HP PageWide 377 Printing Security Best Practices: Configuring a Printer Secure
HP PageWide 377 Manual
HP PageWide 377 manual content summary:
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 1
for HP PageWide Pro Printers and HP Web Jetadmin Configuring a Printer Securely in HP Web Jetadmin 10.4 Version 1.0 HP PageWide Pro 477dn MFP HP PageWide Pro 477dw MFP HP PageWide Pro 577dw MFP HP PageWide Pro 577z MFP HP PageWide Pro 452dn Printer HP PageWide Pro 452dw Printer HP PageWide Pro
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 2
1: Threat Model ...5 Spoofing Identity...5 Tampering with Data ...6 Repudiation ...6 Information Disclosure ...7 Denial of Service ...7 Elevation of Privilege ...8 Chapter 2: Basic Network Security for Multiple HP Devices 9 Notes on the Process of Configuration ...9 Using Web Jetadmin and Printer
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 3
- Default From Address 31 Chapter 3: Advanced Security for Multiple HP Devices 32 Access Control for Device Functions...32 LDAP...34 Disable the Embedded Web Server 36 Disable Job Log on EWS Tools tab ...37 HP and 3rd Party Solutions...37 Chapter 4: Settings List ...38 Recommended Basic Settings
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 4
iii
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 5
HP device models: • HP PageWide Pro 452dn Printer • HP PageWide Pro 452dw Printer • HP PageWide Pro 552dw Printer • HP PageWide Pro 477dn MFP • HP PageWide Pro 477dw MFP • HP PageWide Pro 577dw MFP • HP PageWide HP Web Jetadmin version 10.4 or later in enterprise networks. It includes instructions
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 6
HP has tested this checklist to ensure that MFPs continue to provide the best possible performance while averting possible security threats; however, some of these settings can cause unexpected problems HP provides this checklist as a guide HP PageWide Pro MFPs. However, this checklist applies for HP
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 7
HP Jetdirect connections and using HP Web Jetadmin. Administrators should have read the MFP user guide and the MFP administrator guide; Web Jetadmin user guides Security for Multiple HP Devices: The Network Security for Multiple MFPs chapter provides step-by-step instructions for configuring MFP
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 8
Multiple HP Devices provides some limited information on where to find configuration settings in WJA for advanced network configurations. • Chapter 4: Settings List: The Settings List chapter provides a bulleted list of the recommended settings with checkboxes. It does not include instructions or
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 9
difficult, but HP is dedicated to research in this area. This checklist represents some of HP's efforts to ensure that you can use HP MFPs with Using another person's email credentials to have free use of an email service • Using another person's email credentials to view that person's email messages
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 10
• Protect MFP storage access • Configure authentication • Configure the administrator password • Configure SNMPv3 Tampering with Data Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from a device or stored on it. Here are some ways
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 11
password settings. • Configure access control and authentication for device functions. • Configure SNMPv3 for Web Jetadmin, including disabling SNMPv1/2. Denial of Service Denial of service is any type of interference with normal use of an MFP. This can include any of the following: • Canceling or
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 12
Elevation of Privilege Elevation of privilege is any method of upgrading authorized access to include unauthorized access. This can be any of the following: • Non-administrators changing settings to get administrator privileges • Unauthorized use of management software to provide access for other
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 13
that do not apply. All of the steps in this chapter are found in HP Web Jetadmin and you should use Web Jetadmin to complete them. If possible, It provides the ability to configure a wide variety of features and services on the network. Without proper security, Web Jetadmin allows malicious users
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 14
Started This section provides instructions for configuring HP printers for best-practice security. All of these settings pertain to HP Web Jetadmin version Jetadmin will display all supported settings for all the MFPs it is managing, even though some of the MFPs may not support all of these settings
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 15
MFPs supports them. are from Web Jetadmin version 10.4. Setting up HP Web Jetadmin Follow these instructions to prepare Web Jetadmin for configuring the MFPs include details on print device discovery. See the Web Jetadmin user guide for more information. In most cases, the devices will already appear
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 16
selected Note: Remember that the steps in this checklist are for the specified HP PageWide MFPs. Other devices may appear in the Device Model list, and it may for configuration Tip: If you are having a problem configuring a setting, try configuring it using the individual device's configuration page.
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 17
Device Cache (see Web Jetadmin Help) and re-enter the device credentials. 5. Continue to the next step to configure secure communications between HP Web Jetadmin and the MFPs. Configuring SNMPv3 SNMPv3 provides encryption for communication between Web Jetadmin and MFPs. It helps to ensure that only
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 18
in the SNMP Version Access Control dialog box CAUTION: These instructions are for the initial configuration of SNMPv3. Once you finish If you forgot these credentials, the only way to restore communication between HP Web Jetadmin and the print devices is to restore the factory default settings
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 19
before canceling a job. Setting this timeout will help prevent jobs formed or sent incorrectly from tying up a print resource. To set this timeout follow the instructions below. 1. From the Device category, select the I/O Timeout to End Print Job option (Figure 8). 15
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 20
timeout will help prevent jobs sent with improper paper or media selections from tying up a print resource. To set this timeout follow the instructions below. 1. From the Device category, select the Input Auto Continue Timeout menu. 2. Click the checkbox to enable the Input Auto Continue Timeout
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 21
Figure 10: The Job Hold Timeout options Job Retention 1. From the Device category select Job Retention (Figure 11). 2. Click the checkbox to select Job Retention, and then select Enabled (Figure 11). This allows users to store print jobs for printing at their discretion (when they can be present to
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 22
Figure 12: The Job Storage Limit options 3. Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. Figure 13: The Configure Devices dialog box 4. Review your settings and then click the Configure Devices button to execute the configuration. 18
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 23
over the network. Follow the instructions below to view and configure HP Web Services, or other applications are part of your print environment we recommend disabling these features. If you are using the ePrint enterprise server instead of the HP cloud, you should refer to your administrators guide
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 24
Figure 15: Disable HP ePrint, HP Web Services, and Apps Enable WINS Port The Enable WINS Port setting enables/disables the port used for WINS name resolution. To enable the WINS Port, click
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 25
Figure 17: Disabling Web Services Print Google Cloud Print This option enables or disables the Google Cloud Print for Devices. Click to select Google Cloud Print (Figure 18), and select
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 26
Enabled 9100 Printing is the access point for normal printing through standard HP print drivers. AirPrint Disabled Disabling AirPrint prevents printing via AirPrint. If you do not operate in an environment that supports this feature, we recommend disabling this feature. IPP FAX Out Disabled
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 27
disabling this feature. Disabling eSCL Scan prevents scanning via eSCL, a REST protocol. If you do not operate in an environment that supports this feature, we recommend disabling this feature. Disabling IPP Printing prevents access to configuration settings and other features through the IPP. It
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 28
. To protect your MFP while configuring this checklist using Web Jetadmin it is important to set the Embedded Web Password. To do this, follow these instructions. 1. Click Embedded Web Server Password under the Security category (Figure 21). 24
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 29
Figure 21: The Embedded Web Server Password options 2. Type a password of 9 to 16 characters in the Password field (you should always type the maximum number of characters for best security). This setting requires users to log on for parts of the EWS that provide configuration options. 3. Repeat the
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 30
Strength setting: 1. Click Encryption Strength in the Security category (Figure 24). 2. Click the Encryption Strength dropdown menu, and select the highest setting that your browser supports. 26
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 31
Figure 24: The Encryption Strength option Printer Firmware Update HP recommends updating firmware whenever new firmware is available, but you should keep Printer Firmware Update disabled until you plan to use it. To disable Printer
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 32
number to the blocked fax list. Follow these instructions to configure Fax Printing: Note: Be sure to configure the MFPs for fax capabilities before continuing with the instructions below. At the minimum, configure the modem settings for the country,
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 33
Figure 28: Fax Header settings 2. Enter the Phone number and Company name that you would like to appear on faxes. 29
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 34
Storage Erase function. The Non-secure Fast Erase does a standard erase with no additional security. To set the Secure File Erase Mode follow these instructions: 1. Click to select Secure File Erase Mode (Figure 29), and view the option in the dropdown menu. Figure 29: The Secure File Erase Mode
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 35
Email Address/Message Settings - Default From Address HP recommends configuring the default from address to ensure that no one can send email using false or misleading identification. If you are using LDAP Authentication,
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 36
section that is not contained in this document you can refer to the MFP User Guides and the Embedded Web Server Administrator Guide for more information. You can find these documents and more information at hp.com. Access Control for Device Functions Access Control for Device Functions allows you to
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 37
you plan to configure for the MFPs selected. Many of the options available (such as LDAP and Kerberos) require additional solutions on the network for support. For more information on Access Control configuration, please refer to the user or EWS Administration
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 38
LDAP If your network includes LDAP, configure the LDAP Sign In Setup and the LDAP Users and Groups options (Figure 34 and 35). Figure 34: The LDAP Sign In Setup options Figure 35: The LDAP Users and Groups options Once these settings are configured, users will be required to enter login credentials
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 39
Firewall Firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. HP PageWide printers provide this feature to ensure that printing is secure. Figure 37: The Firewall Setup options The Failsafe option (Figure 38
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 40
Figure 38: The HTTPS Setup options Figure 39: The IPsec Setup options Security Features Available in the Embedded Web Server These features are either only partially offered in Web Jetadmin, or are only available for configuration through the MFPs embedded web interface. To configure these settings,
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 41
and 3rd Party Solutions Most of the recommendations in the next chapter can be implemented without having a negative impact on HP and 3rd party solutions, however HP and 3rd party solutions should be tested with any settings changes to ensure that there are not any negative impacts. If a previously
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 42
the settings recommended in this checklist. This section does not include instructions or explanations. This list provides the recommended settings to ensure MFPs configured according to this list are considered secure, but HP does not warrant or guarantee that this configuration prevents or limits
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 43
Disable Web Services Print Security Category Options Configure Embedded Web Server Password Disable Enable Host USB Enable HTTPS Setting to Encrypt all web communication Configure Encryption Strength to
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 44
Disable AirPrint Enabled Disable IPP Printing Enabled Disable IPPS Enabled Disable MDNS Config Enabled Disable WS-Discovery Disabled Web Services Print Enabled Embedded Web Server Password Disabled Enable Host USB Disabled Enable Encrypt all Web Communication Enabled Configure
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 45
Chapter 6: Ramifications Raising the level of security on HP MFPs requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring the settings recommended in this
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 46
Disable ePrint. Unless ePrint, HP Web Services, or other applications are a HP cloud for ePrint you should refer to your administrators guide for any special settings that may be required to secure your solution. • Configure Enable Features options. These options enable or disable various supported
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 47
are other protocols you can use to discover your printers. • Disable Web Services Print. This disables the Microsoft WSD Print services supported. If this feature is enabled someone with a host that supports Web Services Print can discover IP Addresses and other information about the printers in
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 48
are accessible only from web browsers that support that level of HTTPS communications. Web browsers that do not support SSL and high encryption strength will not firmware updates to the MFPs. HP recommends updating firmware whenever it becomes available at hp.com. You should enable Printer Firmware
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 49
Overall Limitations This overall configuration provides a high level of network security for HP MFPs. At the same time, it introduces some limitations to the conveniences designed into the MFPs. Following is a list of known effects of this overall
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 50
7: Physical Security Many of the most notable features of HP MFPs involve hard copy documents. MFPs can print them, Access to network cables and phone lines connected to the MFP • Access to digital sending services and features • Access to stored print jobs (depending on settings) • Access to copy
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 51
is fax functions via telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist. MFPs are also capable become available. New firmware is available by searching for it by product at hp.com. This checklist assumes that each MFP is upgraded with the latest
- HP PageWide 377 | Printing Security Best Practices: Configuring a Printer Secure - Page 52
two types of data: system data, such as configurations, and user data, such as print jobs, address books, and installed applications. HP Web Jetadmin: HP Web Jetadmin is a peripheral management tool that provides access to multiple devices for status and configuration. It is capable of configuring
HP Printing Security Best Practices
for HP PageWide Pro Printers and HP
Web Jetadmin
Configuring a Printer Securely in HP Web Jetadmin 10.4
Version 1.0
HP PageWide Pro 477dn MFP
HP PageWide Pro 477dw MFP
HP PageWide Pro 577dw MFP
HP PageWide Pro 577z MFP
HP PageWide Pro 452dn Printer
HP PageWide Pro 452dw Printer
HP PageWide Pro 552dw Printer