HP Enterprise printers and scanners - Imaging and Printing Security Best Practices (white paper)

o Enable 9100 Printing. 9100 Printing should always be enabled. It is the standard printing protocol used by MFP print
drivers. Disabling 9100 Printing would disable all printing for most users.
o Disable Air Print. Air Print Printing is a protocol for printing from Apple devices. Unless your network environment
supports Air Print, we recommend keeping this feature disabled.
o Disable IPP Printing. IPP Printing is a protocol for printing over the Internet or locally. Unless you have a requirement
for IPP printing, it should be disabled. With it disabled, the MFPs will deny access to direct printing from the Internet.
Print jobs generated from web browsers using the installed print driver are not affected.
o Disable IPPS. When IPP is not in use, disabling IPPS is your only option. When IPP is enabled, the IPPS Printing
setting enables the Internet Printing Protocol over SSL. IPPS provides a secure method for sending print jobs to the
device over the Internet or intranet. If you have chosen to enable IPP, then we recommend enabling IPPS as well.
o Disable MDNS Config. MDNS Config resolves host names with IP addresses in small networks without DNS servers.
Most enterprise networks include DNS servers and do not require this service. With this option disabled, a non-DNS
network will not recognize the MFPs. If your network does not include a DNS server, you should enable MDNS Config.
o Disable IPv4 Multicast Config. IPv4 Multicast Config configures multiple devices simultaneously over the network.
You should always disable IPv4 Multicast Config and use Web Jetadmin for managing MFPs.
o Disable WS-Discovery. WS-Discovery enables network hosts that support WS-Discovery to discover printers and
devices on the network. Unless you are in an IPv6 or Windows Vista/Windows 7 only environment, there are other
protocols you can use to discover your printers.
o Disable HP XML Services. The HP Jetdirect XML Services setting is used to enable/disable the IXDM Access Interface
(IXA) which provides a method for collecting or configuring complex data where SNMP is impractical. When the HP
Jetdirect XML services setting is disabled, the IXA interface is disabled and configuration through XDM cannot take
place.
o Configure TCP Idle Timeout (previously called Job Timeout). The TCP Idle Timeout option enables the MFPs to move
on from jobs that lack proper end of job signals. The MFPs will be able to switch protocols to continue with other jobs
rather than waiting indefinitely for improperly formatted jobs to finish.
o Disable Web Services Print. This disables the Microsoft WSD Print services supported on the HP Jetdirect Print Server.
If this feature is enabled someone with a host that supports Web Services Print can discover IP Addresses and other
information about the printers in your environment.
Security Options
Configure Authentication (LDAP, Kerberos, Device PIN, or User PIN). Authentication requires users to log on for use of the
MFPs.
Configure Authentication Manager. The Authentication Manager provides the settings to require log in for use of the MFP.
It is important to be sure to configure the authentication methods (LDAP, Kerberos, Device PIN, or User PIN) you wish to
enforce in the authentication manager. With authentication enabled, MFPs will deny access to users who cannot supply
the correct credentials.
Disable Allow Use of Digital Send Service. HP Digital Sending Software is a useful tool for managing MFP digital sending.
It is available for purchase at hp.com. HP recommends using Digital Send Service, but it is not covered in this checklist.
Thus, this checklist recommends disabling it unless you are using it.
With Allow Use of Digital Send Service disabled, no one can manage the MFPs with an installation of Digital Send Service.
The MFPs will deny access.
Disable Allow Transfer to New Digital Send Service. This setting is related to the previous setting. If you allow use of
Digital Send Service, it is possible for any installation of Digital Send Service to take over management of an MFP.
Disabling this setting ensures that the MFPs will allow only one Digital Send Service computer to manage the MFPs.
With this setting disabled, the MFPs will deny access to a second Digital Send Service attempting to take over
management.
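The checklist items above, including the conditional ones (IPPS follows IPP, MDNS Config depends on DNS, Digital Send Service only where it is used), written as an audit over an exported device configuration. This is an added example, not HP code; every setting name, site-fact name and sample value in it is hypothetical.

```python
# Added example. All key names are hypothetical labels for an exported
# configuration; they are not HP Web Jetadmin or Jetdirect identifiers.
AUTH_METHODS = {"ldap", "kerberos", "device_pin", "user_pin"}
ALWAYS_OFF = ("ipv4_multicast_config", "hp_xml_services",
              "web_services_print", "allow_dss_transfer")
# Off unless the site declares the matching need: (setting, site fact).
OFF_UNLESS = (("airprint", "supports_airprint"), ("ipp_printing", "needs_ipp"),
              ("ws_discovery", "needs_ws_discovery"), ("allow_dss", "uses_dss"))

def audit(device, site):
    """Return one finding string per setting that deviates from the checklist."""
    findings = []

    def require(key, state, why):
        # A missing key is treated as "disabled".
        if bool(device.get(key)) != state:
            want = "enabled" if state else "disabled"
            findings.append(f"{key}: should be {want} ({why})")

    require("9100_printing", True, "standard print-driver protocol")
    for key in ALWAYS_OFF:
        require(key, False, "checklist gives no exception")
    for key, need in OFF_UNLESS:
        if not site.get(need, False):
            require(key, False, f"site does not declare {need}")
    # IPPS tracks the device's actual IPP state: on with IPP, off without it.
    require("ipps_printing", bool(device.get("ipp_printing")), "must match IPP")
    # MDNS Config is wanted only on networks without a DNS server.
    require("mdns_config", not site.get("has_dns", True), "depends on DNS")
    # Assumption: 0 or a missing value means no idle timeout is configured.
    if (device.get("tcp_idle_timeout_s") or 0) <= 0:
        findings.append("tcp_idle_timeout_s: should be configured")
    if not AUTH_METHODS & set(device.get("auth_methods") or ()):
        findings.append("auth_methods: no sign-in method configured")
    return findings

# Constructed sample input, not taken from a real device.
SAMPLE_DEVICE = {
    "9100_printing": True, "airprint": True, "ipp_printing": True,
    "ipps_printing": False, "mdns_config": True, "ws_discovery": False,
    "ipv4_multicast_config": False, "hp_xml_services": False,
    "web_services_print": True, "tcp_idle_timeout_s": 0, "auth_methods": [],
    "allow_dss": False, "allow_dss_transfer": False,
}
SAMPLE_SITE = {"has_dns": True, "needs_ipp": True}

if __name__ == "__main__":
    for line in audit(SAMPLE_DEVICE, SAMPLE_SITE):
        print(line)
```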
Embedded Web Server Options