HP Imaging and Printing Security Best Practices
Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs
Draft 3.5 6/19/2007
© Copyright 2005, 2007 Hewlett-Packard Development Company, L.P.
Table of Contents
Chapter 1: Introduction
  Cautions
  Follow the Checklist in Order
  Understand the Ramifications
  Final configurations
Chapter 5: Default Settings:
Chapter 6: Ramifications
  Device Page Settings
Chapter 1: Introduction
This document is a security checklist for the following HP MFP models:
• HP LaserJet M3027 MFP
• HP LaserJet M3035 MFP
• HP LaserJet 4345 MFP
• HP LaserJet M4345 MFP
• HP LaserJet M5025 MFP
• HP LaserJet M5035 MFP
• HP LaserJet 9040 MFP
• HP LaserJet 9050 MFP
• HP Color LaserJet 4730 MFP
• HP Color LaserJet M4730 MFP
• HP Color LaserJet 9500 MFP
All of these models are called MFPs hereafter.
This checklist covers only those parts of HP Web Jetadmin that pertain to appropriate security settings. See the user guides, admin guides, and help files for information on other configurations.
Cautions
HP is dedicated to providing the best and latest security information available for MFPs. This checklist is meant to help you to improve MFPs in your workplace.
• Network administrators: This checklist assumes that readers are trained network administrators who are familiar with common networking practices such as configuring HP Jetdirect connections and using HP Web Jetadmin. Administrators should have read the MFP user guide, the MFP administrator guide, the Jetdirect administrator guide, Web Jetadmin user guides, and help files. This checklist relies on these materials for necessary information. All of these guides are available by searching for them at hp.com.
• Chapter 5: Default Settings: The Default Settings chapter lists each recommended setting with its corresponding default setting.
• Chapter 6: Ramifications: The Ramifications chapter explains the possible limitations implied with each recommended setting.
• Chapter 7: Physical Security: The Physical Security chapter explains security concerns in workplaces where MFPs are installed. It covers security for picking up print jobs, copying, and scanning.
Chapter 2: Threat Model
This section explains the types of security risks involved with operating MFPs in enterprise environments. As technology improves, malicious people (hackers) continue to find new ways to exploit networks. They are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or the internet. Predicting the actions of a hacker is difficult, but HP is dedicated to research in this area.
• Configure authentication.
• Configure the administrator password.
• Configure SNMPv3.
Tampering with Data
Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from an MFP or stored on it. Here are some ways tampering with data can relate to MFPs:
• Canceling another person's job. Someone could use a remote access tool to cancel pending jobs. The person who sent a cancelled job gets no warning; only part or none of the job is printed.
Information Disclosure
Information disclosure is gathering information from an MFP and providing it to unauthorized users. This can include authentication information, usage log information, or information from the contents of a job.
• Lock physical access to removable hardware.
Elevation of Privilege
Elevation of privilege is any method of upgrading authorized access to include unauthorized access.
Chapter 3: Network Security for Multiple MFPs
This chapter explains how to configure security settings for one or more MFPs using HP Web Jetadmin.
Overall Network Settings
This checklist assumes that you have taken reasonable steps to secure the network environment in which your MFPs are operating. This includes configuring network firewalls and providing up-to-date virus controls.
Since this is a complicated overall configuration, sometimes settings can fail in the process. If this happens, try again. If it fails again, try using the individual configuration pages. Sometimes also, Web Jetadmin might show a false failure; the setting will have actually been successful. Verify this using the individual configuration pages. Keep in mind that every network is different. Your network will require adjustments to this configuration.
continues without issues. For instance, color settings will be ignored for a non-color MFP. For the same reason, some of the settings may not appear in HP Web Jetadmin if none of your MFPs supports them. Web Jetadmin displays only the options that apply to the MFPs you are managing. For instance, color settings will not appear if none of your MFPs has color. Ignore recommendations in this checklist if they do not appear on your Web Jetadmin screen.
3. Click to select the MFPs to configure in the Device List view, and click Configure in the Device Tools dropdown menu (Figure 2).
Figure 2: The Device List showing devices selected and the Device Tools menu showing Configure selected.
Note: Remember that the steps in this checklist are for the specified HP LaserJet and Color LaserJet MFPs. Other devices may appear in the Device Model list, and it may be possible to configure them using this process, but the results may vary.
Figure 3: The Multiple Device Configuration Tool showing the Configure Devices tab outlined in green.
The Configure Devices tab contains all of the settings recommended in this checklist.
Tip: Sometimes configuration requests can be lost in the process of configuration. If any of the settings fail during this process, try configuring them using their individual device configuration pages. Sometimes Web Jetadmin can lose track of MFP credentials. If this happens, some settings might fail.
Figure 4: The Security category.
2. Scroll down to the SNMPv3 option, and select the SNMPv3 checkbox (Figure 5).
Figure 5: The Security menu showing SNMPv3 selected.
3. Click to select Enabled below the SNMPv3 checkbox, and fill in the New User, the New Authentication Passphrase, and the New Privacy Passphrase fields (Figure 6). See below for details.
Figure 6: The SNMPv3 settings enabled and the fields filled out.
The New User Name field can be any name you choose.
The New Authentication Passphrase field can be any word or phrase that is at least 8 characters.
The New Privacy Passphrase field can be any word or phrase that is at least 8 characters.
CAUTION: These instructions are for the initial configuration of SNMPv3. Once you finish this configuration, the MFPs will require these credentials whenever anyone attempts to access settings over the network.
Figure 8: The Device Model list.
6. Click Configure Devices (Figure 9) to execute the configuration.
Figure 9: The Configure Devices button.
After you click Configure Devices, a View Log page (Figure 10) will appear.
Figure 10: The View Log page showing that SNMPv3 is executing.
7. Wait a few seconds (sometimes this can take a few minutes), and click Refresh to see the progress. The View Log page will reappear with the status. Once the configuration is complete, the View Log page will show success (Figure 11).
Figure 11: The View Log page showing successful configuration of SNMPv3.
Now, whenever you click Apply to configure settings, the MFP will check for the SNMPv3 credentials.
without it. The only way to restore the default setting and clear the password is to provide the correct password and set it with a blank password.
1. With Web Jetadmin open to the Security Configuration page (continuing from the previous section), scroll down to view the Bootloader Password option (Figure 12).
Figure 12: The Bootloader Password option.
2. Click to select Bootloader Password.
3.
• HP LaserJet M3027 MFP
• HP LaserJet M3035 MFP
• HP LaserJet M4345 MFP
• HP LaserJet M5025 MFP
• HP LaserJet M5035 MFP
HP Web Jetadmin might not provide options to configure the Jetdirect Firewall settings. Look for them in the MFP EWS.
Note: Keep in mind that the ACL is not configured until at least one computer is in the list. When it is configured, no computer outside the list will have access to the MFP including printing.
Follow these steps to configure the ACL:
1.
Figure 15: The ACL IP address field.
CAUTION: Be sure to include the IP address of the computer that is running Web Jetadmin (it can be a computer other than the one you are using). Otherwise, the ACL will block your access, and you will not be able to continue.
Note: The Mask option requires an entry in the IP address field to determine the subnet for which to grant access.
Note: These ACL options allow you to add one IP address or one mask at a time. To add more IPs or masks, repeat these steps. Remember to deselect Allow Web Server (HTTP) access each time. The View Log page will appear to show the status of the configuration. Click Refresh to update the status. When the settings are successful, click Go Back to view Multiple Device Configuration Tool, and continue with this checklist.
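The lockout and scope cautions in the ACL notes above can be checked before the list is pushed to the MFPs. The following is an added example, not part of the HP checklist: it assumes each ACL entry is an IP address with an optional mask and grants access to every address in the resulting subnet. The host names, addresses, and the /24 width threshold are constructed for illustration.

```python
import ipaddress

# Assumption (site policy, not from the checklist): flag entries wider than a /24.
WIDEST_PREFIX = 24


def parse_acl(entries):
    """Convert (ip, mask) pairs into networks. A blank mask means one host."""
    networks = []
    for ip, mask in entries:
        if not ip:
            # The checklist notes that a mask needs an IP address to define the subnet.
            raise ValueError(f"mask {mask!r} has no IP address")
        # strict=False accepts a host address plus mask and reduces it to the subnet.
        cidr = f"{ip}/{mask or '255.255.255.255'}"
        networks.append(ipaddress.ip_network(cidr, strict=False))
    return networks


def preflight(entries, required_hosts):
    """Check a planned ACL against the hosts that must keep access."""
    networks = parse_acl(entries)
    report = {"enforced": bool(networks), "locked_out": [], "broad": []}
    if not networks:
        # With no entries the ACL is not configured, so nothing is blocked yet.
        return report
    for name, addr in required_hosts.items():
        host = ipaddress.ip_address(addr)
        if not any(host in net for net in networks):
            report["locked_out"].append(name)
    report["broad"] = [str(net) for net in networks if net.prefixlen < WIDEST_PREFIX]
    return report


# Constructed sample data: hosts that must keep access, and a planned ACL
# that forgets the Web Jetadmin server.
REQUIRED = {
    "web-jetadmin-server": "10.1.20.57",
    "print-server": "10.1.30.12",
    "admin-workstation": "10.1.40.8",
}
PLAN = [("10.1.30.0", "255.255.255.0"), ("10.1.40.8", "")]

if __name__ == "__main__":
    corrected = PLAN + [("10.1.20.57", "")]
    for label, plan in (("planned", PLAN), ("corrected", corrected)):
        print(label, preflight(plan, REQUIRED))
```

Because the ACL options accept one IP address or one mask at a time, each tuple in the plan corresponds to one pass through the steps above.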
Figure 18: The Configure Devices button.
Once you click Configure Devices, the View Log page will appear to show the progress. Click Refresh to update the page to see the results of the configurations. Click Go Back to continue.
Configurations on the Fax Page
The Fax Configuration Page provides options for the analog fax functions. This includes settings to allow for printing fax jobs when the recipient is present and for restricting access to fax print jobs.
Figure 20: The Fax Printing options.
3. Enter a four-digit number in the PIN Number field, and repeat it in the Confirm PIN Number field. This setting requires users to provide the PIN number to print Fax jobs.
Note: This setting also enables PIN printing.
4. Select Store all Received Faxes in the Enable Mode dropdown menu. The Store all Received Faxes option holds incoming faxes for printing until someone enters the correct PIN number and selects the menu options at the control panel.
Figure 21: The Default From Address options.
Note: HP recommends configuring the default from address to ensure that no one can send email using false or misleading identification; however, if you configure LDAP authentication (later in this chapter), the MFP will use the email address of the authenticated user as the From address, and it will not allow users to change it.
3. Click to select Prevent user from changing the Default 'From:' Address.
4.
Note: This LDAP access configuration is required for LDAP Authentication, which appears on the Security page (explained later). Be sure to configure these settings including the SSL certificate upload settings in order to enable LDAP Authentication. These instructions assume that the LDAP server is configured for SSL. If you have this feature available, you should upload a certificate that was created by the LDAP server.
7. Select Simple over SSL in the LDAP Server Bind Method dropdown menu.
Figure 23: The Time-outs options.
13. Select Delay before resetting the default settings. This allows users to send multiple jobs to a location without having to retype all of the information in the control panel, but it also ensures that the information displayed on the control panel will be removed if the user walks away without clearing the menu.
14.
Figure 24: The Embedded Web Server option.
2. Click to select Embedded Web Server Password (Figure 25).
Figure 25: The Embedded Web Server Password options.
3. Type a password of 2 to 16 characters in the Embedded Web Server Password field (you should always type the maximum number of characters for best security). This setting requires users to log on for parts of the EWS that provide configuration options.
4. Repeat the password exactly in the Repeat Password field.
Figure 26: The Embedded Web Server Configuration Options.
6. Click to enable Continue Button, and leave the remaining options blank. See below for more information:
The Embedded Web Server Configuration Options are either enabled or disabled in this menu. They will be reconfigured regardless of their current state (which is not displayed). If you select an option, you are enabling it; if you leave an option blank, you are disabling it.
Command Invoke (enabled by default) | Leave blank to disable | Command Invoke does not apply to the MFPs. Disabling it is only a best practice.
Command Download (enabled by default) | Leave blank to disable | Command Download does not apply to MFPs. Disabling it is only a best practice.
Command Load and Execute (enabled by default) | Leave blank to disable | Command Load and Execute enables the MFPs to install and run Chai services, such as workflow applications and job accounting solutions.
useful for cleaning out all traces of print jobs, fax jobs, copy jobs, digital send jobs, stored fonts, and even some stored settings from an MFP, but it should not be used regularly. CAUTION: Secure Storage Erase requires considerable downtime. It permanently destroys all user data including installed applications. Use it only as needed to clean MFPs for resale, for reuse, or for conforming to high-level security requirements such as Department of Defense regulations.
Figure 29: The Set Secure File Erase Mode setting.
This setting determines the level of overwriting applied to delete files during routine functions. This includes removal of files for the Secure Storage Erase function (see the explanation earlier).
Secure Fast Erase overwrites files using one pass. This takes some extra time, but it provides reasonable security.
Secure Sanitizing Erase overwrites files with three passes. It noticeably slows the MFP, but it ensures that files are completely unrecoverable.
PML | Disabled | Prevents access to the file system through this protocol
NFS | Disabled | Prevents access to the file system through this protocol. NOTE: Disabling the NFS option disables the entire protocol for the MFPs.
PostScript | Enabled | The PostScript protocol is not as sensitive, and it is more likely to be used for common types of print jobs.
7. Select the devices to configure in the Device List, and click Configure Devices. The View Log page will appear to show the status.
Figure 32: The Job Timeout option.
The Job Timeout option enables the MFPs to move on from jobs that lack proper end of job signals. The MFPs will be able to switch protocols to continue with other jobs. The Job Timeout option might not appear for some models.
3. In the field next to Job Timeout, type a reasonable number of seconds for the MFPs to wait for an end of job before moving on.
4. Click Encryption Strength (Figure 33).
Figure 33: The Encryption Strength option.
5.
Figure 34: The Encryption Strength dropdown menu.
The Encryption Strength setting allows you to choose the strength of the encryption algorithm that will be used for communication between the MFP EWS and the web browsers connecting to it (this is related to the HTTPS Setting option later on the Network page).
6. Click Enable Features (Figure 35).
Figure 35: The Enable Features option (scroll down to view more of the features).
Telnet Config | Disabled | Disabling Telnet Config prevents access to configuration settings and other features through Telnet.
SLP Config | Disabled | Disabling SLP Config prevents access to configuration settings and other features through SLP.
FTP Printing | Disabled | Disabling FTP Printing prevents access to configuration settings and other features through FTP. It also prevents printing through FTP.
Figure 36: The Privacy Setting option.
The Privacy Setting option is not considered a security-related setting. It is explained here to assure you that it does not compromise your network security. It allows HP to collect statistical data about the MFP. HP will not collect network-specific or personal data. For information on HP privacy policies, read the Hewlett-Packard Online Privacy Statement available by clicking privacy statement at http://www.hp.com.
Figure 37: The RCFG Setting option.
This setting prevents access to configuration settings through Novell NetWare linkages; however, you should enable it if your network uses these linkages.
Note: When you disable RCFG Setting, a warning message will appear explaining that you are disabling access for Novell. If you are not using Novell, click OK to continue.
Note: The Access Control List options appear next on the Network page, but you should have already configured this.
Figure 39: The Protocol Stacks: options.
The following table lists each protocol with the recommended setting and an explanation:
Protocol Stack | Recommended Setting | Explanation
IPX/SPX | Leave blank to disable | This setting disables access for Novell servers.
TCP/IP | Select to enable | This is the normal operating protocol for the MFPs.
DLC/LLC | Select to enable | This setting enables the MFP to communicate at basic levels on the network.
Figure 40: The Security configuration category.
2. Click to select Authentication Manager (Figure 41).
Figure 41: The Authentication Manager options.
The Authentication Manager allows you to customize access to functions of the MFP. You can use these options to provide varying services to different groups of people.
Note: Be sure to select only the authentication features that you plan to configure in the subsequent steps on the Security page.
Note: LDAP, Kerberos, and Digital Send Service require additional solutions on the network for support.
3. Click the dropdown menu next to Log in at Walk Up, and select from the list (Figure 42).
Figure 42: The drop down menu for Log in at Walk Up.
Choosing an authentication method for Log in at Walk Up causes the MFP to require everyone to log in for access to the control panel menus. You can choose to require further authentication for specific functions of the MFP.
4.
These settings enable the MFPs to require a user's NT logon credentials for use of the MFPs. This is related to the LDAP access options on the Digital Sending page, which enable the MFP to use the LDAP address book; however, the SSL certificate options for both configurations appear on the Digital Sending page. Note: These instructions assume that the LDAP server is configured for SSL.
Note: If your network includes NTLM service, configure NTLM. This option enables the MFP to authenticate to NTLM for the purposes of digital sending to network folders. It is not for restricting access to MFP functions. This is not necessarily a security setting.
11. Configure User PIN Authentication as desired. User PIN Authentication allows you to restrict access to MFP functions by specific users.
Figure 46: The Device Password option.
CAUTION: The Device Password option should already be configured. When you configured the EWS Password earlier in this process, each MFP should have automatically configured the device password to be the same as the EWS password.
Tip: Configure the Device Password setting using the same password you used as the EWS password. This will ensure that both passwords are configured the same and that you are sure you have the correct one.
Note: This setting prevents everyone from accessing configuration settings in the control panel, including digital send and fax settings. If you wish to make changes to settings in the control panel, unlock access using Web Jetadmin, make the changes, and then lock access again. See the Ramifications chapter for more information.
15. Click to select Allow Use of Digital Send Service (Figure 48), and click Disabled (unless your network is using HP Digital Send Service).
Figure 50: The PJL Password option.
18. Type a password that is any number from 1 to 2147483647, and repeat it in the Repeat PJL Password field. The PJL password protects the default features on the MFP. PJL commands are allowed only when the correct PJL password is included. This also affects PCL and PostScript commands.
Note: If you are configuring color MFPs, options for restricting the use of color will appear on the Security page.
The Disable Direct Ports feature shuts down the USB and Parallel ports on the MFPs. It ensures that only network-connected computers can access the MFPs. In order to configure this feature, each MFP will turn off and turn on automatically.
3. Click Configure Devices at the bottom of the page.
4. Wait for a few minutes to allow all of the MFPs to restart. Do not continue until all of them are at the READY state.
5. Go to the Network page, and click to select Enable Features (Figure 52).
CAUTION: Losing passwords can eliminate access to an MFP. Be careful to record them in a safe place. It is most important to remember the Bootloader password. With it, it is possible to restore the MFPs to factory default settings. Without it, the only way to restore the MFPs is to involve an HP-authorized service technician to reset the entire MFP. You may wish to use a password vault program to organize and store all of the passwords.
Chapter 4: Settings List
This section is a complete list of the settings recommended in this checklist. This section does not include instructions or explanations. It is meant as a check-off list of the recommended settings to help ensure that you complete the entire configuration. See the Network Security section (above) and the Ramifications section (below) for information on each setting.
NOTE: This section lists recommended settings for reasonable security on the most common networks that include MFPs.
Configure Time-outs to Delay before resetting the default settings, and type a number of seconds to delay.
Embedded Web Server Page Options
Configure Embedded Web Server Password.
Configure Embedded Web Server Configuration options.
Enable Outgoing Mail.
Disable Incoming Mail.
Disable Cancel Job Button.
Disable Go Button.
Disable Command Invoke.
Disable Command Download.
Disable Command Load and Execute.
Enable Continue Button.
Disable Print Service.
Enable HTTPS Setting to Encrypt all web communication.
Configure Protocol Stacks.
Disable IPX/SPX.
Enable TCP/IP.
Enable DLC/LLC.
Disable AppleTalk.
Security Page Options
Configure authentication (LDAP, Kerberos, Device PIN, or User PIN).
Configure the Authentication Manager to restrict access to specific MFP functions.
Disable Printer Firmware Update.
Configure the Device Password.
Configure Control Panel Access to Maximum Lock.
Disable Allow Use of Digital Send Service.
Chapter 5: Default Settings:
This chapter lists the default setting for each configuration in the checklist:
Setting | Default Setting
Configure SNMPv3 (Security page). | Not configured
Configure Bootloader password. | Not configured
Configure ACL (Network page). | Not configured
Disable Allow Web Server (HTTP) Access. | Enabled
Enable Job Retention. | Enabled
Configure Job Hold Timeout. | Never Delete
Configure Fax Printing. | Not configured
Establish PIN Number.
Configure File System Password. | Not Configured
Configure Secure File Erase Mode to Secure Fast Erase or Secure Sanitize Erase. | Non-Secure Fast Erase
Configure File System External Access. | (See below)
Disable PJL. | Enabled
Disable PML. | Enabled
Disable NFS. | Enabled
Enable PostScript. | Enabled
Configure Job Timeout. | Not Configured
Configure Encryption Strength to High. | Low
Configure Enable Features options (do not disable EWS Config at this point). | (See below)
Disable Telnet Config.
Disable Allow Transfer to New Digital Send Service. | Enabled
Configure the PJL Password. | Not configured
Configure color restriction settings. | Not Configured
Disable Direct Ports (wait for MFPs to restart). | Enabled
Disable EWS Config.
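The default settings listed in this chapter can serve as a baseline for finding MFPs that were never hardened. The following is an added example, not part of the HP checklist: it classifies each setting in a device snapshot as compliant, still at factory default, nonstandard, or missing. The snapshot format, the setting labels, the "Configured" value, the "Medium" value, and the device names are assumptions constructed for illustration; the default and recommended values come from the checklist.

```python
# setting -> (factory default from Chapter 5, values the checklist recommends)
BASELINE = {
    "SNMPv3": ("Not configured", {"Configured"}),
    "Bootloader Password": ("Not configured", {"Configured"}),
    "Allow Web Server (HTTP) Access": ("Enabled", {"Disabled"}),
    "Job Retention": ("Enabled", {"Enabled"}),
    "Secure File Erase Mode": (
        "Non-Secure Fast Erase",
        {"Secure Fast Erase", "Secure Sanitizing Erase", "Secure Sanitize Erase"},
    ),
    "File System External Access: PJL": ("Enabled", {"Disabled"}),
    "File System External Access: PML": ("Enabled", {"Disabled"}),
    "File System External Access: NFS": ("Enabled", {"Disabled"}),
    "File System External Access: PostScript": ("Enabled", {"Enabled"}),
    "Encryption Strength": ("Low", {"High"}),
    "PJL Password": ("Not configured", {"Configured"}),
    "Direct Ports": ("Enabled", {"Disabled"}),
}


def _norm(value):
    # The checklist writes "Not configured" and "Not Configured"; compare case-insensitively.
    return value.strip().casefold()


def audit_device(settings):
    """Classify every baseline setting for one MFP snapshot."""
    findings = {"compliant": [], "factory_default": [], "nonstandard": [], "missing": []}
    for name, (default, accepted) in BASELINE.items():
        if name not in settings:
            findings["missing"].append(name)
            continue
        value = _norm(settings[name])
        if value in {_norm(a) for a in accepted}:
            findings["compliant"].append(name)
        elif value == _norm(default):
            findings["factory_default"].append(name)
        else:
            findings["nonstandard"].append(name)
    return findings


def open_findings(fleet):
    """Return (device, count of non-compliant settings) pairs, worst first."""
    counts = {}
    for device, settings in fleet.items():
        f = audit_device(settings)
        counts[device] = len(f["factory_default"]) + len(f["nonstandard"]) + len(f["missing"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed snapshots: one untouched device, one fully configured, one partly done.
FACTORY = {name: default for name, (default, _) in BASELINE.items()}
HARDENED = {name: sorted(accepted)[0] for name, (_, accepted) in BASELINE.items()}
PARTIAL = dict(HARDENED, **{"Encryption Strength": "Medium", "Direct Ports": "Enabled"})
del PARTIAL["PJL Password"]
FLEET = {"mfp-lobby": FACTORY, "mfp-floor2": HARDENED, "mfp-floor3": PARTIAL}

if __name__ == "__main__":
    for device, count in open_findings(FLEET):
        print(device, count, audit_device(FLEET[device]))
```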
Chapter 6: Ramifications
Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring the settings recommended in this checklist. Keep in mind that this is not a comprehensive list. You should test your system to know how it reacts to these settings and configurations. The following sections explain some of the known ramifications of each recommended setting:
• Enable SNMPv3 (Security Page).
• Disable Allow Web Server (HTTP) access. The MFPs have Embedded Web Servers that provide many of the same configuration capabilities that Web Jetadmin can access. If you enable Allow Web Server (HTTP) access, users will be able to access the MFP EWSs without restriction. If you disable Allow Web Server (HTTP) access, only computers listed on the ACL will have access to the EWSs.
With the Default From Address configured, no one can change the From address in email messages. The address you configure is the only address anyone can use.
• Configure Accessing LDAP Server settings (if available on your network). These LDAP settings enable the MFPs to provide the LDAP address books to users. Access to the address books is not necessarily related to security, but the accompanying security settings are important for its use.
MFP. With this setting configured, the MFPs will ignore all incoming emails.
• Disable Cancel Job Button. The EWS provides a Cancel Job button that allows users to cancel jobs that are pending in the queue. This includes canceling jobs sent by other users. Thus, disabling the Cancel Job button removes the ability to cancel jobs remotely (and anonymously); however, users will be able to cancel their own jobs from the printer driver or from the control panel.
• Disable Go Button.
• Set the Secure File Erase Mode to Secure Fast Erase or to Secure Sanitizing Erase. Secure File Erase enables the MFPs to overwrite storage space whenever files are deleted. This helps ensure that the original data is destroyed. Secure Fast Erase mode overwrites files one time. It slows MFP performance a bit, but it provides reasonable security for most situations. Secure Sanitizing Erase overwrites files 3 times.
Network Page Options
• Configure Job Timeout. The Job Timeout option enables the MFPs to move on from jobs that lack proper end of job signals. The MFPs will be able to switch protocols to continue with other jobs rather than waiting indefinitely for improperly formatted jobs to finish.
• Configure Encryption Strength to High. The encryption strength setting covers communication between a PC and the Embedded Web Server.
• Disable IPv4 Multicast Config. IPv4 Config configures multiple devices simultaneously over the network. You should always disable IPv4 Config, and use Web Jetadmin for managing MFPs.
• Set the Privacy setting as desired. The Privacy setting is included in this checklist to inform you of its purpose: it allows HP to collect statistical data on the use of MFPs. HP uses such information to help improve the design and development of MFPs. HP will not collect network-specific or personal data.
• Disable IPX/SPX. IPX/SPX is the network protocol for Novell. Disabling it prevents printing and all other communications with Novell components. With it disabled, Novell components will not recognize the MFPs on the network.
• Enable TCP/IP. TCP/IP is the standard network protocol for MFP operations. It provides the necessary network communication for printing and for configuration. It should be enabled during normal use of MFPs.
• Enable DLC/LLC.
The maximum Control Panel Access Lock closes all access to the fax menu. This includes the options to Cancel All Pending Transmissions and Cancel Current Transmission. If you wish to provide these options, use Intermediate Lock.
• Disable Allow Use of Digital Send Service. Digital Send Service is a useful tool for managing MFP digital sending. It is available for purchase at hp.com. HP recommends using Digital Send Service, but it is not covered in this checklist.
Config temporarily to make changes to the configurations, and then disable it again. With EWS Config disabled, the MFPs will not provide the EWSs on the network. Web browsers will return with no such web site found. This removes some conveniences that EWSs provide, but all of the functions that you would want to provide to users are available using the MFP drivers or the control panels.
Overall Limitations
This overall configuration provides a high level of network security for HP MFPs.
Chapter 7: Physical Security
Many of the most notable features of HP MFPs involve hard copy documents. MFPs can print them, scan them, send them to email, send them to network folders, send them to other printers, and fax them. Handling hard copy documents can involve a variety of activities that can lead to compromise of data security:
• Leaving documents in the printer output trays exposed to possible unauthorized viewers.
Chapter 8: Appendix 1: Glossary of Terms and Acronyms
The following table lists terms and acronyms found in this checklist:
Term | Description
ACL | Access Control List. The ACL restricts network access to the MFP by allowing only those IP addresses or subnets that are listed in it.
Analog fax | Analog fax is fax functions via telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist.
Term | Description
JDI | Jetdirect Inside. Many of the MFPs include internal Jetdirect hardware as standard equipment. Other MFPs, such as HP Color LaserJet 9500 MFPs, require EIO Jetdirect cards for network connectivity.
Job Retention | Job Retention is the MFP capability of storing print jobs or fax jobs for printing on demand at the control panel. PIN printing and PIN fax printing are functions of Job Retention.