HP DesignJet and PageWide XL
Printers
Security feature s
HP DesignJe t and Page Wide XL Printers Security Features
2
© 2014, 2016 , 2021 HP Develo pment
Company, L.P.
Reproduction, ada ptation, or translatio n without
prior permissio n is prohibited, exc ept as allowed
under the copyright law s.
The information contained h erein is subject to
change without notic e. The only warranties for HP
products and servi ces are set forth in the ex press
warranty statements accompanying such prod ucts
and services. N othing herein should be c onstrued as
an additional warranty . HP shall not be liable for
technical or editori al errors or omissio ns contained
herein.
September 2021 Edition
HP DesignJe t and Page Wide XL Printers Security Features
3
Table of Contents
1. Introduction & Ov erview ........................................................................................................................................ 5
2. Security concepts explanation.............................................................................................................................. 5
2.1 Device security ........................................................................................................................................................ 5
UEFI secure boot......................................................................................................................................................... 5
Firmware protectio n .................................................................................................................................................. 6
Integration with SIEM tools ....................................................................................................................................... 6
2.2 Device configurat ion protect ion ........................................................................................................................... 6
Disable protocols ........................................................................................................................................................ 6
SNMP compatibility .................................................................................................................................................... 8
Disable connectivity interfaces ................................................................................................................................. 9
Control Panel Access .............................................................................................................................................. 11
SCL certificates ........................................................................................................................................................ 17
Embedded Web Se rver (EWS) acce ss control ...................................................................................................... 18
USB drive contr ol ..................................................................................................................................................... 26
Jetdirect Securit y Wizard (HP T9x0-T15x0 -T25x0 -T3500 -PageWide XL) ...................................................... 28
Hide IP from front panel ......................................................................................................................................... 28
2.3 Data security: encry pted communicatio ns ...................................................................................................... 28
IPSec 28
Encrypt web comm unications ............................................................................................................................... 29
Access control list .................................................................................................................................................... 29
802.1X authentication ............................................................................................................................................ 30
2.4 Authentication ..................................................................................................................................................... 30
2.5 Protected data in storage .................................................................................................................................. 30
Self-encrypted hard disk ........................................................................................................................................ 30
Secure File Erase (SFE) ........................................................................................................................................... 30
Secure Disk Erase (SDE).......................................................................................................................................... 31
Scan to network (HP Desig nJet T2500, T2530, T3500, T26 00, XL3600 eMFP Series) ................................. 33
Scan to FTP fol der ................................................................................................................................................... 41
Exclude personal i nfo from accounting ................................................................................................................ 43
Disable internet co nnection ................................................................................................................................... 44
2.6 Document security .............................................................................................................................................. 44
Job storage and PIN printi ng .................................................................................................................................. 44
ePrint center connect ion ........................................................................................................................................ 46
3. Advanced workflows ........................................................................................................................................... 48
3.1 Printing using LPR pro tocol. .............................................................................................................................. 48
How to use the LPR command in Windows. ........................................................................................................ 48
3.2 Printing using FTP prot ocol. ............................................................................................................................... 48
How to use FT P in Windows ................................................................................................................................... 49
How to use FTP from DOS command ................................................................................................................... 49
How to use FT P combined wit h DMS server ........................................................................................................ 49
Possible issu e .......................................................................................................................................................... 50
3.3 Printing with PJL s ................................................................................................................................................ 50
How to use PJLs....................................................................................................................................................... 52
4. Large Format printers: s ecurity features summary ....................................................................................... 53
5. Large Format scanners: s ecurity features sum mary ..................................................................................... 63
6. Ports used in HP printers .................................................................................................................................... 65
Appendix 1 – Web Jetadmin .......................................................................................................................................... 71
HP DesignJe t and Page Wide XL Printers Security Features
4
Manageability co ntract for Large Format P rinters ..................................................................................................... 71
MC DJA 1.0 ................................................................................................................................................................ 72
MC DJA 2.0 - Only additions are sho wn ............................................................................................................... 72
Appendix 2 – JetAdvantage Secur ity Manager ............................................................................................................ 73
Policy compatibi lity features (HP DesignJ et T1700/Z6/Z9+ Printer S eries) ................................................... 73
Appendix 3 - Security Manager ..................................................................................................................................... 75
Plug- in modules: ............................................................................................................................................................. 75
Appendix 4 - Netgard overvie w .................................................................................................................................... 77
Introduction ..................................................................................................................................................................... 77
User account .................................................................................................................................................................... 77
FP settings ....................................................................................................................................................................... 77
EWS settings .................................................................................................................................................................... 79
Netgard MFD con figuration ........................................................................................................................................... 80
Basic configurat ion of Netgard MFD for HP printers ........................................................................................... 80
Netgard MFD user interface acce ss ...................................................................................................................... 80
Additional info rmation ................................................................................................................................................... 86
Security Glossary ............................................................................................................................................................ 87
Device protection rela ted .............................................................................................................................................. 88
Data protection rela ted .................................................................................................................................................. 90
Document protection rela ted ........................................................................................................................................ 93
HP DesignJe t and Page Wide XL Printers Security Features
5
1. Introduction & Overview
This document provides an overview of the security and connectivity features supported by HP DesignJet a nd
PageWide XL printers as of October 2018 .
The security features described in this document ma ke the HP DesignJet and P ageWide XL printer serie s particu larly
well suited for
deployment in environments where network, data , and access control security are important.
In this document, you will find:
• The description of the feature s, where to configure them and some recommended values (Section 2,
Security concepts explanation
).
• Description of the advanced printing workflows that can be used with the HP DesignJet (only
T1700/Z6/Z9+/Z6 Pro/Z9+ Pro) and PageWide XL printers (Section 3, Advanced workf lows
).
• The table s summarizing the new and existing security features of the HP DesignJet and PageWide XL
printer series and how they are configured using the control panel, Embedded Web Server and/or HP Web
Jetadmin (WJA). Please make sure that your printer has the latest firmware version to benefit from all the
security features (Section 4, Large Format printers: security features summa ry
).
• The t able summarizing the new and existing security features of the HP Scanners compatible with the HP
DesignJet and PageWide XL printer s (Section 5, Large Format scanners: security features summary
).
• The list of port s used by the printer and the effect of keep them blocked (Secti on 5, Ports used in HP
printers).
NOTE: If your printer is not listed in the table, then these features are not imp lemented.
2. Security c oncepts e xplanation
2.1 Device s ecurity
UEFI secure boot
It prevents the loading of unauthorized operatin g systems (OS) during system startup. This feature is compli ant with
the UEFI specification. Non -configurable feature.
HP Secure Boot
HP Secure Boot is another security feature that further protects the printer during boot process by making the BIOS
validate its own integrity at the very start before continues execution. Secure Boot ensures a clean bootup to avoid
any usage of external software installed in the printer and blocking backdoors to prevent hacking of the BIOS of the
device.
To achieve this, file whitelisting ensures that the firmware and datafiles are originals and not modifie d or replaced
files by unknown sources.
Security Event Logging (Sysslog)
Security Event Logging ensures the device can regis ter all the security-rel ated events. It is achieved through
integration with Splunk and McAfee’s SIEMS.
All sensitive information, such as keys and passwords, are stored in an independent hardware item. To access this
hardware, the system uses different keys, protecting th e printer’s identity when authenticating.
HP DesignJe t and Page Wide XL Printers Security Features
6
Integration with SIEM too ls
SIEM tools are software products and services that result from the combination of Secu rity Information Managemen t
and Security Event Management. They provide re al- time analysis and recording of security alerts generated by
applications and network hardware.
Connection Inspector
Connection Inspector monitors the printer connections to the internet, detecting patterns from m alicious software
connections and acts on them. It can display 3 different system errors, base d on severity:
• Warni ng
• Severe Continuable
• Severe not Continuable (requires printer restart). By restarting the printe r, during the disk check, traces and
injected malware will be cleared.
Firmware protection
All HP portfolio use signed firmware package, that me ans firmware packages are digitally signed by the HP Code
Signing group.
The printer is able to check the authenticity of any firmware and install on ly those signed by HP.
It is really important to keep the printer updated with the latest firmware, that provides you the highest security and
new fea tures.
The firmware can be updated in various ways, although not all them are available in all the printers:
• Plugging a USB drive with the firmware file in the root folder.
• Sending the firmwar e file t hrough EWS.
• Sending the firmware file through the port 9100, as any other job.
• Activating the Automatic Firmware Upgrade ( AFU) : This function connects the printer with the HP server ,
checks if there is a new firmware and dow nload s it . The installation should always be launch ed from EWS
or printer contr ol panel.
Despite the signature system , the recommendation is to protect the printer from unautho rized firmware upgrade s:
• Protect the EWS access with an a dmin account (see section 2.2.6,
Embedded Web Server (EWS) access
control).
• Disable the firmware upgrade from USB (s ee section 2. 2.7, USB drive control )
• Use the Automatic Firmware Upgrade to do wnload the firmware .
2.2 Device configuration p rote ction
Disable protocols
In some cases, you might want to disable a ll protocols that you do not plan to use to acc ess your printer . For example,
you might prevent users from sending files via f tp or connecting through telnet to man age the printe r network
settings. You can disable unused protocols through the Mgmt. Protocols option in the Embedded Web Server, or
the
HP DesignJe t and Page Wide XL Printers Security Features
7
Network Enable Features in Web Jet admin.
In the HP DesignJet T830 MFP/T730 pr inter and HP DesignJet T200/600/St udio Printer, the network Management
Protocols can be configured from the
Network > Advanced Settings menu.
HP DesignJe t and Page Wide XL Printers Security Features
8
SNMP compatibility
SNMP is a protocol to get printer information and to configure it. SNMPv3 is its encrypted version . Enabling it, only
the client applications knowing the keys will be able to access the prin ter using this protocol.
The main benefits of using SNMPv3 are :
• Integr ity: protects data flowing from side-to - side from being modified by a third party .
• Authentication: verifies the data source.
• Encryp tion: protects data from being accessed by a third party .
• Access control: restricts the M anaged Device data that can be accessed by e ach Network Management
System.
You can enable and disable the SNMPv3 agent from your printer. You may set up an account that allows a
management application to access the SNMPv3 agent.
The recommendation is to work with SNMPv3 and keep SNMPv1/v2 disabled if your system allow s it.
HP DesignJe t and Page Wide XL Printers Security Features
9
Disable connectivity interfaces
Depending on the printer series, there are some U SB network interfaces tha t can be disabled to res trict access to the
printer through these interfaces.
In some products, you can install a J et direct card to add extra security features, in this case, you might want to disab le
the onboard Ethernet.
The HP Jetdirect 640n is a print networking device that offers high -speed wired function ality, easy set-up, full
manageability, backward compatibility and enterprise- c lass security features.
Ideal for ente rprise and workgroup SMBs requiring full-featured, secure, and backwar d-compatible print
managemen t of printe rs and MFPs over share d, wired net works.
HP DesignJe t and Page Wide XL Printers Security Features
10
Features: Print at high speed over gigabit networks
• Quickly connect to shared printers and MFPs throughout your office, over a gigabit network.
• Maintain ri gorous stan dards thr ough IPv6 network features: more IP addresses than IPv4 and IPsec secu rity.
• Help reduce administration and operation costs with off-the -shelf functionality and backward compatibility.
See http://www8.hp.com/emea_africa/en/pr oducts/print-servers/product-detail.html?oid=5305778
for more
information about the Jetdirect card.
If you enable or disable a connectivity option, the printer will automatically restart. Keep in mind that disabling a
connectivity option could cut off network access to the printer. As a security measure, you cannot disable the
connection that you use to access the Embedded Web server.
HP DesignJe t and Page Wide XL Printers Security Features
11
Control Pan el Access
The DesignJet and PageWide technolog ies allow the printer administrator to lock some features in the con trol panel
of the device. Currently, there are two mod es of control access “
Control Panel Access Lo ck” and “ Access Control”,
depending on the model. To use these features, it is c ompulsory to define an administrator account and password.
In some printers, when setting an Embedded Web Server a dmin password, you also restrict access to certain front
panel features by default. The protected features on the front panel are:
• Network connectivity & Internet connectivity
• Control firmware upgrades
• Reset factory defaults
• External hard disk connection
• Security
2.2.1 .1
Control Pan el Access lock
The control panel access lock is a feature intended for IT administrators, which enables them to lock the de vice’s
control panel by using either the HP Web Jeta dmin or the printer’s Embedded Web Server (depending on the p rinter
model). This feature prevents unauthorized users from accessing some features on the control panel. Administrators
can specify the level of access as follows:
• Unlock
• Minimum lock
• Moderate lock
• Interm ediate l ock
• Maximum lock
This option can be enabled from the HP Web Jetadmin as shown below:
HP DesignJe t and Page Wide XL Printers Security Features
12
This option can also be enabled from the T12 00 Embedded Web Server as shown below:
The following table shows the features enable d or disable d for each loc k level :
Functionality locked when the Lock l evel is set
Resets, CIP config, Security, Service Menu 1
Resets, CIP config, Security config
Connectivity, AFU, IDS workflows, System info, Job Queue
Resets, CIP config, Security
Connectivity config, AFU, IDS workflows, System info, Job Queue
Media mgmt. workflows, Pause printer, Maintenance & IQ wo rkflows
Resets, CIP config, Security
Connectivity config, AFU, IDS workflows, System info, J ob Queue
Media mgmt. workflows, Pause printer, Maintenance & I Q workflows
Any settings, Connectivity info, IDS info, Paper Info, Cancel jobs, Calibration info
HP DesignJe t and Page Wide XL Printers Security Features
13
Grouped by categories:
Permission denied if FP lock level is at least:
Connectivity App Details Access
Settings App Internet connectivity
Settings App Connectivity Troubleshooting
IDS App Actions i.e. r eplacement, alignment, etc.
IDS Widget – Access to IDS App
IDS Widget – Cartridge Replacement
Settings App Inks Entry Access
Paper App Change Paper Type
Paper Widget – Access to Paper App
Settings App Paper Entry Access
Printer Information App Access
Printer Information App AFU Access
Settings App Calibration Info Entry Access
Settings App IQ maintenance Entry Access: Test plots,
Align PH, IQ
3 - Intermediate
Settings App Maintenance Entry Access
Settings App System Entry Access
Settings App CIP Entry Access
Settings App Restore Factory Settings
Settings App Printer Logs
Settings App Service Level 1
1 - Minimum – PIN needs to be provided
NOTE: When the Intermediate or Maximum lo cks are set, you will not able to load/unload paper or replace
printheads/ink
cartridges without first unlocking the front panel. These options should only be set in specific
circumstances
where the implications are known and understo od.
NOTE: None of these levels lock s the copy, scan, or print applications .
HP DesignJe t and Page Wide XL Printers Security Features
14
When the control panel is locked, the applicable menus show a ‘loc k’ symbol in the front panel. If a user attempts to
access a “locked” menu entry, a warning message is displayed.
NOTE: In PageWide XL, when the user attempts to acc ess a “locked” menu, the printer asks for the Use r p assword
that is not available when the Control Panel Access Lock is used. To insert the Admin p assword, click on the top lef t
corner.
2.2.1 .2
Access Control
The Access Control pag e is placed in the Setup tab, in the subsection called Access Control .
This function allows you to manage at least three roles of use (depending on the firm ware version), defining which
applications are available for each o f them.
The Control Panel Access Lock ( Setup > Security ) should be set to unlocked (see 3.5.1. Control Panel Access Lock ).
How t o confi gu re Access Control
The Access Control page has three main sections for the three main acti ons that can be performed:
• Sign-in methods: this section shows the enabled sign- in methods that can be used to sign in to the device.
• Device user accounts: in this section you can create, edit or delete the user accounts that are available on
the printer.
• Sign-in and permission policies: here you can set up the sign-in requirements for specific tasks and restrict
user access by role.
HP DesignJe t and Page Wide XL Printers Security Features
15
Figure 1 - Access Control page
a. Sign- in methods
This section shows the enabled sign- in methods that can be used to sign in on the device.
Currently , sign -in method s are Local device , LDA P and Windows Sign-in (Kerber os) .
Figure 2 - Sign -in method s
b. Device user accounts
In this section, there are four actions availab le:
• New : to add a new user account .
• Edit : to edit the selected user account.
• Delete : to delete the selected user account.
• Delete all: to delete all the user accounts.
HP DesignJe t and Page Wide XL Printers Security Features
16
Figure 3 - Empty user accounts list
To add a new user:
• Click the New button; a section is expanded. It is required to fill in the name and password fields.
• It is possible to change the User access code and the Permission that is set. You can select from the
following permission roles.
This role has all the access pr ivileges granted to it and cannot be edited.
This role has some access privileges granted to it that can be edited in the Access
Control pag e.
This role has some access privileges granted to it that can be edited in the Access
Control
page.
Figure 4 - Creating a user account
After adding the user, you will see the following screen .
Figure 5 - User account s list
c. Sign -in and permissions p olicies
You can change the permissions for the roles guest and user . Select the permissions and click Apply .
HP DesignJe t and Page Wide XL Printers Security Features
17
Figure 6 - Defining permissions
NOTE: Users have at least the Guest permission.
NOTE: Any app that forces the user to log in will cause the Guest column to be disabled.
Front Panel log in
When the user clicks on any blocked function for the first time, a window appears. The user must enter in his/her
password. Session expiration can be managed in
Settings.
To log in as Admin , click the menu in the corner.
2.2.1 .3
Dea dl o ck: Fr on t Pan el l ocked + EWS pa ssword forgo tten
Under certain circumstances, a printer mi ght become inaccessible if the cont rol panel has been locked and the
administrator has lost the password needed to unlock it. This could happen if the front panel is locked t hrough t he
printer’s Embedded Web Server and the Administrative pass word for the EWS is lost. In this situation, it would not be
possible to unlock the front panel from the Embedded Web Se rver and it would not be possible to reset the
Embedded
Web Server from the front panel.
NOTE: If the printer’s f ront panel becomes locked and you are unable to unlock it, then you should contact HP support
as soon as possible.
SCL certificates
• Jetdirect identity certificate
You can reque st, instal l, and man age digital certific ates on the HP Jetdirect print server. Certificates are used
to
identify the Jetdirect pr int serv er both a s a vali d web server for network clients, and as a valid client
requesting access
on a secure network. By default, the Jetd irect print server contains a self-signed, pre -
installed certificate.
HP DesignJe t and Page Wide XL Printers Security Features
18
• Certificate Authority certificat e
You can inst all and man age a CA ce rtificates in the printer. The CA certific ate is used to validate the identi ty
of the network servers you may connect to, such as SSL or LDAP servers secu red with SSL.
Unique Admin password for EWS access control
New regulatory policies in some states worldwide state that governmental devices should h ave a non-blank default
administrative password and that all printer administration/configuration resources should be protected by an admin
password .
For this reason and to increase HP LFP Printers default security level, HP DesignJet and PageWide Pr inter Ser ies now
come with a new Security feature, the default unique admin passw ord. This feature is currently only present in
DesignJet and PageWide printers listed in the below table
but will be extended to further products. A defa ult a dmin
password wil l be assig ned at manufa cturin g stage to all HP DesignJet and Pag eWide Printer Series printers going
forwards that is unique for every printer.
HP DesignJe t and Page Wide XL Printers Security Features
19
Similarly, to other technical devices, this default admin password is already set when the user purchases the product.
Depending on the printer model the default admin password may be found in different places. In some models this
password can be located on a sticker on the rear of the printer. In other models the user will have a front panel menu
option to obtain this default admin password. By referencing the below table, you can see where to find your printer’s
unique default password and steps on how it can be changed/cus tomized in each case.
DesignJet and PageWide Printer Series
Location of default Admin password
PageWide XL 3 920 MFP
PageWide XL 4200 Printer/MFP
PageWide XL 4700 Printer/MFP
PageWide XL 5200 Printer/MFP
PageWide XL 5200 Printer
PageWide XL Pro 5200 Printer/MFP
PageWide XL 8200 Printer/MFP
PageWide XL 8200 Print er
PageWide XL Pro 8200 Printer/MFP
PageWide XL Pro10000 Printer
DesignJet Z6 Pro Printer
DesignJet Z9+ Pro Printer
Front panel of the printer
Sett i n gs Men u -- > S ecu r i ty --> Admi ni str ato r pa sswor d:
HP DesignJet T200/600/Stud io Printer On the s erial number label located on the back of printer
Using the Front Panel to discover the default admin password .
Using the Front Panel , navigate to Settings Menu > Security > Administrator password:
It can also be discovered from the Front Panel throug h Printer Infor matio n:
HP DesignJe t and Page Wide XL Printers Security Features
20
When the default admin password is modified , under these menu paths you will see: Administr ator password “Your
password has been modified by the administrator, in case you lost it and need t o recover, please contact your HP
Service Representative”
NOTE: This is only an example. In every LFP printer the default admin password will be different.
2.2.1 .4
How t o cha nge my pri nt er’s defau lt adm in passw ord
The printer’s admin password can be changed for any of your o wn (except a blank password). The process to ch ange
admin password can be performed in different ways.
Printer users can change the admin password through the web browser going t o:
Settings > Security > Administrator password > Click on the Pen Icon:
HP DesignJe t and Page Wide XL Printers Security Features
21
A new window will ask both the def ault admin password and the new admin password. Note that the new a dmin
password will have no constraint except that blank passwords are not allowed.
The admin password will remain between reboots.
NOTE: Default User name: adm in
2.2.1 .5
Reset a dm i n pa ss wo r d t o d efa u l t
In printers where the Unique Admin Pa ssword can be found on the printer front panel, users cannot reset the admin
password to t he default without assistance. If, for any reas on, the customer admin password of the printer is not
known, it is necessary to call a service representative to reset this password.
Only developers and servicing personnel will be allowed to reset admin password.
Unique Admin P assword on printer label
Some Printer models are not able to display the unique admin password on the printer front panel and are
therefore shipped with the def ault unique admin password on the printer label. These models can be identifi ed
from the above table . In these printer models there are 2 ways to find the default EWS password:
1. A label on the back of printer.
2. “Printer PI N” on “Pri nter Sta tus Report ”. Printable from front pane l if it has not been chang ed from the
defaul t. If you change the PIN, the status report will no longer show it. It w ill show “Custom user
password set” in the report instead.
NOTE: Defaul t Use r name: admin
HP DesignJe t and Page Wide XL Printers Security Features
22
In printer models where the default admin password is found on the prin ter label it is possible to reset the admin
password to its default through a factory rest of the printer.
Perform Setup > Printer Maintenance > Restore > Reset Factory Default
HP DesignJe t and Page Wide XL Printers Security Features
23
Embedded Web Server (EWS) access control
The Embedded Web Server is a powerful tool which en ables direct management of devices such as the HP LaserJet
or the HP DesignJet printe r s. With no security in place, however, this tool also has the potential to have a
negative
effect on many features, as they can be configured using just a web browser and knowing the IP address
of the
printer. To solve this situation, w e have implemented two levels of access to our compatible HP DesignJet
printe rs.
The Security page enables users to:
• Restrict access to the printer by setting an administrator user acc ount.
• Define two levels of access: Administrator and Guest (Gue st account not availab le in HP PageWide).
If the two levels of access have been set, and you have neither of the passwords, then you will not be able to gain
access to the EWS information, as in the image below.
2.2.1 .6
Admin ist rat or p asswo rd
Access control is enabled by setting the Admin account password , i.e. specifying a password for the user account at
admin level. You must then provide the admin password to perform any of the following restricted operations :
• Cancel, delete or preview a job in the job queue.
• Delete a stored job.
• Clear accounting information and configure cost assignment, in some models .
• Change printer settings on the Device Setup page.
• Access the setup tab to configure the printer.
• View protected printer information pages.
• Access the Custom er Involvement Program page.
• Access the Service Support.
HP DesignJe t and Page Wide XL Printers Security Features
24
HP DesignJe t and Page Wide XL Printers Security Features
25
If there is no administrator account, then the restricted operations can b e accessed without a password.
2.2.1 .7
Guest pa sswor d
Once the administrator user account has been set, the administrator can also set up a guest user account by
specifying a password for the guest.
If the guest user account is set up, a username and p assword are required for all EWS operations: users identified as
guests have access to restricted operations, whilst users identified a s administrators have access to all operations.
If the guest account is not set up, a username and password are not requir ed for unrestricted operations.
HP DesignJe t and Page Wide XL Printers Security Features
26
Notes:
• Some printers only have 1-level password access to the Embedded Web Server.
• The netw or king tab of the Embedded Web Server ask s for another admin a ccount and password. This
password is synchronized with the admin password for the co mplete EWS.
• For most printers that have EWS pass word capability, it is also possible to set up the admin pa sswor d
through Web Jetadmin. Only one level can be set in this way, howeve r, so the guest passw ord ca nnot be
set up from Web Jetadmin.
• Passwords have no minimum complexity requirement s; the maximum length is 16 characters .
• Printers with touchscreen front panels only allow the use of the limited set of characters shown below
(capital lette rs are also sup ported).
• These limitations do not apply to printe rs without touchscreen front panels , as the password can be set
using EWS.
• Some printe r drivers rely on th e EWS for creating the preview. In cases where an administrator password
is set, the administrator password will be required to access job preview.
USB drive con trol
All printers al low you to cont rol the USB use, in two ways :
• USB dr ive: ena ble or d isable t he use of the USB to print or scan.
• Firmware upgrade from USB: enable or disable the possibility of upg rading the firmware from a USB .
These features are available in the control panel, the E mbedded Web Server and Web Jetadmin.
HP DesignJe t and Page Wide XL Printers Security Features
27
HP DesignJe t and Page Wide XL Printers Security Features
28
Jetdirect Security Wizard (HP T9x0 -T15x0 -T25x0 -T3500 - PageWide XL)
The HP Jetdirect Security Configuration Wiz ard enables you to configure security se ttings for HP Jetdirect print server
management. There are 3 levels of Network Security that can be set:
Configure an admin password that
is shared on other tools such as Telnet and
SNMPv 1/v2.
Disable unsecure management protocols (FTP, Telnet, RCFG, SNMP v1/v2c).
Enable SNMP v3.
Enable SNMPv1/v2 read only access.
Manually adjust all the settings.
Hide IP from front panel
Some printers include an option in the Service Menu, accessible with the help of an HP Support agent only, that
enables you to hide all IP information from the printer’s fro nt panel. This prevents that people physical ly around the
printer could obtai n the IP and connect to it.
2.3 Data s ec urity: encrypted communications
IPSec
A Firewall or IP Security (IPsec) policy enables you to control traffic to or from the device by using network-layer
protoco ls. Eit her a fi rewall o r IPsec/firewall pages will appear, depending on whether IPsec is supported by the print
server and device. If IPsec is not supported, firewall pages will be display ed and a firewall policy can be configured.
NOTE: Before you enable a firewall or IPsec policy, you sho uld make sure that access to you r configuration
management settings is secured (for example, through an administrat or password). This will ensure that your policy
is
not easily disabled through Telnet, control panel menus, or other management tools.
Firewall. Use this page to view or configure a firewall policy. A firewall policy consists of up to 10 rules, where each
HP DesignJe t and Page Wide XL Printers Security Features
29
rule specifies the IP addresses and services that are allowed by the print server and device. To add a rule, click Add
Rule. This setting runs a wizard that will help you to configure each rule.
IPsec/Firewall. Use this page to view or configure an IPsec/firewall policy. An IPsec/firewall policy consists of up to
10 rules. As with a firewall policy, each rule specifies the IP addresses and services that are allowed by the print
server
and device. With IPsec support, you can apply IPsec authentication and encryption protocols for those
addresses and
services. To add a rule, click Add Rule . This runs a wizard that will help you to confi gure each rule.
For a detailed description of wizard settings and additional help, visit Jetdirect IPsec/Firewall Help .
Encrypt web communications
You can securely manage your network-connected printers using a web browser and the HTTPS protocol. To
authenticate the HP Jetdirect web s erver when HTTPS is used, you may configure a certificate, or you may use the
pre-installed, self -signed X.509 Certificate . The encryption strength specifies wha t ciphers the web server will use
for secure communications. SSL/TLS Protocols used in the communications can be configured in the printer’s EWS.
Supported cipher suites can also be checked at EWS .
When you enable encryption, the web server encrypts all web communication, forcing all connections to use HTTPS.
You can also configure encryption options to allow both HTTP (unencrypted) and HTTPS connections. In secure
environments , you should choos e to encrypt all web communications. Otherwise, sensitive management data
(administrator password , SNMP community names, and secret keys) may b e compromised.
Access control list
This feature lets you determine the access control list (ACL) , which is used to specify the IP addresses on your
network
that are allowed access to the device. The ACL is normally used for security pu rposes and supports up to 10
entries.
The device blocks communications from all other addresses. If the list is empty, any system is allowed
access. By
default, host systems with HTTP connections (such as web browser or IPP connections) are allowed access
regardless
of ACL entries. This allows hosts to access the device when proxy servers or Network Address Translators
(NATs) are
used. However, unfiltered access by HTTP hosts may be disabled by clear ing the Check ACL for HTTP
checkbox.
Host systems that have access are specified by their IP host or network address. If the network contains subn ets, an
address mask may be used to specify whether the IP address entry is for an individual host system or a group of host
systems. For an individual host system, the mask “255.255 .255.255” is assumed and is not required.