HP M5035x HP LaserJet MFP and Color MFP Products - Configuring Security for Mu
HP M5035x - LaserJet MFP B/W Laser Manual
UPC - 882780574830
HP M5035x manual content summary:
- HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 1
HP Imaging and Printing Security Best Practices Configuring Security for Multiple LaserJet MFPs and Color LaserJet MFPs Draft 3.5 6/19/2007 © Copyright 2005, 2007 Hewlett-Packard Development Company, L.P. - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 2
Settings 51 Initial settings...51 Device Page Settings...51 Fax Page Options ...51 Digital Sending Page Options 51 Embedded Web Server Page Options 52 File System Page Options ...52 Network Page Options ...52 Security Page Options...53 HP LaserJet and Color LaserJet MFP Security Checklist 2 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 3
Final configurations ...53 Chapter 5: Default Settings 54 Chapter 6: Ramifications 57 Device Page Settings...58 Fax Page Options ...58 Digital Sending Page Options 58 Security 67 Chapter 8: Appendix 1: Glossary of Terms and Acronyms 68 HP LaserJet and Color LaserJet MFP Security Checklist 3 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 4
Version 8.1 installed on a Windows XP PC • One of each supported MFP with the latest updated firmware found at hp.com The process for configuring this checklist is developed using HP Web Jetadmin managing all of the MFPs at the same time. HP LaserJet and Color LaserJet MFP Security Checklist 4 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 5
using HP Web Jetadmin. You should configure as much of this checklist as possible while adapting the settings to your specific situation. Assumptions This checklist makes some assumptions about network administrators and about enterprise environments: HP LaserJet and Color LaserJet MFP Security - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 6
help files. This checklist relies on these materials for necessary information. All of these guides are available by searching for them at hp.com. • MFPs: This checklist covers security settings for specific HP LaserJet MFPs and HP Color LaserJet MFPs. It is meant to enable you to configure multiple - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 7
MFPs are installed. It covers security for picking up print jobs, copying, and scanning. This section includes suggestions for securing the locations where MFPs are installed and for securing MFP internal hardware. • Chapter 8: Appendix 1, Glossary and Acronyms. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 8
's log on credentials for administrative access to MFPs You can minimize the risks from identity spoofing in the following ways: • Protect the from address field in the MFP Digital Sending and Fax configurations. • Protect MFP disc access. HP LaserJet and Color LaserJet MFP Security Checklist 8 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 9
metadata (look for this product at hp.com or contact your hp product supplier). • Close unused ports and protocols. • Save copies of log data at a separate location • Add security solutions such as swipe-card readers and thumbprint readers HP LaserJet and Color LaserJet MFP Security Checklist 9 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 10
.com or contact your hp product supplier). • Close unused ports and protocols. • Configure all possible password settings. • Configure authentication. • Configure SNMPv3 for Web Jetadmin. Denial of Service Denial of service is any type of interference with normal use of an MFP. This can include any - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 11
management software to bypass job accounting functions Here are some methods of minimizing opportunities for elevation of privilege: • Configure the administrator (device) password. • Configure SNMPv3 and HTTPS. • Lock the control panel. HP LaserJet and Color LaserJet MFP Security Checklist 11 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 12
default. To hide the Network Address button on models that provide it, follow these instructions MFPs. Testing shows that this combination of settings is successful in the most common network environments as long as the settings are executed in the correct order. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 13
the correct password. Configuring MFP Security Settings This section provides instructions for configuring the MFPs for best-practice security. All of these settings are presented for HP Web Jetadmin Version 8.1 or later. Note: Web Jetadmin displays all supported settings for all MFPs it is - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 14
in the default view of Web Jetadmin. Note: It is possible for Web Jetadmin to lose contact temporarily with an MFP that is configured for DHCP. Use the Discovery options to restore contact, or configure the MFPs with static IP addresses. HP LaserJet and Color LaserJet MFP Security Checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 15
devices selected and the Device Tools menu showing Configure selected. Note: Remember that the steps in this checklist are for the specified HP LaserJet and Color LaserJet MFPs. Other devices may appear in the Device Model list, and it may be possible to configure them using this process, but the - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 16
also helps to ensure that no one can gather sensitive information, such as passwords, usernames, and other codes, over the network lines while you are configuring the MFPs. Note: It is best to configure SNMPv3 by itself to ensure that the settings are saved properly. Follow these steps: 1. Click - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 17
, the New Authentication Passphrase, and the New Privacy Passphrase fields (Figure 6). See below for details. Figure 6: The SNMPv3 settings enabled and the fields filled out. HP LaserJet and Color LaserJet MFP Security Checklist 17 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 18
. This setting limits all configuration communication to only SNMPv3. The MFPs will ignore communications via other versions of SNMP or any other protocols. 5. Select the devices you wish to configure in the Device Model list (Figure 8). HP LaserJet and Color LaserJet MFP Security Checklist 18 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 19
Figure 8: The Device Model list. 6. Click Configure Devices (Figure 9) to execute the configuration. Figure 9: The Configure Devices button. After you click Configure Devices, a View Log page (Figure 10) will appear. HP LaserJet and Color LaserJet MFP Security Checklist 19 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 20
. The Bootloader password is not configured by default. CAUTION: Be very careful to remember the bootloader password that you provide. Once you configure the bootloader password, the bootloader features will be inaccessible permanently HP LaserJet and Color LaserJet MFP Security Checklist 20 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 21
that is on the list, have the correct Web Jetadmin password, and then have the correct SNMPv3 credentials to manage the MFPs. Note: The following MFP models also have a Jetdirect Firewall feature along with the Access Control List: HP LaserJet and Color LaserJet MFP Security Checklist 21 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 22
• HP LaserJet M3027 MFP • HP LaserJet M3035 MFP • HP LaserJet M4345 MFP • HP LaserJet M5025 MFP • HP LaserJet M5035 MFP HP Web Jetadmin might not provide options to configure the Jetdirect Firewall settings. Look for them in the MFP EWS. Note: Keep in mind that the ACL is not configured until at - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 23
Server (HTTP) access to ensure that the ACL restricts access to the MFP EWSs through HTTP. 5. Select the MFPs you wish to configure in the Device Model list, and click Configure Devices (Figure 16). Figure 16: The Configure Devices button. HP LaserJet and Color LaserJet MFP Security Checklist 23 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 24
print jobs stored on the MFP are erased after a reasonable time. Note: Job Hold Timeout does not apply to fax jobs. 3. Select the devices to configure in the Device List, and click Configure Devices (Figure 18) at the bottom of the page. HP LaserJet and Color LaserJet MFP Security Checklist 24 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 25
with the instructions below. At the minimum, configure the modem settings for the country, the company, and the phone number. 1. Click Fax in the Configuration Categories Menu (Figure 19). Figure 19: The Fax category. 2. Click to select Fax Printing (Figure 20). HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 26
of fax printing. You may wish to use the fax scheduling options to print all faxes at support them. Follow these instructions: 1. Click Digital Sending in the Configuration categories menu. 2. Scroll down, and click to select Default 'From:' Address (Figure 21). HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 27
5. Fill in the Display Name and the Default Subject fields as desired. 6. If your MFPs to provide the LDAP address book to users. They also include options for uploading the SSL certificates in order to secure communications between the MFPs and the LDAP server. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 28
credentials of the authenticated user to access the LDAP service.) • Searching the LDAP database • Advanced Search Options (These options allow you to specify limits to the LDAP search functions) 12. Click to select Time-outs (Figure 23). HP LaserJet and Color LaserJet MFP Security Checklist 28 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 29
Time-outs options. 13. Select Delay before resetting the default settings. This allows users to send multiple jobs to a is enabled. Follow these instructions: 1. Click Embedded Web Server in the Configuration Categories menu (Figure 24). HP LaserJet and Color LaserJet MFP Security Checklist 29 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 30
the Device Password (appears later in this checklist). If you change either the Embedded Web Server password or the Device Password, the MFP will configure both to be the same. 5. Click to select Embedded Web Server Configuration Options (Figure 26). HP LaserJet and Color LaserJet MFP Security - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 31
users from remotely cancelling the jobs of others. Go Button (enabled by default) Leave blank to disable Disabling Go Button prevents users from delaying or stopping the jobs of others. It is the Pause/Resume button in the MFP EWS. HP LaserJet and Color LaserJet MFP Security Checklist 31 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 32
default) Print Service (enabled by default) Select to enable Leave blank to disable Command Invoke does not apply to the MFPs. Disabling it is only a best practice. Command Download does not apply to MFPs these instructions: 1. MFP. It is HP LaserJet and Color LaserJet MFP Security Checklist 32 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 33
As long as an authorized administrator is logged into Web Jetadmin, it will supply the passwords automatically without prompting. 4. Click to select Set Secure File Erase Mode (Figure 29), and select Secure Fast Erase in the dropdown menu. HP LaserJet and Color LaserJet MFP Security Checklist 33 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 34
as Department of Defense standards. Note: Secure File Erase requires that the File System Password be configured. The two can be configured together. 5. Click to select File System Prevents access to the file system through this protocol HP LaserJet and Color LaserJet MFP Security Checklist 34 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 35
the NFS option disables the entire protocol for the MFPs. The PostScript protocol is not as sensitive, and instructions: 1. Click Network in the Configuration Categories menu (Figure 31). Figure 31: The Network option. 2. Click to select Job Timeout (Figure 32). HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 36
. 4. Click Encryption Strength (Figure 33). Figure 33: The Encryption Strength option. 5. Click the Encryption Strength dropdown menu, and select the highest setting that your browser supports (Figure 34). HP LaserJet and Color LaserJet MFP Security Checklist 36 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 37
the encryption algorithm that will be used for communication between the MFP EWS and the web browsers connecting to it (this is related fax. You should disable EWS Config while the MFPs are in use, and enable it only to make changes to the affected configurations. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 38
Printing is the access point for normal printing through standard HP print drivers. Disabling IPP Printing prevents access to configuration settings and all MFP access points when they are not in use. The next option is Privacy Setting (Figure 36). HP LaserJet and Color LaserJet MFP Security - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 39
here to assure you that it does not compromise your network security. It allows HP to collect statistical data about the MFP. HP will not collect network-specific or personal data. For information on HP privacy policies, read the Hewlett-Packard Online Privacy Statement available by clicking privacy - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 40
with the MFP EWS. This setting is related to the Encryption Strength setting covered earlier. 9. Click to select Protocol Stacks (Figure 39), and deselect all unused protocol stacks as applicable to your network. See the table below. HP LaserJet and Color LaserJet MFP Security Checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 41
the other settings as a safeguard, but they are ignored on devices that do not support them. Follow these instructions: 1. Click Security in the Configuration Categories menu. This opens the Security configuration page (Figure 40). HP LaserJet and Color LaserJet MFP Security Checklist 41 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 42
to functions of the MFP. You can use these options to provide varying services to different groups of people. Note: Be sure to select only the authentication features that you plan to configure in the subsequent steps on the Security page. HP LaserJet and Color LaserJet MFP Security Checklist 42 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 43
Service require additional solutions on the network for support authentication for specific functions of the MFP. 4. MFPs. 6. If your network includes LDAP, configure the LDAP Authentication options (Figure 43). Figure 43: The Accessing the LDAP Server options. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 44
MFPs using the LDAP Access options in the Digital Sending page (explained earlier). CAUTION: If you choose Simple for the bind method, usernames, email addresses, passwords 2 PIN for access to the fax function. Click to select PIN HP LaserJet and Color LaserJet MFP Security Checklist 44 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 45
it. The SNMPv3 instructions appear at the beginning of this checklist to help ensure security during the time you are configuring the MFPs. 13. The next option is Device Password (Figure 46). This option should be already configured. See below. HP LaserJet and Color LaserJet MFP Security Checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 46
to login before remotely changing device configuration settings. Thus, the same password is required for access to the MFP via Web Jetadmin, the EWS, or any other management software. 14 access configuration settings in the control panel. HP LaserJet and Color LaserJet MFP Security Checklist 46 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 47
Send Service option. Digital Send Service claims ownership of the MFPs it manages. Anyone with another installation of Digital Send Service can take over an MFP unless you disable this option. 17. Click to select PJL Password (Figure 50). HP LaserJet and Color LaserJet MFP Security Checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 48
. Follow these instructions for the final settings: 1. Go to the Security page, and click to select Disable Direct Ports (Figure 51). Figure 51: The Disable Direct Ports option. 2. Click to select the Disable Direct Ports option to the right. HP LaserJet and Color LaserJet MFP Security Checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 49
used. However, sometimes the cache can lose track of some credentials. Thus, you should keep a log of the passwords in a safe place. Web Jetadmin will prompt for passwords during the configuration process if they are missing from the cache. HP LaserJet and Color LaserJet MFP Security Checklist 49 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 50
important to remember the Bootloader password. With it, it is possible to restore the MFPs to factory default settings. Without it, the only way to restore the MFPs is to involve an HP-authorized service technician to reset the entire MFP. You may wish to use a password vault program to organize and - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 51
not include instructions or explanations. password. Default From Address. Configure Accessing LDAP Server settings (if available on your network). Configure LDAP Server Bind Method to Simple over SSL (if possible). Upload SSL Certificate (if available). HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 52
Disable Command Download. Disable Command Load and Execute. Enable Continue Button. Disable Print Service. File System Page Options Configure File System Password. . Set the privacy setting as desired. Disable RCFG Setting. HP LaserJet and Color LaserJet MFP Security Checklist 52 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 53
Send Service. Disable Allow Transfer to New Digital Send Service. Configure the PJL Password. Configure color restriction settings as desired. Final configurations Disable Direct Ports (wait for MFPs to restart). Disable EWS Config. HP LaserJet and Color LaserJet MFP Security Checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 54
Print All Received Faxes Not configured Not selected Not configured Simple Not applicable Not configured Delay default: 20 seconds Not configured (See below) Enabled Disabled Disabled Enabled Enabled Enabled Enabled Enabled Enabled HP LaserJet and Color LaserJet MFP Security Checklist 54 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 55
Configure File System Password. Not Configured Configure Secure File Printer Firmware Update. Enabled Configure the Device Password. Not configured Configure Control Panel Access to Maximum Lock. Unlock Disable Allow Use of Digital Send Service. Enabled HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 56
Disable Allow Transfer to New Digital Send Service. Configure the PJL Password. Configure color restriction settings. Disable Direct Ports (wait for MFPs to restart). Disable EWS Config. Enabled Not configured Not Configured Enabled Enabled HP LaserJet and Color LaserJet MFP Security Checklist 56 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 57
Access Control List is filled out incorrectly, it can cause complete loss of communication with the MFP. Be sure to use the correct information. The only way to restore communication is to reconfigure the MFPs to factory default settings. HP LaserJet and Color LaserJet MFP Security Checklist 57 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 58
From field. These features ensure that nobody can use the MFP to spoof identity or provide erroneous addresses. Consider using a From address that describes the location or the type of MFP, or use a real address to monitor reply messages. HP LaserJet and Color LaserJet MFP Security Checklist 58 - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 59
in the checklist. It is important to use the SSL capabilities to ensure that usernames, passwords, and email addresses are not passed over network lines in clear text. When Accessing LDAP Server settings are configured, the MFPs provide access to the LDAP address book using either the credentials of - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 60
this password. Without the password, the MFP denies access to the File System and to File System configurations. Web Jetadmin stores the file system password in its encrypted device cache. It automatically provides the password when the MFPs request it. HP LaserJet and Color LaserJet MFP Security - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 61
down the protocol for the entire MFP. • Disable PJL access. PJL (Printer Job Language) includes capabilities to MFPs directly for printing and for access to fonts. This feature is convenient and useful, and it is not known to pose significant risks to security. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 62
) printer management tools. Jetdirect also supports some used by MFP print drivers. Disabling 9100 service. With this option disabled, a non-DNS network will not recognize the MFPs. If your network does not include a DNS server, you should enable MDNS Config. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 63
sensitive data such as usernames and passwords from passing over the network in clear text. This setting is related to the EWS Encryption Strength setting explained earlier. Web browsers that do not support SSL and high encryption strength will not be able to access the MFP EWSs. This checklist - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 64
available at hp.com. You should enable Printer Firmware Update to perform the upgrades and then disable it again during normal use of the MFPs. With Printer Firmware Update disabled, the MFPs will deny access whenever anyone attempts to upgrade the firmware. • Set the Device Password. The Device - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 65
restricts this access to PCL and PostScript commands. With the PJL Password configured, the MFPs will deny access to commands that attempt to change default settings without the correct password. • Configure color restriction settings. If your network includes Color LaserJet MFPs, you can configure - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 66
to use MFPs: Users will be required to provide usernames and passwords at the control panels before they can use the MFPs. • No MFPs will place either a default from address or the user's email address as the From Address. It will provide no method to change it. HP LaserJet and Color LaserJet MFP - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 67
placing the MFPs in access-controlled locations. You can control access to the MFP internal hardware (hard drives, Compact Flash cards, and formatter board) using hardware locks. Use a lock, such as a Kensington Lock, as recommended in the MFP User Guide. HP LaserJet and Color LaserJet MFP Security - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 68
fax accessory card, and the DC Controller, which is the power supply for the MFP. The formatter also accommodates accessories such as wireless cards. Since the formatter is removable (using common tools), it includes the capability to be locked using devices such as Kensington locks. HP LaserJet - HP M5035x | HP LaserJet MFP and Color MFP Products - Configuring Security for Mu - Page 69
MFPs, such as HP Color LaserJet 9500 MFPs require EIO Jetdirect cards for network connectivity. Job Retention is the MFP capability of storing print jobs or fax numeric password. MFPs use PINs for secure printing and secure fax printing. They can also use PINs for authentication. The top of the MFP
HP Imaging and Printing Security Best Practices
Configuring Security for Multiple LaserJet MFPs and Color
LaserJet MFPs
Draft 3.5
6/19/2007
© Copyright 2005, 2007 Hewlett-Packard Development Company, L.P.