HP 635n HP Jetdirect Security Guidelines - Page 9

they are trusted to establish a print connection, they are trusted to print. Some additional protections can be provided, in the form of Color Access Controls using HP's Universal Print Driver (UPD), which allow an administrator to control the amount of color being used by a user. In addition, HP's Web Jetadmin includes functionality called Report Generator which facilitates reports on users and their how their printing behavior. This functionality is useful for auditing and understanding printer usage. HP Jetdirect Hacks: Password and SNMP Community Names HP Jetdirect password and SNMP Community Name behavior has definitely evolved over the years. An excellent resource for the history and current behavior is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828. In short, keep your firmware updated on your HP Jetdirect, use the latest client software from HP, and upgrade to the latest Web Jetadmin management software. After you have upgraded all software and firmware, change your passwords on these devices to something new. This process will help make your HP Jetdirect devices behave the same regarding their password handling. To better protect passwords from passive sniffing, consider using SSL/TLS. SET 2/3/4 support automatic redirection to SSL/TLS and prevents HTTP from being used to access the EWS (if the administrator so desires). However, when using SSL/TLS, be sure to update the HP Jetdirect certificate to a certificate issued by a trusted CA to properly avoid MITM attacks. Also, consider migrating to SNMPv3. HP Web Jetadmin can be configured to use SNMPv3 automatically. HP Jetdirect devices that belong to SET 2, 3, or 4 support SNMPv3. HP Jetdirect Hacks: Firmware Upgrade A nice overview of the various methods used by HP Jetdirect to upgrade firmware is described here: http://www.hp.com/go/webjetadmin_firmware. All HP Jetdirect firmware files follow the same basic format: a recovery partition and a main functionality partition. In case of an upgrade programming failure (due to a network outage, client lockup, printer powered down during the upgrade, etc...), HP Jetdirect will be able to recover, albeit with less functionality. This behavior allows an administrator to restart the upgrade process from the recovery partition and regain full functionality without having to contact HP support. There are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. If the application has proper credentials, it can populate the firmware upgrade MIB table with TFTP server information. HP Jetdirect uses this information to start a TFTP client and pull down the download file. These applications use the well-known default SNMP community names. However, if an administrator has configured the SNMP SET community name, then the application must know it to successfully set the TFTP MIB objects for firmware upgrade. Customers can also utilize SNMPv3 for additional security and HP Web Jetadmin makes using SNMPv3 easy. Also note that applications such as the HP Download Manager and HP Web Jetadmin are digitally signed by Hewlett-Packard as proof of their source. The ability to use FTP to upgrade the firmware of HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07129. At the end of the document is a Security section detailing the security precautions available for FTP firmware upgrades. Essentially: if a password has been specified, it is required to be entered to utilize FTP 9