configure authentication.
• Configure the administrator password.
• Configure SNMPv3.

Tampering with Data

Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from a device or stored on it.
• Enable embedded IPSec to encrypt the data stream to include log data and file metadata.
• Close unused ports and protocols.
• Save copies of log data at a separate location.
• Add security solutions such as smartcard, swipe-card and thumbprint readers.

Information Disclosure

Information disclosure is gathering information from an MFP and providing it to unauthorized users. This can include authentication information, usage log information, or information from the contents of a job.
• Changing access configurations

Here are some methods of minimizing opportunities for denial of service on an MFP:

• Lock the control panel by configuring Access Controls.
• Lock EWS configuration settings.
• Close unused ports and protocols.
• Disable controls such as the Job Cancel button and the Go button.
• Enable the resume feature to allow the MFP to resume operations after an error state.
• Configure Job Timeout.
• Control physical access to the MFP.
Chapter 3: Advanced Security for Multiple HP Devices

This chapter will provide some tips for configuring HP MFP security features that require network specific information to operate correctly using HP Web Jetadmin. This chapter will also provide some special recommendations for those using customized HP solutions. These features should be installed before locking down your MFPs using the settings in the next chapter.
Figure 2: The Access for Device Functions option.

To set access control for each of these permission sets, check or un-check the box in that permission set column for access to that function. If you would like a special kind of authentication, you can also set the sign-in method for that device function.

Figure 3: The Access for Device Functions option.

Choosing an authentication method for Log in at Walk Up causes the MFP to require everyone to log in for access to the control panel menus.
Note: Be sure to select only the authentication features that you plan to configure for the MFPs selected. Many of the options available (such as LDAP, Kerberos, and Digital Send Service) require additional solutions on the network for support. For more information on Access Control configuration, please refer to the user or administration guide for your device. For more information on Access Control Solutions, please refer to the Access Control Printing Solutions Overview located here: http://h20195.www2.
CAUTION: Be sure to include the IP address of the computer that is running Web Jetadmin (it can be a computer other than the one you are using). Otherwise, the ACL will block your access, and you will not be able to continue. The Mask option requires an entry in the IP address field to determine the subnet for which to grant access. If you set a mask be sure it is correct before moving on. 1.
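The lockout described in the caution above can be checked before an ACL is applied. The following is an added example, not part of the HP checklist or Web Jetadmin; it assumes the usual IP/mask matching (a client is allowed when its address ANDed with the mask equals the entry ANDed with the mask), and all addresses are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def acl_network(ip, mask=None):
    """Return the IPv4 network one ACL entry (IP address plus optional mask) grants.

    An entry without a mask is treated as a single host (assumption).
    Raises ValueError for a malformed address or a non-contiguous mask.
    """
    addr = int(ipaddress.IPv4Address(ip))
    mask_int = ALL_ONES if not mask else int(ipaddress.IPv4Address(mask))
    host_bits = mask_int ^ ALL_ONES
    # A subnet mask is a run of 1 bits followed by a run of 0 bits, so its
    # complement must be of the form 2**n - 1. This also rejects wildcard-style
    # masks such as 0.0.0.255.
    if host_bits & (host_bits + 1):
        raise ValueError(f"mask {mask} is not a contiguous subnet mask")
    prefix = 32 - host_bits.bit_length()
    return ipaddress.IPv4Network((addr & mask_int, prefix))


def review_acl(entries, management_host):
    """Review (ip, mask) ACL entries before they are applied.

    Returns (covered, findings): covered is True when management_host (the
    computer running Web Jetadmin) is allowed by at least one valid entry.
    """
    host = ipaddress.IPv4Address(management_host)
    covered = False
    findings = []
    for ip, mask in entries:
        try:
            net = acl_network(ip, mask)
        except ValueError as exc:
            findings.append(f"INVALID {ip} {mask or ''}: {exc}")
            continue
        if net.prefixlen == 0:
            findings.append(f"BROAD {ip} {mask}: matches every IPv4 address")
        elif mask and int(ipaddress.IPv4Address(ip)) != int(net.network_address):
            findings.append(f"NOTE {ip} {mask}: host bits ignored, entry grants {net}")
        if host in net:
            covered = True
            findings.append(f"OK {management_host} is allowed by {net}")
    if not covered:
        findings.append(f"LOCKOUT {management_host} matches no entry; add it before applying")
    return covered, findings


# Constructed sample ACL: one single host, one subnet, one mistyped mask.
SAMPLE_ACL = [
    ("192.0.2.10", None),
    ("198.51.100.37", "255.255.255.0"),
    ("203.0.113.0", "255.0.255.0"),
]

if __name__ == "__main__":
    # Constructed management-host addresses: the first is covered, the second is not.
    for mgmt in ("198.51.100.200", "192.0.2.11"):
        ok, notes = review_acl(SAMPLE_ACL, mgmt)
        print(mgmt, "covered" if ok else "WOULD BE LOCKED OUT")
        for line in notes:
            print("  ", line)
```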
LDAP

If your network includes LDAP, configure the LDAP Sign In Setup and the LDAP Users and Groups options (Figure 5).

Figure 5: The LDAP Sign In Setup options.

Figure 6: The LDAP Users and Groups options.

These settings enable the MFPs to require a user's logon credentials for use of the MFPs. This is related to the LDAP access options in the Digital Sending category, which enable the MFP to use the LDAP address book.
Security Features Available Through the Embedded Web

These features are either only partially offered in Web Jetadmin, or are only available for configuration through the MFP's embedded web interface.

LLMNR

Link-Local Multicast Name Resolution (LLMNR) is a protocol that provides a method for resolving host names on the same local link. It is useful in networks that do not have a DNS server. It does not require any configuration or administration in order to work, and it supports IPv4 and IPv6.
Figure 8: The Configuration Categories Menu Network option.

Certificate Management Service

The Certificate Mgmt Service setting enables/disables batch certificate management. Using the Certificate Batch plug-in, WJA 10.x can batch manage and configure certificates on devices that support the Certificate Mgmt Service.

Figure 9: The Configuration Categories Menu Network option.
Enable WINS Port

The Enable WINS Port setting enables/disables the port used for WINS name resolution. To enable the WINS Port:

1. Browse to the Embedded Web Server for the target device.
2. Select the Networking tab.
3. Choose Other Settings from the left hand menu.
4. Check the box for Enable WINS Port (Figure 10).

Figure 10: Enable WINS Port by selecting check box.
Figure 11: Enable TFTP Configuration File use by selecting check box.

IPPS

The IPPS Printing setting enables/disables the Internet Printing Protocol over SSL. IPPS provides a secure method for sending print jobs to the device over the Internet or intranet.

Figure 12: The Configuration Categories Menu Network option.
HP & 3rd Party Solutions

Most of the recommendations in the next chapter of this checklist can be implemented without causing the HP and third party solutions you may utilize in your environment to fail. However, there are some settings that have been known to cause problems.
Chapter 4: Basic Network Security for Multiple HP Devices

This chapter explains how to configure security settings for one or more printers using HP Web Jetadmin. It assumes that you have taken or plan to take reasonable steps to secure the network environment in which your MFPs are operating. This includes configuring network firewalls and providing up-to-date virus controls.
credentials. Thus, you should keep a log of the passwords in a safe place. Web Jetadmin will prompt for passwords during the configuration process if they are missing from the cache.

CAUTION: Losing passwords can block access to an MFP. Be careful to record them in a safe place. It is most important to remember the Bootloader password. With it, it is possible to restore the MFPs to factory default settings.
• Record the passwords in a safe but hidden place. The passwords are designed to restrict access to management options on the MFPs. Losing a password can eliminate your access to settings. This is most important for the Bootloader Password. The Bootloader Password is a permanent setting that can never be changed or reset without the correct password.

Getting Started

This section provides instructions for configuring HP printers for best-practice security.
Setting up HP Web Jetadmin

Follow these instructions to prepare Web Jetadmin for configuring the MFPs:

Open Web Jetadmin to view the device list (Figure 13) that appears by default.

Figure 13: Web Jetadmin showing the device list on the default view.

Check to see that the print devices you wish to configure appear in the Device Model List. If they are not in the list, use the Discovery options to find the print devices on your network.
Note: Remember that the steps in this checklist are for the specified HP LaserJet and Color LaserJet MFPs. Other devices may appear in the Device Model list, and it may be possible to configure them using this process, but the results may vary.

Click the Config tab in the lower half of the Device List view to show settings available for configuration (Figure 15).

Figure 15: The Config tab displays settings available for configuration.
Configuring HP Secure Hard Disk

If you have an HP Secure Hard Disk installed, you need to verify that data encryption is enabled (this should happen by default after initial hard drive installation).

WARNING: If your HP Secure Hard Disk is not already configured to encrypt your data, consult your documentation to resolve this issue.
1. Select Protect Stored Data from the right hand menu list to view the Protect Stored Data Page (Figure 17).

Figure 17: Shows the Protect Stored Data settings page in the EWS.

2. In the Hard Disk Status section of the Protect Stored Data page you can see the Encryption Status for that device. If you see a green checkmark, the device is encrypting your data properly (Figure 18).

Figure 18: Shows the Hard Disk Status; a green check means an encrypted disk is Installed and Encrypted.
The next step is to configure secure communications between HP Web Jetadmin and the MFPs:

Configuring SNMPv3

SNMPv3 provides encryption for communication between Web Jetadmin and MFPs. It helps to ensure that only authorized and authenticated administrators have access to the configuration settings of the MFPs. It also helps to ensure that no one can gather sensitive information, such as passwords, usernames, and other codes, over the network while you are configuring the MFPs.
On the SNMP Version Access Control menu, select the Enable SNMPv3 checkbox (Figure 20).

Figure 20: Shows Enable SNMPv3 selected.

Once Enable SNMPv3 has been selected, fill in the New User, the New Authentication Passphrase, and the New Privacy Passphrase fields (Figure 21) in the New SNMPv3 Credential section. See below for details.

Figure 21: The Enable SNMPv3 option has been selected and the New SNMPv3 Credential section is complete.

The New User Name field can be any name you choose.
CAUTION: These instructions are for the initial configuration of SNMPv3. Once you finish this configuration, your devices will require these credentials whenever anyone attempts to access settings over the network. Be sure to remember these credentials and provide them only to authorized users. If these credentials are forgotten, the only way to restore communication between HP Web Jetadmin and the print devices is to restore them to factory default settings.
Configuring Device Settings

The Device category includes settings that affect some of the normal use of the print device. The following settings affect how jobs are stored, and how long your print device will wait before a job times out in a particular way.

1.
Figure 24: The Input Auto Continue Timeout options.

Job Hold Timeout

From the Device category, select the Job Hold Timeout menu (Figure 25). Click the checkbox to enable the Job Hold Timeout (Figure 25) setting, and select a reasonable time for printing. This ensures that stored copy and print jobs on the MFP are erased after a reasonable time.

Figure 25: The Job Hold Timeout options.

Job Retention

From the Device category, select Job Retention (Figure 26).
Figure 26: The Job Retention options.

This allows users to store print jobs and fax jobs for printing at their discretion (when they can be present to control the printouts and keep them from view).

Note: Job Hold Timeout does not apply to fax jobs.

Job Storage Limit

The Job Storage Limit allows you to specify the maximum number of stored jobs allowed on the printer. You will want to choose a number of jobs that is appropriate for your print devices and print usage in your environment.
Apply the Changes

Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. This will open the configure devices dialogue box (Figure 28).

Figure 28: The Configure Devices dialogue box.

1. Review your settings and then click the Configure Devices button to execute the configuration.
Configuring Network Settings

The Network category on the Device tab provides options that relate to Jetdirect Print Servers. The security features you will be configuring restrict what methods are available for communication with your MFP over the network. Follow the instructions below to view and configure these options.

Click the Network category on the Config tab to expand the configuration options (Figure 29).

Figure 29: The Network Category.
Figure 30: Enabling ePrint Print.

Error Handling

The Error Handling option (Figure 31) specifies how the Jetdirect Print Server handles error conditions. The settings are:

• Dump then Reboot does a memory dump then reboots.
• Reboot Without Dump reboots without dumping memory.
• Dump then Halt does a memory dump but does not do a reboot; operations are halted.

Choose the setting that best fits your security needs.

Figure 31: The Error Handling option.
Click HTTP Idle Timeout (Figure 32).

Figure 32: The HTTP Idle Timeout option.

In the input field, type a reasonable number of seconds (5 to 60) for the device to wait on an idle connection before moving on. If you spool large documents on a regular basis you will want to set this on the higher end. The default setting is 15.

IPX RCFG Support

This setting prevents access to configuration settings through Novell NetWare linkages; however, you should enable it if your network uses these linkages.
Figure 33: The RCFG Setting option.

Network Enable Features

To enable or disable print features on your MFP:

Click Enable Features from the configuration options in the Network category (Figure 34).

Figure 34: The Enable Features option.

1. Next, select the print features you would like to enable or disable.
| Feature | Recommended Setting | Explanation |
| --- | --- | --- |
| EWS Config | Disabled*** | Disabling EWS Config closes down the EWS and it eliminates the configuration settings that are controlled by the EWS. It also removes the affected settings from Web Jetadmin menus. This includes settings for email, send to folder, and fax. You should disable EWS Config while the MFPs are in use, and enable it only to make changes to the affected configurations. |
| MDNS Config | Disabled | Disabling MDNS Config prevents access to configuration settings and other features through MDNS. |
| IPv4 Multicast Config | Disabled | Disabling IPv4 Multicast Config prevents access to configuration settings and other features through IPv4 Multicast. |
| WS-Discovery | Disabled | Disabling WS-Discovery prevents systems from using WS-Discovery for discovering or browsing printers on the network. |
Figure 35: Review your Enable Features Configuration selections before configuring your devices.

Protocol Stacks

The Protocol Stacks option allows you to enable or disable certain print protocols used in your environment. To set your configuration:

Click to select Protocol Stacks (Figure 36), and deselect all unused protocol stacks as applicable to your network. See the table below.
Figure 36: The Protocol Stacks options.

The following table lists each protocol with the recommended setting and an explanation:

| Protocol Stack | Recommended Setting | Explanation |
| --- | --- | --- |
| TCP/IP | Always Enabled. | This is the normal operating protocol for the MFPs. |
| IPX/SPX | Leave blank to disable | This setting disables access for Novell servers. |
| DLC/LLC | Leave blank to disable | This setting enables the MFP to communicate at basic levels on the network. It should be disabled if not in use. |
Figure 37: The HTTP Idle Timeout option.

In the input field, type a reasonable number of seconds (5 to 60) for the device to wait on an idle connection before moving on. If you spool large documents on a regular basis you will want to set this on the higher end. The default setting is 15.

Web Services Print

This option enables or disables the Microsoft Services for Devices WSD Print services supported on the HP Jetdirect Print Server.

Click to select Web Services Print (Figure 38), and select Disabled.
Configuring Security Settings

The Security category includes many advanced security settings and password settings. If you are attempting to configure a setting that is in the Security category and not listed in this section, you should check the chapter on Advanced Security for multiple MFPs. To set the basic required settings in this category, follow the steps in the sections below.
Digital Sending Service

The Digital Sending Service is used when your print infrastructure utilizes a DSS server or other HP print solutions. If you have such a print infrastructure, keep Allow use of digital send service checked. Otherwise, deselect this checkbox to prevent unauthorized use of this service.

On the Config tab under the Security category page, select the Digital Sending Service option (Figure 40).

Figure 40: The Digital Sending Service option.
Repeat the password exactly in the Repeat Password field.

Note: The Embedded Web Server Password is synchronized with the Device Password (appears later in this checklist). If you change either the Embedded Web Server password or the Device Password, the MFP will configure both to be the same.

Enable Host USB

The Enable Host USB feature allows you to enable or disable use of USB accessories. An example of this would be scanning to a USB storage device.
Figure 43: Enabling HTTPS web communication.

Encryption Strength

The Encryption Strength setting allows you to choose the strength of the encryption algorithm used for communication between the MFP EWS and the web browsers connecting to it (this is related to the HTTPS Setting option above). To configure the Encryption Strength setting:

Click Encryption Strength in the Network category (Figure 44).

Click the Encryption Strength dropdown menu, and select the highest setting that your browser supports.
Figure 45: The Open/Print from USB option.

PJL Password

The PJL password protects the default features on the MFP that can be changed by sending PJL commands to the MFP. The PJL password is required for administrative PJL commands that are used to modify feature settings. If you do not set this password, you are vulnerable to having your device settings, including your control panel display, altered. To set the PJL Password:

Click PJL Password under the Security category (Figure 46).
Printer Firmware Update

HP recommends updating firmware whenever new firmware is available, but you should keep Printer Firmware Update disabled until you plan to use it. To disable Printer Firmware Update:

Click to select Printer Firmware Update (Figure 47), and select Disable.

Figure 47: The Printer Firmware Update option.

Restrict Color

The Restrict Color options (Figure 48) allow you to manage the usage of color printing supplies within your organization.
Note: If you are configuring multiple devices and are not sure whether a manual password has been set on any of those devices, it is recommended that you skip this step in the configuration.

Figure 49: The Secure Disk Encryption Mode option.

Apply the Changes

Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices.

1. Review your settings and then click the Configure Devices button to execute the configuration.
Figure 50: The Blocked Fax List settings.

Enter a fax number you wish to block and click the Add Number button. To remove a blocked fax number, highlight that number and click the Remove button.

Fax Header Settings

The Fax Header Settings option (Figure 51) allows you to set the phone number, company name, and location for all of your faxes. We recommend setting these options. Follow these instructions to configure Fax Printing:

Click Fax on the Config tab, and select Fax Header Settings.
1. Open the Embedded Web Server for your MFP by entering the IP address of the printer into the address field of your web browser, and click the fax tab (Figure 52).

Figure 52: The Fax Settings Page.

2. Click to select Fax Speed Dials on the left hand menu (Figure 53).

Figure 53: Fax Speed Dials selection and page.
3. Set any speed-dials you wish to have by selecting the speed-dial number and clicking the Edit Speed Dial button (Figure 54).

Figure 54: The Fax Speed Dials configuration button.

4. To keep speed-dial entries from being added or edited via the control panel, input the number of the specific speed-dials you wish to lock. We recommend locking all speed-dial entries from modification. To do this, enter 0-99 in the box and select Save (Figure 55).
Configuring MFP File System Settings

The File system category provides settings for access to the MFP hard drive, the Compact Flash card, and optional data storage devices. Several security settings are available that can help prevent unauthorized access to data.

File System External Access

It is recommended that all external access to the file systems on your MFPs be disabled. To do so, follow these instructions:

Click the File System category to select File System External Access (Figure 56).
Secure Fast Erase overwrites files using one pass. This takes some extra time, but it provides reasonable security.

Secure Sanitizing Erase overwrites files with three passes. It noticeably slows the MFP, but it ensures that files are completely unrecoverable. Use Secure Sanitizing Erase to meet stringent security requirements such as Department of Defense standards.

Note: Secure File Erase requires that the File System Password be configured.
are for other types of HP MFPs. You should configure the settings that appear in the instructions below. You may wish to configure the other settings as a safeguard, but they are ignored on devices that do not support them.

Auto Reset Send Settings

This setting governs how long after sending a job the device waits to log off the current user and reset the control panel.
Figure 59: The Default From Address options.

Click to select Prevent user from changing the Default 'From:' Address.

Fill in the Email Address field with any address that includes the at sign (@).

Tip: You may wish to use the email address of an administrator who can receive responses such as e-mail and send notices and failures.

Fill in the Display Name and the Default Subject fields as desired.
Figure 60: The Disable Direct Ports option.

Click to select the Disable Direct Ports option to the right. Select Yes. Click Apply at the bottom of the page.

Wait for a few minutes to allow all of the MFPs to restart. Do not continue until all of them are at the READY state.

Disabling EWS Config

EWS Config was required for configuring this checklist, but it should be disabled during normal use of the MFPs. To disable EWS Config:

Go to the Network category, and click to select Enable Features (Figure 61).
Note: This setting disables configuration from the MFP EWS. It also disables all EWS-related settings from Web Jetadmin (they will disappear from Web Jetadmin menus). With this setting configured, the only way to make changes to the EWS settings again is to re-enable them using Web Jetadmin. Always remember to disable EWS Config after making changes. Your MFPs are now securely configured.
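One way to confirm from the network that the Enable Features settings took effect on each device, as an added example that is not part of the HP checklist or of any HP tool. The port numbers are the standard defaults for each service (an assumption about the device), and the device names and results in SAMPLE are constructed.

```python
import socket

# Enable Features items from the checklist that can be verified with a TCP
# connect, mapped to (port, expected_open). Port numbers are the standard
# defaults for each service; that the device uses them is an assumption.
# SLP, mDNS and WS-Discovery use UDP/multicast and are not covered here.
CHECKLIST_TCP = {
    "Telnet Config": (23, False),
    "FTP Printing": (21, False),
    "LPD Printing": (515, False),
    "9100 Printing": (9100, True),
    "IPP Printing": (631, False),
}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_device(host, timeout=2.0):
    """Probe one device you administer and return {feature: is_open}."""
    return {name: tcp_port_open(host, port, timeout)
            for name, (port, _) in CHECKLIST_TCP.items()}


def deviations(observed):
    """Compare {feature: is_open} with the checklist.

    Returns a sorted list of (feature, port, problem) for every item that
    does not match, including items that were never checked.
    """
    problems = []
    for name, (port, expected_open) in CHECKLIST_TCP.items():
        if name not in observed:
            problems.append((name, port, "not checked"))
        elif observed[name] and not expected_open:
            problems.append((name, port, "open but checklist says Disable"))
        elif not observed[name] and expected_open:
            problems.append((name, port, "closed but checklist says Enable"))
    return sorted(problems)


def audit_fleet(observations):
    """Return {device: deviations} for the devices that deviate."""
    report = {}
    for device, observed in observations.items():
        found = deviations(observed)
        if found:
            report[device] = found
    return report


# Constructed sample results, in the shape probe_device() returns.
SAMPLE = {
    "mfp-a.example": {"Telnet Config": False, "FTP Printing": False,
                      "LPD Printing": False, "9100 Printing": True,
                      "IPP Printing": False},
    "mfp-b.example": {"Telnet Config": True, "FTP Printing": False,
                      "LPD Printing": False, "9100 Printing": True,
                      "IPP Printing": True},
    # LPD result missing and port 9100 unexpectedly closed.
    "mfp-c.example": {"Telnet Config": False, "FTP Printing": False,
                      "9100 Printing": False, "IPP Printing": False},
}

if __name__ == "__main__":
    for device, found in audit_fleet(SAMPLE).items():
        for name, port, problem in found:
            print(f"{device}: {name} (tcp/{port}) {problem}")
```

For a live check, build the observations with `probe_device()` for each managed MFP instead of using SAMPLE.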
Chapter 5: Settings List

This section is a complete list of the settings recommended in this checklist. This section does not include instructions or explanations. It is intended to be used as a check-off list of the recommended settings to help ensure that you complete the entire configuration. See the Network Security section (above) and the Ramifications section (below) for information on each setting.
• Enable EWS Config.
• Disable Telnet Config.
• Disable SLP Config.
• Disable FTP Printing.
• Disable LPD Printing.
• Enable 9100 Printing.
• Disable IPP Printing.
• Disable mDNS Config.
• Disable IPV4 Multicast Config.
• Disable WS-Discovery.
• Configure Protocol Stacks.
• Disable IPX/SPX.
• Enable TCP/IP.
• Disable DLC/LLC.
• Disable AppleTalk.
• Configure TCP Idle Timeout.
• Disable Web Services Print.

Security Category Options

• Configure Bootloader Password.
• Disable Digital Sending Service.

Additional Fax Configuration

• Configure Fax Speed Dials.
• Lock Speed Dials.

MFP File System Options

• Configure File System External Access.
• Disable PJL.
• Disable PostScript.
• Configure Secure File Erase Mode to Secure Fast Erase or Secure Sanitize Erase.

Digital Sending Settings Options

• Configure Auto Reset Send Setting to Delay before resetting the default settings, and type a number of seconds to delay.
• Configure Default From Address.
Chapter 6: Default Settings

This chapter lists the default setting for each configuration in the checklist:

| Setting | Default Setting |
| --- | --- |
| Configure HP Secure Hard Disk | Installed and Enabled |
| Configure SNMPv3 (Security page). | Not configured |
| I/O Timeout to End Print Job | Not configured |
| Configure Job Hold Timeout. | Never Delete |
| Enable Job Retention. | Enabled |
| Configure Enable Features options (do not disable EWS Config at this point). | (See below) |
| Disable Telnet Config. | Enabled |
| Disable SLP Config. | |
| IPX RCFG Support. | Enabled |
| Configure Job Timeout. | Not Configured |
| Set the privacy setting as desired. | Not configured |
| Configure Protocol Stacks. | (See below) |
| Disable IPX/SPX. | Enabled |
| Enable TCP/IP. | Enabled |
| Disable DLC/LLC. | Enabled |
| Disable AppleTalk. | Enabled |
| Web Services Print. | Enabled |
| Configure Bootloader password. | Not configured |
| Configure Color Access Control | Not configured |
| Configure Control Panel Access to Maximum Lock. | Unlock |
| Configure Embedded Web Server Password. | |
| Disable Incoming Mail. | Disabled |
| Disable Cancel Job Button. | Disabled |
| Disable Go Button. | Enabled |
| Disable Command Invoke. | Enabled |
| Disable Command Download. | Enabled |
| Disable Command Load and Execute. | Enabled |
| Enable Continue Button. | Enabled |
| Disable Print Service. | Enabled |
| Configure File System External Access. | (See below) |
| Disable PJL. | Enabled |
| Disable PML. | Enabled |
| Disable NFS. | Enabled |
| Enable PostScript. | Enabled |
| Configure File System Password. | |
| Configure Auto Reset Send Settings to Delay before resetting the default settings, and type a number of seconds to delay. | Not configured, Delay default: 20 seconds |
| Configure Default From Address. | Not configured |
| Select Prevent user from changing the Default From Address. | Not selected |
| Disable Direct Ports (wait for MFPs to restart). | Enabled |
| Disable EWS Config. | |
Chapter 7: Ramifications

Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring the settings recommended in this checklist. Keep in mind that this is not a comprehensive list. You should test each MFP in your network environment to understand the implications of these settings and configurations.
Disabling SNMPv1 disables SNMPv1 GET and SNMPv2 SET commands. Any solution or software that requires SNMPv1 or SNMPv2 will not function. If you require these to be enabled, be sure to set the community name to something that would be difficult to guess.

Device Page Settings

• Set I/O Timeout to End Print Job. The I/O Timeout to End Print Job allows you to specify the amount of time a device should wait between packets before canceling a job.
• Disable SLP Config. SLP Config accommodates software using SLP as a discovery mechanism. For example, disabling SLP Config on some Novell networks (depending on how Novell is configured) would cause Novell to not recognize the MFPs on the network. Thus, if your network uses these features of Novell, you should enable SLP Config. If you use software other than HP Web Jetadmin with your HP MFPs, please test this feature before disabling it.
• Enable HTTPS, and configure the setting to Encrypt all web communication. This setting enables encryption for configuration data between the PC and the MFP EWS. It prevents sensitive data such as usernames and passwords from passing over the network in clear text. This setting is related to the EWS Encryption Strength setting explained earlier. Web browsers that do not support SSL and high encryption strength will not be able to access the MFP EWS.
• Disable unused Protocol Stacks. These options provide for the various types of network communication to the MFPs. Closing down unused protocol stacks is effective for better network security. See the ramifications of each option below:
• Disable IPX/SPX. IPX/SPX is the network protocol for Novell. Disabling it prevents printing and all other communications with Novell non-TCP/IP components. With it disabled, Novell non-TCP/IP components will not recognize the MFPs on the network.
• Enable TCP/IP.
The maximum Control Panel Access Lock closes all access to the fax menu. This includes the options to Cancel All Pending Transmissions and Cancel Current Transmission. If you wish to provide these options, use Intermediate Lock.
• Configure the Embedded Web Server Password. The EWS password restricts access to the configuration settings in the EWS. When configured, the MFP requires the password whenever anyone or any application attempts to make changes to the EWS settings.
Web Jetadmin keeps MFP credentials in its encrypted device cache. It will not prompt for the device password of an MFP that it manages. The Device Password is synchronized with the EWS password. If you change either of them, the MFP will change the other one to be the same.
• Disable Allow Use of Digital Send Service. HP Digital Sending Software is a useful tool for managing MFP digital sending. It is available for purchase at hp.com.
affect the MFP send to email functions. It also is not known to affect network security. If you use fax notification or other automatic email alerts, you should enable outgoing email.
• Disable Incoming Mail. Some network solutions can send commands to the MFP via email. If your network uses any of these solutions, you should enable Incoming Mail. Otherwise, disable it as a best practice. This setting does not affect any other use of the MFP.
File System Page Options

• Configure File System External Access. The File System External Access settings shut down access to the MFP file system (storage devices and configuration settings) through protocols and ports. They eliminate access from various types of management tools. HP recommends shutting down all unused access to the file system. See the ramifications for each protocol below.
normal use of the MFPs such as job storage. Users attempting to make changes to the file system settings or attempting to access data through network ports will be required to provide this password. Without the password, the MFP denies access to the File System and to File System configurations. Web Jetadmin stores the file system password in its encrypted device cache. It automatically provides the password when the MFPs request it.
This setting causes the MFPs to turn off and turn on. They will be out of service during this time. This is also the reason this setting should be configured independently of other setting configurations. If you attempt to configure this setting with other settings, the other settings will likely fail. This is because Web Jetadmin temporarily loses contact with each MFP while the MFP is restarting.
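The failure mode described above, as an added example that is not HP or Web Jetadmin code: a simulated device drops off the network after a restart-triggering change, so one combined batch loses the remaining settings, while isolating that setting and waiting for the device to answer does not. `SimulatedMFP`, the setting names and the poll counts are constructed for illustration.

```python
class SimulatedMFP:
    """Constructed stand-in for a managed MFP; not an HP or Web Jetadmin API."""
    def __init__(self, restart_polls=3):
        self.settings, self._offline = {}, 0
        self.restart_polls = restart_polls  # polls the device stays unreachable

    def reachable(self):
        up = self._offline == 0
        self._offline = max(0, self._offline - 1)  # each poll advances the restart
        return up

    def apply(self, name, value, restarts=False):
        if self._offline:
            raise ConnectionError(f"{name}: device is restarting")
        self.settings[name] = value
        if restarts:
            self._offline = self.restart_polls

def apply_batch(device, batch):
    """Push one batch as a single job; return the names of settings that failed."""
    failed = []
    for name, value, restarts in batch:
        try:
            device.apply(name, value, restarts)
        except ConnectionError:
            failed.append(name)
    return failed

def plan_batches(changes):
    """Ordinary settings share one batch; each restart-triggering one goes alone."""
    ordinary = [c for c in changes if not c[2]]
    return ([ordinary] if ordinary else []) + [[c] for c in changes if c[2]]

def wait_until_reachable(device, max_polls=10):
    for polls in range(1, max_polls + 1):
        if device.reachable():
            return polls  # number of polls it took for the device to answer
    raise TimeoutError("device did not come back after restart")

def apply_safely(device, changes):
    failed = []
    for batch in plan_batches(changes):
        wait_until_reachable(device)  # never push while the device is restarting
        failed += apply_batch(device, batch)
    return failed
# Constructed change set: (name, value, triggers_restart); names are hypothetical.
CHANGES = [("restart_triggering_setting", "configured", True),
           ("slp_config", "disabled", False), ("ipx_spx", "disabled", False),
           ("incoming_mail", "disabled", False)]
```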
No way to change the From Address on email send jobs: Depending on the capabilities of your network, the MFPs will place either a default from address or the email address of the user who logged in to the MFP. The MFPs will provide no method to change it.
Chapter 8: Physical Security

Many of the most notable features of HP MFPs involve hard copy documents. MFPs can print them, scan them, send them to email, send them to network folders, send them to other printers, and fax them. Handling hardcopy documents can involve a variety of activities that can lead to compromise of data security:
• Leaving documents in the printer output trays exposed to possible unauthorized viewers.
Chapter 9: Appendix 1: Glossary of Terms and Acronyms

The following table lists terms and acronyms found in this checklist:

Term | Description
ACL | Access Control List. The ACL restricts network access to the MFP by allowing only those IP addresses or subnets that are listed in it.
Analog fax | Analog fax is fax functionality carried over telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist.
JDI | Jetdirect Inside. Many of the MFPs include internal Jetdirect hardware as standard equipment. Other MFPs, such as HP Color LaserJet 9500 MFPs, require EIO Jetdirect cards for network connectivity.
Job Retention | Job Retention is the MFP capability of storing print jobs or fax jobs for printing on demand at the control panel. PIN printing and PIN fax printing are functions of Job Retention.
Microsoft® is a U.S. registered trademark of Microsoft Corporation. Adobe and PostScript are trademarks of Adobe Systems Incorporated.