HP PageWide Pro 577z Printing Security Best Practices: Configuring a Printer S
HP PageWide Pro 577z manual content summary:
- HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 1
for HP PageWide Pro Printers and HP Web Jetadmin Configuring a Printer Securely in HP Web Jetadmin 10.4 Version 1.0 HP PageWide Pro 477dn MFP HP PageWide Pro 477dw MFP HP PageWide Pro 577dw MFP HP PageWide Pro 577z MFP HP PageWide Pro 452dn Printer HP PageWide Pro 452dw Printer HP PageWide Pro 552dw - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 2
...6 Information Disclosure ...7 Denial of Service ...7 Elevation of Privilege ...8 Chapter 2: Basic Network Security for Multiple HP Devices 9 Notes on the Process of Configuration ...9 Using Web Jetadmin and Printer Passwords ...9 Getting Started ...10 Setting up HP Web Jetadmin ...11 Configuring - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 3
USB...25 Encrypt all Web Communication...26 Encryption Strength...26 Printer Firmware Update ...27 Restrict Color...27 Configuring Fax Settings ...28 Embedded Web Server 36 Disable Job Log on EWS Tools tab ...37 HP and 3rd Party Solutions...37 Chapter 4: Settings List ...38 Recommended Basic - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 4
- HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 5
is a security checklist for the following HP device models: • HP PageWide Pro 452dn Printer • HP PageWide Pro 452dw Printer • HP PageWide Pro 552dw Printer • HP PageWide Pro 477dn MFP • HP PageWide Pro 477dw MFP • HP PageWide Pro 577dw MFP • HP PageWide Pro 577z MFP This checklist is written for - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 6
HP has tested this checklist to ensure that MFPs continue to provide the best possible performance while averting possible security threats; however, some of these settings can cause unexpected problems HP provides this checklist as a guide HP PageWide Pro MFPs. However, this checklist applies for HP - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 7
HP Jetdirect connections and using HP Web Jetadmin. Administrators should have read the MFP user guide and the MFP administrator guide; Web Jetadmin user guides Security for Multiple HP Devices: The Network Security for Multiple MFPs chapter provides step-by-step instructions for configuring MFP - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 8
Multiple HP Devices provides some limited information on where to find configuration settings in WJA for advanced network configurations. • Chapter 4: Settings List: The Settings List chapter provides a bulleted list of the recommended settings with checkboxes. It does not include instructions or - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 9
difficult, but HP is dedicated to research in this area. This checklist represents some of HP's efforts to ensure that you can use HP MFPs with Using another person's email credentials to have free use of an email service • Using another person's email credentials to view that person's email messages - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 10
storage access • Configure authentication • Configure the administrator password • Configure SNMPv3 Tampering with Data Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from a device or stored on it. Here are some ways tampering with - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 11
the MFP • Disconnecting the MFP from the network • Causing interference with network communication to the MFP • Changing the network location of the MFP • Causing an error state that interrupts service • Changing access configurations Here are some methods of minimizing opportunities for denial of - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 12
is any method of upgrading authorized access to include unauthorized access. This can be any of the following: • Non-administrators changing settings to get administrator privileges • Unauthorized use of management software to provide access for other unauthorized users • Using management software - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 13
of MFPs and printers. It provides the ability to configure a wide variety of features and services on the network. changes to configurations, the printers and MFPs will require all applicable passwords. Web Jetadmin keeps an encrypted cache of all of passwords that are configured or used on each HP - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 14
for passwords. • Change the passwords often. instructions for configuring HP printers for best-practice security. All of these settings pertain to HP printers at once, Web Jetadmin will display all supported settings for all the MFPs it is managing, even though some of the MFPs may not support - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 15
supports Web Jetadmin version 10.4. Setting up HP Web Jetadmin Follow these instructions to prepare Web Jetadmin for configuring on print device discovery. See the Web Jetadmin user guide for more information. In most cases, the devices will printers or MFPs from the Device List (Figure 2) that you - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 16
selected Note: Remember that the steps in this checklist are for the specified HP PageWide MFPs. Other devices may appear in the Device Model list, and it may for configuration Tip: If you are having a problem configuring a setting, try configuring it using the individual device's configuration page. - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 17
Device Cache (see Web Jetadmin Help) and re-enter the device credentials. 5. Continue to the next step to configure secure communications between HP Web Jetadmin and the MFPs. Configuring SNMPv3 SNMPv3 provides encryption for communication between Web Jetadmin and MFPs. It helps to ensure that only - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 18
in the SNMP Version Access Control dialog box CAUTION: These instructions are for the initial configuration of SNMPv3. Once you finish If you forgot these credentials, the only way to restore communication between HP Web Jetadmin and the print devices is to restore the factory default settings - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 19
before canceling a job. Setting this timeout will help prevent jobs formed or sent incorrectly from tying up a print resource. To set this timeout follow the instructions below. 1. From the Device category, select the I/O Timeout to End Print Job option (Figure 8). - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 20
timeout will help prevent jobs sent with improper paper or media selections from tying up a print resource. To set this timeout follow the instructions below. 1. From the Device category, select the Input Auto Continue Timeout menu. 2. Click the checkbox to enable the Input Auto Continue Timeout - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 21
11: The Job Retention options Job Storage Limit The Job Storage Limit allows you to specify the maximum number of stored jobs allowed on the printer. You will want to choose a number of jobs that is appropriate for your print devices and print usage in your environment. This setting can protect - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 22
Figure 12: The Job Storage Limit options 3. Click the Apply button located in the bottom right hand corner to apply the settings to the selected devices. Figure 13: The Configure Devices dialog box 4. Review your settings and then click the Configure Devices button to execute the configuration. - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 23
over the network. Follow the instructions below to view and configure HP Web Services, or other applications are part of your print environment we recommend disabling these features. If you are using the ePrint enterprise server instead of the HP cloud, you should refer to your administrators guide - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 24
Figure 15: Disable HP ePrint, HP Web Services, and Apps Enable WINS Port The Enable WINS Port setting enables/disables the port used for WINS name resolution. To enable the WINS Port, click - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 25
Figure 17: Disabling Web Services Print Google Cloud Print This option enables or disables the Google Cloud Print for Devices. Click to select Google Cloud Print (Figure 18), and select - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 26
Enabled 9100 Printing is the access point for normal printing through standard HP print drivers. AirPrint Disabled Disabling AirPrint prevents printing via AirPrint. If you do not operate in an environment that supports this feature, we recommend disabling this feature. IPP FAX Out Disabled - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 27
protocol. If you do not operate in an environment that supports this feature, we recommend disabling this feature. Disabling IPP Printing using WS-Discovery for discovering or browsing printers on the network. WARNING: You should enable WS-Discovery on this printer if any of the following apply: 1) - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 28
right hand corner to view the Configure Devices dialog box. (Figure 24). Review your selections carefully before clicking on the Configure Devices button. Figure 20: Confirm . To do this, follow these instructions. 1. Click Embedded Web Server Password under the Security category (Figure 21). - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 29
in the Confirm Password field. Note: The Embedded Web Server Password is synchronized with the Device Password (appears later in this checklist). If you change either the Embedded Web Server password or the Device Password, the MFP will configure both to be the same. Enable Host USB The Enable Host - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 30
Strength setting: 1. Click Encryption Strength in the Security category (Figure 24). 2. Click the Encryption Strength dropdown menu, and select the highest setting that your browser supports. - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 31
24: The Encryption Strength option Printer Firmware Update HP recommends updating firmware whenever new firmware is available, but you should keep Printer Firmware Update disabled until you plan to use it. To disable Printer Firmware Update: Click to select Printer Firmware Update (Figure 25), and - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 32
number to the blocked fax list. Follow these instructions to configure Fax Printing: Note: Be sure to configure the MFPs for fax capabilities before continuing with the instructions below. At the minimum, configure the modem settings for the country, - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 33
Figure 28: Fax Header settings 2. Enter the Phone number and Company name that you would like to appear on faxes. - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 34
erase with no additional security. To set the Secure File Erase Mode follow these instructions: 1. Click to select Secure File Erase Mode (Figure 29), and view the devices. The Configure Devices dialog box will open. 4. Review your settings and then click the Configure Devices button to execute - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 35
Address/Message Settings - Default From Address HP recommends configuring the default from address to that includes an at sign (@). 5. Click to uncheck the User editable box to prevent a user from changing the Default From: address. Tip: You may wish to use the email address of an administrator who - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 36
section that is not contained in this document you can refer to the MFP User Guides and the Embedded Web Server Administrator Guide for more information. You can find these documents and more information at hp.com. Access Control for Device Functions Access Control for Device Functions allows you to - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 37
you plan to configure for the MFPs selected. Many of the options available (such as LDAP and Kerberos) require additional solutions on the network for support. For more information on Access Control configuration, please refer to the user or EWS Administration - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 38
LDAP If your network includes LDAP, configure the LDAP Sign In Setup and the LDAP Users and Groups options (Figure 34 and 35). Figure 34: The LDAP Sign In Setup options Figure 35: The LDAP Users and Groups options Once these settings are configured, users will be required to enter login credentials - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 39
Firewall Firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. HP PageWide printers provide this feature to ensure that printing is secure. Figure 37: The Firewall Setup options The Failsafe option (Figure 38 - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 40
Figure 38: The HTTPS Setup options Figure 39: The IPsec Setup options Security Features Available in the Embedded Web Server These features are either only partially offered in Web Jetadmin, or are only available for configuration through the MFPs embedded web interface. To configure these settings, - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 41
of the recommendations in the next chapter can be implemented without having a negative impact on HP and 3rd party solutions, however HP and 3rd party solutions should be tested with any settings changes to ensure that there are not any negative impacts. If a previously working solution no longer - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 42
the settings recommended in this checklist. This section does not include instructions or explanations. This list provides the recommended settings to ensure MFPs configured according to this list are considered secure, but HP does not warrant or guarantee that this configuration prevents or limits - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 43
Services Print Security Category Options Configure Embedded Web Server Password Disable Enable Host USB Enable HTTPS Setting to Encrypt all web communication Configure Encryption Strength to High Disable Printer From Address Select Prevent user from changing the Default From Address - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 44
Config Enabled Disable WS-Discovery Disabled Web Services Print Enabled Embedded Web Server Password Disabled Configure Encryption Strength to High High Disable Printer Firmware Update Enabled Restrict Color Not configured user from changing the Default From Address Not selected - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 45
6: Ramifications Raising the level of security on HP MFPs requires giving up some conveniences and usability. and credentials for each MFP. Whenever an authorized Web Jetadmin administrator makes a change, Web Jetadmin automatically provides the credentials without prompting. Thus, the administrator - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 46
Unless ePrint, HP Web Services, or other HP cloud for ePrint you should refer to your administrators guide for any special settings that may be required to secure your solution. • Configure Enable Features options. These options enable or disable various supported MFP print drivers. Disabling 9100 - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 47
printers. • Disable Web Services Print. This disables the Microsoft WSD Print services supported. If this feature is enabled someone with a host that supports Web Services the password whenever anyone or any application attempts to make changes to the EWS settings. Keep in mind that the settings - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 48
support SSL and high encryption strength will not be able to access the MFP EWS. It is recommended that you disable EWS Config during normal MFP operations and enabling it temporarily for changes HP recommends updating firmware whenever it becomes available at hp.com. You should enable Printer - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 49
configuration provides a high level of network security for HP MFPs. At the same time, it introduces some No Embedded Web Servers: Disabling EWS Config disables the entire EWS feature. • No way to change the From Address on email send jobs: Depending on the capabilities of your network, the MFPs - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 50
HP MFPs involve hard copy documents. MFPs can print them, scan them, send them to email, send them to network folders, send them to other printers services and features • Access to stored print jobs (depending on settings) • Access to copy features (unauthorized overuse of resources such as toner - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 51
is fax functions via telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist. MFPs are also capable into a paper path from an input tray similar to the input paper tray on a printer. It runs each sheet past the scanner and places it in an output tray. - HP PageWide Pro 577z | Printing Security Best Practices: Configuring a Printer S - Page 52
two types of data: system data, such as configurations, and user data, such as print jobs, address books, and installed applications. HP Web Jetadmin: HP Web Jetadmin is a peripheral management tool that provides access to multiple devices for status and configuration. It is capable of configuring
HP Printing Security Best Practices
for HP PageWide Pro Printers and HP
Web Jetadmin
Configuring a Printer Securely in HP Web Jetadmin 10.4
Version 1.0
HP PageWide Pro 477dn MFP
HP PageWide Pro 477dw MFP
HP PageWide Pro 577dw MFP
HP PageWide Pro 577z MFP
HP PageWide Pro 452dn Printer
HP PageWide Pro 452dw Printer
HP PageWide Pro 552dw Printer