HP Imaging and Printing Security Best Practices Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs Version 5.0 for HP Web Jetadmin 10 © Copyright 2005, 2007, 2009, 2010 Hewlett-Packard Development Company, L.P.
Table of Contents Table of Contents....................i Chapter 1: Introduction..................1 Cautions........................2 Follow the Checklist in Order..................2 Understand the Ramifications..................2 Continue to be Vigilant ....................2 MFP Environment ......................3 Assumptions........................3 Solutions covered ......................4 Organization .........................4 Chapter 2: Threat Model..................5 Spoofing Identity ......................5 Tampering with Data.......................6 Repudiation ........................6...
Printer Firmware Update .................... 41 Secure Disk Encryption Mode ..................41 Apply the Changes ....................42 Configuring MFP Fax Settings..................44 Configuring Fax Printing .................... 44 Apply the Changes ....................45 Additional Fax Configuration..................46 Configuring MFP Embedded Web Server Settings .............48 Embedded Web Server Configuration Options .............
Network Page Options ....................76 Security Page Options ....................79 Final Configurations ....................84 Overall Limitations ....................85 Chapter 8: Physical Security ................86 Chapter 9: Appendix 1: Glossary of Terms and Acronyms ........87 HP LaserJet and Color LaserJet MFP Security Checklist...
Chapter 1: Introduction This document is a security checklist for the following HP MFP models: HP LaserJet M3027 MFP HP LaserJet M3035 MFP HP LaserJet 4345 MFP HP LaserJet M4345 MFP HP LaserJet M5025 MFP HP LaserJet M5035 MFP ...
HP Web Jetadmin Version 10.2 installed on a Windows XP or Windows Vista PC One of each supported MFP with the latest updated firmware found at hp.com The process for configuring this checklist is developed using HP Web Jetadmin to manage all of the MFPs at the same time.
MFP Environment NIST defines several types of user environments, many of which are compatible with HP LaserJet and Color LaserJet MFPs. However, this checklist is written for MFPs in an enterprise environment or a small to medium business environment. These environments use most of the network features available with MFPs.
Solutions covered This checklist covers MFP security settings found in HP Web Jetadmin. This checklist covers no other solutions or applications. Organization This checklist includes the following chapters: Chapter 2: Threat Model: The Threat Model chapter explains the security circumstances ...
Chapter 2: Threat Model This section explains the types of security risks involved with operating MFPs in enterprise environments. As technology improves, malicious people (hackers) continue to find new ways to exploit networks. They are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or the internet.
You can minimize the risks from identity spoofing in the following ways: Protect the from address field in the MFP Digital Sending and Fax configurations. Protect MFP disk access. Configure authentication. Configure the administrator password. Configure SNMPv3. ...
Install Jetdirect 635n Print Servers or enable embedded IPSec to encrypt the data stream to include log data and file metadata (look for this product at hp.com or contact your hp product supplier). Close unused ports and protocols. Save copies of log data at a separate location ...
Causing interference with network communication to the MFP Changing the network location of the MFP Causing an error state that interrupts service Changing access configurations Here are some methods of minimizing opportunities for denial of service on an MFP: Lock the control panel.
Chapter 3: Basic Security for Multiple MFPs This chapter explains how to configure security settings for one or more MFPs using HP Web Jetadmin. It assumes that you have taken or plan to take reasonable steps to secure the network environment in which your MFPs are operating.
log of the passwords in a safe place. Web Jetadmin will prompt for passwords during the configuration process if they are missing from the cache. CAUTION: Losing passwords can block access to an MFP. Be careful to record them in a safe place. It is most important to remember the Bootloader password.
Use meaningless random passwords. Passwords that are real words or phrases are easier to guess. The latest password cracking tools follow dictionaries to narrow down the possibilities. Record the passwords in a safe but hidden place. The passwords are designed to restrict access to management options on the MFPs.
Figure 1: Web Jetadmin showing the device list on the default view. 2. Check to see that the MFPs you wish to configure appear in the Device Model List. If they are not in the list, use the Discovery options to find the MFPs on your network.
4. Click the Config tab in the lower half of the Device List view to show settings available for configuration (Figure 3). Figure 3: The Config tab displays settings available for configuration. The Config tab contains all of the settings recommended in this checklist. Tip: If you are having a problem configuring a setting, try configuring it using the individual device’s configuration page.
Follow these steps to use Web Jetadmin to verify your HP Secure Hard Disk is installed and configured: 1. In the device list view, add the columns for Secure Disk and Secure Disk Status if they are not visible. First, right click on the column area to the right of the existing columns.
Figure 5: Shows how to add the Secure Disk and Secure Disk Status columns to the columns selected for display. 3. In the listing of printers, check the Secure Disk and Secure Disk Status columns. The Secure Disk column should indicate “Installed”. The Secure Disk Status column should indicate ”Encrypted”...
Note: If your MFP is reporting an installed HP Secure Disk but its status is anything other than Encrypted it is recommended you resolve the issues with your HP Secure Disk before continuing this checklist. If you do not you may need to re-apply the entire checklist to the MFP. An example of an MFP with a HP Secure Disk Installed that is not configured properly is shown below (Figure 7).
Figure 8: The Security category and SNMP Version Access Control settings. 2. On the SNMP Version Access Control menu, and select the Enable SNMPv3 checkbox ( Figure 9 Figure 9: Shows Enable SNMPv3 selected. 3. Once Enable SNMPv3 has been selected, and fills in the New User, the New Authentication Passphrase, and the New Privacy Passphrase fields ) in the New SNMPv3 Credential section.
Figure 10: The Enable SNMPv3 option has been selected and the New SNMPv3 Credential section is complete. The New User Name field can be any name you choose. The New Authentication Passphrase field can be any word or phrase that is at least 8 characters.
4. Scroll down to the SNMPv1 Settings section, and select SNMPv1 disabled Figure 11 Figure 11: The SNMP Version 3 Only setting. This setting limits all SNMP configuration communication to only SNMPv 3. Once applied your MFPs will not allow SNMPv1 SET and SNMPv2 GET. 5.
Figure 12: The Configure Devices dialogue box. Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
6. Click the Configure Devices button to execute the configuration. The result of your configuration will be displayed when the configuration is complete (Figure 13). Figure 13: Shows a successful configuration result. If your configuration is not successful, you can click the Details button for more information on why the configuration failed.
Configuring MFP Device Settings The Device category includes settings that affect some of the normal use of the MFPs. The following settings affect how jobs are stored, and how long your MFP will wait before a job times out in a particular way. 1.
Figure 15: The Job Hold Timeout options. Job Retention 1. From the Device category, select Job Retention (Figure 16). 2. Click checkbox to select Job Retention (Error! Reference source not found.), and select Enabled. Figure 16: The Job Retention options. This allows users to store print jobs and fax jobs for printing at their discretion (when they can be present to control the printouts and keep them from view).
Figure 17: The Configure Devices dialogue box. 2. Review your settings and then click the Configure Devices button to execute the configuration. Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
Configuring MFP Network Settings The Network category on the Device tab provides options that relate to Jetdirect Print Servers. The security features you will be configuring restrict what methods are available for communication with your MFP over the network. Follow the instructions below to view and configure these options. 1.
Figure 19: The Enable Features option. 2. Next, select the print features you would like to enable or disable. The following table lists and explains the recommended settings for the Enable Features option: Feature Recommended Explanation Setting EWS Config Disabled*** Disabling EWS Config closes down the EWS and it ***NOTE:...
SLP Config Disabled Disabling SLP Config prevents access to configuration settings and other features through SLP. FTP Printing Disabled Disabling FTP Printing prevents access to configuration settings and other features through FTP. It also prevents printing through FTP. LPD Printing Disabled Disabling LPD Printing prevents access to...
WARNING: You will want to enable WS-Discovery on this printer if the following apply: You are using an IPv6 only network, you use WS-Print to discover your devices, or operate in a Windows Vista/ Windows 7 centric environment. If you are unsure of this setting, we highly recommend testing its implications with a single device before applying it to your whole fleet.
Figure 20: Review your Enable Features Configuration selections before configuring your devices. Encrypt all Web Communication This setting requires web browsers to use HTTPS when contacting the MFPs. This ensures secure communications with the MFP EWS. To enable this feature: 1.
Figure 21: Enabling HTTPS web communication. Encryption Strength The Encryption Strength setting allows you to choose the strength of the encryption algorithm used for communication between the MFP EWS and the web browsers connecting to it (this is related to the HTTPS Setting option above).
Figure 23: The Encryption Strength dropdown menu. Error Handling The Error Handling option (Figure 24) specifies how the Jetdirect Print Server handles error conditions. The settings are: Dump then Reboot does a memory dump them reboots. Reboot Without Dump reboots without dumping memory. Dump then Halt does a memory dump but does not do a reboot;...
HP will not collect network-specific or personal data. For information on HP privacy policies, read the Hewlett-Packard Online Privacy Statement available by clicking privacy statement at http://www.hp.com. If you enable this feature, information collected by HP will be limited to the...
Local language selections used for viewing Web pages Network communications protocols enabled Network management interfaces enabled Device discovery protocols enabled Printing protocols enabled TCP/IP configuration methods enabled SNMP control methods enabled Wireless configuration methods enabled The MFP must have internet access to allow HP to collect information.
Figure 28: The Protocol Stacks options. Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
The following table lists each protocol with the recommended setting and an explanation: Protocol Stack Recommended Explanation Setting IPX/SPX Leave blank to disable This setting disables access for Novell servers. TCP/IP Always Enabled. This is the normal operating protocol for the MFPs. DLC/LLC Leave blank to disable This setting enables the MFP to...
Apply your Changes 1. Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. This will open the configure devices dialogue box (Figure 30). Figure 30: The Configure Devices dialogue box. 2.
Configuring MFP Security Settings The Security category includes many advanced security settings and password settings. If you are attempting to configure a setting that is in the Security category and not listed in this section, you should check the chapter on Advanced Security for multiple MFPs. To set the basic required settings in this category follow the steps in the sections below.
Color Access Control The Color Access Control options (Figure 32) allow you to manage the usage of color printing supplies within your organization. If you wish to restrict access to color printing you can configure these settings to match your policy. Figure 32: The Color Access Control options.
Figure 33: The Control Panel Access option. Note: This setting prevents access to configuration settings in the control panel, including digital send and fax settings. If you wish to make changes to settings in the control panel, unlock access using Web Jetadmin, make the changes, and then lock access again.
2. Type a password of 8 to 16 characters in the Embedded Web Server Password field (you should always type the maximum number of characters for best security). This setting requires users to log on for parts of the EWS that provide configuration options.
Printer Firmware Update HP recommends updating firmware whenever new firmware is available, but you should keep Printer Firmware Update disabled until you plan to use it. To disable Printer Firmware Update: 1. Click to select Printer Firmware Update (Figure 36), and select Disable. Figure 36: The Printer Firmware Update option.
Figure 37: The Secure Disk Encryption Mode option. Apply the Changes 1. Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. This will open the configure devices dialogue box (Figure 38). Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
Figure 38: The Configure Devices dialogue box. 2. Review your settings and then click the Configure Devices button to execute the configuration. Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
Configuring MFP Fax Settings The Fax Category provides options for the analog fax functions. This includes settings to allow for printing fax jobs when the recipient is present and for restricting access to fax print jobs. Configuring Fax Printing Follow these instructions to configure Fax Printing: Note: Be sure to configure the MFPs for fax capabilities before continuing with the instructions below.
Note: This setting also enables PIN printing. 3. Select Store all Received Faxes. The Store all Received Faxes option holds incoming faxes for printing until someone enters the correct PIN number and selects the menu options at the control panel. This is considered the most secure mode of fax printing.
2. Review your settings and then click the Configure Devices button to execute the configuration. Additional Fax Configuration Some of the newer MFPs or recently upgraded MFPs may contain options for setting and locking down the Fax speed-dial feature. This Fax feature is not yet accessible via Web Jetadmin 10.2. To set your MFP speed-dial options follow the steps below 1.
3. Set any speed-dials you wish to have by selecting the speed-dial number and clicking the Edit Speed Dial button (Figure 43). Figure 43: The Fax Speed Dials configuration button. 4. To keep speed-dial entries from being added or edited via the control panel input the number of the specific speed-dials you wish to lock.
Configuring MFP Embedded Web Server Settings Embedded Web Server Configuration Options Each MFP has an Embedded Web Server that provides network access to view MFP status, to set preferences, and to configure the MFP. You can view an MFP Embedded Web Server by typing the MFP IP address into a web browser.
Embedded Web Recommended Explanation Server Configuration setting Option Outgoing Mail (enabled by Enable as desired Outgoing Mail enables the default) MFP to send alerts and AutoSend messages to a designated recipient. This is not necessarily a security-related feature. Use it as you see fit. This setting does not affect the MFP Send to Email feature.
Continue Button (enabled by Select to enable Continue Button allows the default) MFPs to resume after an error has been cleared. Print Service (enabled by Leave blank to disable Print Service enables users default) to send print-ready files directly to an MFP without having the MFP installed on a computer.
2. Review your settings and then click the Configure Devices button to execute the configuration. Configuring MFP File System Settings The File system category provides settings for access to the MFP hard drive, the Compact Flash card, and optional data storage devices. Several security settings are available that can help prevent unauthorized access to data.
protocol for the MFPs. PostScript Disabled Prevents access to the file system through this protocol. NOTE: Disabling PostScript may affect interactions with third party applications. File System Password When a File System Password is set, the MFPs will require the password whenever anyone or any device requests access to the storage devices.
Secure File Erase Mode This setting determines the level of overwriting applied to delete files during routine functions. This includes removal of files for the Secure Storage Erase function. The settings are: Non-secure Fast Erase does a standard erase with no additional security. Secure Fast Erase overwrites files using one pass.
Figure 50: The Secure File Erase Mode setting. Apply the Changes 5. Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. This will open the configure devices dialogue box (Figure 51). Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
Figure 51: The Configure Devices dialogue box. 6. Review your settings and then click the Configure Devices button to execute the configuration. Chapter 3 HP LaserJet and Color LaserJet MFP Security Checklist...
Configuring MFP Digital Sending Settings The Digital Sending category includes options for email and for send to network folder. This includes settings for protecting the sender identification fields. Note: Some security-related settings that do not apply to LaserJet and Color LaserJet MFPs might appear on the Digital Sending page.
Default From Address HP recommends configuring the default from address to ensure that no one can send email using false or misleading identification. If you are using LDAP Authentication, the MFP will use the email address of the authenticated user to replace the default from address. To configure the Default From: Address: 1.
Figure 54: The Configure Devices dialogue box. 2. Review your settings and then click the Configure Devices button to execute the configuration. Configuring Final Settings Some of the MFP settings should be configured independently from other settings and only at the end of this checklist.
Figure 55: The Disable Direct Ports option. 2. Click to select the Disable Direct Ports option to the right. 3. Select Yes. 4. Click Apply at the bottom of the page. 5. Wait for a few minutes to allow all of the MFPs to restart. Do not continue until all of them are at the READY state.
Note: This setting disables configuration from the MFP EWS. It also disables all EWS-related settings from Web Jetadmin (they will disappear from Web Jetadmin menus). With this setting configured, the only way to make changes to the EWS settings again is to re-enable them using Web Jetadmin.
Chapter 4: Advanced Security for Multiple MFPs This chapter gives some tips for configuring more advanced security settings for one or more MFPs using HP Web Jetadmin. These features should be set up before locking down your MFPs using the settings in the previous chapter.
Figure 57: The Configuration Categories Menu Network option. 2. Add an IP address or a net mask by filling in the IP Address or Mask fields. CAUTION: Be sure to include the IP address of the computer that is running Web Jetadmin (it can be a computer other than the one you are using).
Authentication Manager The Authentication Manager allows you to customize access to functions of the MFP. You can use these options to provide varying services to different groups of people. 1. Click to select Authentication Manager (Figure 58). Figure 58: The Authentication Manager options. Note: Be sure to select only the authentication features that you plan to configure for the MFPs selected.
Figure 59: The drop down menu for Log in at Walk Up. Choosing an authentication method for Log in at Walk Up causes the MFP to require everyone to log in for access to the control panel menus. You can choose to require further authentication for specific functions of the MFP.
Figure 60: The Group 1 PIN and Group 2 PIN Authentication options. Click to select PIN Authentication, and enter PINs as desired. Be sure to repeat the PINs exactly in the Confirm PIN fields. Note: If your network includes NTLM service, configure NTLM. This option specifies the authentication method to use when your MFP executes a send to folder job.
LDAP If your network includes LDAP, configure the LDAP Authentication options (Figure 61). Figure 61: The Accessing the LDAP Server options. These settings enable the MFPs to require a user's logon credentials for use of the MFPs. This is related to the LDAP access options in the Digital Sending category, which enable the MFP to use the LDAP address book;...
If you choose Simple for the bind method, usernames, email addresses, passwords, and other data will be sent over the LDAP protocol in clear text. Fill in the remaining fields according to your network configuration. If your network has Kerberos authentication capabilities, configure the Kerberos Authentication options.
Chapter 5: Settings List This section is a complete list of the settings recommended in this checklist. This section does not include instructions or explanations. It is intended to be used as a check-off list of the recommended settings to help ensure that you complete the entire configuration. See the Network Security section (above) and the Ramifications section (below) for information on each setting.
Disable mDNS Config. Disable IPV4 Multicast Config. Disable WS-Discovery. Enable HTTPS Setting to Encrypt all web communication. Configure Encryption Strength to High. Configure Error Handling Disable IPX RCFG Support. Configure Job Timeout. ...
Embedded Web Server Page Options Configure Embedded Web Server Configuration options. Enable Outgoing Mail. Disable Incoming Mail. Disable Cancel Job Button. Disable Go Button. Disable Command Invoke. Disable Command Download. Disable Command Load and Execute. ...
Chapter 6: Default Settings: This chapter lists the default setting for each configuration in the checklist: Setting Default Setting Configure HP Secure Hard Disk Installed and Enabled Configure SNMPv3 (Security page). Not configured I/O Timeout to End Print Job Not configured Configure Job Hold Timeout.
IPX RCFG Support. Enabled Configure Job Timeout. Not Configured Set the privacy setting as desired. Not configured Configure Protocol Stacks. (See below) Disable IPX/SPX. Enabled Enable TCP/IP. Enabled Disable DLC/LLC. Enabled Disable AppleTalk. Enabled Web Services Print. Enabled Configure Bootloader password. Not configured Configure Color Access Control Not configured...
Disable Incoming Mail. Disabled Disable Cancel Job Button. Disabled Disable Go Button. Enabled Disable Command Invoke. Enabled Disable Command Download. Enabled Disable Command Load and Execute. Enabled Enable Continue Button. Enabled Disable Print Service. Enabled Configure File System External Access. (See below) Disable PJL.
Configure Auto Reset Send Settings to Delay Not configured, Delay default: 20 seconds before resetting the default settings, and type a number of seconds to delay. Configure Default From Address. Not configured Select Prevent user from changing the Default From Not selected Address.
Chapter 7: Ramifications Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring the settings recommended in this checklist. Keep in mind that this is not a comprehensive list. You should test each MFP in your network environment to understand the implications of these settings and configurations.
Disabling SNMPv1 disables SNMPv1 GET and SNMPv2 SET commands. Any solution or software that requires SNMPv1 or SNMPv2 will not function. If you require these to be enabled be sure to set the community name to something that would be difficult to guess. Device Page Settings Set I/O Timeout to End Print Job.
Disable SLP Config. SLP Config accommodates software using SLP as a discovery mechanism. For example disabling SLP Config on some Novell networks (depending on how Novell is configured) would cause Novell to not recognize the MFPs on the network. Thus, if your network uses these features of Novell, you should enable SLP Config.
HP to collect statistical data on the use of MFPs. HP uses such information to help improve the design and development of MFPs. HP will not collect network- specific or personal data. For information on HP privacy policies, read the Hewlett-Packard Online Privacy Statement available by clicking privacy statement at http://www.hp.com.
Disable unused Protocol Stacks. These options provide for the various types of network communication to the MFPs. Closing down unused protocol stacks is affective toward better network security. See the ramifications of each option below: Disable IPX/SPX. IPX/SPX is the network protocol for Novell. Disabling it prevents ...
The maximum Control Panel Access Lock closes all access to the fax menu. This includes the options to Cancel All Pending Transmissions and Cancel Current Transmission. If you wish to provide these options, use Intermediate Lock. Configure the Embedded Web Server Password. The EWS password restricts access to ...
The Device Password is synchronized with the EWS password. If you change either of them, the MFP will change the other one to be the same. Disable Allow Use of Digital Send Service. HP Digital Sending Software is a useful tool ...
Disable Incoming Mail. Some network solutions can send commands to the MFP via email. If your network uses any of these solutions, you should enable Incoming mail. Otherwise, disable it as a best practice. This setting does not affect any other use of the MFP.
NOTE: Some storage management tools, such as the Web Jetadmin Device Storage Manager (a Web Jetadmin add-on available in the Product Update navigation mode), use some of these protocols to access the file system. You might consider enabling these protocols only to update configurations and then disable them during normal MFP operation.
ensures that the original data is destroyed. Secure Fast Erase mode overwrites files one time. It slows MFP performance a bit, but it provides reasonable security for most situations. Secure Sanitizing Erase overwrites files 3 times. It slows MFP performance considerably, but it provides even more assurance that the data is not recoverable.
Disable EWS Config. Disabling EWS Config removes the EWS from the network. They become unavailable to everyone. This eliminates many risks to security. Since all of the EWS configuration settings are available in Web Jetadmin, there is no need to have them available anywhere else.
Chapter 8: Physical Security Many of the most notable features of HP MFPs involve hard copy documents. MFPs can print them, scan them, send them to email, send them to network folders, send them to other printers, and fax them. Handling hardcopy documents can involve a variety of activities that can lead to compromise of data security: ...
Chapter 9: Appendix 1: Glossary of Terms and Acronyms The following table lists terms and acronyms found in this checklist: Term Description Access Control List. The ACL restricts network access to the MFP by allowing only those IP addresses or subnets that are listed in it. Analog fax Analog fax is fax functions via telephone lines.
Term Description Jetdirect Inside. Many of the MFPs include internal Jetdirect hardware as standard equipment. Other MFPs, such as HP Color LaserJet 9500 MFPs require EIO Jetdirect cards for network connectivity. Job Retention Job Retention is the MFP capability of storing print jobs or fax jobs for printing on demand at the control panel.
Microsoft® is a U.S. registered trademark of Microsoft Corporation. Adobe and PostScript are trademarks of Adobe Systems Incorporated. © Copyright 2005, 2006, 2009, 2010 Hewlett-Packard Development Company, L.P.