Technical white paper

HP Printing Security Best Practices for HP FutureSmart Products
Configuring a Printer Securely in HP Web Jetadmin 10.4
Version 2.
Introduction

This document is a security checklist for the HP FutureSmart products (see Appendix 2 for full list of products). This checklist is written for acceptance by the National Institute of Standards and Technology (NIST). This checklist is meant for trained network administrators who use HP Web Jetadmin version 10.4 or above in enterprise networks. It includes step-by-step instructions to configure one or more printing products on a network.

We developed the process for configuring this checklist using HP Web Jetadmin to manage all the printing products at the same time. This checklist covers only those parts of HP Web Jetadmin that pertain to appropriate security settings. See the user guides, admin guides, and help files for information on other configurations.

Cautions

HP is dedicated to providing the best and latest security information available for MFPs. This checklist is meant to help you to improve printing security in your workplace.
Enterprise products: This checklist covers security settings for specific HP devices outlined at the beginning of this document. It is meant to enable you to configure multiple devices simultaneously. It assumes that the devices are turned on, connected to the network, and in the factory default state. Most of the settings recommended in this checklist apply to other HP printers and devices; however, this checklist is tested and known to be successful only with the specified device models.
Threat Model

This section explains the types of security risks involved with operating MFPs in enterprise environments. As technology improves, malicious people (hackers) continue to find new ways to exploit networks. They are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or the internet. Predicting the actions of a hacker is difficult, but HP is dedicated to research in this area.
Tampering with Data

Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from a device or stored on it. Here are some ways tampering with data can relate to MFPs:

o Canceling another person's job. Someone could use a remote access tool to cancel pending jobs. The person who sent a cancelled job gets no warning; only part or none of the job is printed.
o Intercepting print jobs, copy jobs, fax jobs, or digital send jobs (such as email).

You can minimize the risks of information disclosure in the following ways:

o Enable IPsec to protect data in transit.
o Use hardware encryption to protect data at rest. Some devices may include an encrypted disk. If not, you can add an HP Secure Hard Disk accessory to protect data stored on your MFP. (Look for this product at hp.com or contact your HP product supplier).
o Close unused ports and protocols.
o Configure the administrator (device) password.
o Configure the PJL password.
o Configure SNMPv3 and HTTPS.
Basic Network Security for Multiple HP Devices

This chapter explains how to configure security settings for one or more printers using HP Web Jetadmin. It assumes that you have taken or plan to take reasonable steps to secure the network environment in which your MFPs are operating. This includes configuring network firewalls and providing up-to-date virus controls.
Use good practices for setting and updating passwords (some of the password settings have limitations on what and how many characters may be used):

o Use alpha, numeric and special characters whenever possible.
o For numeric-only passwords, use passwords with at least nine digits.
o Use a different password for each password setting.
o Many of the latest password cracking tools can follow patterns to make guessing easier. Avoid using a pattern for passwords.
Setting up HP Web Jetadmin

Follow these instructions to prepare Web Jetadmin for configuring the MFPs:

Open Web Jetadmin to view the device list (Figure 1) that appears by default.

Figure 1: Web Jetadmin showing the device list on the default view.

Check to see that the print devices you wish to configure appear in the Device Model List. If they are not in the list, use the Discovery options to find the print devices on your network.

Note: This checklist does not include details on print device discovery.
Figure 3: The Config tab displays settings available for configuration. Tip: If you are having a problem configuring a setting, try configuring it using the individual device’s configuration page. You can also attempt to configure the setting using the EWS of the device. Sometimes Web Jetadmin can lose track of device credentials. If this happens, some settings might fail. Clear the Web Jetadmin Device Cache (see Web Jetadmin Help) and re-enter the device credentials.
Figure 4: Shows the Storage Media pop-up details.

Figure 4 is an example of a device that does not have the Secure Hard Disk Accessory installed. The highlighted line is the hard disk. The other listed disk is the original memory module, which is no longer being used for customer data. As such, it is listed as No Encrypted Disk. If the product does not have an accessory, the memory will appear as shown in Figure 5.
2. Select Protect Stored Data from the left-hand menu list to view the Protect Stored Data page (Figure 7).

Figure 7: Shows the Protect Stored Data settings page in the EWS.

3. In the Hard Disk Status section of the Protect Stored Data page, you can see the Encryption Status for that device. If you see a green checkmark, the device is encrypting your data properly (Figure 8).

Figure 8: Shows the Hard Disk Status; a green check means an encrypted disk is installed and encrypted.
Follow these steps: Click Security in the Configuration Categories menu (Figure 9) to view the options for configuration. From the Security options, select SNMP Version Access Control.

Figure 9: The Security category and SNMP Version Access Control settings.

On the SNMP Version Access Control menu, select the Enable SNMPv3 checkbox (Figure 10).

Figure 10: Shows Enable SNMPv3 selected.
Figure 11: The Enable SNMPv3 option has been selected and the New SNMPv3 Credential section is complete. The New User Name field can be any name you choose. The New Authentication Passphrase field can be any word or phrase that is at least 9 alphanumeric characters. The New Privacy Passphrase field can be any word or phrase that is at least 9 alphanumeric characters. CAUTION: These instructions are for the initial configuration of SNMPv3.
Now, whenever you click Apply to configure settings, the MFP or other device will check for the SNMPv3 credentials. Note: For convenience, Web Jetadmin stores the credentials for each device in an encrypted format. However, Web Jetadmin may still prompt you for credentials on occasion so remember the passwords you set. Click Done to exit the Configure Devices dialogue and continue with this checklist.
Figure 14: The Input Auto Continue Timeout options.

Job Hold Timeout

From the Device category, select the Job Hold Timeout menu (Figure 15). Click the checkbox to enable the Job Hold Timeout setting (Figure 15) and select a reasonable time for printing. This ensures that stored copy and print jobs on the MFP are erased after a reasonable time.

Figure 15: The Job Hold Timeout options.

Job Retention

From the Device category, select Job Retention (Figure 16).
Job Storage Limit

The Job Storage Limit allows you to specify the maximum number of stored jobs allowed on the printer. You will want to choose a number of jobs that is appropriate for your print devices and print usage in your environment. This setting can protect your printer from accepting more print jobs than it can effectively store. From the Device category select the Job Storage Limit menu (Figure 17).
Configuring Network Settings

The Network category on the Device tab provides options that relate to Jetdirect Print Servers. The security features you will be configuring restrict what methods are available for communication with your MFP over the network. Follow the instructions below to view and configure these options. Click the Network category on the Config tab to expand the configuration options (Figure 19).

Figure 19: The Network Category.
Choose the setting that best fits your security needs.

Figure 21: The Error Handling option.

HTTP Idle Timeout

The HTTP Idle Timeout option configures the amount of time an HTTP connection to the device remains open. This can prevent the need to physically go to the device when you have problem jobs that lack proper end of job signals or other hung connections. After the HTTP Idle Timeout has expired, the idle connection will be closed to allow for a new connection to your device.
Figure 23: The RCFG Setting option.

Network Enable Features

To enable or disable print features on your MFP: Click Enable Features from the configuration options in the Network category (Figure 23).

Figure 24: The Enable Features option.

Next, select the print features you would like to enable or disable.
Feature: EWS Config
Recommended Setting: Disabled***
Explanation: Disabling EWS Config closes down the EWS and it eliminates the configuration settings that are controlled by the EWS. It also removes the affected settings from Web Jetadmin menus. This includes settings for email, send to folder, and fax. You should disable EWS Config while the MFPs are in use, and enable it only to make changes to the affected configurations.

Feature: IPPS Printing
Recommended Setting: Disabled
Explanation: Disabling IPPS when IPP is not in use is your only option. When IPP is enabled, the IPPS Printing setting enables the Internet Printing Protocol over SSL. IPPS provides a secure method for sending print jobs to the device over the Internet or intranet.

Feature: MDNS Config
Recommended Setting: Disabled
Explanation: Disabling MDNS Config prevents access to configuration settings and other features through MDNS.
Figure 25: Review your Enable Features Configuration selections before configuring your devices.

Protocol Stacks

The Protocol Stacks option allows you to enable or disable certain print protocols used in your environment. To set your configuration: Click to select Protocol Stacks (Figure 25) and deselect all unused protocol stacks as applicable to your network. See the table below.

Figure 26: The Protocol Stacks options.
The following table lists each protocol with the recommended setting and an explanation:

Protocol Stack: TCP/IP
Recommended Setting: Always enabled
Explanation: This is the normal operating protocol for the MFPs.

Protocol Stack: IPX/SPX
Recommended Setting: Leave blank to disable
Explanation: This setting disables access for Novell servers.

Protocol Stack: DLC/LLC
Recommended Setting: Leave blank to disable
Explanation: This setting enables the MFP to communicate at basic levels on the network. It should be disabled if not in use.
Figure 28: Disabling Web Services Print.

Apply your Changes

Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. Review your settings and then click the Configure Devices button to execute the configuration.

Configuring Security Settings

The Security category includes many advanced security settings and password settings.
Figure 29: The Bootloader Password option. Type a password of 9 to 16 numeric digits in the New Password field and repeat it exactly in the Repeat Password field. Note: To reset (clear) this password, click to select Bootloader Password, type the correct current password, and leave the New Password and Repeat Password fields blank. Then click Configure, and the bootloader password will be cleared in the MFPs.
Figure 31: The Embedded Web Server Password options. Type a password of 9 to 16 characters in the Embedded Web Server Password field (you should always type the maximum number of characters for best security). This setting requires users to log on for parts of the EWS that provide configuration options. Repeat the password exactly in the Repeat Password field. Note: The Embedded Web Server Password is synchronized with the Device Password (appears later in this checklist).
Figure 33: Enabling HTTPS web communication.

Encryption Strength

The Encryption Strength setting allows you to choose the strength of the encryption algorithm used for communication between the MFP EWS and the web browsers connecting to it (this is related to the HTTPS Setting option above). To configure the Encryption Strength setting: Click Encryption Strength in the Security category (Figure 34). Click the Encryption Strength dropdown menu, and select the highest setting that your browser supports.
PJL Password

The PJL password protects the default features on the MFP that can be changed by sending PJL commands to the MFP. The PJL password is required for administrative PJL commands that are used to modify feature settings. If you do not set this password, your device settings, including the control panel display, can be altered. To set the PJL Password: Click PJL Password under the Security category (Figure 36).

Figure 36: The PJL Password option.
Figure 38: The Color Access Control options.

Secure Disk Password

The Secure Disk Password option (Figure 39) allows you to configure the password for a secure disk. If you change the password, no data on the secure disk is lost.

Note: If you are configuring multiple devices and are not sure whether a manual password has been set on any of those devices, it is recommended you skip this step in the configuration.

Figure 39: The Secure Disk Encryption Mode option.
Follow these instructions to configure Fax Printing:

Note: Be sure to configure the MFPs for fax capabilities before continuing with the instructions below. At the minimum, configure the modem settings for the country, the company, and the phone number.

Click Fax on the Config tab and select Blocked Fax List Settings.

Figure 40: The Blocked Fax List settings.

Enter a fax number you wish to block and click the Add Number button.
Additional Fax Configuration

Some of the newer MFPs or recently upgraded MFPs may contain options for setting and locking down the Fax speed-dial feature. To set your MFP speed-dial options, follow the steps below.

1. Open the Embedded Web Server for your MFP by entering the IP address of the printer into the address field of your web browser and click the Fax tab (Figure 42).

Figure 42: The Fax Settings page.

2. Click to select Fax Speed Dials on the left-hand menu (Figure 43).
Figure 44: The Fax Speed Dials configuration button.

4. To keep speed-dial entries from being added or edited via the control panel, enter the numbers of the specific speed-dial entries you wish to lock. We recommend locking all speed-dial entries from modification. To do this, enter 0-99 in the box and select Save (Figure 45).
Configuring MFP File System Settings

The File System category provides settings for access to the MFP hard drive, the Compact Flash card, and optional data storage devices. Several security settings are available that can help prevent unauthorized access to data.

File System External Access

It is recommended that all external access to the file systems on your MFPs be disabled. To do so, follow these instructions: Click the File System category to select File System External Access (Figure 46).
Note: Secure File Erase requires that the File System Password be configured. If you are following this checklist in order, this should not be an issue. To set the Secure File Erase Mode, follow these instructions: Click to select Secure File Erase Mode (Figure 47) and view the options in the dropdown menu.

Figure 47: The Secure File Erase Mode setting.

Select Secure Fast Erase, or Secure Sanitizing Erase if you require maximum security.
Figure 48: The Time-outs options.

Select Delay before resetting the default settings. Choose a reasonable time to allow users to send multiple jobs, but also to ensure that the information will not be left on the control panel for too long after the user walks away. Select Immediately reset to default settings to immediately log off the current session.
Fill in the Display Name and the Default Subject fields as desired.

Apply the Changes

Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices.

Configuring Final Settings

Some of the MFP settings should be configured independently from other settings and only at the end of this checklist. Follow these instructions for the final settings:

Disabling Direct Ports

The Disable Direct Ports feature disables the USB and Parallel ports on the MFPs.
Figure 51: The Enable Features option. Click to disable EWS Config.
Advanced Security for Multiple HP Devices

This chapter provides some tips for configuring HP security features that require network-specific information to operate correctly using HP Web Jetadmin. It also provides some special recommendations for those using customized HP solutions. These features should be installed before locking down your MFPs using the settings in the next chapter.
Figure 54: The Access for Device Functions option.

Choosing a default authentication method (Local Device, Windows, LDAP, DSS, Smartcard) causes the MFP to require everyone to log in for access to the control panel menus. You can choose to require further authentication from a user for specific functions of the MFP. Choose an authentication method for each device function as desired. If you choose to use different login methods for each device function, the MFP will require authentication as needed.
Figure 55: The Access Control List Settings under the Security Category. Add an IP address or a net mask by filling in the IP Address or Mask fields. CAUTION: Be sure to include the IP address of the computer that is running Web Jetadmin (it can be a computer other than the one you are using). Otherwise, the ACL will block your access, and you will not be able to continue. The Mask option requires an entry in the IP address field to determine the subnet for which to grant access.
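The following Python pre-flight check is an added example (not HP's code) for the caution above: it converts the IP Address / Mask rows you intend to enter into networks and reports any required host, such as the Web Jetadmin server or your own workstation, that the ACL would lock out, as well as any row that supplies a mask without an IP address. The row format, the function names and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed sample rows (not from the white paper), mirroring the
# IP Address and Mask fields of the Access Control List dialog.
ACL_ENTRIES = [
    {"ip": "10.20.30.5", "mask": ""},               # a single host
    {"ip": "10.20.40.0", "mask": "255.255.255.0"},  # a subnet via mask
    {"ip": "", "mask": "255.255.0.0"},              # mask without IP: invalid
]


def acl_entry_to_network(entry):
    """Translate one IP/Mask row into an ipaddress network object.

    A mask on its own is rejected: the mask only defines a subnet relative
    to the IP Address field (the checklist's own caveat). A row with no
    mask is treated as a single host.
    """
    ip = entry.get("ip", "").strip()
    mask = entry.get("mask", "").strip()
    if not ip:
        raise ValueError("ACL row has no IP address: %r" % (entry,))
    if not mask:
        return ipaddress.ip_network(ip)  # host entry, /32 or /128
    # strict=False tolerates host bits being set, e.g. 10.20.40.7/255.255.255.0
    return ipaddress.ip_network("%s/%s" % (ip, mask), strict=False)


def acl_networks(entries):
    """Return (networks, errors): parsed networks and the rows that were rejected."""
    networks, errors = [], []
    for entry in entries:
        try:
            networks.append(acl_entry_to_network(entry))
        except ValueError as exc:
            errors.append(str(exc))
    return networks, errors


def acl_allows(networks, host):
    """True if the host address falls inside any ACL network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def preflight_acl(entries, required_hosts):
    """Check an ACL before pushing it to the devices.

    required_hosts: addresses that must keep access, e.g. the Web Jetadmin
    server and the administrator workstation. Returns the hosts that would
    be locked out, the malformed rows, and the networks as parsed.
    """
    networks, errors = acl_networks(entries)
    locked_out = [h for h in required_hosts if not acl_allows(networks, h)]
    return {
        "locked_out": locked_out,
        "errors": errors,
        "networks": [str(n) for n in networks],
    }
```

Run preflight_acl with the Web Jetadmin server and your workstation in required_hosts, and only apply the ACL when locked_out and errors are both empty.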
LDAP

If your network includes LDAP, configure the LDAP Sign In Setup and the LDAP Users and Groups options (Figures 56 and 57).

Figure 56: The LDAP Sign In Setup options.

Figure 57: The LDAP Users and Groups options.

These settings enable the MFPs to require a user's logon credentials for use of the MFPs. This is related to the LDAP access options in the Digital Sending category, which enable the MFP to use the LDAP address book.
LLMNR

Link-Local Multicast Name Resolution (LLMNR) is a protocol that provides a method for resolving host names on the same local link. It is useful in networks that do not have a DNS server. It does not require any configuration or administration in order to work, and it supports IPv4 and IPv6. A host on the network that needs to resolve a host name sends a query to a multicast address. Other hosts on the network that support LLMNR listen on this multicast address and respond to the query.
Figure 59: The Configuration Categories Menu Network option.

Certificate Management Service

The Certificate Mgmt Service setting enables/disables batch certificate management. Using the Certificate Batch plug-in, WJA 10.x can batch manage and configure certificates on devices that support the Certificate Mgmt Service.

Figure 60: The Configuration Categories Menu Network option.

Enable WINS Port

The Enable WINS Port setting enables/disables the port used for WINS name resolution.
3. Choose Other Settings from the left-hand menu.
4. Check the box for Enable WINS Port (Figure 61).

Figure 61: Enable WINS Port by selecting the check box.

IPPS

The IPPS Printing setting enables/disables the Internet Printing Protocol over SSL. IPPS provides a secure method for sending print jobs to the device over the Internet or intranet.

Figure 62: The Configuration Categories Menu Network option.
Viewing of job log and print page information on the EWS Information tab is enabled by default. To restrict access to this data, disable the feature. To disable Print Page and Job Log:

1. Browse to the Embedded Web Server for the target device.
2. Select the Security tab.
3. Select General Settings from the left-hand menu.
4. Uncheck the boxes for Display Print Page on Information tab and Display Job Log in Information Tab (Figure 63).
5. Click Apply.
Figure 64: Enable TFTP Configuration File use by selecting the check box.

HP & 3rd Party Solutions

Most of the recommendations in the next chapter of this checklist can be implemented without a negative impact on the HP and 3rd party solutions you may use in your environment. However, some settings have been known to cause problems.
Settings List

This section is a complete list of the settings recommended in this checklist. This section does not include instructions or explanations. It is intended to be used as a check-off list of the recommended settings to help ensure that you complete the entire configuration. See the Network Security section (above) and the Ramifications section (below) for information on each setting.
Security Category Options

o Disable Digital Sending Service.
o Configure Embedded Web Server Password.
o Disable Enable Host USB.
o Enable HTTPS Setting to Encrypt all web communication.
o Configure Encryption Strength to High.
o Configure Open/Print from USB Device.
o Configure the PJL Password.
o Disable Printer Firmware Update.
o Configure Restrict Color as desired.
o Configure the Secure Disk Password.

Fax Category Options

o Configure Fax Printing.
o Blocked Fax List Settings.
o Fax Header Settings.
Default Settings

This chapter lists the default setting for each configuration in the checklist:

Setting                                    Default Setting
Configure HP Secure Hard Disk              Installed and Enabled
Configure SNMPv3 (Security page)           Not configured
I/O Timeout to End Print Job               Not configured
Configure Job Hold Timeout                 Never Delete
Enable Job Retention
Restrict Color                             Not configured
Secure Disk Password                       Automatic
Configure Fax Printing                     Not configured
Blocked Fax List Settings                  Not Configured
Fax Header Settings                        Not Configured
Configure Fax Speed Dials                  Not Configured
Lock Speed Dials                           Not Configured
Configure File System External Access      (See below)
Disable PJL                                Enabled
Disable PostScript                         Enabled
Configure File System Password
Ramifications

Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring the settings recommended in this checklist. Keep in mind that this is not a comprehensive list. You should test each MFP in your network environment to understand the implications of these settings and configurations.
Input Auto Continue Timeout. Configure Auto Continue Timeout to a setting of your choice.

Enable Job Hold Timeout. Job Hold Timeout is related to the Job Retention setting below. It permanently deletes stored jobs (except fax) that are held past the allowed time. This ensures that the stored jobs are not accessible after a time, and it ensures that the hard drive is cleared periodically. Job Hold Timeout requires that users are mindful of their print jobs.
o Enable 9100 Printing. 9100 Printing should always be enabled. It is the standard printing protocol used by MFP print drivers. Disabling 9100 Printing would disable all printing for most users.
o Disable Air Print. Air Print Printing is a protocol for printing from Apple devices. Unless your network environment supports Air Print, we recommend keeping this feature disabled.
o Disable IPP Printing. IPP Printing is a protocol for printing over the internet or locally.
Configure Embedded Web Server Configuration Options. These options limit some of the EWS features that can be misused:

o Enable Outgoing Mail. The MFP sends some email, such as automatic fax notifications and consumables alerts, depending on configurations. This Outgoing Mail feature does not affect the MFP send to email functions. It also is not known to affect network security. If you use fax notification or other automatic email alerts, you should enable outgoing email.
o Disable Incoming Mail.
Encrypt all web communication by Enabling HTTPS. This setting enables encryption for configuration data between the PC and the MFP EWS. It prevents sensitive data such as usernames and passwords from passing over the network in clear text. This setting is related to the EWS Encryption Strength setting explained below. Configure Encryption Strength to High. The encryption strength setting covers communication between a PC and the Embedded Web Server.
The Fax Printing options limit access to timely faxes. You may wish to provide the PIN to a number of people to ensure that someone can print a fax on demand. You can also configure fax alerts to ensure that personnel will know when a fax arrives even though it is not printed upon arrival.

Additional Fax Configuration

Configure the number of Fax Speed Dials with the Embedded Web Server.
Secure Fast Erase mode overwrites files one time. It slows MFP performance a bit, but it provides reasonable security for most situations. Secure Sanitizing Erase overwrites files 3 times. It slows MFP performance considerably, but it provides even more assurance that the data is not recoverable. If your network is required to meet stringent security requirements such as DOD regulations, you should use Secure Sanitizing Erase.
This overall configuration provides a high level of network security for HP MFPs. At the same time, it introduces some limitations to the conveniences designed into the MFPs. Here are some known effects of this overall configuration: Extra steps to use MFPs: Users will be required to provide usernames and passwords at the control panels before they can use the MFPs. The MFPs will not allow a user to cancel the print jobs of other users.
Appendix 1: Glossary of Terms and Acronyms

The following table lists terms and acronyms found in this checklist:

Term: ACL
Description: Access Control List. The ACL restricts network access to the MFP by allowing only those IP addresses or subnets that are listed in it.

Term: Analog fax
Description: Analog fax is the fax function that operates over telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist.

Term: Scanner, ADF, or flatbed scanner
Description: The top of the MFP is a scanner that converts paper documents into digital images for copying, fax, or digital sending. The scanner can scan a document in two ways: Automatic Document Feeder (ADF) or flatbed. The ADF is the top of the MFP. It is the cover of the flatbed scanner. The ADF draws sheets into a paper path from an input tray similar to the input paper tray on a printer. It runs each sheet past the scanner and places it in an output tray.
Appendix 2: Products supported by this checklist

HP Color LaserJet CM4540 MFP
HP Color LaserJet CP5525xh
HP LaserJet Enterprise M4555 MFP
HP LaserJet Enterprise M406/M407 series
HP LaserJet Enterprise MFP M430/M431 series
HP Color LaserJet Enterprise M455 series
HP Color LaserJet Enterprise MFP M480 series
HP LaserJet Enterprise M506 series
HP Color LaserJet Enterprise M751 Printer series
HP LaserJet Enterprise 700 color M775 series
HP Color LaserJet MFP M776 series
HP LaserJet Enterprise M806
HP LaserJet E
HP OfficeJet Enterprise X555 series
HP OfficeJet Enterprise X585 series
HP PageWide Enterprise Color MFP 586 series
HP PageWide Color 755 Printer series
HP PageWide Enterprise Color 765 series
HP PageWide Enterprise Color 774/779 series
HP PageWide Enterprise Color MFP 780/785 series
HP PageWide Managed Color MFP E58650 series
HP PageWide Managed Color E75160 series
HP PageWide Managed Color MFP E77650/60 series
HP PageWide Managed Color MFP P77940/50/60 series
HP Digital Sender Flow 8500 fn2
HP ScanJet Ent
© Copyright 2021 HP Inc Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.