HP Enterprise printers and scanners - Imaging and Printing Security Best Practices (white paper)
Encrypt all web communication by Enabling HTTPS. This setting enables encryption for configuration data between the
PC and the MFP EWS. It prevents sensitive data such as usernames and passwords from passing over the network in clear
text. This setting is related to the EWS Encryption Strength setting explained below.
Configure Encryption Strength to High. The encryption strength setting covers communication between a PC and the
Embedded Web Server. When HTTPS is configured (as recommended in this checklist), communication is encrypted
according to this Encryption Strength setting.
With Encryption Strength set to High, users will find that the EWS is accessible only from web browsers that support
that level of HTTPS communication.
This checklist recommends disabling EWS Config during normal use of MFPs. This removes all access to the EWS; however,
you should configure this setting for times when you temporarily enable EWS Config to make changes to configurations.
Web browsers that do not support SSL and high encryption strength will not be able to access the MFP EWS.
This checklist recommends disabling EWS Config during normal MFP operations and enabling it temporarily for changes to
configurations. This setting ensures that the network traffic is secure during those configurations.
Disable Open/Print from USB Device. The Open/Print from USB Device feature allows you to print documents stored on a
USB device. Leaving this option enabled could allow people without access to your network to walk up to your devices
and print documents.
Configure the PJL Password. The PJL password prevents unauthorized users from configuring certain features of the MFP.
It requires the password to change these settings via Print Job Language (PJL) commands.
With the PJL Password configured, the MFPs will deny access to commands that attempt to change default settings
without the correct password.
If you are using an HP or 3rd party solution, this setting may interfere with upgrades to an existing solution, or installation
of a new solution.
Disable Printer Firmware Update. Printer Firmware Update enables the MFPs to accept printer firmware updates from
various sources. Disabling it ensures that no one can send firmware updates to the MFPs. If this feature is disabled it may
still be possible to update the firmware manually through the boot loader if you have not safeguarded this option.
HP recommends updating firmware whenever it becomes available at hp.com. You should enable Printer Firmware
Update to perform the upgrades and then disable it again during normal use of the MFPs.
With Printer Firmware Update disabled, the MFPs will deny access whenever anyone attempts to upgrade the firmware.
Configure color restriction settings. If your network includes Color LaserJet MFPs, you can configure settings to restrict the
use of color printing by users and by applications.
With color restriction settings configured, an MFP will print only in black and white for restricted users or applications.
Fax Options
Configure the Fax PIN. With the fax PIN configured, the MFP requires the Fax PIN be provided before access to held fax jobs
is gained at the control panel. This improves security by ensuring that printed faxes are not left in the output trays where
unauthorized personnel might see them.
NOTE: Stored faxes are not affected by the Job Hold Timeout.