HP Enterprise printers and scanners - Imaging and Printing Security Best Practices (white paper)

Ramifications
Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the
compromises you can expect from configuring the settings recommended in this checklist. Keep in mind that this is not a
comprehensive list. You should test each MFP in your network environment to understand the implications of these settings and
configurations.
The following sections explain some of the known ramifications of each recommended setting:
Initial Settings
Configuring Advanced Security Settings (ACL, PIN Authentication, LDAP, Solutions, etc.)
There are many advanced security settings that you may be using as part of your infrastructure or print solution. These
settings should be configured and tested before locking down your devices with this checklist. If you are unsure how a setting
may affect an advanced security configuration, see the advanced security section or test the setting on a single device before
applying it to your fleet.
Configure HP Secure Hard Disk.
HP Secure Hard Disk is a disk that encrypts all data stored on your hard drive.
Failure to set up this device before setting the NIST checklist or other MFP settings will result in a loss of all previous settings
when the HP Secure Hard Disk is installed and set to encrypt data.
Once the HP Secure Hard Disk is installed, the hardware encryption is transparent to the device. It should have no impact on
subsequent configurations unless you:
- Remove the HP Secure Hard Disk and install a new one,
- Use the “reinitialize” feature, which will result in cryptographically erasing your entire disk, or
- Change the password, which will also result in reinitializing the encrypted disk.
Enable SNMPv3
SNMPv3 is a secure protocol that encrypts configuration data transmitted over the network. Web Jetadmin accesses most of
the MFP configuration settings through the MFP SNMP ports.
Once SNMPv3 is configured, the MFPs will prompt for the credentials every time anyone tries to configure settings using Web
Jetadmin or any other tool. However, Web Jetadmin includes a convenient device cache feature that stores all of the passwords
and credentials for each MFP. Whenever an authorized Web Jetadmin administrator makes a change, Web Jetadmin
automatically provides the credentials without prompting. Thus, the administrator is required to remember the credentials
only when the device cache credentials are outdated. The device cache is secured by encryption, and Web Jetadmin allows only
the authenticated administrator to log in and manage the MFPs. Be sure to configure a robust password for Web Jetadmin.
With SNMPv3 configured, an unauthorized user attempting to access the MFP configuration settings will observe a prompt for
the SNMPv3 credentials. The MFP will not disclose which credentials are incorrect; it will only revert to the prompt for
credentials.
SNMPv3 causes some slowing of the configuration process due to the additional time taken to encrypt the data.
Disabling SNMPv1 disables SNMPv1 GET and SNMPv2 SET commands. Any solution or software that requires SNMPv1 or
SNMPv2 will not function. If you require these to be enabled, be sure to set the community name to something that would be
difficult to guess.
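One way to confirm on a single device that the SNMP lockdown described above took effect, as an added example that is not part of the HP white paper. It assumes net-snmp's snmpget is installed; the function names, the V3_* variables, the SHA/AES protocol choice and the legacy community names tried are assumptions to adjust to your own fleet.

```bash
# Added example: check that an MFP answers SNMPv3 only after lockdown.
# Assumptions: net-snmp snmpget; V3_USER, V3_AUTH_PASS and V3_PRIV_PASS are
# set by the caller; SHA/AES must match what the device is configured with.

SNMPGET="${SNMPGET:-snmpget}"      # overridable so the logic can be exercised offline
SYS_DESCR_OID="1.3.6.1.2.1.1.1.0"  # sysDescr.0, present on any SNMP agent

# Returns 0 if the device answers a v1/v2c GET with the given community name.
legacy_snmp_answers() {
    local host="$1" version="$2" community="$3"
    "$SNMPGET" -v"$version" -c "$community" -t 2 -r 1 \
        "$host" "$SYS_DESCR_OID" >/dev/null 2>&1
}

# Returns 0 if the device answers an authenticated, encrypted SNMPv3 GET.
snmpv3_answers() {
    local host="$1"
    "$SNMPGET" -v3 -l authPriv -u "$V3_USER" -a SHA -A "$V3_AUTH_PASS" \
        -x AES -X "$V3_PRIV_PASS" -t 2 -r 1 \
        "$host" "$SYS_DESCR_OID" >/dev/null 2>&1
}

# Prints one line per finding and returns non-zero if the device is not
# in the expected "SNMPv3 only" state.
audit_device() {
    local host="$1" rc=0 version community
    for version in 1 2c; do
        # Community names your fleet used before lockdown go here (assumed list).
        for community in public private; do
            if legacy_snmp_answers "$host" "$version" "$community"; then
                echo "$host: FAIL SNMPv$version still answers community '$community'"
                rc=1
            fi
        done
    done
    if ! snmpv3_answers "$host"; then
        echo "$host: FAIL no answer to SNMPv3 authPriv GET (check credentials)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$host: OK answers SNMPv3 only"
    fi
    return "$rc"
}
```

Call audit_device with the device address after applying the checklist; a FAIL line for SNMPv1 or SNMPv2c means a legacy community name is still accepted.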
Device Page Settings
Set I/O Timeout to End Print Job. The I/O Timeout to End Print Job allows you to specify the amount of time a device should
wait between packets before canceling a job. Setting this timeout will help prevent incorrectly formed or sent jobs from tying
up a print resource. If you are on a busy network, or you spool large jobs in real time in a way that may cause gaps between
packets, set this timeout high enough to accommodate your environment.