Hp LASERJET M2727 MFP, LASERJET 9040MFP, LASERJET 9000MFP, LASERJET 3300MFP, LASERJET CM4730 MFP HP Imaging and Printing Security Best Practices

HP Imaging and Printing Security Best Practices
Configuring Security for Multiple LaserJet MFPs, Color LaserJet MFPs, and Color MFPs with Edgeline Technology
Version 3.0
Table of Contents
Introduction......................................................................................................................................... 4
Cautions............................................................................................................................................. 6
Follow the Checklist in Order............................................................................................................. 6
Configure One MFP Model at a Time ................................................................................................. 6
Understand the Ramifications............................................................................................................. 6
Continue to be Vigilant ..................................................................................................................... 6
MFP Environment ............................................................................................................................. 6
Assumptions........................................................................................................................................ 6
Solutions covered ................................................................................................................................7
Organization ...................................................................................................................................... 7
Threat Model ...................................................................................................................................... 7
Spoofing Identity.............................................................................................................................. 8
Tampering with Data........................................................................................................................ 8
Repudiation..................................................................................................................................... 9
Information Disclosure ...................................................................................................................... 9
Denial of Service.............................................................................................................................. 9
Elevation of Privilege ...................................................................................................................... 10
Network Security ............................................................................................................................... 10
Overall Network Settings ................................................................................................................ 10
Notes on the Process of Configuration .............................................................................................. 11
Notes on Passwords ....................................................................................................................... 11
Configuring MFP Security Settings.................................................................................................... 12
Settings List ....................................................................................................................................... 65
Initial settings................................................................................................................................. 66
Settings for All MFPs....................................................................................................................... 66
Settings only for Edgeline MFPs ....................................................................................................... 67
Default Settings.................................................................................................................................. 68
Ramifications..................................................................................................................................... 72
Initial Settings ................................................................................................................................72
Settings for all MFPs (including Edgeline MFPs).................................................................................. 74
Settings Only for Edgeline MFPs ...................................................................................................... 81
Final Configurations ....................................................................................................................... 83
Overall Limitations.......................................................................................................................... 84
Physical Security................................................................................................................................84
Appendix 1: Glossary of Terms and Acronyms...................................................................................... 85

Introduction

HP MFPs are designed to provide the best quality, versatility, and convenience possible. They include a wide variety of features to improve your experience with data handling and printing. These features include security settings that help protect your valuable intellectual property and your network data.
HP prepares MFPs to be easy to set up and use right out of the box; however, this means that many of the security features are not configured by default. To help with this, HP developed this checklist as a guide to help you configure the security-related settings. It provides instructions to configure these settings for one or more MFPs at the same time.
This checklist covers the following HP MFP models:
MFP Type                                   Model
HP LaserJet MFPs                           HP LaserJet 4345 MFP
                                           HP LaserJet M4345 MFP
                                           HP LaserJet M3027 MFP
                                           HP LaserJet M3035 MFP
                                           HP LaserJet M5025 MFP
                                           HP LaserJet M5035 MFP
                                           HP LaserJet 9040 MFP
                                           HP LaserJet 9050 MFP
HP Color LaserJet MFPs                     HP Color LaserJet 4730 MFP
                                           HP Color LaserJet M4730 MFP
                                           HP Color LaserJet 9500 MFP
HP Color MFPs with Edgeline Technology     HP CM8050 Color MFP
                                           HP CM8060 Color MFP
This checklist covers security settings on all of these MFPs, but each type of MFP has varying characteristics. Wherever possible, these differences are explained in the instructions. Here is a summary of the major differences between these MFP types:
HP LaserJet MFPs:
HP LaserJet MFPs are based on single-color (also called black and white) LaserJet print technology. Settings that relate to color printing do not apply to these models.
HP Color LaserJet MFPs:
HP Color LaserJet MFPs are based on Color LaserJet print technology. Most settings in this checklist apply to these MFPs.
HP Color MFPs with Edgeline Technology:
HP Color MFPs with Edgeline Technology are based on a new high-speed color ink technology introduced by HP in 2007. These MFPs have some unique security-related settings that do not apply to the other MFPs. Some of these exclusive settings appear similar to those for the other MFPs, but they apply only to the HP Color MFPs with Edgeline Technology.
This checklist is written for acceptance by the National Institute of Standards and Technology (NIST). HP thanks NIST for its support in the process of creating this document.
This checklist assumes that you are a trained network administrator and that you are familiar with the use of HP Web Jetadmin to manage HP MFPs and printers and to upgrade firmware. You should be familiar with Embedded Web Servers (EWS), and with HP Jetdirect connections. Refer to the MFP User Guides and the HP Jetdirect Administrator Guide for more information. You can find these documents and more information by searching for them at hp.com.
HP Web Jetadmin is the recommended management tool for all HP network printing and digital sending products. This checklist is developed only for HP Web Jetadmin Version 8.1 with Service Pack 4. Web Jetadmin Version 8.1 is available for download at the following location:
http://www.hp.com/bizsupport/wja/live/manual/8.1/html/wjacomp_winnt.html
You can also find HP Web Jetadmin by searching for it at hp.com.
You should install HP Web Jetadmin and update it with Service Pack 4 using the Product Update menu under the Install option (Figure 1).
Figure 1: The Navigation menu showing the Product Update Install option.
The Web Jetadmin Update page will appear with options for finding and installing updates. Be sure to enable WJA to check for updates at hp.com, and click the button to check for new updates. Once you have installed Service Pack 4, you should install all remaining updates. See HP Web Jetadmin user guides for more information.
Note:
If Service Pack 4 does not appear in the Available Updates window, it is already installed.
This checklist applies to most types of networks; however, it is developed and tested in the following environment:
An ordinary TCP/IP network
Microsoft Internet Explorer version 6.0 with SP2
HP Web Jetadmin Version 8.1 with Service Pack 4 installed on a Windows XP PC
One of each supported MFP
The process for configuring this checklist is developed using HP Web Jetadmin Version 8.1 managing all of the MFPs at the same time. It covers only those parts of HP Web Jetadmin that pertain to appropriate security settings. See the user guides, admin guides, and help files for more information.

Cautions

HP is dedicated to providing the best and latest security information available for MFPs. This checklist is meant to help you to improve MFP security in your workplace. HP has tested this checklist to ensure that MFPs continue to provide the best possible performance while averting possible security threats; however, some of these settings can cause unexpected problems in your network environment. Be aware of the following cautions before you begin:

Follow the Checklist in Order

The settings in this checklist are presented in a specific order to ensure success. Many of these settings can be configured successfully only in the correct order. You should follow the instructions exactly and avoid making additional configurations during this process.

Configure One MFP Model at a Time

For best results, configure one MFP model at a time. This checklist covers a large number of settings that become complicated as they go on. Configuring multiple models at the same time increases the complications and can cause failures in some settings. However, Web Jetadmin can configure an unlimited number of individual MFPs of the same model.

Understand the Ramifications

HP Web Jetadmin and MFPs include a wide variety of useful settings designed to make work easier and more productive. However, raising the level of security requires trade-offs in these areas. Be aware that applying this checklist can limit or even eliminate some features. See the Ramifications chapter for more information.
HP provides this checklist as a guide to best-practice security configurations that allow for reasonable convenience and usability. Some of the recommended settings create extra steps when accessing and managing MFPs.
You should test these settings in your environment to ensure that you understand their effects. You may find that some of the settings cause undesirable limitations.

Continue to be Vigilant

This checklist is provided only as a complimentary guide to known best practices for increasing MFP security. HP does not claim or warrant that these configurations prevent misuse of MFPs or networks or that they prevent malicious attacks on MFPs or networks.

MFP Environment

NIST defines several types of user environments, many of which are compatible with HP MFPs. However, this checklist is written for an enterprise environment. Such an environment uses most of the network features available with MFPs. Other types of environments tend to use a subset of these features. You should configure as much of this checklist as possible while adapting the settings to your specific situation.

Assumptions

This checklist makes some assumptions about the reader and about enterprise environments:
Network administrators: This checklist assumes that you are a trained network administrator who is familiar with common networking practices, including configuring HP Jetdirect connections, and using HP Web Jetadmin. You should have read the MFP user guide, the MFP administrator guide, the Jetdirect administrator guide, Web Jetadmin user guides, and help files. This checklist relies on these materials for necessary information. All of these guides are available by searching for them at hp.com.
MFPs: This checklist covers security settings for specific HP MFPs. It is meant to help you configure multiple MFPs simultaneously using the HP Web Jetadmin Multiple Device Configuration Tool (explained later). It assumes that the MFPs are turned on, connected to the network, and in their factory default states.
Most of the settings recommended in this checklist apply to other HP products; however, this checklist is tested and known to be successful only with the specified MFP models.
Web Jetadmin Version 8.1 with Service Pack 4: This checklist does not apply to other versions of Web Jetadmin. However, you should use the MFP Web Jetadmin Version 8.1 Product Update tool to install all of the latest updates available from HP. See Web Jetadmin help for more information.
Enterprise environment: This checklist is created and tested in a TCP/IP enterprise environment. However, most of the settings apply to most common networks.
Network connection: This checklist assumes that each MFP is connected directly to a local area network via Jetdirect or Jetdirect Inside (JDI). Other connections, such as direct-connect via parallel cable or via USB, are not covered (this checklist recommends disabling direct-connect ports).
The recommended settings are only suggestions: All settings in this checklist are meant only as suggestions for best-practice security for MFPs. Use it as a reference, and make judgments about each recommended setting before configuring your MFPs.
Internet and intranet security: This checklist assumes that your network includes basic security configurations and components. All MFPs should be installed behind network firewalls and other standard tools such as updated virus protection applications.

Solutions covered

This checklist covers MFP security settings found in HP Web Jetadmin Version 8.1 and on MFP control panels. This checklist covers no other solutions or applications.

Organization

This checklist includes the following chapters:
Threat Model: The Threat Model chapter explains the security circumstances relating to MFPs. It follows the Microsoft® STRIDE model.
Network Security: The Network Security chapter provides step-by-step instructions for configuring MFP security settings.
Settings List: The Settings List chapter provides a bulleted list of the recommended settings with checkboxes. It does not include instructions or explanations.
Default Settings: The Default Settings chapter lists each recommended setting with its corresponding default setting.
Ramifications: The Ramifications chapter lists each recommended setting with explanations of possible limitations.
Physical Security: The Physical Security chapter explains security concerns in workplaces where MFPs are installed. It covers security for picking up print jobs, copying, and scanning.
Appendix 1: Glossary of Terms and Acronyms.

Threat Model

This chapter lists some of the types of security risks that an MFP might encounter in an enterprise network environment, and it suggests some ways to help protect your network and your data.
As technology improves, malicious people (hackers) continue to find new ways to exploit networks. Hackers are beginning to target MFPs and other network peripherals to misuse resources or to gain access to networks or to the internet. Predicting the actions of a hacker is difficult, but HP is dedicated to research in this area. You should continue to be aware and always remain vigilant. Use other techniques with this checklist to help ensure that your network is resistant to compromise.
Note:
This is not a comprehensive treatment of these issues. This chapter is only an introduction to the types of threats that might possibly affect MFPs.
The Microsoft STRIDE model provides a valuable outline to categorize these known types of threats:
Spoofing identity
Tampering with data
Repudiation
Information disclosure
Denial of service
Elevation of privilege
The following sections explain how each type of threat relates to MFPs:

Spoofing Identity

Spoofing identity is masquerading as someone else to fool others or to get unauthorized access. Here are some ways spoofing identity can relate to MFPs:
Placing another person's email address in the From address field of an email message. Example: Someone could place the address of a co-worker in the From address field and send embarrassing or malicious messages to others as though the co-worker wrote them.
Using another person's email credentials to log in to the email server to gain access to address books
Using another person's email credentials to have free use of an email service
Using another person's email credentials to view that person's email messages
Using another person's log on credentials for access to use MFPs or networks
Using another person's log on credentials for administrative access to MFPs
You can address the risks of spoofing identity in the following ways:
Protect the From address field in the MFP Digital Sending and Fax configurations.
Protect MFP disk access.
Configure authentication.
Configure the administrator password.
Configure SNMPv3.

Tampering with Data

Tampering with data can include any method of changing, destroying, or adding to information that is stored on an MFP or being transferred to or from an MFP. Examples:
Canceling another person's job. The person who sent a cancelled job gets no warning; only part or none of the job is printed.
Intercepting a print job before it reaches the MFP, altering it, and sending it on to the MFP.
Intercepting remote configuration data, such as communications between Web Jetadmin and the MFP, to get passwords and other information.
You can address the risks of data tampering in the following ways:
Disable Cancel Job button.
Disable Go (Pause) button.
Configure SNMPv3.
Prevent unnecessary remote access: close down all unused ports and protocols.
Configure HTTPS for EWS access.

Repudiation

Repudiation is using an MFP without leaving usage information. This includes preventing the MFP from logging data or bypassing security checks such as user authentication. Examples:
Accessing usage logs to delete entries
Removing origination information from file metadata
Bypassing user authentication
Using remote management software to access the MFP
You can address the risks of repudiation in the following ways:
Install Jetdirect 635n Print Servers and set up IPsec to encrypt the data stream, including log data and file metadata (look for this product at hp.com or contact your HP product supplier). Edgeline MFPs already have IPsec functionality. Look for information on configuring it at hp.com.
Close unused ports and protocols.
Save copies of log data at a separate location
Add security solutions such as swipe-card readers and thumbprint readers
Configure MFP settings that restrict remote management

Information Disclosure

Information disclosure is gathering information from an MFP and providing it to unauthorized users. This can include authentication information, usage log information, or information from the contents of a job. Examples:
Reading stored print jobs on the MFP hard drive
Downloading log information
Downloading address books
Intercepting print jobs, copy jobs, fax jobs, or digital send jobs (such as email)
You can address the risks of information disclosure in the following ways:
Install Jetdirect 635n Print Servers to encrypt the data stream, including log data and file metadata (look for this product at hp.com or contact your HP product supplier). Edgeline MFPs already have IPsec functionality. Look for information on configuring it at hp.com.
Close unused ports and protocols.
Configure all possible password settings.
Configure authentication.
Configure SNMPv3.

Denial of Service

Denial of service is any type of interference with normal use of an MFP. Examples:
Canceling or pausing the print jobs of others
Turning off the MFP remotely
Disconnecting power to the MFP
Pulling out the MFP formatter board
Disconnecting the MFP from the network
Causing interference with network communication to the MFP
Changing the network location of the MFP
Causing an error state that interrupts service
Changing access configurations
You can address the risks of denial of service attacks in the following ways:
Lock the control panel.
Lock EWS configuration settings.
Close unused ports and protocols.
Disable controls such as the Job Cancel button and the Go button.
Enable the resume feature to allow the MFP to resume operations after an error state.
Configure Job Timeout.
Control physical access to the MFP.
Lock physical access to removable hardware.

Elevation of Privilege

Elevation of privilege is any method of upgrading authorized access to include unauthorized access. Examples:
Non-administrators changing settings to get administrator privileges
Unauthorized use of management software to provide access for other unauthorized users
Using management software to bypass job accounting functions
You can address the risks of elevation of privilege attacks in the following ways:
Configure the administrator (device) password.
Configure SNMPv3 and HTTPS.
Lock the control panel.

Network Security

This chapter explains how to configure security settings for one or more MFPs. You should use HP Web Jetadmin Version 8.1 with Service Pack 4 to configure as many of these settings as possible, but some settings are available only in the MFP control panels as noted.

Overall Network Settings

Before you get started, be sure that your network environment provides reasonable security in which your MFPs can operate. This includes configuring network firewalls and providing up-to-date virus controls.
This checklist covers only the security settings that apply to MFPs as they are delivered in the box. You might consider other measures that are available to provide further security for MFPs:
HP Digital Send Service (software). Digital Send Service is a separate solution available at hp.com. It provides valuable security features such as encrypting digital send jobs and more types of authentication.
HP Jetdirect 635n Print Server Card. This accessory provides added network security using IPsec and IPv6 protocols. This technology enables security for network traffic including the content of print jobs, the content of email jobs, and the content of digital sending jobs. Look for the HP Jetdirect 635n Print Server Card at hp.com.
Note:
Edgeline MFPs have IPsec and IPv6 capabilities, but they are not covered in this checklist. This is because HP Web Jetadmin does not provide support for them, and because they require advanced network configurations. Look for information on these settings in the Edgeline MFP user guides and at hp.com.

Notes on the Process of Configuration

This checklist covers every reasonable security setting for each model. The overall configuration is tested and known to be successful in the most common network environments as long as the settings are configured in the correct order and on one model at a time. However, your network environment might be different. Be sure to follow the instructions in order, and consider making adjustments to accommodate your needs.
Since this is a complicated configuration, sometimes a setting can fail in the process. If this happens, try again. If it fails again, try using the individual configuration pages in Web Jetadmin or use the MFP EWS. Sometimes also, Web Jetadmin might show a false failure; the setting will have actually been successful. You can verify the success of a setting using the individual configuration pages in Web Jetadmin or in the MFP EWS.
Keep in mind that the Web Jetadmin Multiple Device Configuration Tool lists the aggregate of all settings for all models it is managing. However, each model has a different set of settings. For instance, the MFPs with Edgeline Technology have several unique authentication features. When you configure a setting, Web Jetadmin sends it to all of the MFPs selected in the device list. Each individual MFP accepts applicable settings and ignores those that do not apply.
Tip:
Use the Web Jetadmin filters to configure one MFP model at a time. This works faster and gives better results.
Tip:
Use a printout of the Settings List chapter to check off each item as you configure it.

Notes on Passwords

This checklist includes configuration of several passwords. These passwords are valuable to overall security. Try to follow good practices for these passwords:
Use the maximum possible characters. Current data shows that a password of 8 or more characters is extremely difficult or almost impossible to guess even using the latest password cracking tools.
Use complicated passwords. Some of the passwords allow only numeric digits, but others can accept 96 or more different characters (upper case, lower case, numeric, special characters, and punctuation marks). Use a variety of character types whenever possible.
Use a different password for each setting. Many of the latest password cracking tools can follow patterns to make guessing easier.
Use meaningless random characters. Real words or phrases are easier to guess. The latest password cracking tools follow dictionaries to narrow down the possibilities.
Record the passwords in a safe but hidden place. The passwords are designed to restrict access to management options on the MFPs. Losing a password can eliminate your access to settings. This is most important for the Bootloader Password (the Startup Menu Administrator password for Edgeline MFPs), which is a permanent setting that can never be changed or reset without the correct password.

Configuring MFP Security Settings

This section provides instructions for configuring the MFPs for best-practice security. Almost all of these settings are found in HP Web Jetadmin Version 8.1. The exceptions are noted in the instructions below.
The instructions are divided into five sections:
Setting up HP Web Jetadmin: This section explains how to prepare Web Jetadmin to display the MFPs you are configuring and to provide the correct functions.
Configuring Initial Settings: This section provides instructions on settings that are required before the remaining settings can be configured.
Configuring Settings for all MFPs (including Edgeline MFPs): This section provides instructions for configuring settings that apply to all MFPs including Edgeline MFPs, LaserJet-based MFPs, and Color LaserJet-based MFPs.
Configuring Settings for Edgeline MFPs: This section provides instructions for configuring settings that apply only to Edgeline MFPs.
Configuring Final Settings: This section provides instructions for configuring settings that should not be configured until all other settings are finished.
Note:
Web Jetadmin displays all supported settings for all MFPs it is managing even though not all MFPs support all of the settings. Each MFP ignores settings that do not apply and continues without issues.
For the same reason, some of the settings may not appear in HP Web Jetadmin. Web Jetadmin displays only the options that apply to the MFPs you are managing. Ignore settings in this checklist if they do not appear on your Web Jetadmin screen.
Whenever you attempt to configure a setting that is not supported on an MFP, Web Jetadmin shows setting failed – not supported. This is the expected behavior, and the MFP will continue without issues.
For best results, configure one MFP model at a time.

Setting up HP Web Jetadmin

Follow these instructions to prepare Web Jetadmin for configuring the MFPs:
1. Open Web Jetadmin to view the device list (Figure 2), which appears by default.
Figure 2: Web Jetadmin showing the device list in the default view.
2. Check to see that the MFPs you wish to configure appear in the Device Model List. If they are not in the list, use the Discovery options to find the MFPs on your network.
Note:
This checklist does not cover Device Discovery. See Web Jetadmin user guidance for more information. In most cases, the MFPs already appear in the default view.
Note:
It is possible for Web Jetadmin to lose contact temporarily with an MFP that is configured for DHCP. Use the Discovery options to restore contact, or configure the MFPs with static IP addresses. You can also use the MFP host names to find them.
3. Click to select the MFPs to configure in the Device List view, and click Configure in the Device Tools dropdown menu (Figure 3).
Figure 3: The Device List showing devices selected and the Device Tools menu showing Configure selected.
Tip:
To select more than one MFP in the Device Model list, hold CTRL while clicking each MFP.
Note:
This chapter covers settings for all MFP models. However, you should configure only one model at a time. Thus some settings in this checklist may not appear for the model you are configuring. This is because some settings may not apply to that specific model. Ignore instructions for settings that do not appear in Web Jetadmin.
Remember that the steps in this checklist are for the specified HP MFPs. Other devices may appear in the Device Model list. It may be possible to configure them with these settings, but the results may vary.
The Multiple Device Configuration Tool will appear (Figure 4) showing the Configure Devices tab.
Figure 4: The Multiple Device Configuration Tool showing the Configure Devices tab outlined in green.
The Configure Devices tab contains almost all of the settings recommended in this checklist.
Tip:
Sometimes Web Jetadmin can lose track of MFP credentials. If this happens, some settings might fail. Clear the Web Jetadmin Device Cache (see Web Jetadmin Help) and re-enter the MFP credentials.

Configuring Initial Settings

In order to ensure a successful and secure configuration, you should configure a few of the settings first. The following instructions explain how to configure these settings:
Configuring SNMPv3
SNMPv3 provides encryption for communication between Web Jetadmin and the MFPs. It helps to ensure that only authorized and authenticated administrators have access to the configuration settings. It also helps to ensure that no one can gather sensitive information, such as passwords, usernames, and other codes, over network lines.
Note:
It is best to configure SNMPv3 by itself to ensure that the settings are saved properly.
Follow these steps:
4. Click Security in the Configuration Categories menu (Figure 5). The Security menu will appear.
Figure 5: The Security category.
5. Scroll down to the SNMPv3 option, and select the SNMPv3 checkbox (Figure 6).
Figure 6: The Security menu showing SNMPv3 selected.
6. Click to select Enabled below the SNMPv3 checkbox, and fill in the New User, the New Authentication Passphrase, and the New Privacy Passphrase fields (Figure 7). See below for details.
Figure 7: The SNMPv3 settings enabled and the fields filled out.
The New User Name field can be any name you choose.
The New Authentication Passphrase field can be any word or phrase that is at least 8 characters.
The New Privacy Passphrase field can be any word or phrase that is at least 8 characters.
CAUTION:
Be sure to remember these credentials and provide them to authorized users. If these credentials are forgotten, the only way to restore communication between HP Web Jetadmin and the MFPs is to restore the MFPs to factory default settings. These instructions are for the initial configuration of SNMPv3. Once you finish this configuration, the MFPs will require these credentials whenever anyone attempts to access settings over the network.
Note:
Web Jetadmin retains the SNMPv3 credentials for each MFP, and it will not prompt for them as long as the authorized administrator is logged onto Web Jetadmin and the credentials remain the same. You can clear the Web Jetadmin Device Cache to cause Web Jetadmin to require the credentials again. Web Jetadmin stores the SNMPv3 credentials encrypted.
7. Scroll down below the Privacy Passphrase field, and select SNMP Version 3 Only (Figure 8).
Figure 8: The SNMP Version 3 Only setting.
This setting limits communication between Web Jetadmin and the MFPs to only SNMPv3. The MFPs will ignore communications via other versions of SNMP or any other protocols.
8. Select the devices you wish to configure in the Device Model list (Figure 9).
Figure 9: The Device Model list.
Click Configure Devices (Figure 10) to execute the configuration.
Figure 10: The Configure Devices button.
After you click Configure Devices, a View Log page (Figure 11) will appear.
Figure 11: The View Log page showing that SNMPv3 is executing.
9. Wait a few seconds (sometimes this can take a few minutes), and click Refresh to see the progress. The View Log page will reappear with the status. Once the configuration is complete, the View Log page will show success (Figure 12).
Figure 12: The View Log page showing successful configuration of SNMPv3.
Now, whenever you click Apply to configure settings, the MFP will check for the SNMPv3 credentials.
Note:
Web Jetadmin stores the credentials for each MFP for convenience, but it may prompt for them on occasion. Web Jetadmin stores these credentials encrypted.
10. Click Go Back to view the Multiple Device Configuration Tool, and continue with the instructions below.
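The passphrases you typed in step 6 are not what the MFPs end up holding. SNMPv3 (the User-based Security Model, RFC 3414) hashes each passphrase and then localizes the result with the individual MFP's engine ID, so every MFP gets a different key even though the same passphrases were pushed to all of them. The Python below is an added illustration of that derivation; it is not part of this HP document or of Web Jetadmin. The engine ID and passphrase it checks are the public test vectors published in RFC 3414, and the second engine ID is constructed, not taken from any HP device.

```python
import hashlib

# RFC 3414 A.2: the passphrase is repeated to fill 1 MiB before hashing,
# which is what makes guessing a passphrase comparatively slow.
_EXPANSION_LEN = 1_048_576

# Minimum length required by RFC 3414 and stated by the HP checklist.
MIN_PASSPHRASE_LEN = 8


def passphrase_acceptable(passphrase: str) -> bool:
    """Return True if the passphrase meets the 8-character minimum."""
    return len(passphrase.encode("utf-8")) >= MIN_PASSPHRASE_LEN


def password_to_key(passphrase: str, hash_name: str = "sha1") -> bytes:
    """Derive the non-localized USM key Ku from a passphrase (RFC 3414 A.2)."""
    if not passphrase_acceptable(passphrase):
        raise ValueError("SNMPv3 passphrases must be at least 8 characters")
    pw = passphrase.encode("utf-8")
    repeats = _EXPANSION_LEN // len(pw) + 1
    expanded = (pw * repeats)[:_EXPANSION_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Localize Ku to one agent: Kul = H(Ku || snmpEngineID || Ku) (RFC 3414 2.6)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_hex(passphrase: str, engine_id_hex: str, hash_name: str = "sha1") -> str:
    """Passphrase plus engine ID (hex string) -> localized key as a hex string."""
    ku = password_to_key(passphrase, hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()


def keys_differ_per_engine(passphrase: str, engine_ids_hex) -> bool:
    """True if every engine ID yields a distinct localized key for the same passphrase."""
    engine_ids_hex = list(engine_ids_hex)
    keys = {localized_key_hex(passphrase, e) for e in engine_ids_hex}
    return len(keys) == len(engine_ids_hex)


if __name__ == "__main__":
    # Public test vector from RFC 3414 A.3 (not an HP value).
    rfc_engine = "000000000000000000000002"
    print("MD5 :", localized_key_hex("maplesyrup", rfc_engine, "md5"))
    print("SHA1:", localized_key_hex("maplesyrup", rfc_engine, "sha1"))
    # Constructed second engine ID: same passphrase, different per-device key.
    print(keys_differ_per_engine("maplesyrup", [rfc_engine, "800000090300112233445566"]))
```

The practical consequence for this checklist: the passphrases themselves exist only in Web Jetadmin's encrypted device cache and in the administrator's records, which is why losing them means a factory reset rather than recovering anything from an MFP.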
Configuring the Device Password
The Device password restricts access to many of the configuration settings. The MFPs require it to be configured before they allow configuration of some of the other settings.
Follow these instructions:
1. Click the Security option in the Configuration Categories menu (Figure 13).
Figure 13: The Security Configuration Category option.
2. Scroll down, and click to select Device Password (Figure 14).
Figure 14: The Device Password Options.
3. Type a password of up to 12 characters in the field next to Device Password, and repeat it exactly in the Repeat Password field.
4. Select the devices to configure in the Device List, and click Configure Devices.
The View Log page will appear to show the status of the configurations.
5. Click Refresh to update the status. Once the configurations are successful, click Go Back to continue.
Configuring the Access Control List (ACL)
The ACL limits network access to only the IP addresses or subnets that you specify. This includes printing and all other access.
Tip:
You can ensure that no one but you has access to the MFPs while you are configuring this checklist: List only the computer you are using until you are finished with the checklist.
The MFPs will accept IP addresses without masks to limit access to single computers. If you wish to provide access to all computers in a subnet, include the subnet mask along with an IP address that is within the subnet.
Note:
The following MFP models also have a Jetdirect Firewall feature along with the Access Control List:
HP LaserJet M3035 MFP
HP LaserJet M4345 MFP
HP LaserJet M5025 MFP
HP LaserJet M5035 MFP
HP CM 8050 Color MFP
HP CM 8060 Color MFP
HP Web Jetadmin does not provide options to configure the Jetdirect Firewall settings. Look for them in each MFP EWS.
Follow these instructions:
1. Click to select Network (Figure 15) in the Configuration Categories menu.
Figure 15: The Configuration Categories Menu Network option.
2. Scroll down, and click to select Access Control List (Figure 16).
Figure 16: The Access Control List option.
3. Add an IP address or a subnet mask by filling in the fields (Figure 17).
Figure 17: The ACL IP address field.
CAUTION:
Be sure to include the IP address of the computer that Web Jetadmin is using to connect to the MFPs (it might be a computer other than the one you are using, such as a proxy server). Otherwise, the ACL will block your access, and you will not be able to continue.
Note:
The Mask option requires an entry in the IP address field to determine the subnet for which to grant access.
4. If you wish to make sure all of the MFPs are configured only with your new listings, click to select Clear all ACL Table entries (see above) the first time you add a listing.
Note:
To find out which IP addresses are already configured in the ACL of a single MFP, open the device page in Web Jetadmin, and navigate to the ACL options (all of the MFPs should be the same if you are configuring them all at once). It will list the IP addresses or subnets that are already configured. You can also see the ACL list in each MFP EWS.
5. Click to deselect Allow Web Server (HTTP) access to ensure that the ACL restricts access to the MFP EWSs.
6. Select the MFPs you wish to configure in the Device Model list, and click Configure Devices (Figure 18).
Figure 18: The Configure Devices button.
Note:
These ACL options allow you to add one IP address or one mask at a time. To add more IPs or masks, repeat these steps. Remember to deselect Allow Web Server (HTTP) access each time.
The View Log page will appear to show the status of the configuration. Click Refresh to update the status. When the settings are successful, click Go Back to view the Multiple Device Configuration Tool, and continue with this checklist.
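To see how the MFPs interpret the entries from step 3, here is an added Python model of the ACL semantics described above: an address without a mask admits one host, and an address plus mask admits every host in that subnet. It is not HP code; the addresses in it are constructed, and the behaviour for an empty list (no restriction) is an assumption about the device, not something this checklist states. Its lockout check implements the caution above by reporting which administrative hosts, such as the computer Web Jetadmin connects from, the list would block.

```python
import ipaddress


def entry_is_valid(ip: str, mask) -> bool:
    """An entry needs an IP address; the Mask option alone is not enough (see the note above)."""
    return bool(ip)


def parse_acl(entries):
    """Turn ACL entries as typed into Web Jetadmin into network objects.

    entries: iterable of (ip, mask) tuples; mask is None or "" for a single host.
    """
    networks = []
    for ip, mask in entries:
        if not entry_is_valid(ip, mask):
            raise ValueError("the Mask option requires an entry in the IP address field")
        if mask:
            # strict=False: the IP may be any address inside the subnet.
            networks.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
        else:
            networks.append(ipaddress.ip_network(ip))  # implicit /32, one host
    return networks


def is_allowed(acl, client_ip: str) -> bool:
    """Assumption (not stated by the checklist): an empty ACL imposes no restriction."""
    if not acl:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def lockout_risk(acl, admin_hosts):
    """Return the administrative hosts this ACL would block, e.g. the Web Jetadmin host."""
    return [host for host in admin_hosts if not is_allowed(acl, host)]


if __name__ == "__main__":
    # Constructed sample: one administrator workstation plus one subnet of users.
    acl = parse_acl([("10.0.5.17", None), ("10.0.20.77", "255.255.255.0")])
    print([str(n) for n in acl])
    # Constructed: the Web Jetadmin server sits on 10.0.9.3 and was forgotten.
    print("would be locked out:", lockout_risk(acl, ["10.0.5.17", "10.0.9.3"]))
```

Run the lockout check against the list you are about to push before clicking Configure Devices; an empty result means the hosts you named stay reachable.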
Configuring Fax Send Setup (Edgeline MFPs)
If you are configuring Edgeline MFPs, follow these instructions to enable fax functions (if you plan to use the fax functions):
Tip:
This setting applies only to Edgeline MFPs. To save time, you should apply this setting only to the Edgeline MFPs you are configuring.
1. Click Fax in the Configuration Categories menu (Figure 19).
Figure 19: The Fax Configuration Category.
2. Click to select Fax Send Setup (Figure 20).
Figure 20: The Fax Send Setup option.
3. Click to select Enable Fax Send, and select Internal Modem in the Fax Send Method dropdown menu.
Note:
This checklist assumes you are using analog fax. If you wish to use another method, choose that method, and configure the appropriate settings later in the fax configuration section. This checklist does not cover alternative fax configurations because they require other network solutions or support.
4. Select the MFPs you wish to configure in the device list (note that this setting is only for Edgeline MFPs; all other MFPs will ignore this setting).
5. Click Configure at the bottom of the page. The View Log page will appear showing progress.
6. Wait a few seconds, and click Refresh to update the progress.
7. Once the View Log page shows results for all of the MFPs, click Go Back to continue.
Configuring Email Send Setup, and Send to Folder Setup for Edgeline MFPs
Edgeline MFPs also require Email Send Setup and Send to Folder Setup before they allow configurations for related settings. Follow these instructions:
Tip:
This setting applies only to Edgeline MFPs. To save time, you should apply this setting only to the Edgeline MFPs you are configuring.
1. Click Digital Sending in the Configuration Categories menu (Figure 21).
Figure 21: The Digital Sending option in the Configuration Categories menu.
2. Scroll down, and click to select Enable Send to Email (Figure 22).
Figure 22: The Enable Send to Email option.
3. Click to select Enable Send to Email to the right.
Note:
You might have to configure the SMTP Gateways Settings as well.
4. Scroll down, and click to select Enable Send to Folder (CM8060) (Figure 23).
Figure 23: The Enable Send to Folder options.
Important:
Be sure to select the Enable Send to Folder Setting that is labeled CM8060.
5. Click to select Enable Send to Folder (CM8060) to the right.
6. Click Configure at the bottom of the page. The View Log page will appear showing progress.
7. Wait a few seconds, and click Refresh to update the progress.
8. Once the View Log page shows results for all of the MFPs, click Go Back to continue.

Configuring the Bootloader Password or the Startup Administrator Password

Each MFP has a startup process that includes settings for features such as the reset options. These features are not commonly known, but they can severely affect the MFPs if they are executed improperly. You can protect these settings using either the Bootloader password for LaserJet MFPs or the Startup Menu Administrator Password for Edgeline MFPs. The Bootloader password can be configured using HP Web Jetadmin, but the Startup Menu Administrator Password can be configured using only the MFP control panel. See instructions for each type below:
Configuring the Bootloader Password for LaserJet-Based MFPs:
This section explains how to configure the Bootloader Password for the LaserJet MFPs. Skip this section if you are configuring only Edgeline MFPs.
Follow these instructions:
1. With Web Jetadmin open to the Security Configuration page, scroll down to view the Bootloader Password option (Figure 24).
Figure 24: The Bootloader Password option.
2. Click to select Bootloader Password.
Type a password of up to 16 numeric digits in the New Password field, and repeat it exactly in the Repeat Password field (do not type in the Current Password field; it has not been configured yet).
WARNING:
Take great care to create a password that can be remembered. Losing this password can cause permanent loss of access to the MFP bootloader settings. It is not possible to reset this password without the correct current password.
3. Select the MFPs you wish to configure in the device list (note that Edgeline MFPs might appear in the list, but they will ignore this setting if they are selected).
4. Click Configure at the bottom of the page. The View Log page will appear showing progress.
5. Wait a few seconds, and click Refresh to update the progress.
6. Once the View Log page shows results for all of the MFPs, click Go Back to continue.
Note:
To reset (clear) this password, click to select Bootloader Password, type the correct current password, and leave the New Password and Repeat Password fields blank. Then click Configure, and the bootloader password will be cleared.
Configuring the Startup Menu Administrator Password for Edgeline MFPs:
Edgeline MFPs use a different process for start up, and the settings for it are available only on the control panel. Follow these instructions to configure the Startup Menu Administrator Password:
1. Press the power button on the control panel. The power button is located at the upper left of the control panel display. A list of Power Options will appear in a dialog box.
2. Touch Restart, and touch OK. The MFP will shut down and restart. Continue to watch the control panel as the MFP begins to start up.
3. As soon as the HP logo appears on the control panel, touch the START button (the large green button on the right side of the control panel). The Startup Menu will appear with a list of options. Note that the touch screen is not operational at this point. Use the number keys to navigate as follows:
2 moves the highlight up
8 moves the highlight down
4 moves the highlight to the left
6 moves the highlight to the right (or shows further options)
5 selects the highlighted option (the START button also selects the highlighted option)
4. Press 2 (to move the highlight down) until Administrator Tools is highlighted.
5. Press 5 to view the Administrator menu.
6. Press 2 to highlight Change Administrator Password.
7. Press 5 to view the Enter New Password dialog box.
8. Enter a password of up to 20 characters.
WARNING:
This password cannot be reset or cleared without the correct password. Use a password that can be remembered, and store it in a safe place. To clear the password, reset it using a blank password. Once the Startup Administrator password is configured, the administrator menus cannot be accessed without the correct administrator password.
9. Press START to execute the setting. A dialog box will appear with a Confirm New Password field.
10. Repeat the password exactly in the Confirm New Password field.
11. Press START to configure the password. A message will appear stating that the password was changed successfully.
12. Press START to continue. The Administrator Tools menu will appear.
13. Press STOP to exit the menu. The Startup Menu will appear.
14. Press STOP to exit. The MFP will resume its startup process.
Optional Setting: Hiding the MFP IP address
Some of the MFPs provide their IP addresses on the control panel by default:
HP LaserJet M4345 MFP
HP LaserJet M3027 MFP
HP LaserJet M3035 MFP
HP LaserJet M5025 MFP
HP LaserJet M5035 MFP
HP Color LaserJet M4730 MFP
HP CM8050 Color MFP with Edgeline
HP CM8060 Color MFP with Edgeline
Hiding the IP address can be done only using the MFP Control panel. Follow these instructions:
1. Touch Administration on the home screen. The Administration menu will appear.
2. Touch Management. The Management menu will appear.
3. Touch Network Address Button. A menu will appear with options for the network address display function.
4. Touch Hide, and touch Save. This will remove the Network Address button from the control panel.
Once you are finished with these settings, continue with the instructions below.

Configurations for all MFPs (Including Edgeline MFPs)

This section covers settings for all MFPs. This includes Edgeline MFPs, LaserJet-based MFPs, and Color LaserJet-based MFPs. It does not cover settings that are only for Edgeline MFPs. If you are configuring Edgeline MFPs, complete this section, and continue with Configurations for Edgeline MFPs.
IMPORTANT:
Remember to configure one model at a time. You can configure any number of individual MFPs of a given model.
The instructions below cover settings for all models. Some settings may not apply to the specific model you are configuring, and they may not appear in Web Jetadmin. Ignore these settings if they do not appear in Web Jetadmin.
Also, keep in mind that some settings that are not supported for the model you are configuring may appear in Web Jetadmin. The MFPs will ignore these settings without issues. Web Jetadmin will show that they failed – not supported.
Configurations on the Device Page
The Device page contains settings that affect normal use of the MFPs including a few settings related to security. Follow these instructions:
1. Click Device in the Configuration Categories menu.
Note:
If you are configuring color MFPs, the Device page will display settings to restrict color printing for users and for applications. These settings are not covered in these instructions, but you should consider configuring them to help control the costs of color printing.
2. Scroll down, and click to select Job Retention (Figure 25), and select Enabled.
Figure 25: The Job Retention and Job Hold Timeout options.
This allows users to store print jobs for printing when they can be present to control the printouts.
3. Click to select Job Hold Timeout (Figure 25, above), and select a reasonable time for printing.
This ensures that certain types of jobs stored on the MFPs are erased after a reasonable time. Be sure to allow time at least for a person to walk to the MFP, select printing options, and print a document.
Note:
Job Hold Timeout does not apply to fax jobs.
4. Select the devices to configure in the Device List, and click Configure Devices at the bottom of the page. The View Log page will appear to show the progress.
5. Click Refresh to update the page to see the results. Click Go Back to continue.
Configurations on the Fax Page
The Fax configuration page provides a few security options for the analog fax functions. Follow these instructions:
Note:
Be sure to configure the MFPs for fax capabilities before continuing with the instructions below. At the minimum, configure the modem settings for the country, the company, and the phone number.
1. Click Fax in the Configuration Categories menu (Figure 26).
Figure 26: The Fax Configuration Category.
2. Click to select Fax Printing (Figure 27).
Figure 27: The Fax Printing options.
3. Enter a four-digit number in the PIN Number field, and repeat it in the Confirm PIN Number field. This setting requires users to provide the PIN number at the MFP control panel to print fax jobs.
Note:
This setting also enables PIN printing.
Also note that this setting does not apply to Edgeline MFPs.
4. Select Store all Received Faxes in the Enable Mode dropdown menu.
The Store all Received Faxes option holds incoming faxes for printing until someone enters the correct PIN number and selects the menu options at the control panel. You also may wish to use the fax scheduling options to print all faxes at a time when security is optimal.
5. Select the devices to configure in the Device List, and click Configure Devices.
The View Log page will appear to show the status of the configurations.
6. Click Refresh to update the status. Once the configurations are successful, click Go Back to
continue.
Configurations on the Digital Sending page
The Digital Sending page includes options for email and for send to network folder.
Follow these instructions:
1. Click Digital Sending in the Configuration categories menu.
2. Scroll down, and click to select Email Message Text (Figure 28).
Figure 28: The Email Message Text options.
This setting provides a standard message for the MFPs to send with email attachments. It eliminates the possibility of users sending improper messages from the MFPs.
3. If you wish to use the default message, click to select Message Language, and choose a language. If you wish to use a custom message, click to select Use a Custom Message, and type a message.
4. Select No in the Editable by User drop down list (just below the Use a Custom Message field). This ensures that no one can send improper email messages from the MFPs.
5. Scroll down, and click to select Default 'From:' Address (Figure 29).
Figure 29: The Default From Address options.
Note:
HP recommends configuring the default from address to ensure that no one can send email using false or misleading identification; however, if you configure LDAP authentication (later in this chapter), the MFP will use the email address of the authenticated user as the from address, and it will not allow users to change it.
6. Click to select Prevent users from changing the Default 'From:' Address.
7. Fill in the Email Address field with any address that includes the at symbol (@).
Tip:
You might wish to use the email address of an administrator who can receive responses such as email send notices and failures.
8. Fill in the Display Name and the Default Subject fields as desired.
9. If your network includes LDAP, configure the Accessing the LDAP Server options (Figure 30).
Figure 30: The Accessing the LDAP Server options.
These options enable the MFPs to provide the LDAP address book to users.
10. Select Kerberos in the LDAP Server Bind Method dropdown menu if your network provides Kerberos capabilities. Otherwise, choose Simple over SSL (requires uploading a certificate and configuring other settings that appear later in this chapter).
Note:
If possible, you should choose either Kerberos or Simple over SSL for the bind method. Kerberos is preferable if it is provided in your network. Otherwise, you should choose Simple over SSL and configure the remaining settings for SSL later in this chapter.
CAUTION:
If you choose Simple for the bind method, usernames, email addresses, passwords, and all other data will be sent over the LDAP protocol in clear text.
11. Click to select either Use Device User's Credentials or Use Public Credentials under LDAP Credentials.
If you choose Use Device User's Credentials, each MFP will prompt the user at the control panel for a valid username and password.
If you choose Use Public Credentials, each MFP will use the username and password that you provide in the Username and Password fields below this option. Enter the credentials of a valid network user, such as an administrator.
12. Scroll down, and click to select Time-outs (Figure 31).
Figure 31: The Time Outs options.
This setting ensures that the information displayed on the control panel will be removed if the user walks away without clearing the menu.
13. Select either Immediately reset to default settings or Delay before resetting the default settings.
If you choose Immediately reset to default settings, users will be able to send only one job at a time.
If you choose Delay before resetting the default settings, users will be able to send multiple jobs to a location without having to retype all of the information in the control panel. Choose a reasonable time to allow them to send a new job.
14. Select the MFPs to configure in the Device List, and click Configure Devices.
The View Log page will appear to show the status of the configurations. Click Refresh to update the status. Once the configurations are finished, click Go Back to continue.
Configurations on the Embedded Web Server Page
Each MFP has an Embedded Web Server (EWS) that provides network access to view MFP status, to set preferences, and to configure the MFP. You can view an MFP EWS by typing the MFP IP address into a web browser. This section covers settings that Web Jetadmin accesses through the EWS.
Note:
Later, at the end of this checklist, you will disable EWS Config. This will disable all of the functions of EWS including those managed in Web Jetadmin. Now, however, you should configure the settings below for security while you execute the settings in this checklist.
Follow these instructions:
1. Click Embedded Web Server in the Configuration Categories menu (Figure 32).
Figure 32: The Embedded Web Server page.
Note:
The first option in the Embedded Web Server Configuration Categories page is Embedded Web Server Password. This setting should already be configured. The MFPs automatically configure this password to be the same as the Device Password, which you should have configured earlier. See the Initial Settings section earlier in this chapter.
If you change either the Embedded Web Server password or the Device Password, the MFP will configure the other one to be the same.
2. Click to select Embedded Web Server Configuration Options (Figure 33).
Figure 33: The Embedded Web Server Configuration Options.
3. Click to enable Continue Button, and leave the remaining options blank. See below for more information:
The Embedded Web Server Configuration Options are either enabled or disabled in this menu. They will be reconfigured regardless of their current state (which is not displayed). If you select an option, you are enabling it; if you leave an option blank, you are disabling it.
The following table lists the recommended setting for each item in this list:
Embedded Web Server Configuration Option | Recommended setting | Explanation
Outgoing Mail (enabled by default) | Enable as desired | Outgoing Mail enables the MFP to send alerts and AutoSend messages to a designated recipient. This is not necessarily a security-related feature. Use it as you see fit. This setting does not affect the MFP Send to Email feature.
Incoming Mail (disabled by default) | Leave blank to disable | Normally, the MFP does not receive incoming mail; however, some legitimate network solutions might use it for certain communications. Unless your network is using it, you should disable Incoming Mail.
Cancel Job Button (disabled by default) | Leave blank to disable | Disabling Cancel Job Button prevents users from remotely cancelling the jobs of others.
Go Button (enabled by default) | Leave blank to disable | Disabling Go Button prevents users from delaying or stopping the jobs of others. It is the Pause/Resume button in the MFP EWS.
Command Invoke (enabled by default) | Leave blank to disable | Command Invoke does not apply to the MFPs. Disabling it is only a best practice.
Command Download (enabled by default) | Leave blank to disable | Command Download does not apply to MFPs. Disabling it is only a best practice.
Command Load and Execute (enabled by default) | Leave blank to disable | Command Load and Execute enables the MFPs to install and run Chai services, such as workflow applications and job accounting solutions. You should disable it unless you are using installed applications on your MFPs.
Continue Button (enabled by default) | Select to enable | Continue Button allows the MFPs to resume after they are set to pause.
Print Service (enabled by default) | Leave blank to disable | Print Service enables users to send print-ready files directly to an MFP without having the MFP installed on a computer.
4. Select the devices to configure in the Device List, and click Configure Devices. The View Log page will appear to show the status. Click Refresh to update the status. Once the View Log page shows success, click Go Back to continue.
Configurations on the Filesystem Page
The Filesystem configuration page provides settings for access to the MFP hard drive, the Compact Flash card, and optional data storage devices. This page contains effective security settings that can help prevent unauthorized access to data.
Follow these instructions:
1. Click Filesystem in the Configuration Categories menu (Figure 34).
Figure 34: The Filesystem page.
The first option is Secure Storage Erase. Secure Storage Erase requires significant downtime, and it permanently deletes all user (non-system) data stored on the MFP. It is useful for cleaning out all traces of print jobs, fax jobs, copy jobs, digital send jobs, stored fonts, and even some stored settings from an MFP, but it is not meant for routine use.
CAUTION:
Secure Storage Erase requires considerable downtime. It permanently destroys all user data including installed applications. Use it only as needed to clean MFPs for resale, for reuse, or for conforming to high-level security requirements such as Department of Defense regulations.
The instructions continue with the File System password:
2. Click to select Set Filesystem Password (Figure 35).
Figure 35: The Set Filesystem Password option.
3. Type a password of 8 characters in the File System Password field, and repeat it exactly in the Confirm File System Password field. With this configuration, the MFPs will require the password whenever anyone or any device requests access to the storage devices.
Note:
When Web Jetadmin is used to configure MFPs, it saves all of the passwords, including credentials for SNMPv3, in an encrypted device cache. As long as an authorized administrator is logged into Web Jetadmin, Web Jetadmin will supply the passwords automatically without prompting.
4. Select the devices to configure in the Device List, and click Configure Devices. The View Log page will appear to show the status. Click Refresh to update the status. Once the View Log page shows success, click Go Back to continue.
Note:
The MFPs require that the File System password be configured before they allow the other file system settings to be configured.
5. Click to select Set Secure File Erase Mode (Figure 36), and select Secure Sanitizing Erase in the dropdown menu.
Figure 36: The Secure File Erase Mode setting.
This setting determines the level of overwriting applied to delete files during routine functions. This includes removal of files for the Secure Storage Erase function (see the explanation earlier).
Secure Sanitizing Erase is recommended for this setting because it ensures that data is completely unrecoverable by overwriting files with three passes. It slows the MFP slightly but is not noticeably slower than the Secure Fast Erase mode, which overwrites files with one pass.
6. Click to select File System External Access (Figure 37).
Figure 37: The File System External Access Setting.
7. Disable all options but PostScript (see the table below).
The following table lists and explains the recommended settings:
Filesystem Access Option | Recommended Setting | Explanation
PJL | Disabled | Prevents access to the file system through this protocol.
PML | Disabled | Prevents access to the file system through this protocol.
NFS | Disabled | Prevents access to the file system through this protocol. NOTE: Disabling the NFS option disables the entire protocol for the MFPs.
PostScript | Enabled | The PostScript protocol is not as sensitive, and it is more likely to be used for common types of print jobs.
8. Select the devices to configure in the Device List, and click Configure Devices. The View Log page will appear to show the status. Click Refresh to update the status. Once the View Log page shows success, click Go Back to continue.
Configurations on the Network Page
The Network Configuration page provides options that relate to the Jetdirect Print Servers.
Follow these instructions:
1. Click Network in the Configuration Categories menu (Figure 38).
Figure 38: The Network Configuration Category.
2. Click to select either Upload Jetdirect Certificate to Server or Upload CA Certificate to Server or both, depending on the requirements of your network (Figure 39).
Figure 39: The Upload Certificate Options.
These certificate settings are to enable SSL, which is a secure protocol used for communicating with the LDAP server (You should have chosen to use this protocol if you configured LDAP access settings earlier in this chapter). SSL requires certificates to be exported either from the server to the MFPs or to the server from the MFPs depending on the configuration of your network.
3. Configure the certificate settings as applicable to your LDAP server requirements.
4. Click Encryption Strength (Figure 40).
Figure 40: The Encryption Strength option.
5. Click the Encryption Strength dropdown menu, and select the highest setting that your browser supports.
The Encryption Strength setting allows you to choose the strength of the encryption algorithm that will be used for communication between the MFP EWS and the web browsers connecting to it (this is related to the HTTPS Setting option later on the Network page).
6. Scroll down, and click to select Enable Features (Figure 41).
Figure 41: The Enable Features option.
The following table lists and explains the recommended settings for the Enable Features option:
Feature | Recommended Setting | Explanation
EWS Config | Enabled (see NOTE) | Disabling EWS Config closes down the EWS, and it eliminates the configuration settings that are controlled by the EWS. It also removes the affected settings from Web Jetadmin menus. This includes settings for email, send to folder, and fax. You should disable EWS Config while the MFPs are in use, and enable it only to make changes to the affected configurations.
NOTE: The recommendation is to disable EWS Config, but you should leave it enabled until you are finished configuring this checklist. Otherwise, it will prevent you from configuring some of the remaining settings.
Telnet Config | Disabled | Disabling Telnet Config prevents access to configuration settings and other features through Telnet.
SLP Config | Disabled | Disabling SLP Config prevents access to configuration settings and other features through SLP.
FTP Printing | Disabled | Disabling FTP Printing prevents access to configuration settings and other features through FTP. It also prevents printing through FTP.
LPD Printing | Disabled | Disabling LPD Printing prevents access to configuration settings and other features through LPD. It also prevents printing through LPD.
9100 Printing | Enabled | 9100 Printing is the access point for normal printing through standard HP print drivers.
IPP Printing | Disabled | Disabling IPP Printing prevents access to configuration settings and other features through IPP. It also prevents printing through IPP.
MDNS Config | Disabled | Disabling MDNS Config prevents access to configuration settings and other features through MDNS.
IPv4 Multicast Config | Disabled | Disabling IPv4 Multicast Config prevents access to configuration settings and other features through IPv4 Multicast.
Note:
As a rule, you should close down all MFP access points when they are not in use.
The Privacy Setting option appears later on the Network page (Figure 42).
Figure 42: The Privacy Setting option.
The Privacy Setting option is not considered security-related. It is explained here to assure you that it does not compromise your network security. It allows HP to collect statistical data about the MFPs.
HP will not collect network-specific or personal data. For information on HP privacy policies, read the Hewlett-Packard Online Privacy Statement available by clicking privacy statement at http://www.hp.com. If you enable this feature, information collected by HP will be limited to the following items:
HP Jetdirect product number, firmware version, and manufacturing date
Model number of the MFP
Web browser and operating system detected
Local language selections used for viewing Web pages
Network communications protocols enabled
Network management interfaces enabled
Device discovery protocols enabled
Printing protocols enabled
TCP/IP configuration methods enabled
SNMP control methods enabled
Wireless configuration methods enabled
HP can collect this information only when the MFPs have internet access.
7. Click RCFG Setting (Figure 43), and leave RCFG Config blank to disable it.
Figure 43: The RCFG Setting option.
This setting prevents access to configuration settings through Novell NetWare linkages; however, you should enable it if your network uses these linkages.
Note:
When you disable RCFG Setting, a warning message will appear explaining that you are disabling this access. If you are not using it, click OK to continue.
8. Click HTTPS Setting (Figure 44), and select Encrypt all web communication.
Figure 44: The HTTPS Setting option.
This setting requires web browsers to use HTTPS when contacting the MFPs. This ensures secure communications with the MFP EWS. This setting is related to the Encryption Strength setting covered earlier.
Note:
The Access Control List options appear next on the Network page, but you should have already configured this. The ACL instructions appear in the Initial Settings section of this chapter to help ensure security during the time you are configuring the MFPs.
9. Click to select Protocol Stacks (Figure 45), and deselect all unused protocol stacks as applicable to your network. See the table below.
Figure 45: The Protocol Stacks option.
The following table lists each protocol with the recommended setting and an explanation:
Protocol Stack | Recommended Setting | Explanation
IPX/SPX | Leave blank to disable | This setting disables access for Novell servers.
TCP/IP | Select to enable | This is the normal operating protocol for the MFPs.
DLC/LLC | Select to enable | This setting enables the MFP to communicate at basic levels on the network.
AppleTalk | Leave blank to disable | This protocol provides access to older Apple and Macintosh computers. It should be disabled if not in use.
10. Select the devices to configure in the Device List, and click Configure Devices. The View Log page will appear to show the status of the configurations. Click Refresh to update the status. Once the View Log page shows success, click Go Back to continue.
Configurations on the Security page
The Security Configuration page lists options that are important to MFP security.
Note:
If you are configuring color MFPs, options for restricting the use of color will appear on the Security page. You should configure these options if you wish to control the costs of color printing. These options are not covered in this checklist.
Follow these instructions:
1. Click Security in the Configuration Categories menu. This opens the Security configuration page (Figure 46).
Figure 46: The Security Configuration Category.
2. Click to select Authentication Manager (Figure 47).
Figure 47: The Authentication Manager options.
The Authentication Manager allows you to customize access to functions of the MFP. You can use these options to provide varying services to different groups of users.
Caution:
Be sure to configure only settings that are supported and configured on your network. These settings can cause loss of access to the MFPs if they are not properly configured.
The configurations for these authentication features appear later on the Security page. Be sure to select only the authentication features you plan to configure in the subsequent steps.
Note:
LDAP, Kerberos, and Digital Send Service require additional solutions on the network for support.
3. Click the dropdown menu next to Log in at Walk Up, and select from the list (Figure 48).
Figure 48: The drop down menu for Log in at Walk Up.
This feature causes the MFP to require everyone to log in for access to control panel menus. You can choose to require further authentication for specific functions of the MFP.
4. Choose an appropriate authentication method for each of the Device Functions. If you use varying login methods for each device function, the MFP will require authentication as needed. The MFP automatically allows authenticated users to continue wherever they are allowed.
Note:
The DSS Secondary E-mail function and the DSS Workflow function require HP Digital Send Service to be installed on the Network. Digital Send Service is an additional solution offered at hp.com.
5. Choose an authentication method for Future Installations as desired. This automatically requires authentication for new solutions that may be installed on the MFP. You should choose a method for this option as a best practice even if you do not expect to add solutions to the MFPs.
6. If your network includes LDAP, configure the LDAP options (Figure 49).
Figure 49: The Accessing the LDAP Server options.
These settings enable the MFPs to require a user's NT logon credentials for use of the MFPs. This is related to the LDAP access options in the Digital Sending page, which enable the MFP to use the LDAP address book. This setting is required if you chose it for any of the features in the Authentication Manager at the beginning of this section.
7. Select Simple SSL in the LDAP Server Bind Method dropdown menu.
Note:
If possible, you should choose Simple SSL for the bind method and configure the LDAP server for communication over a secure SSL channel. You should have configured the certificate upload setting earlier in this chapter to enable SSL.
CAUTION:
If you choose Simple for the bind method (without using SSL), usernames, email addresses, passwords, and other data will be sent over the LDAP protocol in clear text.
8. Fill in the remaining fields according to your network configuration.
9. If your network has Kerberos authentication capabilities, configure the Kerberos Authentication options. This setting is required if you chose it for any of the features in the Authentication Manager at the beginning of this section.
10. Click to select PIN Authentication (Figure 50), enter PINs as desired, and repeat the PINs exactly in the Confirm PIN fields. This setting is required if you chose it for any of the features in the Authentication Manager at the beginning of this section.
Figure 50: The PIN Authentication options.
You can use PIN Authentication with other authentication features to further restrict use of the MFPs. For instance, you can require all users to login at walk up using the LDAP system and then require Group 1 PIN for access to the copy function and Group 2 PIN for access to the fax function.
Note:
Configure NTLM if your network includes NTLM service. This option enables the MFP to authenticate to NTLM for the purposes of digital sending to network folders. It is not for restricting access to MFP functions.
Note:
The Bootloader Password option appears next on the Security Page. You should have already configured this at the beginning of this chapter. See the Initial Settings section.
11. Click to select Printer Firmware Update (Figure 51), and click Disabled to disable it.
Figure 51: The Printer Firmware Update option.
The Printer Firmware Update option disables the MFP function to install new versions of firmware. This feature should be disabled during normal use and enabled only when you are prepared to update firmware. Keep in mind that HP strongly recommends updating MFP firmware regularly.
Note:
The SNMPv3 option appears next on the Security page, but you should have already configured it. The SNMPv3 instructions appear at the beginning of this chapter to help ensure security during the time you are configuring the MFPs. See the Initial Settings section for more information.
Note:
The Disable Direct Ports option appears next on the Security page. This option should be configured only by itself. It requires the MFPs to turn off and turn on, which would cause all other configuration requests to be lost. See the Configuring Final Settings section at the end of this chapter.
Note:
The Device Password option appears next on the Security page. You should have already configured this option at the beginning of this chapter. See the Initial Settings Section for more information.
12. Click to select Control Panel Access (Figure 52), and click to select Maximum Lock.
Figure 52: The Control Panel Access option.
Maximum Lock ensures that no one can access configuration settings in the control panel.
Note:
Control Panel Maximum Lock prevents everyone from accessing configuration settings in the control panel, including digital send and fax settings. If you wish to make changes to settings in the control panel, unlock access using Web Jetadmin, make the changes, and then lock access again. See the Ramifications chapter for more information.
13. Click to select Allow Use of Digital Send Service (Figure 53), and click Disabled (unless your network is using HP Digital Send Service).
Figure 53: The Allow Use of Digital Send Service option.
Digital Send Service is an HP solution for managing the digital sending functions of MFPs. It is useful and recommended for this purpose, but it is not addressed in this checklist. If you are using Digital Send Service, enable it here, and be sure to configure the security settings in Digital Send Service.
14. Click to select Allow Transfer to New Digital Send Service (Figure 54), and click Disabled.
Figure 54: The Allow Transfer to New Digital Send Service option.
Digital Send Service claims ownership of the MFPs it manages. Anyone with another installation of Digital Send Service can take over an MFP unless you disable this option.
15. Click to select PJL Password (Figure 55).
Figure 55: The PJL Password option.
16. Type a numeric password of at least 5 digits (any value up to 2147483647), and repeat it in the Repeat PJL Password field.
The PJL password protects the default features on the MFP. PJL commands are allowed only when the correct PJL password is included. This also affects PCL and PostScript commands.
17. Once you have made your choices, click Configure Devices at the bottom of the page. The View Log page will appear to show the progress. Wait a few moments, and click Refresh to see the updated status. When the View Log page shows success, click Go Back to continue.

Configuring Settings for Edgeline MFPs

Edgeline MFPs have many unique security features that should be configured separately from LaserJet and Color LaserJet-based MFPs. This saves time, and it avoids the complications that can arise from configuring MFPs that reject these settings. Follow these instructions, but select only Edgeline MFPs in the devices list at the end of each configuration category:
Tip:
These settings apply only to Edgeline MFPs. You may wish to use the Web Jetadmin Device Filter feature to exclude other MFPs for these settings.
Configurations on the Device Page
1. Go to the Device configuration page, and click to select Fax Printing Schedule (Figure 56).
Figure 56: The Fax Printing Schedule options.
2. Click to select Always Store Faxes, or select Use Fax Printing Schedule. This enables users to control when faxes are printed so they can be present during printing.
If you choose to select Use Fax Printing Schedule, be sure to fill out the table with your scheduling preferences. These settings will not work unless you fill them out. Note that the times are in 24-hour format.
3. Once you have made your choices, click Configure Devices at the bottom of the page. The View Log page will appear to show the progress. Wait a few moments, and click Refresh to see the updated status. When the View Log page shows success, click Go Back to continue.
Configurations on the Digital Sending Page
1. Go to the Digital Sending Configuration Category page, and click to select LDAP Server Settings (Figure 57).
Figure 57: LDAP Server Settings.
These settings enable the Edgeline MFPs to access the LDAP server to provide addresses and contacts. It is important to configure SSL to ensure that usernames and other information from the LDAP server are encrypted.
2. Configure the Enable Network Contacts setting as desired, and fill in the LDAP Server Address field according to your network configuration.
3. Click to select Use a secure connection (SSL), and be sure to configure the certificate settings later in this chapter. This setting is important for security. It helps ensure that the usernames and other sensitive data are protected over the network.
4. Configure the Use Custom Port setting as desired.
5. Scroll down, and click to select Server Connection Settings (Figure 58).
Figure 58: The LDAP Server Connection Settings.
6. If your network provides Kerberos capabilities, select Windows Negotiated under LDAP Server Authentication. Otherwise choose according to the configurations of your network.
7. Configure the remaining Server Connection Settings as desired. You may wish to select Use MFP user credentials to connect after Sign In, and then configure user access options.
8. Scroll down, and click to select Default Message Settings (Figure 59).
Figure 59: The Default Message Settings options.
These settings restrict users from changing the address fields in email jobs.
9. Click to select Restrict users from editing all address fields.
10. Type an email address that includes the at (@) symbol in the Default E-mail Address field.
You may wish to use the address of an administrator who can receive responses or error reports for messages sent by the MFPs. This setting may be superseded if you choose to use the user's authenticated email address from the LDAP server.
11. Fill in the Default Display Name, the Default Subject, and the Default Messages fields as desired.
12. Click to select Restrict users at the device from editing the Message field.
13. Once you have made your choices, click Configure Devices at the bottom of the page. The View Log page will appear to show the progress. Wait a few moments, and click Refresh to see the updated status. When the View Log page shows success, click Go Back to continue.
Configurations on the Security Page
1. Go to the Security Configuration Category page.
2. Click to select Default Sign in Method (Figure 60), and choose a method in the dropdown list.
Figure 60: The Default Sign in Method option.
The Default Sign in Method provides a standard method of restricting access to the MFP. The method you choose will be used whenever access restrictions are not configured.
3. Click to select Access Control Level for Device Functions (Figure 61).
Figure 61: The Access Control Level options (Edgeline MFPs).
This feature allows you to create roles for various types of users and to provide varying access to MFP functions and features for each role. Continue with the following steps:
a. Choose either Maximum or Custom for the overall access control level. Maximum requires all users to log in for all functions of the MFP. Custom allows you to choose the level of access for each function.
b. If you chose Custom for the access control level in Step a, choose a default sign in method for each device function in the list. Be sure that the sign in method you choose for each function is configured.
c. Add a new user role in the Permission Set field (Figure 62) by typing a name for a role and clicking Add New.
Figure 62: The Permission Set options under the Access Control Level options (Edgeline MFPs).
d. After you have added a name, click Permission set. A list of Device Functions with Access Control (Figure 63) will appear.
Figure 63: The Device Functions with Access Control list (Edgeline MFPs).
e. Click to select the device functions for which to allow access for that role.
f. Click Apply at the end of the list.
g. Repeat Steps c-f for as many roles as you wish to create.
4. (Edgeline MFPs) Click to select LDAP Sign in Setup (Figure 64).
Figure 64: The LDAP Sign in Setup options (Edgeline MFPs).
This feature is for setting up LDAP sign in. It is required if you chose LDAP sign in for the Authentication Manager settings earlier in this section or for the Access Control Level settings above.
5. Configure the LDAP Sign in Setup options according to your network LDAP configuration. Be sure to use an SSL port to ensure secure communication.
6. If you selected Windows sign in for configurations above (only if your network supports it), click to select Windows Sign in Setup (Figure 65).
Figure 65: The Windows Sign in Setup options.
7. Configure the Windows Sign in Setup options according to the configurations of your network.
8. If your network supports Novell, configure the NOVELL Sign in Setup options (Figure 66).
Figure 66: The NOVELL Sign in options.
9. Click to select LDAP Users and Groups (Figure 67).
Figure 67: The LDAP Users and Groups options.
These settings define the users or groups that are provided permissions via the LDAP system. If you chose LDAP for a log in method above, fill out the LDAP Users and Groups settings:
a. Select a permission level in the Default Permission Set for LDAP Users drop down list.
b. If you wish to add a user, type a name for the user in the User Name field, choose a Permission set in the dropdown list, and click Add New.
c. If you wish to add a group, type a name for the group in the Group Name field, choose a Permission set in the dropdown list, and click Add New.
10. If you selected Windows sign in for configurations above (only if your network supports it), click to select Windows Users and Groups (Figure 68).
Figure 68: The Windows Users and Groups options.
These settings define the users or groups that are provided permissions via Windows. If you chose Windows for a log in method above, fill out the Windows Users and Groups settings:
a. Select a permission level in the Default Permission Set for Windows Users drop down list.
b. If you wish to add a user, type a name for the user in the User Name field, choose a Permission set in the dropdown list, and click Add New.
c. If you wish to add a group, type a name for the group in the Group Name field, choose a Permission set in the dropdown list, and click Add New.
11. Click to select Device User Accounts and choose a Default Permission Set for Windows Users in the dropdown menu.
Note:
Setup for Device User Accounts is available only in the Edgeline MFP Embedded Web Server. If you wish to use Device User Accounts, go to the EWS of each MFP, and configure them. See MFP User Guide for more information.
12. Once you have made your choices, click Configure Devices at the bottom of the page. The View Log page will appear to show the progress. Wait a few moments, and click Refresh to see the updated status. When the View Log page shows success, click Go Back to continue.

Configuring Final Settings

The final settings are for all MFPs. These settings should be configured only by themselves and only at the end of this checklist. Follow these instructions for the final settings:
1. Go to the Network page, and click to select Enable Features (Figure 69).
Figure 69: The Enable Features option.
2. Click to disable EWS Config. EWS Config was required for configuring this checklist, but it should be disabled during normal use of the MFPs.
Note:
This setting removes all configuration settings from the MFP EWSs. It also removes all EWS-related settings from Web Jetadmin (they will disappear from Web Jetadmin menus). With this setting configured, the only way to make changes to the EWS settings again is to re-enable them using Web Jetadmin. Always remember to disable EWS Config after making changes.
3. Click Configure Devices at the bottom of the page. The View Log page will appear to show the progress. Wait a few moments, and click Refresh to see the updated status. When the View Log page shows success, click Go Back to continue.
4. Go to the Security page, and click to select Disable Direct Ports (Figure 70).
Figure 70: The Disable Direct Ports option.
5. Click to select the Disable Direct Ports option to the right.
The Disable Direct Ports feature shuts down the USB and Parallel ports on the MFPs. It ensures that only network-connected computers can access the MFPs. In order to configure this feature, each MFP will turn off and turn on automatically.
6. Click Configure Devices at the bottom of the page.
7. Wait for a few minutes to allow all of the MFPs to restart.
This is the end of the network settings process. See below for more information on securely managing MFPs.

Notes on IPsec

IPsec is a secure communication method that is available as an accessory to LaserJet and Color LaserJet-based MFPs. It is included with Edgeline MFPs. It is not covered in this checklist because it is not configurable using HP Web Jetadmin. However, you should consider it a valuable tool for network security.
You can upgrade LaserJet and Color LaserJet MFPs using the HP Jetdirect 635n Print Server Card. This accessory provides added network security using IPsec and IPv6 protocols. This technology enables security for network traffic including the content of print jobs, the content of email jobs, and the content of digital sending jobs. Look for the HP Jetdirect 635n Print Server Card at hp.com.
You can configure IPsec for each Edgeline MFP using the EWS. See user guides and EWS Help for more information. You can also find helpful information by searching for it at hp.com.

Using Web Jetadmin and MFP Passwords

Web Jetadmin is a powerful tool that allows you to manage any number of MFPs and printers. It provides a wide variety of features and services on the network. Without proper security, Web Jetadmin can give malicious users the same conveniences for attacking your network. Thus, configuring security features and passwords for Web Jetadmin and the MFPs, and updating them regularly, is important to network security.
This involves several passwords that limit access to important areas of the MFP. When you attempt to make changes to configurations, the MFPs will require all applicable passwords. Web Jetadmin keeps an encrypted cache of these passwords whenever they are configured or used, and it will not prompt you for them if it has them. However, sometimes the cache can lose track of some credentials. Thus, you should keep a log of the passwords in a safe place. Web Jetadmin will prompt for passwords during the configuration process if they are missing from the cache.
CAUTION:
Losing passwords can eliminate access to an MFP. Be careful to record them in a safe place. It is most important to remember the Bootloader password. With it, it is possible to restore the MFPs to factory default settings. Without it, the only way to restore the MFPs is to involve an HP-authorized service technician to reset the entire MFP. You may wish to use a password vault program to organize and store the passwords.
Here is a list of the passwords you should configure:
Web Jetadmin password (required during installation of Web Jetadmin)
SNMPv3 credentials
Bootloader Password
EWS Password
Device Password
File system password
Fax PIN
Device PIN (for MFP functions)
User PIN (for individual user accounts)
PJL password
Use good practices for setting and updating passwords (some of the password settings require certain parameters):
Use alpha and numeric characters.
Use passwords with at least 8 digits.
Avoid using the same password for more than one setting (however, some passwords are synchronized in the MFP).
Avoid using a pattern for passwords.
Change the passwords often.

Settings List

This chapter is a bulleted list of the settings recommended in this checklist. It does not include instructions or explanations. Use it to check-off each setting as you follow the instructions in the Network Security chapter (above). See the Ramifications section (below) for information on each setting.
NOTE:
These settings are recommended settings for reasonable security on the most common networks that include MFPs. MFPs configured according to this list are considered reasonably secure, but HP does not warrant or guarantee that this configuration prevents or limits networks from malicious attacks.
CAUTION:
Remember that these settings are recommended for the most common types of networks. Your network likely requires some configurations that are not recommended in this checklist. Consider each setting for your unique network.

Initial settings

Configure SNMPv3 (Security page).
Configure Device Password (Security page).
Configure ACL (Network page).
o Disable Allow Web Server (HTTP) Access.
Configure Fax Setup (Fax page for Edgeline MFPs).
o Select Internal Modem.
Enable Send to Email (Digital Sending page for Edgeline MFPs).
Enable Send to Folder (Digital Sending page for Edgeline MFPs).
Configure Bootloader password (Security page for LaserJet and Color LaserJet MFPs) or Startup Administrator Password (control panel for Edgeline MFPs).
Hide the MFP IP Address (Control Panel on all MFPs).

Settings for All MFPs

Device Page Settings

Enable Job Retention.
Configure Job Hold Timeout.

Fax Page Options

Configure Fax Printing.
o Establish PIN Number.
o Configure Enable Mode to Store All Received Faxes.

Digital Sending Page Options

Configure Email Message Text.
o Choose Message Language for default text, or choose Use a Custom Message and type message.
o Select No for Editable by User.
Configure Default From Address.
o Select Prevent user from changing the Default From Address.
o Fill in Email Address, Display Name, and Default Subject as desired.
Configure Accessing LDAP Server settings (if available on your network).
o Configure LDAP Server Bind Method to Kerberos or Simple over SSL (depending on availability in your network).
o Select either Use Device User's Credentials, or Use Public Credentials as desired.
o Type a username and a password if you selected Use Public Credentials.
Configure Time-outs to either Immediately reset default settings or Delay before resetting the default settings.
o Type a number of seconds to delay if selected.

Embedded Web Server Page Options

Configure Embedded Web Server Configuration options.
o Enable Outgoing Mail (as desired).
o Disable Incoming Mail.
o Disable Cancel Job Button.
o Disable Go Button.
o Disable Command Invoke.
o Disable Command Download.
o Disable Command Load and Execute.
o Enable Continue Button.
o Disable Print Service.

File System Page Options

Configure File System Password (apply the File System Password setting before continuing).
Configure Secure File Erase Mode to Secure Sanitize Erase.
Configure File System External Access.
o Disable PJL.
o Disable PML.
o Disable NFS.
o Enable PostScript.

Network Page Options

Upload SSL Certificate (if available).
o Configure certificate settings according to your network configuration.
Configure Encryption Strength to Medium or High depending on your browser capabilities.
Configure Enable Features options (do not disable EWS Config at this point).
o Disable Telnet Config.
o Disable SLP Config.
o Disable FTP Printing.
o Disable LPD Printing.
o Enable 9100 Printing.
o Disable IPP Printing.
o Disable MDNS Config.
o Disable IPv4 Multicast Config.
Set the Privacy Setting (as desired).
Disable RCFG Setting.
Enable HTTPS Setting to Encrypt all web communication.
Configure Protocol Stacks.
o Disable IPX/SPX.
o Enable TCP/IP.
o Enable DLC/LLC.
o Disable AppleTalk.

Security Page Options

Configure Authentication Manager to restrict access to specific MFP functions. Choose only methods that are available on your network and that you plan to configure.
Configure authentication (LDAP, Kerberos, or Group PIN) according to your choices in the Authentication Manager.
Disable Printer Firmware Update.
Configure Control Panel Access to Maximum Lock.
Disable Allow Use of Digital Send Service.
Disable Allow Transfer to New Digital Send Service.
Configure PJL Password.
Configure color restriction settings as desired.

Settings only for Edgeline MFPs

Device Page Options

Configure Fax Printing Schedule.
o Select Always Store Faxes, or Use Fax Printing Schedule.
o If you choose Use Fax Printing Schedule, fill out the table.

Digital Sending Page Options

Configure LDAP Server Settings.
o Select Enable Network Contacts (as desired).
o Fill out LDAP Server Address according to the configuration of your network.
o Select Use a secure connection (SSL).
o Configure Use Custom Port (as desired).
Configure Server Connection Settings.
o Select Windows Negotiated if your network has Kerberos capabilities.
o Configure Use MFP user credentials… or Default Credentials… as desired.
o Fill in the log in credentials, if you chose Default Credentials… above.
Configure Default Message Settings.
o Select Restrict Users from editing all address fields.
o Fill in Default Email Address, Default Display Name, Default Subject, and Default Message.
o Select Restrict users at the device from editing the Message field.

Security Page Options

Configure Default Sign in Method.
Configure Access Control Level for Device Functions.
o Choose either Maximum or Custom under Access Control Level.
o If you chose Custom above, choose a sign in method for each device function in the list.
o Add new user roles as desired, and click Permission Set.
o Select from the list of device functions as desired.
o Click Apply.
Configure LDAP Sign in Setup.
o Configure settings according to your network configuration, but use an SSL port.
If you selected Windows Sign in for Access Control Levels, configure Windows Sign in Setup.
If your network supports Novell, configure Novell Sign in Setup.
If you selected LDAP for Access Control Levels, configure LDAP Users and Groups.
If you selected Windows Sign in for Access Control Levels, configure Windows Users and Groups.

Final settings

Disable EWS Config.
Disable Direct Ports (wait for MFPs to restart).

Default Settings

This chapter lists the default setting for each configuration in the checklist:
Setting Default Setting
Initial settings
Configure SNMPv3. Not configured
Configure Device Password. Not configured
Configure ACL. Not configured
Disable Allow Web Server Access. Configured
Configure Fax Setup Not configured
Select Internal Modem None selected
Configure Send to Email Setup Not configured
Configure Send to Folder Setup Not configured
Configure Bootloader password or Startup Administrator Password
Hide MFP IP Address. Hidden on some models; displayed on others
Settings for all MFPs
Enable Job Retention. Enabled
Configure Job Hold Timeout. Never Delete
Configure Fax Printing. Not configured
Establish PIN Number. Not configured
Configure Enable Mode to Store All Received Faxes. Print All Received Faxes
Configure Default From Address. Not configured
Select Prevent user from changing the Default From Address. Not selected
Configure Accessing LDAP Server settings (if available on your network). Not configured
Configure LDAP Server Bind Method to Simple over SSL (if possible). Simple
[setting label missing in source] Not configured
[setting label missing in source] Not configured
Configure Time-outs to Delay before resetting the default settings, and type a number of seconds to delay. Delay default: 20 seconds
Configure Embedded Web Server Configuration options. (See below)
Enable Outgoing Mail. Enabled
Disable Incoming Mail. Disabled
Disable Cancel Job Button. Disabled
Disable Go Button. Enabled
Disable Command Invoke. Enabled
Disable Command Download. Enabled
Disable Command Load and Execute. Enabled
Enable Continue Button. Enabled
Disable Print Service. Enabled
Configure File System Password. Not Configured
Configure Secure File Erase Mode to Secure Fast Erase or Secure Sanitize Erase.
Configure File System External Access. (See below)
Disable PJL. Enabled
Disable PML. Enabled
Non-Secure Fast Erase
Disable NFS. Enabled
Enable PostScript. Enabled
Upload SSL Certificate. Not applicable
Configure Encryption Strength to Medium. Low
Configure Enable Features options (do not disable EWS Config at this point).
Disable Telnet Config. Enabled
Disable SLP Config. Enabled
Disable FTP Printing. Enabled
Disable LPD Printing. Enabled
Enable 9100 Printing. Enabled
Disable IPP Printing. Enabled
Disable MDNS Config. Enabled
Disable IPV Multicast Config. Enabled
Set the privacy setting as desired. Configured
Disable RCFG Setting. Enabled
Enable HTTPS Setting to Encrypt all web communication. Not enabled
Configure Protocol Stacks. (See below)
Disable IPX/SPX. Enabled
Enable TCP/IP. Enabled
(See below)
Enable DLC/LLC. Enabled
Disable AppleTalk. Enabled
Configure Authentication Manager Choose (all options)
Configure authentication (LDAP, Kerberos, Group 1 PIN, or Group 2 PIN).
Disable Printer Firmware Update. Enabled
Configure Control Panel Access to Maximum Lock. Unlock
Disable Allow Use of Digital Send Service. Enabled
Disable Allow Transfer to New Digital Send Service. Enabled
Configure the PJL Password. Not configured
Configure color restriction settings. Not configured
Settings only for Edgeline MFPs
Configure Fax Printing Schedule. Always Print Faxes
Configure LDAP Server Settings. Not configured
Configure Server Connection Settings. Not configured
Configure Default Message Settings. Not configured
Not configured
Configure Default Sign in Method. Novell NDS
Configure Access Control Level for Device Functions. Not configured
Configure LDAP Sign in Setup. Not configured
Configure Windows Sign in Setup. Not configured
Configure LDAP Users and Groups. None configured
Configure Windows Users and Groups. None configured
Disable EWS Config. Enabled
Disable Direct Ports. Enabled

Ramifications

Raising the level of security on any network product requires giving up some conveniences and usability. This section explains some of the compromises you can expect from configuring this checklist. Keep in mind that this is not a comprehensive list. You should test your system to know how it reacts to these settings and configurations.
The following sections explain some of the known ramifications of each setting:

Initial Settings

Enable SNMPv3.
SNMPv3 adds authentication and encryption (privacy) to SNMP traffic, so management commands and their responses can neither be read nor forged on the wire. Web Jetadmin accesses all of the MFP configuration settings through the MFP SNMP ports. Once SNMPv3 is configured, the MFPs require the SNMPv3 credentials every time anyone tries to configure settings using Web Jetadmin or any other tool. Web Jetadmin includes a device cache that stores the passwords and credentials for each MFP; whenever an authorized Web Jetadmin administrator makes a change, Web Jetadmin supplies the credentials without prompting, so the administrator needs to remember them only when the cached credentials are outdated. The device cache is kept encrypted, and Web Jetadmin allows only an authenticated administrator to log in and manage the MFPs. Be sure to configure a robust password for the Web Jetadmin administrator, since that account then unlocks every cached MFP credential.
With SNMPv3 configured, an unauthorized user will see a prompt for the SNMPv3 credentials. If a user enters incorrect credentials, the MFPs do not disclose which part of the credentials is wrong; they simply return to the prompt.
SNMPv3 slows the configuration process somewhat because of the authentication and encryption work on every request.
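The following is an added example that is not part of the HP guide or of Web Jetadmin. It shows why the SNMPv3 credentials end up tied to each individual MFP: the User-based Security Model (RFC 3414) hashes the user's password into a key and then localizes that key with the device's snmpEngineID, so one password yields a different key on every device. The password and the first engine ID below are the RFC 3414 Appendix A test vector; the second engine ID is constructed to stand in for a second MFP. None of these are values from any HP product.

```python
import hashlib

# RFC 3414 Appendix A test vector (not a value from the HP guide or any MFP).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID standing in for a second MFP.
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")


def password_to_key(password: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 A.2: feed 1,048,576 bytes of the cyclically repeated password
    through the hash to obtain the user key Ku."""
    if not password:
        raise ValueError("empty SNMPv3 password")
    total = 1048576
    reps, rem = divmod(total, len(password))
    return hashlib.new(algorithm, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku). This localized key is
    what the agent stores and what the per-message HMAC is keyed with."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, algorithm: str = "md5") -> bytes:
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def keys_per_device(password: bytes, engine_ids, algorithm: str = "md5") -> dict:
    """Map each engine ID to its localized key. The same password gives every
    MFP a distinct key, so a key recovered from one device does not authenticate
    to another, and a management tool has to hold credentials per device."""
    return {eid.hex(): localized_key(password, eid, algorithm).hex() for eid in engine_ids}


if __name__ == "__main__":
    for eid, key in keys_per_device(RFC3414_PASSWORD, [RFC3414_ENGINE_ID, OTHER_ENGINE_ID], "sha1").items():
        print(eid, key)
```

The guide does not say which authentication protocol the MFP firmware offers; where SHA is available, prefer it over MD5. Either way, the security of every localized key still rests on the strength of the one password you type into Web Jetadmin.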
Configure Device Password
The Device Password restricts access to the configuration settings. With it configured, the MFPs require the password whenever anyone or any application attempts to make changes to the settings.
Web Jetadmin keeps all passwords and credentials in the encrypted device cache. It automatically provides the EWS password to the MFPs whenever they prompt for it.
The Device Password is synchronized with the EWS Password, which appears on the Embedded Web Server Configuration Category page. Whenever a change is made to either password, the MFP will change the other one to be the same.
Fill in the Access Control List.
The Access Control List is a table that lists the IP addresses of PCs that are allowed to access the MFPs. This can be helpful toward a highly-secure configuration because it ensures that only those using authorized computers will have network access to the MFPs. The ACL covers all access to the MFPs including printing.
If you wish to provide access to groups of users, use the Subnet Mask feature so you do not have to know a large number of IP addresses. Be sure to include one IP address for each subnet mask to allow the MFPs to determine where to find the subnets.
Users of computers that are not on the ACL will observe errors when attempting to access the MFPs. It will appear as though the MFPs are not connected to the network.
The MFPs allow access to all IP address until the ACL is filled out. Once it is filled out with even a single address, it blocks all other access. Be sure to include the computer that is running Web Jetadmin, or the MFPs will block its access as well (it is possible to operate Web Jetadmin from a remote computer). If your computer uses a proxy for access to the MFPs, be sure to include the proxy server in the ACL.
CAUTION:
If the Access Control List is filled out incorrectly, it can cause complete loss of communication with the MFPs. Be sure to use the correct information. The only way to restore communication is to reconfigure the MFPs to factory default settings.
Disable Allow Web Server (HTTP) access.
The MFPs have Embedded Web Servers that provide many of the configuration capabilities that Web Jetadmin provides. If you enable Allow Web Server (HTTP) access, users will be able to access the MFP EWSs without restriction. If you disable Allow Web Server (HTTP) access, only computers listed on the ACL will have access to the EWSs. Later, this checklist recommends disabling the EWSs completely, but disabling Allow Web Server (HTTP) access provides more assurance that no one will have this access.
With Allow Web Server (HTTP) access disabled, a browser outside the ACL will show that access is denied.
Configure Fax Setup (Edgeline MFPs).
This setting is required to enable other fax-related settings on Edgeline MFPs. It is placed here to ensure that all of the fax settings are available as you continue with the checklist.
Note:
This checklist assumes that you are using analog fax functions of the MFPs. It does not cover other types of fax that are available on Edgeline MFPs. See the MFP user guide for more information.
Configure Send to Email Setup (Edgeline MFPs).
This setting is required to enable other email-related settings on Edgeline MFPs. It is placed here to ensure that all of the email settings are available as you continue with the checklist.
Configure Send to Folder Setup (Edgeline MFPs).
This setting is required to enable other send to folder-related settings on Edgeline MFPs. It is placed here to ensure that all of the send to folder settings are available as you continue with the checklist.
Configure Bootloader Password for LaserJet and Color LaserJet MFPs, or configure the Setup Administrator Password for Edgeline MFPs.
This password protects against accidental or intentional access to the MFP startup settings. These settings are similar to the BIOS settings on a PC: they affect the services that are loaded when the MFP is turned on.
With this password configured, the MFP prompts for it whenever anyone tries to access the startup settings. If the user enters the wrong password, the MFP continues to prompt for it.
Note:
This password setting is permanent. There is no way to reset it or to change it without providing the correct password. Thus, it is extremely important to use a password that can be remembered and to record it in a safe place.
Hide the MFP IP Address
Many of the HP MFPs display a control panel button that shows the IP address. This is meant as a convenience, but it can be considered a security risk because it tells anyone standing at the device where to reach it on the network. Thus, you may decide to hide this button.

Settings for all MFPs (including Edgeline MFPs)

Device Page Settings

Enable Job Retention.
Job Retention saves fax or print jobs on the hard drive for printing when the user is present. The security implication is that a user can be sure others will not be able to see the printed documents as they exit the MFPs. For printing, a user sets the PIN at the time of sending the print job to the MFP. For fax printing, one PIN is configured for access to all incoming jobs. The MFP will require the PIN at the control panel before it will print the job.
Configuring Job Retention allows for more use of the MFP hard drive. Thus, you should configure Job Hold Timeout (see below) to ensure that jobs are eventually removed from the hard drive.
Enable Job Hold Timeout.
Job Hold Timeout is related to the Job Retention setting above. It ensures that certain jobs are eventually deleted from the MFP hard drives.
Job Hold Timeout requires that users are mindful of their print jobs. Users will not be able to recover jobs that are deleted after the timeout period. Jobs are deleted securely according to the Secure File Erase settings.
NOTE:
Stored faxes are not affected by Job Hold Timeout.

Fax Page Options

Configure Fax Printing.
With Fax Printing configured, the MFPs will hold all fax jobs until someone provides the PIN at the control panel. This improves security by ensuring that printed faxes are not left in the output trays where unauthorized personnel might see them.
NOTE:
Stored faxes are not affected by the Job Hold Timeout. Fax standards require that all incoming faxes are eventually printed or otherwise viewed.
The Fax Printing options can limit access to timely faxes. You may wish to provide the PIN to a number of people to ensure that someone can print a fax on demand. You also may wish to configure the Fax Print Schedule to ensure that all faxes are printed regularly, or configure fax alerts to ensure that personnel know when a fax arrives.

Digital Sending Page Options

Configure the Default From Address, and select Prevent users from changing the Default From Address.
The Default From Address setting allows you to place a standard and consistent address in the From field of MFP email jobs. Selecting Prevent users from changing the default from address ensures that users are unable to tamper with it. These features ensure that nobody can use the MFP to spoof identity or to provide erroneous addresses.
Consider using a from address that describes the location or the type of MFP, or use a real address that can monitor reply messages.
With the Default From Address configured, no one can change the From Address in email messages. The address you configure is the only address anyone can use.
Configure Accessing LDAP Server settings (if available on your network).
These LDAP settings enable the MFPs to provide the LDAP address books to users. Access to the address books is not necessarily related to security, but the accompanying security settings are important for its use. They are also required for LDAP authentication, which appears later in the checklist. It is important to use the SSL capabilities to ensure that usernames, passwords, and email addresses are not passed over the network in clear text.
When Accessing LDAP Server settings is configured, the MFPs provide access to the LDAP address book using either the credentials of a valid network user, such as an administrator, or the credentials of the MFP user (depending on your preferences). The MFP will prompt for credentials as necessary.
Configure LDAP Server Bind Method to Simple over SSL (if possible).
Normally, communications between the MFPs and the LDAP servers pass over network lines in clear text, including the bind credentials. With Simple over SSL configured, communications are encrypted. This setting may require an SSL certificate installed on the MFP, on the LDAP server, or both. See the settings for uploading SSL certificates in the Network page section.
Configure Time-outs to Delay before resetting the default settings, and type a number of seconds to delay.
This setting enables the MFPs to remove email addresses or fax information from the control panel if a user forgets to reset it. With the timeouts configured, an MFP control panel will revert to the default screen, and a user will have to retype addresses and other destination data.

Embedded Web Server Page Options

Configure Embedded Web Server Configuration Options.
These options limit some of the EWS features that can be misused:
o Enable Outgoing Mail as desired.
An MFP sends some email, such as automatic fax notifications and consumables alerts, depending on configurations. This feature does not affect the MFP send to email functions. It also is not known to affect network security. If you use fax notification or other automatic email alerts, you should enable Outgoing Email.
o Disable Incoming Mail.
Some network solutions can send commands to the MFP via email. If your network uses any of these solutions, it might be best to enable it; otherwise, disable it as a best practice. This setting does not affect any other use of the MFPs.
With this setting configured, the MFPs will ignore all incoming emails.
o Disable Cancel Job Button.
The EWS provides a Cancel Job button that allows users to cancel jobs that are pending in the queue. This includes canceling jobs sent by other users. Disabling the Cancel Job button removes the button from the display. Users will not be able to cancel the jobs of others; however, they will be able to cancel their own jobs from the printer driver or from the control panel.
o Disable Go Button.
The Go Button is the EWS Pause/Resume button, which enables users to pause operations, such as print jobs, indefinitely. Disabling the Go Button removes it from the EWS, preventing users from delaying jobs or even denying service to other users. However, users will be able to pause or resume their own jobs from the print driver or from the control panel.
o Disable Command Invoke.
Command Invoke is a legacy feature that does not apply to the MFPs. Disabling it is good security practice to ensure that all possible access to it is closed.
o Disable Command Download.
Command Download is a legacy feature that does not apply to the MFPs. Disabling it is good security practice to ensure that all possible access to it is closed.
o Disable Command Load and Execute.
Command Load and Execute accommodates add-on applications (Chailets), such as workflow programs and job accounting programs. Disabling it stops the MFPs from running Chailets during start up. This function is called Load Services in the EWS. If you use Chailets, you should enable Command Load and Execute. If not, you should disable it to prevent users from installing this type of application. With this setting configured, the MFPs will ignore all add-on applications.
Tip:
You may wish to turn the MFPs off and on again (power cycle) after disabling Command Load and Execute. The setting only prevents applications from loading at the next start up; the power cycle stops any that are already loaded and running.
o Disable Print Service.
Print Service allows users to send print-ready files such as PDF files directly to MFPs for immediate printing. This feature is available to anyone who has access to the EWS. Disabling it ensures that only users with the MFP print driver installed can send print jobs to the MFPs. With Print Service disabled, the print options do not appear on the EWS.

File System Page Options

Configure the File System Password.
The File System password feature restricts access to the MFP storage devices and to the configuration settings that relate to storage. This setting is important to security because it helps protect data stored on the MFPs. It does not affect normal use of the MFPs such as job storage features.
Users or applications attempting to make changes to the file system settings or attempting to access data through network ports will be required to provide this password. Without the password, the MFP denies access to the File System and to File System configurations.
Web Jetadmin stores the file system password in its encrypted device cache. It automatically provides the password when the MFPs request it.
Tip:
You should apply the File System Password setting by clicking Configure Devices before continuing with the remaining File System settings. The MFPs require that the File System Password be configured before they will grant access to the remaining settings.
Set the Secure File Erase Mode to Secure Sanitizing Erase.
Secure File Erase enables the MFPs to overwrite storage space whenever files are deleted. This helps ensure that the original data is destroyed. Secure Sanitizing Erase mode is recommended because testing shows that it does not significantly affect MFP performance compared to Secure Fast Erase mode.
Secure Fast Erase mode overwrites files one time. It slows MFP performance a bit, but it provides reasonable security for most situations. Secure Sanitizing Erase mode overwrites files three times. It affects MFP performance, but not noticeably more than Secure Fast Erase mode does. It provides even more assurance that the data is not recoverable. If your network is required to meet stringent security requirements such as DOD regulations, you should use Secure Sanitizing Erase. The default, Non-Secure Fast Erase, does not overwrite anything; it only removes the file reference, so deleted job data stays on the disk until later use happens to overwrite it.
With the MFPs configured for Secure Sanitizing Erase mode, some types of jobs and other MFP operations will take a bit more time. The amount of time depends on the size of the job and the specific model of MFP.
Configure File System External Access.
The File System External Access settings shut down access to the MFP file system (storage devices and configuration settings) through protocols and ports. They eliminate access from various types of management tools. HP recommends shutting down all unused access to the file system. See the ramifications for each protocol below:
NOTE:
Some storage management tools, such as the Web Jetadmin Device Storage Manager (a Web Jetadmin add on available in the Product Update menu), use some of these protocols to access the file system. You might consider enabling these protocols only to update configurations and then disable them during normal MFP operation.
Also note that disabling PJL and PML affects only file system access, whereas disabling NFS shuts down the protocol for the entire MFP.
o Disable PJL.
PJL (Printer Job Language) includes capabilities to manage configurations in the form of commands inside print jobs. Some of these commands can access MFP storage devices. Disabling PJL access to the file system disables the commands that affect the file system. This will not affect the preferences available for normal print jobs.
With PJL disabled, the MFPs will ignore PJL commands that attempt to access the file system.
o Disable PML.
PML (Printer Management Language) is an HP proprietary protocol that manages MFPs and printers. Web Jetadmin uses PML for many of its configuration settings. Disabling this PML access eliminates the PML commands that affect access to the storage devices even for Web Jetadmin. If you wish to make changes to the file system, enable PML to make the changes, and disable it again. With this setting, MFPs will ignore PML commands that attempt to access the file system.
o Disable NFS.
The NFS protocol is a common UNIX ® and Linux file system protocol. Disabling it disables the entire protocol for the MFPs. With this setting, MFPs will ignore all NFS requests. If your network uses this protocol, you should enable it.
o Enable PostScript.
PostScript is the page description language that programs such as Adobe® products use to print directly to the MFPs and to access fonts stored on them. This feature is convenient and useful, and it is not known to pose risks to security.

Network Page Options

Upload SSL Certificate (if available).
This setting is sometimes required for network SSL connections. However, even if it is not required, it improves security by providing better trust between the LDAP server and the MFP: a certificate issued by a certificate authority that both sides trust lets each side verify the other's identity rather than merely encrypting to an unverified peer. You should configure this setting if possible.
If an SSL certificate is not uploaded, the MFPs use a self-signed certificate that might be rejected in some network configurations, and that peers cannot distinguish from an impostor's self-signed certificate. If SSL is not used at all, usernames and even passwords will be passed over network lines in clear text.
Configure Encryption Strength to Medium or High.
The Encryption Strength setting covers HTTPS communication between a PC and the EWS. When HTTPS is configured (as recommended in this checklist), communication is encrypted according to this Encryption Strength setting. Configure this setting to the highest level supported by the browser you use to access MFP EWSs.
With Encryption Strength configured, the EWSs are accessible only from web browsers that support that level of HTTPS communications.
Note:
This checklist recommends disabling EWS Config during normal use of MFPs. This removes all access to the EWSs; however, you should configure this setting for times when you temporarily enable EWS Config to make changes.
Configure Enable Features options (do not disable EWS Config at this point).
These options enable or disable various supported features for the MFP. These features are designed for access and convenience on the network, but they should be disabled when not in use. The following list explains the ramifications of each feature:
o Disable Telnet Config.
Telnet Config is an access point used by some older (legacy) printer management tools. Jetdirect also supports some Telnet commands. Telnet transmits everything, including passwords, in clear text, and it should not be used. With it disabled, MFPs will deny access to Telnet sessions. Note that Web Jetadmin is the only solution recommended for managing HP MFPs, and it does not use Telnet Config.
o Disable SLP Config.
SLP Config accommodates discovery features of Novell (depending on how Novell is configured). Disabling it disables these features. With SLP Config disabled, Novell will not recognize the MFPs on the network. You should enable SLP Config only if your network uses these features of Novell.
o Disable FTP Printing.
FTP Printing provides some methods of upgrading MFP firmware, and it allows for uploading files onto MFP hard drives. You should disable it and use only Web Jetadmin to upgrade firmware. With FTP Printing disabled, the MFPs will deny access to all FTP sessions.
o Disable LPD Printing.
LPD Printing is a protocol for printing in UNIX, HP-UX, or Linux environments. You should disable it unless your network includes UNIX workstations that might print using the MFPs. With LPD Printing disabled, MFPs will deny access to UNIX machines.
o Enable 9100 Printing.
9100 Printing is the standard printing protocol used by MFP print drivers. It should always be enabled. Disabling 9100 Printing would disable all printing for most users.
o Disable IPP Printing.
IPP Printing is a protocol for printing directly over the Internet. It is not secure, and it should not be used. With it disabled, the MFPs will deny direct printing from the Internet. This does not affect print jobs from web browsers if they are using installed print drivers.
o Disable MDNS Config.
MDNS Config resolves host names to IP addresses. It is meant for small networks that do not include DNS servers. You should disable it unless you have a non-DNS network. With this option disabled, a non-DNS network will not recognize the MFPs.
o Disable IPv4 Multicast Config.
IPv4 Multicast Config allows multiple devices to be configured simultaneously over the network. You should always disable IPv4 Multicast Config, and use Web Jetadmin for managing MFPs.
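Once the Enable Features items above have been pushed, it pays to confirm from the network that the services really stopped listening. The following is an added example that is not part of the HP guide or of Web Jetadmin: it encodes the intended end state as a port policy, builds the nmap probe for exactly those ports, and compares an observed scan against the policy. The port numbers are the standard assignments for these protocols, not values from the guide, and the scan result is constructed, not captured from a device. SNMP is included as a required service because Web Jetadmin manages the MFPs through it.

```python
# Expected end state of the Enable Features items above, keyed by the port each
# service conventionally listens on. Port numbers are the standard assignments
# for these protocols, not values taken from the HP guide; SNMP is included
# because Web Jetadmin manages the MFPs through it and must stay reachable.
POLICY = {
    ("tcp", 23):   ("Telnet Config", False),
    ("udp", 427):  ("SLP Config", False),
    ("tcp", 21):   ("FTP Printing", False),
    ("tcp", 515):  ("LPD Printing", False),
    ("tcp", 9100): ("9100 Printing", True),
    ("tcp", 631):  ("IPP Printing", False),
    ("udp", 5353): ("MDNS Config", False),
    ("tcp", 2049): ("NFS (File System External Access)", False),
    ("udp", 161):  ("SNMP (Web Jetadmin management)", True),
}


def audit(open_ports):
    """open_ports: the set of (proto, port) pairs observed listening on one MFP.
    Returns sorted (feature, description) pairs for every deviation from POLICY:
    a disabled service that is still reachable, or a required one that is not."""
    findings = []
    for (proto, port), (feature, should_be_open) in POLICY.items():
        is_open = (proto, port) in open_ports
        if is_open and not should_be_open:
            findings.append((feature, f"{proto}/{port} is open but the checklist disables it"))
        elif should_be_open and not is_open:
            findings.append((feature, f"{proto}/{port} is closed but the checklist requires it"))
    return sorted(findings)


def nmap_command(host):
    """Build the nmap invocation that probes exactly the POLICY ports (assumes
    nmap is installed and the scanning host is on the MFP's ACL)."""
    tcp = ",".join(str(p) for proto, p in sorted(POLICY) if proto == "tcp")
    udp = ",".join(str(p) for proto, p in sorted(POLICY) if proto == "udp")
    return f"nmap -sS -sU -Pn -p T:{tcp},U:{udp} {host}"


# Constructed scan result for one MFP (not a real device): printing and SNMP are
# up, but Telnet and FTP were left enabled and mDNS is still announcing.
SAMPLE_OPEN = {("tcp", 9100), ("udp", 161), ("tcp", 23), ("tcp", 21), ("udp", 5353)}

if __name__ == "__main__":
    print(nmap_command("192.0.2.10"))
    for feature, why in audit(SAMPLE_OPEN):
        print(f"{feature}: {why}")
```

The SYN and UDP scans need raw-socket privileges, and UDP results for closed ports are often reported as open|filtered, so treat a UDP "open" as something to confirm rather than a verdict. Ports 80 and 443 are deliberately left out of the policy because whether they should answer depends on whether EWS Config is enabled at the time of the scan.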
Set the Privacy setting as desired.
The Privacy setting is not considered a security-related setting. It is included here to inform you of its purpose: it allows HP to collect statistical data on the use of MFPs. HP uses such information to help improve the design and development of MFPs. HP will not collect network-specific or personal data. For information on HP privacy policies, read the Hewlett-Packard Online Privacy Statement available by clicking privacy statement at
http://www.hp.com.
If you enable this feature, information collected by HP will be limited to the following items:
o HP Jetdirect product number, firmware version, and manufacturing date
o Model number of the attached printer or device
o Web browser and operating system detected
o Local language selections used for viewing Web pages
o Network communications protocols enabled
o Network management interfaces enabled
o Device discovery protocols enabled
o Printing protocols enabled
o TCP/IP configuration methods enabled
o SNMP control methods enabled
o Wireless configuration methods enabled
For HP to collect any information, Internet access must be available.
Disable RCFG Setting.
The RCFG setting (sometimes called RCONFIG) allows remote configuration from IPX/SPX servers. Web Jetadmin may use RCFG to configure Novell NetWare queue-server linkages on older Jetdirect print servers. You should disable RCFG Setting unless your network has Novell and older Jetdirect print servers.
With RCFG Setting disabled, MFPs will deny access to Novell.
Enable HTTPS, and configure the setting to Encrypt all web communication.
This setting enables encryption for configuration data between the PC and the MFP EWS. It prevents sensitive data such as usernames and passwords from passing over the network in clear text. This setting is related to the EWS Encryption Strength setting explained earlier.
Web browsers that do not support SSL and high encryption strength will not be able to access the MFP EWSs.
Note:
This checklist recommends disabling EWS Config during normal MFP operations and enabling it temporarily for changes to configurations. This setting ensures that the network traffic is secure during those configurations.
Disable unused Protocol Stacks.
These options provide for various types of network communication to the MFPs. Closing down unused protocol stacks is effective toward better network security. See the ramifications of each option below:
o Disable IPX/SPX.
IPX/SPX is a network protocol for Novell. It may be required in some Novell networks; however, most Novell networks are capable of using TCP/IP. IPX/SPX should be disabled unless it is required by a Novell configuration.
o Enable TCP/IP.
TCP/IP is the standard network protocol for MFP operations. It provides the necessary network communication for printing and for configuration. It should be enabled during normal use of MFPs.
o Enable DLC/LLC.
DLC/LLC is used in small networks where routing is not required. The MFPs include it for compatibility with older HP products. It should be enabled to ensure that the MFPs can work with other HP products.
o Disable AppleTalk.
AppleTalk is a protocol required for older Apple computers. You should disable it unless your network includes older Apple or Macintosh computers. With it disabled, MFPs will not appear on the network for these computers.

Security Page Options

Configure Authentication Manager.
The Authentication Manager provides settings to require log in for use of the various MFP functions. It is important to be sure to select only the authentication methods that are available and that you wish to configure.
Digital Send Service is a separate solution available at hp.com. It is a valuable tool that provides security and other features for managing MFPs. Select Digital Send Service only if it is installed and available on your network and if you plan to configure it later on the Security page.
Group 1 PIN and Group 2 PIN are features of the MFPs to provide methods of authentication when no other options are available or when you wish to vary authentication methods for each MFP function. Select Group 1 PIN or Group 2 PIN only if you plan to configure them later on the Security page.
LDAP is an authentication method that uses a network database to retrieve user credentials. It is secure when SSL is configured and trusted certificates are installed. Select LDAP only if it is available on your network and only if you plan to configure it later on the Security page.
Kerberos is a secure authentication protocol that is available with some networks. It provides a high level of security for network communications. Select Kerberos only if it is available on your network and only if you plan to configure it later on the Security page.
With authentication enabled, the MFPs will deny access to users who cannot supply the correct credentials.
Configure Authentication methods.
The various authentication options are meant to enable you to customize access to the MFPs using the authentication methods that are available on your network. Be sure to configure every authentication method that you selected in the Authentication Manager. Otherwise, functions assigned to an unconfigured method cannot authenticate anyone, and no one will be able to use the MFPs.
Disable Printer Firmware Update.
Printer Firmware Update enables the MFPs to accept printer firmware updates from various sources. Disabling it ensures that no one can replace the MFP firmware. With Printer Firmware Update disabled, the MFPs will deny access whenever anyone attempts to upgrade the firmware. You should disable it during normal MFP operations and enable it only when you wish to upgrade firmware.
Configure Control Panel Access Lock to Maximum.
Control Panel Access Lock denies access to configuration settings from the MFP control panel.
This setting places a lock icon on the affected settings on the control panel. If a user selects a locked setting, the control panel states that access is denied. Access can be restored only by changing the Control Panel Access Lock configuration using Web Jetadmin.
The Maximum setting also closes all access to the fax menu. This includes the options to Cancel All Pending Transmissions and Cancel Current Transmission. If you wish to provide these options, use the Intermediate option.
Disable Allow Use of Digital Send Service.
Digital Send Service is a useful tool for managing MFP digital sending. It is available for purchase at hp.com. HP recommends using Digital Send Service, but it is not covered in this checklist. You should disable it as a best practice if you are not using it.
With Allow Use of Digital Send Service disabled, the MFPs will deny access to Digital Send Service.
Disable Allow Transfer to New Digital Send Service.
This setting is related to the previous setting. If you allow use of Digital Send Service, it is possible for any installation of Digital Send Service to take over management of an MFP. Disabling this setting ensures that only one Digital Send Service computer is able to manage the MFPs.
Configure the PJL Password.
The PJL Password restricts access to the default (persistent) settings of the MFP. It requires the password for attempts to change these settings via Printer Job Language commands carried inside print jobs, and it likewise restricts such changes attempted through PCL and PostScript commands.
With the PJL Password configured, the MFPs will deny access to commands that attempt to change default settings without the correct password.
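The following is an added example, not code from the HP guide or from Web Jetadmin, that serves both the Disable PJL item under File System External Access and the PJL Password item here. It classifies the PJL commands found in a captured print stream, separating file-system commands (the ones Disable PJL is meant to block) from default-changing commands (the ones the PJL Password gates), and notes whether the job presented a password on its JOB command. The command names are documented PJL commands; which of them a given MFP model accepts is not stated in the guide. The sample job is constructed, and obtaining job bytes from a spooler or a port 9100 capture is assumed.

```python
UEL = b"\x1b%-12345X"  # Universal Exit Language: brackets every PJL section

# PJL commands that reach the MFP file system (what "Disable PJL" under File
# System External Access is meant to block) and those that change persistent
# defaults (what the PJL Password gates). The names are documented PJL
# commands; which ones a given MFP accepts is not stated in the guide.
FILESYSTEM_CMDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
                   "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}
DEFAULT_CMDS = {"DEFAULT", "INITIALIZE"}


def inspect_pjl(stream: bytes) -> dict:
    """Split a captured print stream into PJL sections at each UEL and classify
    every @PJL command. Scanning a section stops at ENTER LANGUAGE, because what
    follows is PCL or PostScript data, not PJL, until the next UEL."""
    report = {"commands": [], "filesystem": [], "defaults": [], "password_presented": False}
    for section in stream.split(UEL):
        for raw in section.splitlines():
            line = raw.strip()
            if not line.startswith(b"@PJL"):
                continue
            tokens = line.split()
            if len(tokens) < 2:
                continue  # a bare "@PJL" line is a legal no-op
            cmd = tokens[1].upper().decode("ascii", "replace")
            report["commands"].append(cmd)
            if cmd in FILESYSTEM_CMDS:
                report["filesystem"].append(cmd)
            if cmd in DEFAULT_CMDS:
                report["defaults"].append(cmd)
            if cmd == "JOB" and b"PASSWORD" in line.upper():
                report["password_presented"] = True
            if cmd == "ENTER":
                break
    return report


def violations(report: dict, pjl_fs_disabled=True, pjl_password_set=True) -> list:
    """Turn a report into findings against the state this checklist produces."""
    found = []
    if pjl_fs_disabled and report["filesystem"]:
        found.append("file system PJL commands in job: " + ", ".join(report["filesystem"]))
    if pjl_password_set and report["defaults"] and not report["password_presented"]:
        found.append("default-changing PJL without a password: " + ", ".join(report["defaults"]))
    return found


# Constructed job stream (not captured from a real device): a normal two-copy
# print job that also tries to change a persistent default and list the disk.
SAMPLE_JOB = (
    UEL + b"@PJL\r\n"
    b"@PJL JOB NAME = \"quarterly-report\"\r\n"
    b"@PJL SET COPIES = 2\r\n"
    b"@PJL DEFAULT COPIES = 1\r\n"
    b"@PJL FSDIRLIST NAME = \"0:\\\" ENTRY = 1 COUNT = 50\r\n"
    b"@PJL ENTER LANGUAGE = PCL\r\n"
    b"\x1bE...PCL page data...\x1bE\r\n"
    + UEL + b"@PJL EOJ NAME = \"quarterly-report\"\r\n" + UEL
)

if __name__ == "__main__":
    rep = inspect_pjl(SAMPLE_JOB)
    print(rep)
    for finding in violations(rep):
        print("FINDING:", finding)
```

A SET command is per-job and is left alone, since that is the normal way a driver expresses print preferences; only DEFAULT and INITIALIZE persist across jobs. On MFPs configured as this checklist directs, the file-system commands in the sample should be ignored and the DEFAULT should be refused for lack of the password, so seeing them in a captured job is evidence of probing worth following up rather than a breach in itself.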
Configure color restriction settings as desired.
If your network includes Color LaserJet MFPs, you can configure settings to restrict the use of color printing by users and by applications.
With color restriction settings configured, an MFP will print only in black and white unless the user provides the correct credentials.

Settings Only for Edgeline MFPs

Device Page Options

Configure Fax Printing Schedule.
The Fax Printing Schedule enables the MFPs to hold fax jobs for printing either by a schedule or on demand by an authorized person. This improves security by ensuring that printed faxes are not left in the output trays where unauthorized personnel might see them.
NOTE:
Stored faxes are not affected by the Job Hold Timeout. Fax standards require that all incoming faxes are eventually printed or otherwise viewed.
With the Fax Printing Schedule configured, incoming fax jobs will not print until an authorized person chooses to print them or until they are scheduled to print.

Digital Sending Page Options

Configure LDAP Server Settings.
This setting enables the MFPs to provide the LDAP address books to users. If you plan to use this feature, you should configure the SSL settings. The SSL settings enable the LDAP server and the MFPs to transfer the LDAP data encrypted. Otherwise, LDAP data are transferred in clear text.
Note:
Other settings, such as Upload SSL Certificates, may be required to configure SSL for LDAP access. Be sure to configure all LDAP-related security settings to ensure success. Look for these settings later in the Digital Sending page, in the Network page, and in the Security page.
Configure Server Connection Settings.
The Server Connection Settings are related to the LDAP Server Settings described above. These settings allow you to choose the credentials with which the MFPs access the LDAP server. Windows Negotiated is the preferred option if Kerberos is available on your network. Otherwise, you should choose either Use MFP user credentials or Default Credentials. If you choose MFP user credentials, the MFP will prompt the user for valid LDAP user credentials (usually the user's net login credentials). If you choose Default Credentials, the MFPs will automatically use the credentials that you enter in the Default Credentials fields.
Configure Default Message Settings.
The Default Message Settings provide standard messages and from address for MFP email jobs. These settings are meant as a convenience to relieve users from having to type messages for each email job. They also provide security measures to prevent users from sending inappropriate messages using false from addresses.
With these settings configured, the MFPs prevent users from changing the information that is sent with email jobs. All email jobs will have the same from address and the same message.

Security Page Options

Configure Default Sign in Method.
The Default Sign in Method provides authentication whenever a feature is configured to use the default authentication method. This includes new solutions installed on the MFPs. Be sure to choose a method that is available on your network and that you plan to configure.
Configure Access Control Level for Device Functions.
The Access Control Level for Device Functions feature is similar to the Authentication Manager for LaserJet and Color LaserJet MFPs. This feature allows you to choose the authentication method used for access to each feature of the MFPs. It also provides options for creating roles for users to enable you to restrict access further.
If you choose Maximum for the Access Control Level, each MFP will require users to sign in for access to the control panel. Be sure to select only the authentication methods that are available on your network and that you wish to configure.
If you choose Custom for the Access Control Level, each MFP will require users to sign in when they choose specific functions at the control panel.
Once a user signs in, the MFP will provide all applicable access to that user.
Configure sign in methods.
The MFPs require configuration of the sign in methods that you selected in the Access Control Level for Device Functions. These methods include LDAP Sign in Setup, Windows Sign in Setup, and Novell Sign in Setup. These settings provide the data required to access network account databases in order to authenticate users. If the appropriate sign in methods are not configured, the MFPs will not be able to provide authentication, and they will deny access to everyone.
With these settings configured, the MFPs require the correct credentials before allowing access to the specified features.
Configure users and groups.
The MFPs include features for each sign in method to assign permissions for users or groups of users. This allows you to grant access to specific users or groups for specific functions. Be sure to configure users and groups for all methods that you selected in the Access Control Level for Device Functions.
With users and groups configured, each MFP will grant access to all applicable features once a user signs in.

Final Configurations

Disable EWS Config.
Disabling EWS Config removes the EWSs from the network. They become unavailable to everyone. This eliminates many risks to security.
All of the EWS configuration settings are available in Web Jetadmin, but only when they are enabled. Thus, you will have to enable EWS Config temporarily to make changes to the configurations, and then disable it again.
With EWS Config disabled, the MFPs will not provide the EWSs on the network. Web browsers will report that no such web site can be found. The EWS settings do not appear in Web Jetadmin.
Disable Direct Ports.
The Direct Ports setting shuts down the MFP parallel ports and USB ports. The ports are completely turned off. All remaining access must then go through the control panel or the network connections.
Shutting down the parallel and USB ports ensures that no one can configure the MFPs or print using these connections.
This setting causes the MFPs to turn off and turn on. They will be out of service during this time. This is also the reason this setting should be executed alone and at the end of this checklist. If you attempt to disable Direct Ports with other settings, the other settings will likely fail. This is because Web Jetadmin temporarily loses contact with each MFP while the MFP is restarting. Be sure to wait a few minutes until all of the MFPs are online and ready before continuing.
With Direct Ports disabled, the parallel and USB ports are turned off, and the MFPs behave as if the ports do not exist.
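The settings in this checklist are applied with Web Jetadmin, but it is easy to lose track of which MFPs still deviate from the intended state, and Direct Ports has to be sent last and on its own because it restarts the device. The script below is an added example, not HP's code and not part of this checklist: it audits a constructed, Web Jetadmin-style settings export (the export format, the short status values, and the "Set"/"Not set" stand-in for the PJL Password are assumptions for illustration; a real export would not reveal the password) against the items covered in this section, and groups the remediation so that Direct Ports is always in a final batch by itself.

```python
"""Compliance audit of a constructed Web Jetadmin-style settings export.

Assumption (not Web Jetadmin's real export format): one dict per MFP, keyed by
the setting names this checklist uses, with values as short status strings.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample export: the first MFP follows the checklist, the second does not.
SAMPLE_EXPORT = [
    {
        "device": "mfp-floor1",
        "Control Panel Access Lock": "Maximum",
        "Allow Use of Digital Send Service": "Disabled",
        "Allow Transfer to New Digital Send Service": "Disabled",
        "PJL Password": "Set",          # stand-in: a real export would not show the password
        "LDAP SSL": "Enabled",
        "EWS Config": "Disabled",
        "Direct Ports": "Disabled",
    },
    {
        "device": "mfp-floor2",
        "Control Panel Access Lock": "Unlocked",
        "Allow Use of Digital Send Service": "Enabled",
        "Allow Transfer to New Digital Send Service": "Enabled",
        "PJL Password": "Not set",
        "LDAP SSL": "Disabled",
        "EWS Config": "Enabled",
        "Direct Ports": "Enabled",
    },
]


@dataclass(frozen=True)
class Check:
    setting: str
    accepted: Tuple[str, ...]   # values that satisfy the checklist
    risk: str                   # what is exposed when the value is something else


# One check per checklist item covered in this section, in checklist order.
CHECKS: List[Check] = [
    Check("Control Panel Access Lock", ("Maximum", "Intermediate"),
          "configuration menus are reachable from the control panel"),
    Check("Allow Use of Digital Send Service", ("Disabled",),
          "any Digital Send Service installation can reach the MFP"),
    Check("Allow Transfer to New Digital Send Service", ("Disabled",),
          "another Digital Send Service computer can take over management"),
    Check("PJL Password", ("Set",),
          "PJL commands can change default settings without a password"),
    Check("LDAP SSL", ("Enabled",),
          "LDAP address book data crosses the network in clear text"),
    Check("EWS Config", ("Disabled",),
          "the Embedded Web Server is reachable by anyone on the network"),
    Check("Direct Ports", ("Disabled",),
          "parallel and USB ports allow local configuration and printing"),
]

Finding = Tuple[str, str, str]   # (setting, observed value, risk)


def audit_device(row: Dict[str, str]) -> List[Finding]:
    """Return the checklist items this MFP fails; a missing setting counts as a failure."""
    findings: List[Finding] = []
    for check in CHECKS:
        observed = row.get(check.setting, "<missing>")
        if observed not in check.accepted:
            findings.append((check.setting, observed, check.risk))
    return findings


def audit_export(rows: List[Dict[str, str]]) -> Dict[str, List[Finding]]:
    """Audit every MFP in the export, keyed by device name."""
    return {row["device"]: audit_device(row) for row in rows}


def remediation_batches(findings: List[Finding]) -> List[List[str]]:
    """Group the settings to apply so that Direct Ports is applied last and alone.

    Disabling Direct Ports restarts the MFP and Web Jetadmin loses contact during
    the restart, so any other setting sent in the same batch would likely fail.
    """
    others = [name for name, _, _ in findings if name != "Direct Ports"]
    batches = [others] if others else []
    if any(name == "Direct Ports" for name, _, _ in findings):
        batches.append(["Direct Ports"])
    return batches


if __name__ == "__main__":
    for device, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{device}: {len(findings)} finding(s)")
        for setting, observed, risk in findings:
            print(f"  {setting} = {observed!r}: {risk}")
        for n, batch in enumerate(remediation_batches(findings), 1):
            print(f"  batch {n}: {', '.join(batch)}")
```

Control Panel Access Lock accepts Intermediate as well as Maximum because the checklist itself offers Intermediate to sites that need the fax cancel options. A setting absent from the export is reported as a finding rather than silently passed, since an unknown state is not a verified one.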

Overall Limitations

The overall configuration that you achieve by following this checklist provides a high level of network security for HP MFPs. At the same time, it causes some limitations. Here are some known effects of this overall configuration:
• Extra steps to use MFPs: Users will be required to provide usernames and passwords at the control panels before they can use the MFPs.
• No access to control panel configuration menus: The control panels block access to configuration settings for everyone. Configuration settings will be available only using Web Jetadmin. Some settings will have to be enabled using Web Jetadmin before they can be accessed.
• No way to cancel print jobs from the control panel: The MFPs will not allow users to cancel the print jobs of others. A user would have to go to the person who submitted the job and ask that person to cancel it.
• No way to cancel a fax job: The maximum lock setting on the control panel includes removing the fax job cancelling options. Once a user selects Send, there is no way to stop an outgoing fax (other than disconnecting the phone line). You can enable fax cancelling by configuring Control Panel Access Lock to Intermediate Lock.
• Extra steps for printing faxes: A user will be required to provide a fax PIN before printing a fax (LaserJet and Color LaserJet MFPs only. Edgeline MFPs will require sign in credentials for a user trying to print a fax).
• No Embedded Web Servers: Disabling EWS Config disables the entire EWS feature.
• No way to change the from address on email send jobs: Depending on the capabilities of your network, the MFPs will place either a default from address or the user's email address as the from address. They provide no method to change it.

Physical Security

Many of the most notable features of HP MFPs involve hard copy documents. MFPs can print them, scan them, send them to email, send them to network folders, send them to other printers, and fax them. Handling hardcopy documents can involve a variety of activities that can lead to compromise of data security:
• Leaving documents in the printer output trays exposed to possible unauthorized viewers.
• Leaving documents in the Automatic Document Feeder (ADF) or on the flatbed scanner exposed to possible unauthorized viewers.
Use PIN printing and PIN fax printing to ensure that authorized users are present during printing. If you have Edgeline MFPs, configure the Access Control Levels to include printing and fax printing. Stay with the MFP while using the ADF or the flatbed scanner, and keep the MFPs in enclosed rooms to allow for controlled access for sensitive printing or scanning.
Physical security also involves access to the location where an MFP is installed. Limiting physical access can easily prevent many security risks. Such risks include the following:
• Access to configurations on the control panel
• Access to power cycle the MFP, to initiate cold resets, and to change other configurations
• Access to removable storage devices such as hard drives and memory cards
• Access to input trays, output trays, and automatic document feeder trays where hardcopy documents may be left after processing
• Access to network cables and phone lines connected to the MFP
• Access to digital sending services and features
• Access to stored print jobs (depending on settings)
• Access to copy features (unauthorized overuse of resources such as toner and paper)
You can help minimize all of these risks by placing the MFPs in access-controlled locations.
You can also control access to the MFP internal hardware (hard drives, Compact Flash cards, and formatter boards) using hardware locks. Use a lock, such as a Kensington Lock, as recommended in the MFP User Guide.

Appendix 1: Glossary of Terms and Acronyms

The following table lists terms and acronyms found in this checklist:
Term Description
ACL Access Control List. The ACL restricts network access to the MFP by allowing only those IP addresses or subnets that are listed in it.
Analog fax Analog fax is faxing via telephone lines. The fax module is available in most HP MFP bundles and it is covered in this checklist. MFPs are also capable of sending fax via LAN fax or internet fax using additional solutions on the network. LAN fax and Internet fax are not covered in this checklist.
Bootloader The bootloader is the program that starts up an MFP when the power is turned on. It loads the MFP operating systems and the configurations. The bootloader includes settings, such as cold resetting, that are accessible via special codes (not covered in this checklist). These settings are protected by the bootloader password.
Control Panel The control panel is the display and the buttons on the front of an MFP.
Digital sending Digital sending is a function of the MFP that sends scanned documents to email destinations or to network destinations. Faxing is also considered digital sending, but it is separate from the network functions.
DSS Digital Send Service. DSS is an HP solution to enhance MFP digital sending functionality and security. For instance, it can encrypt the contents of digital send jobs. It can be purchased and downloaded at hp.com. DSS is useful and recommended, but it is not covered in this checklist.
Edgeline MFPs This checklist abbreviates HP CM8050 Color MFP with Edgeline Technology and HP CM8060 Color MFP with Edgeline Technology as Edgeline MFPs.
EWS Embedded Web Server. The EWS is a web page built into an MFP to provide status and configuration settings. The EWS is accessible over network lines using any Web browser connecting to the MFP network IP address or host name.
Firmware Firmware is the program that operates an MFP and controls all of its functions.
Formatter The formatter is the main circuit board of an MFP. It is similar to the motherboard of a PC. The formatter accommodates the MFP hard drive, the Compact Flash cards, the Jetdirect card, the CPU, the analog fax accessory card, and the DC Controller, which is the power supply for the MFP. The formatter also accommodates accessories such as wireless cards.
Since the formatter is removable (using common tools), it includes the capability to be locked using devices such as Kensington locks.
HP Jetdirect 635n Print Server The HP Jetdirect 635n Print Server is an accessory to LaserJet and Color LaserJet MFPs and printers. It provides extra security features such as IPsec to encrypt all communications over the network.
IPsec IPsec is a secure protocol that requires advanced network configurations. It provides high-level security for network communications. It is included with Edgeline MFPs and it is available as an accessory for all other MFPs and printers (see HP Jetdirect 635n Print Server). IPsec is not covered in this checklist due to its complexity. You can find more information on it in the MFP user guides or by searching for it at hp.com.
JDI Jetdirect Inside. Many of the MFPs include internal Jetdirect hardware as standard equipment. Other MFPs, such as HP Color LaserJet 9500 MFPs, require EIO Jetdirect cards for network connectivity.
Job Retention Job Retention is the MFP capability of storing print jobs or fax jobs for printing on demand at the control panel. PIN printing and PIN fax printing are functions of Job Retention.
MFP Multi-Functional Peripheral. An MFP is a device that includes multiple capabilities such as print, copy, fax, and digital sending (email and send to network folder).
PIN Personal Identification Number. A PIN is a numeric password. MFPs use PINs for authentication, secure printing and secure fax printing.
Scanner, ADF, or flatbed scanner The top of the MFP is a scanner that converts paper documents into digital images for copying, fax, or digital sending. The scanner can scan a document in two ways: Automatic Document Feeder (ADF) or flatbed.
The ADF is part of the top cover of the flatbed scanner. The ADF draws sheets into a paper path from an input tray similar to the input paper tray on a printer. It runs each sheet past the scanner and places it in an output tray.
The flatbed scanner is a flat pane of glass under a cover (the ADF) that opens to allow placement of one surface for scanning. The flatbed scanner is for documents such as folded paper or books that will not go through the ADF.
SNMPv3 SNMPv3 is a secure network protocol that encrypts network traffic. It is available with Web Jetadmin to encrypt data between Web Jetadmin and the MFP.
SSL Secure Sockets Layer. SSL is the encryption capability of the internet. It is the system used for web communication via HTTPS.
Storage device A storage device is a component that stores data. The MFP includes two types of storage devices: hard drive and Compact Flash cards.
MFP storage devices store two types of data: system data, such as configurations, and user data, such as print jobs, address books, and installed applications.
WJA HP Web Jetadmin. HP Web Jetadmin is a peripheral management tool that provides access to multiple devices for status and configuration. It is capable of configuring multiple MFPs simultaneously. Web Jetadmin is the recommended tool for configuring almost all settings in this checklist.
© 2007 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft® is a U.S. registered trademark of Microsoft Corporation.
Adobe and PostScript are trademarks of Adobe Systems Incorporated.
UNIX® is a registered trademark of The Open Group.
Itanium is a trademark or registered trademark of Intel Corporation or its subsidiaries in the United States and other countries.
4AA0-XXXXENW, May 2006