HP JETADVANTAGE SECURITY MANAGER


Policy Editor Settings

CONTENTS

Introduction
  Spoofing Identity
  Tampering with Data
  Repudiation
  Information Disclosure
  Denial of Service
  Elevation of Privilege
Solutions
Creating a Policy
  Template Choices
    Blank Policy
    HP Security Manager Base Policy
    HP Security Manager Limited Policy
  Adding Security Settings
  Policy Preview
  Search Feature
  Quick Settings
Policy Categories
  Authentication
    Authentication Manager: Guest Access, Administrative Function Authentication, Job Storage Authentication, Print and Copy Authentication, Digital Services Authentication, EWS Authentication
    Credentials: Admin (EWS) Password, SNMPv1/v2, SNMPv3, File System Password, PJL Password, Remote Configuration Password, Bootloader Password, Service Access Code, Group One PIN / Group Two PIN, Fax PIN Presence
    Authentication Services: 802.1x Authentication (wired), 802.1x Authentication (wireless), LDAP Server Authentication
    Certificate Management: Identity Certificate, CA Certificate
  Device Control
    Stored Data: File Erase Mode, Retain Print Jobs, Stored Data PIN Protection, Retain Print Jobs After Reboot, Job Held Limit
    Logging: System Logging
    Control Panel: Control Panel Lock, Control Panel Timeout, Display Job Status
    External Connections: Direct Connect Ports, Host USB Plug and Play
    Device Security Checks: Check for Latest Firmware, Check for Latest Jetdirect Firmware, Secure Boot Presence, Intrusion Detection Presence, Whitelisting Presence
    General: Role Based Access Control, Assign Roles to User and Group, Erase Data, PJL Access Commands, Near Field Communication (NFC), Extended Signature Verification, Wi-Fi Direct, Wireless Direct Print, Fax Receive, Command Load and Execute, File System Access Protocols, Color Access Control, Disk Encryption Status, Secure Disk Password, Trusted Platform Module (TPM) Status, I/O Timeout, Fax Speed Dial Lock, Cancel Print Jobs
  Device Discovery
    General: Service Location Protocol (SLP), IPv4 Multicast, Link-Local Multicast Name Resolution Protocol (LLMNR), Web-Services Discovery (WS-Discovery), Bonjour
  Printing
    General: Standard TCP/IP Printing, AirPrint, Line Printer Daemon/Line Printer Remote (LPD/LPR), Internet Print Protocol (IPP), Secure Internet Print Protocol (IPPS), Web Services Print (WS-Print), File Transfer Protocol (FTP), AppleTalk, Data Link Control / Logical Link Control (DLC/LLC), Novell (IPX/SPX)
  Digital Services
    Fax: Send Fax
    Folder: Send to Folder
    Email: Encryption, Signing, Send to Email (Digital Send), Email Alert, Incoming Email (POP3)
    General: Digital Send, Allow Access to LDAP Address Book, Web Scan
  Network Security
    General: Internet Protocol Security (IPsec)/Firewall, Internet Protocol Security (IPsec)/Firewall Rule Configuration, FIPS 140 Compliance, Library Access Control, Windows, Verify Certificate for IPP/IPPS, Pull Printing, Enable WINS Port, WINS Registration, HP Connection Inspector, Enable Cross-site Request Forgery (CSRF) Prevention
  Network Services
    Web: Web Encryption Settings, Require HTTPS Redirect, Cross Origin Resource Sharing, Embedded Web Server Access, Information Tab, Phone Home, Go Button, Cancel Button, Continue Button
    General: Novell Remote Configuration, Telnet, TFTP Configuration File, HP Jetdirect XML Services, Certificate Management Service, Legacy Firmware Upgrade, Remote Firmware Upgrade (RFU), FTP Firmware Update, FTP Firmware Downgrade, Device Announcement Agent
  Shared Items
    LDAP Settings: LDAP Settings
    Outgoing Email (SMTP): Outgoing Email (SMTP)

INTRODUCTION

HP JetAdvantage Security Manager offers a wide variety of security related settings and remediates them on devices to keep the devices in compliance with company security policies. This document describes the various security settings that can be added to policies in Security Manager and why they are important for securing a fleet.

As technology improves, malicious users may target MFPs and other network peripherals to misuse resources or to gain access to networks or the internet. The Microsoft STRIDE model provides an explanation of the typical threats that many of the Security Manager policy settings can prevent:

- Spoofing identity
- Tampering with data
- Repudiation
- Information disclosure
- Denial of service
- Elevation of privilege

Spoofing Identity

Spoofing identity is masquerading as someone else to fool others or to obtain unauthorized access. Examples include:

- Placing another person's address in the From address field of an email message
- Using another person's credentials to log in to the email server to gain access to address books
- Using another person's credentials to have free use of an email service
- Using another person's credentials to view that person's email messages
- Using another person's log on credentials for access to use devices or networks
- Using another person's log on credentials for administrative access to devices

You can minimize the risks from identity spoofing in the following ways:

- Protect the From Address field in the Digital Sending and Fax configurations
- Protect disk access
- Configure authentication
- Configure the administrator password
- Configure SNMPv3

Tampering with Data

Tampering with data can include any method of changing, destroying, or adding to information that is flowing to or from a device or stored on it. Examples include:

- Canceling another person's job
- Intercepting a print job before it reaches the device, altering it, and sending it on to the device
- Intercepting remote configuration data to get passwords and other information

You can minimize the risks from data tampering in the following ways:

- Disable the Cancel Job button
- Disable the Go (Pause) button
- Configure SNMPv3
- Prevent unnecessary remote access: close down all unused ports and protocols
- Configure HTTPS for EWS access

Repudiation

Repudiation is using a device without leaving usage information. This includes preventing the device from logging data or bypassing security checks such as user authentication. It also includes finding ways to use an MFP without paying by bypassing job accounting software. Examples include:

- Accessing usage logs to delete entries
- Removing origination information from file metadata
- Bypassing user authentication
- Using remote management software to access the device

You can minimize the risks of repudiation in the following ways:

- Enable IPsec to encrypt the data stream, including log data and file metadata
- Close unused ports and protocols
- Save copies of log data at a separate location
- Add security solutions such as smartcard, swipe-card and thumbprint readers

Information Disclosure

Information disclosure is gathering information from a device and providing it to unauthorized users. This can include authentication information, usage log information, or information from the contents of a job. Such data stored on the hard drive is considered at rest, while data being transmitted by the MFP is considered in transit. Examples include:

- Reading stored print jobs on the device hard drive
- Downloading log information
- Downloading address books
- Intercepting print jobs, copy jobs, fax jobs, or digital send jobs (such as email)

You can minimize the risks of information disclosure in the following ways:

- Enable IPsec to protect data in transit
- Use hardware encryption to protect data at rest
- Close unused ports and protocols
- Configure all possible password settings
- Configure authentication
- Configure SNMPv3 for Web Jetadmin

Denial of Service

Denial of service is any type of interference with normal use of an MFP. Examples include:

- Canceling or pausing the print jobs of others
- Turning off the device remotely
- Disconnecting power to the device
- Removing the device formatter board
- Disconnecting the device from the network
- Causing interference with network communication to the device
- Changing the network location of the device
- Causing an error state that interrupts service
- Changing access configurations

Here are some methods of minimizing opportunities for denial of service on a device:

- Lock the control panel
- Lock EWS configuration settings

- Close unused ports and protocols
- Disable controls such as the Job Cancel button and the Go button
- Enable the resume feature to allow the device to resume operations after an error state
- Configure Job Timeout
- Control physical access to the device
- Lock physical access to removable hardware

Elevation of Privilege

Elevation of privilege is any method of upgrading authorized access to include unauthorized access. This can be any of the following:

- Non-administrators changing settings to get administrator privileges
- Unauthorized use of management software to provide access for other unauthorized users
- Using management software to bypass job accounting functions

Here are some methods of minimizing opportunities for elevation of privilege:

- Configure the administrator (device) password
- Configure SNMPv3 and HTTPS
- Lock the control panel

SOLUTIONS

Care should be exercised when creating security policies if third party solutions are installed on the devices. Certain security settings can disrupt the operation of solutions installed on devices. See the solution documentation to determine whether policy changes are required to accommodate specific functionality. When solutions are present on devices, testing a small number of devices in a sandbox or test environment is highly recommended before applying settings to a fleet, because certain settings may cause undesired behavior with certain solutions. Solutions may fail to install or operate, or worse behavior can occur on devices, when some settings are applied to devices with solutions present.

For example, solutions that have been tested on HP printers may require the following settings in order to install or run:

- DNS server configured
- SNMP GET Community Name (Read Community Name) required for installation and configuration
- EWS password required for installation and configuration
- Command Load & Execute enabled
- PJL Access Commands enabled
- Remote Firmware Updates enabled
- Allow PJL Access enabled
- PJL Password not set
- Legacy Firmware Upgrades enabled (current versions of firmware are signed with the SHA-256 hashing algorithm; enabling this option allows installation of legacy firmware signed with the less secure SHA-1 algorithm)
- Control Panel Timeout set to 60s

Testing of several common solutions against a modified Base policy yielded the following results:

- All solutions: Control Panel timeout = 60s (this is the device default; the policy was 20s)
- HPAC: Legacy Firmware Upgrades = enabled (for install and run); Allow PJL Access = enabled (for run); Remote Firmware Upgrade (RFU) = enabled (for run)
- SafeCom: Legacy Firmware Upgrades = enabled (for install and run), v310 and earlier only (v312 uses SHA-256)
- Equitrac: no changes to policy needed
- HPCR: SNMP v1/v2 write = enabled (for install and run)

Therefore, for a solution such as HP Access Control, the important settings and values to ensure the solution installs and runs properly are the following:

- EWS password required for installation and configuration
- Remote Firmware Upgrade enabled
- File Access and PJL Disk Access enabled
- PJL password not set
- Information Tab Requires Administration Password for Access disabled
- PJL Access Commands enabled
- Printing, WS-Discovery, OXPd Services, and Web Services Print enabled
- Legacy Firmware Upgrade enabled

CREATING A POLICY

The Security Manager Policy Editor allows print administrators with minimal security knowledge, as well as experienced security administrators, to build a valid, comprehensive security policy to deploy across the HP imaging and printing fleet. The Policy Editor provides security setting intelligence through basic definitions, recommendations, validations and constraints to ensure creation of a valid policy. A new policy is created on the Policies tab by selecting New Policy in the menu bar that slides open from the left hand side of the screen.

Template Choices

Three template choices are available to select:

- Blank Policy
- HP Security Manager Base Policy
- HP Security Manager Limited Policy

Blank Policy

The Blank Policy selection, as expected, begins with a clean slate and nothing is selected by default.

HP Security Manager Base Policy

The Security Manager Base Policy is a great place to begin creation of a custom policy, or to use as is, if appropriate, as a baseline policy for your environment. This template is based on NIST recommendations and common security settings found in many environments that practice print environment security. Every environment will be different, and every customer will likely have a specific set of mandatory security features that define compliance, but the Base Policy provides an excellent starting point for cases where security isn't quite yet fully defined in an organization. The following picture contains each of the settings contained in the Base Policy and how they are defined to behave as default settings. Remember, the Base Policy is provided as a starting point to begin building a security policy that meets the standards and security compliance of a company.

HP Security Manager Limited Policy

The HP Security Manager Limited Policy contains a minimal amount of security related features to obtain a quick look at how secure the fleet is. It is designed primarily for assessments only, as a snapshot of security. Remember, the Limited Policy is the one that can be used in Security Manager until a valid trial or purchased license is installed.

Adding Security Settings

When any of the templates is chosen after selecting New Policy, the policy appears in edit mode where changes can be made and saved. The security setting main categories are provided along the top of the editor, sub-categories are displayed in the left-hand column coinciding with each main category selected, and the settings themselves appear in the main portion of the screen. Each setting is discussed in detail in the next section of this document.

The number in parentheses after each category indicates the number of settings enabled in the policy. A red category indicates there are settings that are not valid and require some editing. A checkbox appears next to each security setting to enable or disable the setting in the policy. The Blank Policy obviously has nothing checked, while the Base Policy and Limited Policy have pre-selected settings. For the Base Policy, some settings require attention under the Authentication, Credentials section.

While in the policy editor, policy validation is always occurring to ensure that a good policy is created. This validation is provided via the policy constraint engine.

Caution: Depending on how recommendations are answered and addressed, it is possible to build an invalid policy.

Clicking on the question mark (?) next to any setting provides a helpful description of the setting in a separate window. Policy settings range from the basic enabling or disabling of certain network protocols to the more complex device authentication and certificate management settings. Various settings have different options for how they are selected. For example, many settings provide a simple desired state of enable or disable for basic on/off functionality: the slider dragged to the right enables, while the slider dragged to the left disables.

Other settings may offer a drop-down list of selections instead of basic enable/disable. Some settings are very complex and offer several settings with several options to choose for each.

Severity is customizable by the policy creator and indicates the appropriate risk level for the environment or business impact. These values of low, medium, and high are reflected in the status of an assessment: the worst case bubbles to the top and is displayed as the status. The Executive Summary report also uses these values to apply a calculation against the fleet assessment and provide a score.

Remediation allows the policy creator to instruct the policy to remediate (fix) the setting if it is out of compliance on the device against the value in the policy. Set remediate to enable or disable.

Unsupported can be set either to Ignore or to Fail. If set to Ignore, a particular device that does not support the security setting is excluded from the assessment and recommendations report. If set to Fail, the recommendations report sets the status as Not Supported By Device if a particular device does not support the setting.

Best Possible is available in the drop-down menu for some configuration settings to handle the disparity in models and versions of HP devices by always choosing the best setting for that device. For example, devices that support both MD5 and SHA-1 are set to SHA-1 as the strongest algorithm available under the configuration settings for SNMPv3. The Identity Certificate configuration item under Certificate Management also offers a Best Possible selection in case you desire Key Length or Signature Algorithm settings that are too strong to be generated in a CSR by some devices. In such cases, Security Manager chooses itself as the source of the CSR instead of the device.

Related Policy Items includes built-in intelligence to notify the policy creator of other related policy settings. In some cases, enabling a setting can cause the options of a related technology to be limited. For example, if FIPS 140 is enabled, the options available under the related technologies of SNMPv3 and Web Encryption Strength are limited by removing the weaker options, as they are not supported with FIPS.
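As an added illustration of the editor behaviour described above (this is not HP Security Manager's own code), the following Python models the policy constraint engine with the FIPS 140 / SNMPv3 rule, the Best Possible selection, the Unsupported = Ignore/Fail choice, and the worst-case severity that bubbles up to the device status. The Setting data class, the device dictionary and the status strings are assumptions; the setting names are the ones this document uses.

```python
# Constructed model of the policy editor behaviour described above. This is an
# added example, not HP Security Manager's own code: the Setting layout, the
# device dictionary and the status strings are assumptions; the setting names
# and the FIPS 140 / SNMPv3 rule are the ones the document states.
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# SNMPv3 algorithm choices, weakest first. With FIPS 140 enabled only
# SHA-1/AES is allowed; MD5/DES is removed from the options.
SNMPV3_ALGOS = ["MD5/DES", "SHA-1/AES"]
FIPS_SNMPV3 = {"SHA-1/AES"}


@dataclass
class Setting:
    value: object                # desired value, or "Best Possible"
    severity: str = "medium"     # low / medium / high
    remediate: bool = True       # fix the device when out of compliance
    unsupported: str = "ignore"  # "ignore" or "fail"


def validate_policy(policy):
    """Constraint engine: list the problems that make the policy invalid."""
    problems = []
    fips = policy.get("FIPS 140 Compliance")
    snmp3 = policy.get("SNMPv3")
    if fips and fips.value and snmp3 and snmp3.value not in (FIPS_SNMPV3 | {"Best Possible"}):
        problems.append("SNMPv3 %s is not allowed while FIPS 140 is enabled" % snmp3.value)
    for name, s in policy.items():
        if s.severity not in SEVERITY_RANK or s.unsupported not in ("ignore", "fail"):
            problems.append("%s: bad severity or Unsupported choice" % name)
    return problems


def best_possible_snmpv3(device, fips_enabled):
    """Strongest SNMPv3 algorithm the device supports, narrowed by FIPS 140."""
    candidates = [a for a in SNMPV3_ALGOS if a in device["snmpv3_algos"]]
    if fips_enabled:
        candidates = [a for a in candidates if a in FIPS_SNMPV3]
    return candidates[-1] if candidates else None


def assess_device(policy, device):
    """Status per setting: pass, remediate, fail, excluded or Not Supported By Device."""
    fips = policy.get("FIPS 140 Compliance")
    fips_on = bool(fips and fips.value)
    results = {}
    for name, s in policy.items():
        if name not in device["supports"]:
            # Unsupported = Ignore drops the setting from the assessment;
            # Unsupported = Fail reports it as Not Supported By Device.
            results[name] = "excluded" if s.unsupported == "ignore" else "Not Supported By Device"
            continue
        want = s.value
        if name == "SNMPv3" and want == "Best Possible":
            want = best_possible_snmpv3(device, fips_on)
        if device["values"].get(name) == want:
            results[name] = "pass"
        else:
            results[name] = "remediate" if s.remediate else "fail"
    return results


def worst_case(policy, results):
    """Overall device status: the highest severity among non-compliant settings."""
    worst = None
    for name, status in results.items():
        if status in ("pass", "excluded"):
            continue
        sev = policy[name].severity
        if worst is None or SEVERITY_RANK[sev] > SEVERITY_RANK[worst]:
            worst = sev
    return worst or "compliant"


def example_policy():
    return {
        "FIPS 140 Compliance": Setting(True, "high"),
        "SNMPv3": Setting("Best Possible", "high"),
        "SNMPv1/v2": Setting("Read Only", "medium", remediate=False),
        "PJL Access Commands": Setting(False, "low"),
        "Secure Boot Presence": Setting(True, "high", unsupported="fail"),
    }


def example_device():
    # Constructed device: an older model without Secure Boot, still on MD5/DES.
    return {
        "supports": {"FIPS 140 Compliance", "SNMPv3", "SNMPv1/v2", "PJL Access Commands"},
        "snmpv3_algos": ["MD5/DES", "SHA-1/AES"],
        "values": {"FIPS 140 Compliance": True, "SNMPv3": "MD5/DES",
                   "SNMPv1/v2": "Read and Write Enabled", "PJL Access Commands": False},
    }


if __name__ == "__main__":
    pol = example_policy()
    print("policy problems:", validate_policy(pol))
    res = assess_device(pol, example_device())
    for name, status in res.items():
        print("%-22s %s" % (name, status))
    print("overall:", worst_case(pol, res))
```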

Policy Preview

Clicking on the link to a policy brings up the Policy Preview screen. It can also be displayed while editing a policy by clicking the Preview box in the bottom left hand corner. This screen displays every setting that has been added to a policy, its severity, whether remediation is set to enable or disable, and whether the setting should appear as a failure in reports when the device does not support it.

Sliding the Preview All Items slide bar to the right displays a combined view of the enabled settings in the policy and all other available settings for reference.

Search Feature

A search feature is available to quickly find specific policy items. Click the checkbox next to a policy and click the Edit icon to bring up the policy editor. The name of a security setting can be typed in the Search in policy box, as shown below, to quickly find a security setting. Click on the link to the setting to open it. When viewing Policy Preview, a security setting can be typed in the Search in policy preview box to quickly locate whether a setting is enabled in the policy or not.

Quick Settings

Quick Settings are available in three locations to quickly enable settings to be set automatically for a main category, for a sub-category under a main category, or for the entire policy, instead of having to enable the settings individually for every security item. Settings that can be controlled include whether all security settings are enabled or disabled, the severity for each setting, whether remediation is enabled or disabled for each setting, and whether the settings indicate failed or not on reports if unsupported by a device.

POLICY CATEGORIES

The remainder of this document breaks down each policy category in Security Manager and describes each security setting in detail. Here is an index of the available categories and the security settings that reside in each.

Authentication
  Authentication Manager: Guest Access, Administrative Function Authentication, Job Storage Authentication, Print and Copy Authentication, Digital Services Authentication, EWS Authentication
  Credentials: Admin (EWS) Password, SNMPv1/v2, SNMPv3, File System Password, PJL Password, Remote Configuration Password, Bootloader Password, Service Access Code, Group 1 PIN, Group 2 PIN, Fax PIN Presence
  Authentication Services: 802.1x Authentication (wired), 802.1x Authentication (wireless), LDAP Server Authentication
  Certificate Management: Identity Certificate, CA Certificate
Device Control
  Stored Data: File Erase Mode, Retain Print Jobs, Stored Data PIN Protection, Retain Print Jobs After Reboot, Job Held Limit
  Logging: System Logging
  Control Panel: CP Lock, Control Panel Timeout, Display Job Status
  External Connections: Direct Connect Ports, Host USB Plug and Play, Retrieve from USB, Save to USB
  Device Security Checks: Check for Latest Firmware, Check for Latest Jetdirect Firmware, Secure Boot Presence, Intrusion Detection Presence, Whitelisting Presence
  General: Role Based Access Control, Assign Roles to User and Group, Erase Data, PJL Access Commands, Near Field Communication (NFC), Extended Signature Verification, Wi-Fi Direct, Wireless Direct Print, Fax Receive, Command Load and Execute, File System Access Protocols, Color Access Control, Disk Encryption Status, Secure Disk Password, Trusted Platform Module (TPM) Status, I/O Timeout, Fax Speed Dial Lock, Cancel Print Jobs
Device Discovery
  General: Service Location Protocol (SLP), IPv4 Multicast, LLMNR, WS-Discovery, Bonjour
Printing
  General: Standard TCP/IP Printing (P9100), AirPrint, LPD/LPR, Internet Print Protocol (IPP), Secure Internet Print Protocol (IPPS), Web Services Print (WS-Print), File Transfer Protocol (FTP), AppleTalk, DLC/LLC, Novell (IPX/SPX)
Digital Services
  Fax: Send Fax
  Folder: Send to Folder
  Email: Encryption, Signing, Send to Email (Digital Send), Email Alert, Incoming Email (POP3)
  General: Digital Send, Allow Access to LDAP Address Book, Web Scan
Network Security
  General: Internet Protocol Security (IPsec)/Firewall, Internet Protocol Security (IPsec)/Firewall Rule Configuration, FIPS 140 Compliance, Library Access Control, Windows, Verify Certificate for IPP/IPPS, Pull Printing, Enable WINS Port, WINS Registration, HP Connection Inspector, Enable Cross-site Request Forgery (CSRF) Prevention
Network Services
  Web: Web Encryption Settings, Require HTTPS Redirect, Cross Origin Resource Sharing, Embedded Web Server Access, Information Tab, Phone Home, Go Button, Cancel Button, Continue Button
  General: Novell Remote Config (RCFG), Telnet, TFTP Configuration File, HP Jetdirect XML Services, Certificate Management Service, Legacy Firmware Upgrade, Remote Firmware Upgrade (RFU), FTP Firmware Update, Firmware Downgrade, Device Announcement Agent

Authentication

Authentication settings control user access to the device and authorize capabilities. In addition, device authentication and credentials are also controlled. They assess user identity, which might include validating access methods to various print device features such as Copy, Send to Email, and various Job Storage settings.

Authentication Manager

This category assesses authentication for administrative functions (such as control panel, administration, new function execution), guest access, job storage, print and copy, and digital services (such as address book, send to email and send fax). Under EWS for older devices, it appears as Authentication Manager.

On Futuresmart and newer devices, it appears under EWS as Access Control under the Security tab. Access Control essentially replaces CP Lock on newer Futuresmart devices. The above pictures attempt to demonstrate where each setting in Security Manager resides under EWS for older and newer devices.

Guest Access

If enabled, guests have access to all of the device functions without providing any authentication such as a user PIN, Smart Card, LDAP, or Windows credentials. If disabled, credentials are required to access all of the device functions.

Note: If this item is disabled and other authentication methods are not set, access to the device functions might be denied.

Administrative Function Authentication

Requiring user authentication for access to the administrative functions of the device can prevent unauthorized changes. Select the check box to assess whether user authentication is set, then select the specific authentication methods required for each function.

Note: On some devices, you might also need to set control panel lock (Device Control) to prevent unauthorized configuration changes.

The options for each configuration setting are chosen from a drop-down menu, as seen below, that controls access to the setting.

Job Storage Authentication

Select the check box to assess whether user authentication is required for access to the job storage functions of the device, then select the specific authentication methods required for each function. For example, a user might be required to first enter the local password and then enter a Group One PIN to access the Job Storage functions of the device. The options for each configuration setting are chosen from a drop-down menu, as seen below, that controls access to the setting.

Print and Copy Authentication

Select the check box to assess whether user authentication is required for access to the print and copy functions of the device, then select the specific authentication methods required for each function. For example, a user might be required to first enter the local password and then enter a Group One PIN to access the Print functions of the device. The options for each configuration setting are chosen from a drop-down menu, as seen below, that controls access to the setting.

Digital Services Authentication

Select the check box to assess whether user authentication is required for access to the digital service functions of the device, then select the specific authentication methods required for each function. For example, a user might be required to first enter the local password and then enter a Group One PIN to access the Address Book functions of the device. The options for each configuration setting are chosen from a drop-down menu, as seen below, that controls access to the setting.

EWS Authentication

Select the check box to assess whether user authentication is required for access to the EWS functions of the device. Then select the specific authentication method for each function. If further authentication is required for a specific function, click the plus icon to add additional methods.

Credentials

Authenticate the admin (EWS) password, SNMPv1/v2, SNMPv3, bootloader password, device PIN, file system password, and PJL password to protect against unwanted access to the device.

Admin (EWS) Password

The Admin (EWS) Password feature helps protect the device from unauthorized access through remote applications such as the Embedded Web Server (EWS) or HP Web Jetadmin. With the Admin (EWS) Password configured, the device does not allow changes to configuration settings unless the correct password is provided. The Admin (EWS) Password is also called the Administrator Password or Device Password in some applications.

Keep in mind that the Jetdirect Security Configuration Wizard includes options to configure the Administrator Password. If you ran the Jetdirect Security Configuration Wizard first (as recommended), the Admin (EWS) Password is already configured.

Note: If you synchronize passwords using the HP Embedded Web Server (EWS), the Admin Password is also used by other configuration tools such as Telnet, SNMPv1/v2, and HP Web Jetadmin.

Account Lockout can be enabled to define how many incorrect attempts occur before lockout (3-30), the interval after which the attempt counter is reset ( seconds), the lockout duration ( seconds), and the minimum password length (0-16). Password Complexity ensures the password is complex enough that it cannot be easily compromised.

SNMPv1/v2

These settings provide support for specific tools that rely on SNMPv1/v2 for device discovery and status. If you select Read Only, enter the Read Community Name and then re-enter it to confirm. If you select Read and Write Enabled, enter the Read/Write Community Name, and then re-enter it to confirm.

Note: If you synchronize passwords using the HP Embedded Web Server (EWS), the Admin Password can also be used by other configuration tools such as Telnet, SNMPv1/v2, and HP Web Jetadmin.

According to the RFC for community names, a Read/Write Community Name can be used for performing both SNMP Set Requests and SNMP Get Requests. Thus, Security Manager attempts to use the Read/Write Community Name for Gets and Sets. Click Enable Default SNMPv1/v2 Credential Access if you want to allow the default community name public to be used for SNMP Get Requests.

SNMPv3

SNMPv3 employs a user-based security model (RFC 2574) and features user authentication and data privacy through encryption. To fully assess SNMPv3, you must typically create an SNMPv3 account on the device and implement the account information in the SNMPv3 management application. To create the account, provide a user name, an authentication key, a privacy key, and an encryption algorithm.

Note: If FIPS 140 is enabled, the SNMPv3 Encryption Algorithms must be set to SHA-1/AES. MD5/DES is not allowed.

Best Possible can be chosen to instruct Security Manager to choose the best Encryption Algorithm in accordance with other security settings that are enabled, such as FIPS 140.

File System Password

The File System Password prevents unauthorized users from making changes to the file system configuration options and from performing a secure storage erase. File System Passwords are no longer used on Futuresmart and newer devices.

The File System Password feature helps protect the MFP data storage system options from unauthorized access. With the File System Password configured, the MFP requires the password before it allows configuration of features that affect the data storage system. Some of these features are the File Erase Mode, the Secure Storage Erase feature, and the File System Access options. To configure the File System Password, type 8 or fewer characters into the Enter Password and Confirm Password fields.

PJL Password

Printer Job Language (PJL) commands provide two-way communication with the printer and can be used to change control panel settings.

Note: In order for Security Manager to assess the PJL Password item, the PJL Access Commands item must be set to Enable. Otherwise, assessment of the PJL Password cannot occur and the password will always be remediated, even if it matches.

The PJL Password feature helps protect the MFP from unauthorized configuration through PJL commands. It does not affect ordinary print jobs. Once the PJL password is configured, the MFP requires it before it will process any of these commands. The PJL password is different from the option to disable PJL Disk Access (another setting on the EWS Security page). Configure both settings for better security. Set the PJL password by typing any number between 1 and  into the Enter Password and Confirm Password fields.

Remote Configuration Password

By default, HP Digital Sending Software (DSS) uses the HP Embedded Web Server (EWS) administrator password to connect to the device. However, if the Remote Configuration Password is set on the device, HP DSS and other remote configuration tools use this password to connect. This allows administrators to use separate HP EWS and HP DSS administrator passwords. To enable (remediate), select the check box and then enter and confirm the Remote Configuration Password to use. To disable, clear the password fields and deselect the check box.

Bootloader Password

The bootloader password is used to prevent unauthorized access to the device's bootloader settings from the control panel. These settings control system-wide options such as cold resets, NVRAM and disk initialization, and clearing RFU errors. If improperly set, these options can severely impact the device's operation. On most devices, the bootloader password is not set by default.

Note: Once set, the bootloader password cannot be recovered if lost. Losing the password permanently prevents access to the bootloader settings. If you plan to use this password, HP recommends setting it individually on each device, rather than across multiple devices.

Knowledge of the existing bootloader password is required before a new bootloader password can be set. Therefore, the credential store allows an existing bootloader password to be added so it can be used to set the bootloader password to a new value. If Security Manager can change the password on the device, it stores the new password in the credential store for future bootloader password transactions. If the bootloader password is blank on the device, during remediation Security Manager sets whatever is entered in the policy as the bootloader password on the device and stores the new password in the credential store for future bootloader password transactions.

For cases where an existing bootloader password is set, the assessment behavior of Security Manager differs between older devices and newer Futuresmart devices. Older devices use SNMP to manage the bootloader password, and Security Manager can use SNMP to test an existing password on a device against one in a policy to know when to remediate. However, newer Futuresmart devices use web services to manage the bootloader password, and there is no technique by which Security Manager could test a password on a device against one in a policy. Therefore, Security Manager has no way of knowing whether to remediate or not. A checkbox is provided to Always Remediate if you want Security Manager to always set the value in the policy on the device, regardless of whether it matches. Because this could cause remediation reports to always indicate the password is being changed without knowing whether it really is out of compliance, another checkbox is present to Suppress reporting for the bootloader password.

Service Access Code

The Service Access Code is used to prevent unauthorized access to the device's Service menu from the control panel. It must be 8 digits long.

Note: Leave the Service Access Code fields blank to reset the Service Access Code to the factory default value.

Group One PIN / Group Two PIN

The device personal identification number (PIN) controls access to specific features from the control panel on devices prior to Futuresmart devices. You can assign specific features such as print or copy to a group (Group One or Group Two), and then assign the group to a specific PIN. When the PIN is

38 entered correctly, the features in the group are accessible. Both Group One PIN and Group Two PIN can be assessed and remediated. Fax PIN Presence When the FAX personal identification number (PIN) is set, the device holds all received FAX messages for printing until the PIN is correctly entered on the control panel. This password can only be assessed for presence only, it cannot be remediated as there is no technique over the network to read/test the value against one in a policy. Authentication Services Authenticate users on specific services, including 802.1x, LDAP server and Windows. 38

802.1x Authentication (wired)

This authentication method provides a port-based authentication protocol where a network port allows or blocks use depending on client authentication results. Select from the PEAP, LEAP, or EAP-TLS EAP/802.1X port-based authentication protocols.

Protected EAP (PEAP) is a mutual authentication method that uses digital certificates for network server authentication and passwords for client authentication. Lightweight EAP (LEAP) is a proprietary Cisco Systems protocol that uses passwords for mutual authentication (the client and the server authenticate each other); its MS-CHAP-style password exchange is exposed to offline dictionary attack, so prefer PEAP or EAP-TLS where the infrastructure supports them. Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is a mutual authentication protocol based on X.509v3-compliant digital certificates for authentication of both the client and the network authentication server.

Before assessing the PEAP or EAP-TLS authentication protocol, the certificate must be fully configured on the device and the associated server. Provide the 802.1X user name, the encryption strength, the authentication server name, whether to require an exact server name match, and the protocol.

Security Manager can provide a complete solution for adding devices to a protected 802.1x network, as it can not only remediate the 802.1x settings but also install the necessary certificates. The process used to set up devices may differ at each customer site. Some sites may use a staging area to configure devices before they join the protected network. Other sites may provide temporary access to the protected network, for example via whitelisting, until the devices can be configured to join via PEAP or EAP-TLS. In some situations, one installation of Security Manager can configure devices for 802.1x and install the necessary certificates. In other situations, two installations of Security Manager may be required to perform the same actions. It depends on how the network is set up and whether Security Manager will have access to both the devices and the CA server.

IEEE 802.1X Port Access Control is a generic framework that allows infrastructure devices to control an end node's access to the network. The end-node device must authenticate itself to the network before the local switch will grant it access. The end node has a valid link to the switch, but the only frames the switch will forward from the end node to the network are 802.1X Extensible Authentication Protocol (EAP) frames. Multiple protocols have been developed under the EAP framework. All HP Jetdirect products supporting 802.1X also support Protected EAP (PEAP). Many HP Jetdirect products also support EAP-Transport Layer Security (EAP-TLS). These two EAP flavors are the most popular for wired 802.1X deployments. Both protocols run SSL/TLS under EAP to authenticate the Authentication Server and set up a secure tunnel. A cornerstone of trust in SSL/TLS is the digital certificate. For PEAP and EAP-TLS, the Authentication Server sends a digital certificate which the supplicant attempts to validate. After a series of checks, the supplicant must establish that the certificate was issued by a trusted authority. If it passes that test, an SSL/TLS tunnel can be established. At this point, PEAP and EAP-TLS diverge. PEAP uses the tunnel to securely pass credentials, typically a username and password, to the Authentication Server via another protocol, while EAP-TLS uses a client digital certificate for authentication.

PEAP can be referred to as the password implementation of 802.1x: it requires an 802.1x username and password to authenticate onto the 802.1x network, plus a CA certificate so the device can trust the Certificate Authority that issued the RADIUS server's certificate. EAP-TLS can be referred to as the certificate implementation of 802.1x: it requires both a CA certificate and an identity certificate to authenticate onto the 802.1x network. It does not use the 802.1x username or password to authenticate; however, the device itself requires a username and password to enable 802.1x.

By default, Jetdirect sets the hostname of the device as the 802.1x username. If the 802.1x username is blank on the device and also blank in the Security Manager policy, during remediation Security Manager recognizes that the device is blank and sets the device hostname as the 802.1x username, since one is required on the device. This allows the 802.1x username to remain unique on each device, if desired. Otherwise, you can enter an 802.1x username into the Security Manager policy, and that same username will be set on all devices during remediation.

If the 802.1x Password is blank on the device, during remediation Security Manager sets whatever is entered in the policy as the 802.1x Password on the device. The 802.1x Password cannot be read from the device, nor is there a technique by which Security Manager can test a known password against what is set on the device. Therefore, if there is an existing 802.1x Password on the device, Security Manager has no way of comparing it to what is in the policy to know whether to remediate or not. A checkbox is provided to Always Remediate if it is desired for Security Manager to always set the value in the policy on the device regardless of whether it matches. Because this causes remediation reports to always indicate the password is being changed, without knowing whether it really is out of compliance, another checkbox is present to Suppress reporting for the 802.1x Password.

To remediate the 802.1x features on the device, the Authentication Failure item should be set to Connect Anyway (802.1x Failover) on the device. If Block Network (Secure Failure) is set, remediation is unsuccessful. Connect Anyway allows the device to participate on an unprotected network while the 802.1x parameters are being set up. If something fails while joining the protected network, the device remains reachable through the EWS so additional configuration attempts can be made. Otherwise, if Block Network is selected and something fails while joining the protected network, the device will no longer be reachable through the EWS and the 802.1x settings will have to be reset from the front panel of the device.

NOTE: After remediating the 802.1x feature on HP Officejet devices, the devices initially go into a Network Connection Error status until a Verify operation is performed again, after which the device comes online and appears with a Good status.

Reauthenticate on Apply just ensures the device attempts to authenticate onto the protected network after clicking Apply under EWS when changing 802.1x settings. Otherwise, the device will still attempt to reauthenticate under other scenarios, such as disconnecting and reconnecting the network cable.

While an Authentication Server name is required to be entered, it is only enforced if Require Server Name Match is checked. Without that check, the device accepts any server presenting a certificate from a CA it trusts, so enable it wherever the CA also issues certificates to other systems.

NOTE: Some devices, such as HP Officejets, may go into a Network Communication Error state after enabling 802.1x. Running a Verify task again will bring the devices back to a Good state.

802.1x Authentication (wireless)

This authentication method provides a port-based authentication protocol where a network port allows or blocks use depending on client authentication results. Select from the PEAP, LEAP, or EAP-TLS EAP/802.1X port-based authentication protocols. Protected EAP (PEAP) is a mutual authentication method that uses digital certificates for network server authentication and passwords for client authentication. Lightweight EAP (LEAP) is a proprietary Cisco Systems protocol that uses passwords for mutual authentication (the client and the server authenticate each other). Extensible Authentication Protocol Transport Layer Security (EAP-TLS) is a mutual authentication protocol based on X.509v3-compliant digital certificates for authentication of both the client and the network authentication server. Before assessing the PEAP or EAP-TLS authentication protocol, the certificate must be fully configured on the device and the associated server. Provide the 802.1X user name, the encryption strength, the authentication server name, whether to require an exact server name match, and the protocol.

LDAP Server Authentication

The Lightweight Directory Access Protocol (LDAP) server contains names and addresses. The device's digital sending feature can use this repository for user authentication.

Within the Security Manager Policy Editor you will notice a Shared Items configuration category. The Shared Items category is aptly named because it includes common configuration settings that can be shared by multiple policy items. The LDAP Settings configuration setting contains a drop-down to select from a pre-defined LDAP configuration. Click Edit to navigate down to the LDAP Settings under Shared Items to create a new LDAP configuration.

Once the desired configuration settings are in place, this policy item group can be saved as a Shared Item instance and used by any policy item that references these LDAP settings.

Certificate Management

Digital certificates are a primary foundation of security, providing authentication and encryption between two nodes. HP printers use certificates for authentication in a variety of use cases such as IPPS, IPsec, 802.1x, etc. Installing and managing certificates through a device's embedded web server (EWS) can be a tedious and time-consuming venture for a fleet of devices. Security Manager provides an excellent avenue for managing certificates on a fleet of devices.

Certificates can be used on HP printers to provide the following:

Authentication/trust - verifies the identity of a party, which ensures that information is only available to the intended audience.
Encryption - disguises information so that unauthorized readers are unable to decipher it.

The most common use of a digital certificate is to verify that a client sending a message is who it claims to be, and to provide the receiver with the means to encrypt a reply. In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified that the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

Identity Certificate

Identity certificates, which are issued by a certificate authority (CA), are used to prove identity and encrypt information. Select the check box to assess whether identity certificates are installed on the device, then enter the required identity certificate configuration information.

For the Certificate Signing Request (CSR) Source, select whether the CSR is generated by HP Security Manager or by the device. If HP Security Manager is selected, the CSR is generated and sent to the certificate authority (CA). When the certificate is returned, Security Manager installs it on the device. If the device is selected, Security Manager requests that the device generate the CSR, sends it to the CA, and then installs the certificate on the device.

One advantage of having Security Manager generate the CSR is that it may offer more selections for Key Length and Signature Algorithm than the device can generate on its own. On some devices, the device can accept more values for these fields in a certificate than it can generate itself in its own certificate request. Note that if Security Manager generates the CSR, it naturally has knowledge of the private key, but only temporarily. Once Security Manager retrieves the certificate from the CA, it places the certificate and the private key on the device and then removes all knowledge of the private key from Security Manager. When the device generates the CSR, the private key never leaves the device, since a CSR carries only the public key.

Choosing Best Possible as the CSR Source allows Security Manager to determine whether the device or Security Manager will generate the CSR. If the device supports generating the desired parameters in its own CSR, then Device is chosen as the source for that device. If the device does not support generating the desired parameters in the CSR, HP Security Manager is chosen as the source to generate the CSR for the device.

Security Manager handles all communications to the Certificate Authority (CA) on behalf of the device. Security Manager must have machine-to-machine access to the CA and the proper permissions to submit requests. By default this is the machine account of the Security Manager server, which represents the account (Network Service) under which the Security Manager service runs. For more information on configuring the CA to accept requests from Security Manager, see the whitepaper titled HP JetAdvantage Security Manager Certificate Authority Access.

The policy contains the name of the server running the CA, the Certificate Authority name itself, and the template name when using an Enterprise Microsoft CA. The template provides additional parameters not included in the certificate request. For the Certificate Authority Type, select whether the CA is standalone or enterprise. A standalone CA is optionally joined to Active Directory and, by default, requires manual approval of certificate requests. An enterprise CA must be in Active Directory and requires a template. By default, enterprise CA servers automatically approve certificate requests.

If remediation is enabled and a certificate is not installed, Security Manager requests and installs a valid certificate on the device. If a certificate is already installed, Security Manager verifies that it is valid and up to date.

The Subject Alternative Name field lets you specify additional names, beyond the subject common name, to be protected by a single SSL certificate. HP Security Manager must be chosen as the CSR Source in order to write the hostname, FQDN and IP address as SANs into the certificate. This means you can browse to the IP address, hostname or FQDN in a browser without receiving an error about the certificate not matching the subject. To see an example of Subject Alternative Names, browse to a printer's EWS page and click the padlock in the browser's address bar to examine the SSL certificate. In the certificate details you will find a Subject Alternative Name extension that lists the IP address, hostname and FQDN if this option was checked in Security Manager when installing identity certificates.

Newer devices, where certificates are unified and completely managed under the Security tab in EWS, allow reading whether SAN entries are present, so they can be compared to a policy and remediated if not matching. Reporting also indicates when SANs were remediated. However, older devices, where the identity certificate is managed under the Networking tab in EWS, do not allow reading whether SANs are present in the certificate, so they cannot be compared against the SANs setting in a policy and remediated if not matching. For these older devices, something else in the policy for identity certificates must be mismatched in order for Security Manager to remediate the SANs settings. In this case, SANs will still not appear in reporting as having been remediated.

If the Include Subject Alternate Name slider is enabled (to the right), the identity certificate will include the IP address, hostname, and FQDN as SANs. If the Domain Name box is populated, the User Principal Name (UPN) will also be included as a SAN in the certificate. The UPN is constructed by taking the 802.1x User name from the device and appending the domain name entered into the box, in the form <802.1x user name>@<domain name>. Including the UPN as a SAN is critical for 802.1x networks where the printers are created as User objects in Active Directory. If the printer is represented in Active Directory by a Computer account, then the FQDN becomes the critical SAN to include in the certificate. Support is also provided for Symantec and OpenTrust certificate authorities, as shown below.
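As an added example (not part of HP's documentation or of Security Manager), the following Python builds the subjectAltName extension described above for a constructed device and parses it back the way a compliance check on a newer device would, reporting which required entries are missing. The device name printer01, IP 10.0.0.5 and domain corp.example are constructed; the UPN is carried as the Microsoft principal-name otherName (OID 1.3.6.1.4.1.311.20.2.3), which is the form Active Directory expects, and the GeneralName tags follow RFC 5280.

```python
"""Encode and decode an X.509 subjectAltName with hostname, FQDN, IP and UPN.
Added example, not Security Manager code; names and addresses are constructed."""
import ipaddress

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit marks continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def encode_san(dns=(), ips=(), upn=None) -> bytes:
    """DER of SubjectAltName ::= SEQUENCE OF GeneralName."""
    names = b""
    for name in dns:
        names += _tlv(0x82, name.encode("ascii"))              # [2] dNSName
    for ip in ips:
        names += _tlv(0x87, ipaddress.ip_address(ip).packed)   # [7] iPAddress
    if upn:
        # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        value = _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, _tlv(0x06, _encode_oid(UPN_OID)) + value)
    return _tlv(0x30, names)

def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_san(der: bytes) -> dict:
    """Parse the SAN extension back into hostnames, IP addresses and the UPN."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    found, pos = {"dns": [], "ip": [], "upn": None}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            found["dns"].append(val.decode("ascii"))
        elif tag == 0x87:
            found["ip"].append(str(ipaddress.ip_address(val)))
        elif tag == 0xA0:                      # otherName: OID, then [0] EXPLICIT wrapper
            _, oid, nxt = _read_tlv(val, 0)
            _, wrapper, _ = _read_tlv(val, nxt)
            _, text, _ = _read_tlv(wrapper, 0)
            if _decode_oid(oid) == UPN_OID:
                found["upn"] = text.decode("utf-8")
    return found

def san_policy(ip, hostname, fqdn, x8021_user=None, domain=None) -> dict:
    """SAN set the policy expects: IP, hostname, FQDN, plus UPN when Domain Name is filled in."""
    upn = f"{x8021_user}@{domain}" if x8021_user and domain else None
    return {"dns": [hostname, fqdn], "ip": [ip], "upn": upn}

def missing_sans(der: bytes, policy: dict) -> list:
    """Entries the policy requires that the installed certificate's SAN lacks."""
    found = decode_san(der)
    missing = [f"DNS:{d}" for d in policy["dns"] if d not in found["dns"]]
    missing += [f"IP:{i}" for i in policy["ip"] if i not in found["ip"]]
    if policy["upn"] and found["upn"] != policy["upn"]:
        missing.append(f"UPN:{policy['upn']}")
    return missing

if __name__ == "__main__":
    policy = san_policy("10.0.0.5", "printer01", "printer01.corp.example", "printer01", "corp.example")
    print(decode_san(encode_san(policy["dns"], policy["ip"], policy["upn"])))
    print("missing:", missing_sans(encode_san(["printer01"], ["10.0.0.5"]), policy))
```

The otherName branch is the part hand-written checks most often get wrong: the UPN string sits inside an EXPLICIT [0] wrapper after the OID, not directly in the GeneralName, and a parser that skips that wrapper will report the UPN as absent on a certificate that actually carries it.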


CA Certificate

Select the check box to have Security Manager locate, view/install, or delete the CA certificate on the device. Click Browse to manually browse to the CA certificate file location.

A CA certificate tells Jetdirect which identity certificates should be trusted (i.e. they must be signed by that CA) when Jetdirect receives a certificate from another entity. Once a CA certificate is installed, any identity certificate signed by that certificate authority can be trusted. Installing CA certificates is a much simpler process than installing identity certificates. A CA certificate is merely exported from the CA server itself, then imported into Security Manager to be installed on the fleet. Since the CA certificate is not unique per device, other tools such as HP Web Jetadmin could also install the CA certificate on the fleet. However, Security Manager expands the functionality by supporting multiple CA certificates per device.

The Jetdirect CA certificate has traditionally been located under the Networking tab, in the same place as the identity certificate. Devices also support other types of CA certificates under the Security tab. When the device connects securely to a server such as LDAP or SMTP, the CA certificates under the Security tab are used to verify the authenticity of the server so that data is not exchanged with an imposter. Newer HP devices such as the HP LaserJet M604/605/606, HP Color LaserJet MFP M577, HP Color LaserJet M552, and others began to unify the location of CA certificates previously located in these two separate places under EWS. Both the Jetdirect and device CA certificates have been combined under the Security tab. For devices that have unified these certificates into one location, Security Manager supports installing multiple CA certificates. Simply click the + symbol to create a new entry, browse to the location of the certificate and upload it.

NOTE: For devices that do not support this unification of Jetdirect and device CA certificates and still place the Jetdirect CA certificate on the Networking tab under EWS, the first certificate in the list in the policy will be installed under the Networking tab of the device, while all of the certificates will be installed under the Security tab.

Security Manager by default performs an append operation, meaning that if the certificates in the policy are missing on the device they will be installed, but existing certificates on the device not in the policy will remain untouched. A replace operation can be performed by checking the box titled Remove certificates from device not present in policy. If this box is checked, existing certificates on the device not in the policy will be removed. Append mode therefore never revokes a CA the device already trusts; use the replace operation when the policy is meant to be the device's complete trust list.

Device Control

Device Control settings assist with security related to print jobs, specific device functionality and local device access. Some of these settings must be enabled for device solutions to function properly. Assess direct connect ports, control panel lock, control panel timeout, command load and execute, file erase mode, external disk access, disk encryption status, and retaining print jobs.

Stored Data

Assess various stored data settings such as file erase mode, whether to retain print jobs and how long to hold them, and the use of PIN protection.

File Erase Mode

File Erase Mode enables the MFP to overwrite the HDD sectors containing a file's data whenever files are deleted, so that the original data cannot be recovered. For secure erase, you might need to set the File System Password to remediate the device.

Non-Secure Erase - removes access, but the actual data remains on the disk. Although this is the fastest method, it offers no security.
Secure Fast Erase - removes access, and the data is overwritten with a specific data pattern. Although this method is slower than Non-Secure Erase, it provides security.
Secure Sanitizing Erase - removes access, and the data is overwritten repeatedly with an algorithm that prevents residual data persistence. This method affects performance. However, it is the most secure erase method.

Threats: HDDs can retain file data in individual sectors which can be recovered using specialized software. User configurations and job data are at risk.

Retain Print Jobs

Job retention allows storage of print and fax jobs until you can be present to print them. Select the check box to assess whether print and fax jobs are retained on the device.

Job Held Timeout - sets the maximum time to store a temporary print job before deleting it (does not apply to stored fax jobs). Select from 1 hour, 4 hours, 1 day, 1 week, or never delete. This allows the printer to automatically clean up jobs that have been forgotten (held but never released). This only applies to temporary held jobs such as Personal, Quick Copy, and Proof and Hold. This is a global timer that only affects jobs sent after it is set.

Standard Job Held Timeout - sets the maximum time to store all standard stored jobs (both Private and otherwise) on the device before deleting them. Standard stored jobs include Save to Device Memory jobs and jobs sent from a print driver in Stored Job mode.

NOTE: When the Retain Print Jobs box is checked, Security Manager also automatically checks the boxes for Stored Data PIN Protection, Retain Print Jobs After Reboot, and Job Held Limit.

Threats: Jobs not deleted by a timeout are left on the HDD indefinitely and are vulnerable to disk access (when disk access protocols are not disabled) or release by unauthorized users.

Stored Data PIN Protection

Print jobs stored on the device can be protected by a personal identification number (PIN). Select the check box to assess whether print jobs are protected. Then select the specific situations where the PIN is required, such as printing, storing, or saving the print job to memory. In addition, a PIN can be required to access print jobs managed by the print driver.

PIN Required to store a print job to device memory - All Save To Device Memory jobs must be PIN protected; jobs without a PIN are not allowed to start. The PIN check box is not visible because it is always enabled when this feature is enabled. The PIN does not have to be a particular length when this feature is used by itself.

PIN Required for Print Driver Stored Jobs - Jobs cannot be stored on the device unless they have a PIN assigned to access the job.

Cancel stored jobs without a PIN - All print jobs not previously saved via the Save To Device Memory app that do not have a PIN will be canceled upon being sent to the printer or being printed. A warning icon will appear and the status message will tell the user the job has been canceled. In Job Status, the details of the cancellation will refer to this feature.

All PINs must be 4 digits - The PIN must be 4 digits in length before the job can be stored.

Retain Print Jobs After Reboot

The job retention item controls whether print jobs are retained on the device after it is restarted. Select the check box to assess this item, and then select whether to enable or disable job retention. By default, all temporary stored jobs sent from a print driver are deleted at reboot. This feature provides a configuration option to retain these stored jobs after a power cycle. Changes to this option immediately affect existing stored jobs (if the feature is turned on, all stored jobs will be preserved, even those that were stored when the feature was turned off).

Job Held Limit

This item sets the maximum number of print jobs that are retained on the device's hard disk. If the maximum is reached, older retained print jobs are deleted. Select the check box to assess this item, then enter the maximum number of print jobs (up to 100). This feature applies to "Permanent Jobs" (stored jobs initiated through the print driver, Save to Device Memory jobs and Secure jobs). Note: Fax jobs are NOT affected by this setting.

Logging

Assess whether computer system logging is set on the device.

System Logging

When activated, system logging captures event messages from specific devices such as printers/MFPs. Select the check box to assess whether system logging is set on the device. If system logging is enabled, provide the server name, protocol, and other configuration information.

Server Name - IP address of the syslog server. If set via BOOTP, an SNMP set will fail; if not set via BOOTP, an SNMP set will succeed. The value is saved across warm boots and power cycles. BOOTP will always overwrite SNMP-set values.

Communication Protocol - Protocol used to communicate with the syslog server. Default is UDP. Choices are TCP or UDP. Syslog over UDP is unacknowledged, so dropped events are lost silently; TCP at least guarantees delivery to the collector.

Server Port - Syslog server port. Default is port 514. Possible values include .

Maximum Messages per Minute - Maximum number of syslog packets to be sent per minute. 0 = Disabled. Possible values include .

Priority - Priority below which syslog messages will not be sent. Valid priority levels are 0 through 7. 8 = Disabled.

Logging Facility - The syslog facility is used to separate log messages by application or by function.

Control Panel

Assess various control panel settings such as control panel lock, control panel timeout, and whether to display the job status.
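As an added illustration (not Security Manager or Jetdirect code), the following Python models how the settings above shape what actually leaves the device: the PRI value computed from facility and severity, the Priority threshold, and the per-minute cap, applied offline to constructed events. It assumes that "priority below which messages will not be sent" means events whose syslog severity number is higher than the configured value (i.e. less important) are dropped, that 8 disables logging, and that a Maximum Messages per Minute of 0 means no cap; the host name printer01, server address and the events are constructed.

```python
"""Model of the Jetdirect syslog settings: PRI, priority threshold, per-minute cap.
Added example, not vendor code. Threshold semantics and the meaning of 0 for the
per-minute cap are assumptions stated in the lead-in; hosts and events are constructed."""
from dataclasses import dataclass, field

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "lpr": 6, "local0": 16, "local7": 23}
DISABLED = 8   # the page's "8 = Disabled" for the Priority setting

def pri(facility: int, severity: int) -> int:
    """RFC 3164 / RFC 5424 PRI value: facility * 8 + severity."""
    return facility * 8 + severity

def format_message(facility: int, severity: int, timestamp: str, hostname: str, tag: str, text: str) -> bytes:
    """BSD-style syslog line as it would be sent to UDP/TCP port 514."""
    return f"<{pri(facility, severity)}>{timestamp} {hostname} {tag}: {text}".encode()

@dataclass
class SyslogPolicy:
    server: str = ""                    # blank server name: logging not configured
    protocol: str = "UDP"               # UDP or TCP
    port: int = 514
    max_per_minute: int = 0             # assumption: 0 = no rate limit
    priority: int = DISABLED            # 0-7 = send up to this severity; 8 = disabled
    facility: int = FACILITY["lpr"]     # printer subsystem facility (constructed choice)
    _sent_this_minute: int = field(default=0, repr=False)

    def should_send(self, severity: int) -> bool:
        """Apply server presence, the priority threshold and the per-minute cap, in that order."""
        if not self.server or self.priority == DISABLED:
            return False
        if severity > self.priority:    # numerically higher severity = less important
            return False
        if self.max_per_minute and self._sent_this_minute >= self.max_per_minute:
            return False
        self._sent_this_minute += 1
        return True

    def new_minute(self) -> None:
        self._sent_this_minute = 0

def deliver(policy: SyslogPolicy, events) -> list:
    """Run (severity_name, text) events through the policy; return the wire messages that would go out."""
    out = []
    for sev_name, text in events:
        sev = SEVERITY[sev_name]
        if policy.should_send(sev):
            out.append(format_message(policy.facility, sev, "Jan  1 00:00:00", "printer01", "jetdirect", text))
    return out

if __name__ == "__main__":
    p = SyslogPolicy(server="10.0.0.50", priority=SEVERITY["warning"], max_per_minute=2)
    for m in deliver(p, [("err", "paper jam"), ("info", "job printed"),
                         ("crit", "disk failure"), ("alert", "intrusion")]):
        print(m.decode())
```

With the threshold at warning and a cap of two messages per minute, the info event is dropped by the threshold and the alert is dropped by the cap, so the collector sees the error and the critical event only; a detection engineer tuning a printer log source should expect exactly that kind of gap and set the cap accordingly.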

Control Panel Lock

The control panel access lock can prevent unauthorized configuration changes to the device from the control panel. If enabled, select the security level. (Note: On some devices, you might also need to set administrative function authentication for the control panel (Authentication Manager) to prevent unauthorized configuration changes. The RETRIEVE JOB menu requires a PIN to access for all levels except Unlock.)

Unlock - Allows access to all setting levels.
Minimum - The SYSTEM SETUP, I/O, and RESETS menus are locked.
Moderate - In addition to the Minimum level, the CONFIGURE DEVICE and DIAGNOSTICS menus are locked.
Intermediate - In addition to the Minimum and Moderate levels, the PAPER HANDLING menu is locked.
Maximum - In addition to the Minimum, Moderate, and Intermediate levels, the INFORMATION menu is locked.

To summarize, the control panel lock feature provides these options for removing specific types of menus from the control panel:

Unlock - Allows access to all settings.
Minimum Menu Lock - Removes only the system settings menus that affect the MFP on the network.
Moderate Menu Lock - Removes all settings menus other than those for specific jobs.
Intermediate Menu Lock - Removes the paper handling menu and all settings menus other than those for specific jobs.
Maximum Menu Lock - Removes all configuration settings menus.

Selecting Moderate Menu Lock allows users to work with their own jobs, but they will not be able to interfere with the jobs of others.

Control Panel Timeout

Select the check box to assess the control panel timeout. The possible range is from 10 to 300 seconds. This setting determines how long the control panel waits after a job before an inactivity timeout resets the control panel and/or logs out the current user.

Threats: Spoofing Identity can occur if a user remains logged in when leaving the device.

Display Job Status

When enabled on the device, print job status is displayed on the control panel. By default, HP printing and imaging devices are configured so that a walk-up guest can view current job status and job log entries at the front panel. This includes the ability to view, cancel, and promote all print, fax, copy and other jobs. The ability to print the job log is also available. Job Status security audit concerns range from deletion of needed accounting software job log entries to the malicious cancelling of pending critical print jobs. As a best practice, it is recommended to disable Job Status capabilities at the front panel or, at a minimum, to implement authentication for certain front panel tasks.

External Connections

Assess external device settings for ports, USB plug and play, and retrieving from or storing to a USB drive.

Direct Connect Ports

Direct Connect Ports (such as USB or RS-232) provide direct hardware connections to the device. If these ports are active, walk-up users can access the device through a direct connection. In addition, the device is open for file access and firmware upgrade.

HP LaserJet printers have direct ports available for printing other than the network port. USB ports are the most common, and on some older printers parallel and serial ports are also available. Walk-up USB printing is a feature found on the latest HP LaserJet printers. Unlike a USB printer connection to a PC, this feature allows users to print supported file formats (.pdf, .prn, .pcl, .ps, .cht) directly from a supported USB storage device. Users can bypass server-based print queues and customized print drivers via this method of printing. Printer firmware can also be upgraded through the USB port.

Although this is a very convenient, somewhat mobile way of printing, some security concerns should not be ignored. For example, .prn is one of the supported USB print file formats, and in addition to the proper print format it could include malicious embedded PJL commands. PJL (Printer Job Language) is an extension of PCL (Printer Command Language) which allows control of the device at the print job level. Local firmware upgrades are also possible through the USB port. If malicious firmware were installed through the local USB port, it would be nearly impossible to detect on a printer's embedded system.

Each time the printer is powered on, it performs a boot-up sequence. During the boot-up sequence, the printer detects all installed USB storage devices and configures them in a standard way for HP and non-HP applications. Users who leave USB storage devices installed during this boot-up sequence will notice that the printer stores folders and files on the device. Users who do not want files written to the USB storage device must be careful to remove the USB storage device from the printer during the boot-up sequence. The USB mass storage device cannot interact with the printer's network card or transfer data to the network.

To use only the network port for printing, disable all active direct ports. If the direct ports are active (the default setting), choosing to disable them will power cycle the printer. The power cycle sequence must complete before the remediation task can report success. Keep this necessary increase in remediation time in mind when including the disabling of direct connect ports as part of your security policy.

Host USB Plug and Play

The Host USB Plug and Play feature allows the device to access USB accessories that are connected by walk-up users, such as scanning to or saving to a USB storage device.

Legacy products support disabling the Direct Ports, which prevents users from printing directly from a computer through those ports. When this setting is disabled, printing to that device is only allowed through a network connection. Host USB Plug and Play supports disabling the host USB ports on the device that are used to plug in USB accessories such as a USB storage device. If these ports are disabled, control panel applications that require them, such as Save to USB, are not allowed. To print from a computer directly to the device over a USB connection, the Device USB port must be enabled. To use USB accessories, such as scanning to a USB storage device, Host USB Plug and Play must be enabled.

Device Security Checks

Assess device security checks: whether the device and its Jetdirect card are at the latest firmware, and whether the Secure Boot, Intrusion Detection and Whitelisting protections are present.

Check for Latest Firmware

This item is used to determine whether the printer/MFP is currently at the latest firmware version. Running the latest firmware ensures the device is better protected from security threats. Security Manager uses an index file at the following location, which HP Web Jetadmin also uses, to determine the most recent firmware versions available for devices: ftp://ftp.hp.com/pub/networking/software/pfirmware

Security Manager does not remediate or download firmware to the device; it merely reads the device's firmware version and compares it with the latest version listed for that device in the pfirmware.glf index file, which is retrieved over an HTTPS connection. If the current firmware version does not match the latest version in pfirmware.glf, an assessment failure is shown.

There are three options that dictate how Security Manager obtains the index used for the comparison: File, Web (hp.com), and Best Possible.

Web (hp.com) provides the best accuracy, as a real-time query is made to the ftp location to ensure the most recent data is being read. However, this accuracy involves a query outside the company firewall, which may not be desired or possible on the server.

File allows the pfirmware.glf file to be downloaded manually, at any desired frequency, from any client with web access and then uploaded into Security Manager for use in assessments. This eliminates the need for Security Manager to query outside the firewall, as it merely reads the uploaded file, but accuracy is only as good as how recently the file was uploaded.

Best Possible combines both techniques: Security Manager attempts to gather the most recent pfirmware.glf file from the web, but falls back on an earlier downloaded index file, or on the user-provided pfirmware.glf file, when web connectivity is not available.

By default, Security Manager queries the web for the pfirmware.glf file at most every 24 hours: it uses what was previously downloaded for up to 24 hours before querying the web again for a more current file. The threshold can be changed in the following file:

C:\Program Files (x86)\HP JetAdvantage Security Manager\HPSM_Service.exe.config

Change the following key to define the threshold (hours:minutes:seconds). The default is 24 hours:

<add key="firmwareindexupdatethreshold" value="24:0:0" />

Check for Latest Jetdirect Firmware

This item is used to determine whether the Jetdirect device in the printer/MFP is currently at the latest firmware version. Running the latest firmware ensures the device is better protected from security threats. Security Manager uses an index file at the following location, which HP Web Jetadmin also uses, to determine the most recent firmware versions available for Jetdirect devices: ftp.hp.com/pub/networking/software/jetdirect/firmware

Security Manager does not remediate or download firmware to the device; it merely reads the device's Jetdirect firmware version and compares it with the latest Jetdirect version listed in the firmware.glf index file, which is retrieved over an HTTPS connection. If the current Jetdirect firmware version does not match the latest version in firmware.glf, an assessment failure is shown.

The File, Web (hp.com) and Best Possible options, the 24-hour refresh threshold, and the firmwareindexupdatethreshold key in HPSM_Service.exe.config behave exactly as described under Check for Latest Firmware above; only the index file differs (firmware.glf instead of pfirmware.glf).
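The index-selection logic above (File, Web (hp.com) and Best Possible, with the 24-hour firmwareindexupdatethreshold window) applies to both the device firmware and the Jetdirect firmware checks. The following is an added example written for this page, not HP's or Security Manager's own code. Because the .glf layout is not documented here, the index is modelled as a constructed "model -> latest version" dictionary; FakeClock, fetch_web, assess_firmware and the "No index entry" outcome are assumptions of the example, while the pass/fail wording follows the text.

```python
"""Added example (not HP's or Security Manager's code): the File / Web (hp.com)
/ Best Possible index modes and the firmwareindexupdatethreshold refresh window
for the device and Jetdirect firmware checks. The .glf layout is not documented
on this page, so the index is a constructed "model -> latest version" dict."""
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, Optional

Index = Dict[str, str]          # assumed stand-in for pfirmware.glf / firmware.glf


class Mode(Enum):
    FILE = "File"
    WEB = "Web (hp.com)"
    BEST_POSSIBLE = "Best Possible"


def parse_threshold(value: str) -> timedelta:
    """'24:0:0' as written in HPSM_Service.exe.config -> hours:minutes:seconds."""
    hours, minutes, seconds = (int(p) for p in value.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


class FakeClock:
    """Controllable clock so the 24-hour window can be exercised without waiting."""
    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, delta: timedelta) -> None:
        self.now += delta


class FirmwareIndex:
    def __init__(self, mode: Mode, fetch_web: Callable[[], Index],
                 user_file: Optional[Index] = None,
                 threshold: timedelta = parse_threshold("24:0:0"),
                 clock: Callable[[], datetime] = datetime.now) -> None:
        self.mode, self.fetch_web, self.user_file = mode, fetch_web, user_file
        self.threshold, self.clock = threshold, clock
        self._cached: Optional[Index] = None
        self._cached_at: Optional[datetime] = None
        self.source = "none"            # where the last index came from (audit trail)

    def _from_web(self) -> Index:
        index = self.fetch_web()        # may raise OSError when hp.com is unreachable
        self._cached, self._cached_at = index, self.clock()
        self.source = "web"
        return index

    def get(self) -> Index:
        if self.mode is Mode.FILE:
            if self.user_file is None:
                raise RuntimeError("File mode selected but no .glf file was uploaded")
            self.source = "file"
            return self.user_file
        if self.mode is Mode.WEB:
            return self._from_web()     # no fallback: a failure is an error
        # Best Possible: reuse the download while it is younger than the threshold
        if self._cached is not None and self.clock() - self._cached_at < self.threshold:
            self.source = "cache"
            return self._cached
        try:
            return self._from_web()
        except OSError:
            if self._cached is not None:    # stale but better than nothing
                self.source = "stale-cache"
                return self._cached
            if self.user_file is not None:  # the manually uploaded file
                self.source = "file"
                return self.user_file
            raise


def assess_firmware(index: Index, model: str, device_version: str) -> str:
    """Assessment outcome for one device; the text defines only pass and fail."""
    latest = index.get(model)
    if latest is None:
        return "No index entry"
    return "Passed" if device_version == latest else "Failed - Value Mismatch"
```

The point worth noticing is the Best Possible branch: a fresh cache is served without any outbound query, and an unreachable hp.com degrades to the stale download and then to the uploaded file rather than failing the assessment, which is exactly why its accuracy depends on how old those fallbacks are.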

Secure Boot Presence

Secure Boot is a security solution that verifies device firmware after power-on, before it is executed. This feature (HP Sure Start) validates preboot firmware and UEFI applications, including the OS loader. The printer's BIOS is a set of boot instructions that initializes hardware components and loads the HP FutureSmart firmware. HP Sure Start validates the integrity of the BIOS image using a SHA-256 hash signed with HP's digital signature. If validation of the primary BIOS image fails, a protected Golden Copy is used to boot the device, providing a self-healing capability. HP Sure Start depends on a hardware component and is only available on devices introduced in Spring 2015 or later.

Note: This cannot be turned on or off by user selection on the device.

Intrusion Detection Presence

Intrusion detection is a security solution through which an admin can proactively detect and be alerted to malicious code and virus attacks across HP devices, to maintain the security, integrity and uptime of the fleet. Intrusion Detection detects potential malware intrusions in system memory. Firmware runs in the background to validate the memory space and reboots the device if a possible intrusion is detected. If the Auto-recover feature is disabled, or a possible intrusion occurs twice within 30 minutes, the device reboots and holds at the preboot menu to prevent a potential malware exploit from executing. The device will attempt to wait until in-process print jobs have been cancelled before rebooting.

Note: This cannot be turned on or off by user selection on the device.

Whitelisting Presence

Whitelist refers to the list of CA certificates stored in the device certificate store against which digital signatures are validated. DLLs and EXEs are allowed to load only if they are signed with a certificate that chains back to a certificate in the whitelist. Whitelisting validates the integrity of firmware system files during the load process using a SHA-256 hash signed with HP's digital signature. If validation fails, the device reboots and holds at the preboot menu to prevent a potential malware exploit from executing. Digital signatures for HP and third-party solutions residing on the printing device are validated using a SHA-256 hash for HP firmware and a SHA-1/SHA-256 hash for third-party firmware. If validation fails during the load of HP firmware, the device reboots. If validation fails during the load of third-party solution firmware, that firmware is not loaded, to prevent a malware exploit.

Note: This cannot be turned on or off by user selection on the device.

General

Role Based Access Control

This feature affects the Access Control feature found under the Security tab in the EWS. Custom roles can be created, and permission sets can be assigned to any role to dictate what functionality exists for that role on the control panel or in the EWS.

NOTE: When the device already has 20 custom roles and Security Manager tries to append more, the device may throw an error depending on the model, and a Write Verification Failed error is posted. Also, role names on a device are case-insensitive, but Security Manager treats them as case-sensitive. Therefore, if you create two separate roles with the same name in different case (e.g. Test and test), a Write Verification Failed error appears during remediation.

Assign Roles to User and Group

This feature affects the Access Control feature found under the Security tab in the EWS. Built-in or custom roles can be assigned to users or groups; a custom role can only be assigned if it was created in the same policy.

Erase Data

If the Erase Data item is enabled on the device, ALL settings, including configuration information and stored certificates, are erased on the next cold reset. To retain certificates across a cold reset, disable this setting. If Security Manager is being used to automatically manage certificates, this setting is less important than it would be if certificates were handled through the manual EWS process.

PJL Access Commands

Select the check box to assess whether access to PJL commands is restricted. If set to Disable, the HP Embedded Web Server (EWS) restricts access to PJL commands.

Note: In order for HP IPSC to assess the PJL Password item, the PJL Access Commands item must be set to Enable. Otherwise, assessment of the PJL password cannot occur and the password will always be remediated, even if it matches.

PJL is unique compared to all other configuration items. To implement the match function, Security Manager connects on port 9100 and uses the PJL access commands to change a PJL timeout value; if the value changes, the password matches. Security Manager then changes the timeout back to its original value. If no password is set, the process is very fast, as SNMP reports whether a password is set. If port 9100 is closed, or the PJL access commands are disabled, the match logic is skipped and Security Manager remediates the password to ensure it matches the policy.

When the PJL Device Access Commands setting is disabled on the device, the following PJL commands are no longer executed:

PJL Command            Description
DEFAULT                Sets default values for environment variables.
OPMSG, RDYMSG, STMSG   Ready, Status and Operator messages.
DMINFO, DMCMD          SNMP over PJL commands.
INITIALIZE             Resets PJL values to factory default.
SET                    Sets an environment variable to the specified value for the duration of a PJL job.
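The port 9100 "match" probe described above is easy to misread, so here it is as an added example, written for this page and not Security Manager's or HP's code. It uses the PJL job syntax from the HP PJL Technical Reference (UEL, @PJL JOB PASSWORD=, DEFAULT, DINQUIRE, EOJ) against a pluggable transport: raw9100 for a real device, or the constructed FakePrinter for offline use. The probe values 16/17, the transport design and FakePrinter's behaviour are assumptions of the example.

```python
"""Added example (not HP's or Security Manager's code): the PJL password
"match" probe, against a real printer on TCP 9100 or the constructed
FakePrinter below. PJL syntax follows the HP PJL Technical Reference."""
import re
import socket
from typing import Callable, List, Optional

UEL = b"\x1b%-12345X"           # Universal Exit Language: brackets every PJL job
PROBE_VAR = "TIMEOUT"           # the variable Security Manager toggles and restores

Transport = Callable[[bytes], bytes]   # bytes sent -> bytes received


def raw9100(host: str, port: int = 9100, timeout: float = 5.0) -> Transport:
    """Transport for a real device: one TCP connection per PJL job."""
    def send(payload: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            chunks: List[bytes] = []
            try:
                while chunk := s.recv(4096):
                    chunks.append(chunk)
                    if b"\x0c" in chunk:   # a DINQUIRE reply ends with form feed
                        break
            except socket.timeout:         # a job with nothing to say just times out
                pass
        return b"".join(chunks)
    return send


def pjl_job(commands: List[str], password: Optional[int] = None) -> bytes:
    """Wrap commands in a PJL job; JOB PASSWORD= unlocks password-protected DEFAULTs."""
    job = "@PJL JOB" + (f" PASSWORD={password}" if password is not None else "") + "\r\n"
    body = "".join(f"@PJL {c}\r\n" for c in commands)
    return UEL + b"@PJL\r\n" + (job + body + "@PJL EOJ\r\n").encode("ascii") + UEL


def dinquire(send: Transport, var: str) -> Optional[str]:
    """Read the stored default of a PJL variable; None if the device did not answer."""
    reply = send(pjl_job([f"DINQUIRE {var}"])).decode("ascii", "replace")
    m = re.search(rf"^{var}=(\S+)", reply, re.MULTILINE)
    return m.group(1) if m else None


def pjl_password_matches(send: Transport, candidate: int) -> Optional[bool]:
    """True/False when the probe is conclusive. None means PJL gave no answer
    (port 9100 closed): the match is skipped and the password is remediated.
    A device with PJL access commands disabled ignores DEFAULT, so the probe
    reports False and the password is remediated even if it was right."""
    original = dinquire(send, PROBE_VAR)
    if original is None:
        return None
    probe = "16" if original != "16" else "17"      # any value != original
    send(pjl_job([f"DEFAULT {PROBE_VAR}={probe}"], candidate))
    changed = dinquire(send, PROBE_VAR) == probe
    if changed:                                     # leave the device as found
        send(pjl_job([f"DEFAULT {PROBE_VAR}={original}"], candidate))
    return changed


class FakePrinter:
    """Constructed stand-in for a device with a PJL password (not HP firmware)."""
    def __init__(self, password: Optional[int], access_commands: bool = True):
        self.password, self.access_commands = password, access_commands
        self.defaults = {"TIMEOUT": "15"}

    def __call__(self, data: bytes) -> bytes:
        out, unlocked = [], self.password is None
        for line in data.replace(UEL, b"").decode("ascii").splitlines():
            m = re.match(r"@PJL (\w+)\s*(.*)", line.strip())
            if not m:
                continue
            cmd, arg = m.group(1), m.group(2)
            if cmd == "JOB":
                pw = re.search(r"PASSWORD\s*=\s*(\d+)", arg)
                unlocked = unlocked or (pw is not None and int(pw.group(1)) == self.password)
            elif cmd == "EOJ":
                unlocked = self.password is None
            elif cmd == "DINQUIRE":
                out.append(f"@PJL DINQUIRE {arg}\r\n{arg}={self.defaults.get(arg, '?')}\r\n\x0c")
            elif cmd == "DEFAULT" and self.access_commands and unlocked:
                var, val = (p.strip() for p in arg.split("=", 1))
                self.defaults[var] = val
        return "".join(out).encode("ascii")


if __name__ == "__main__":
    dev = FakePrinter(password=1234)
    print("1234 matches:", pjl_password_matches(dev, 1234))   # True
    print("9999 matches:", pjl_password_matches(dev, 9999))   # False
    # Against a real device: pjl_password_matches(raw9100("192.0.2.10"), 1234)
```

Two practical points follow from the code: the probe is a write to the device (DEFAULT changes a persistent value and then restores it), so it should run only from the Security Manager host the fleet already trusts on port 9100; and the FakePrinter with access_commands=False shows why the page says the PJL password is "always remediated" when PJL Access Commands is disabled, because the probe can no longer distinguish a correct password from a wrong one.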

Near Field Communication (NFC)

HP Near Field Communication (NFC) allows simple device-to-device touch printing with NFC-enabled mobile devices. NFC capabilities enable an easy one-to-one HP wireless direct print connection using a simple device-to-device touch. Users can quickly connect to the printer and print documents and images from a mobile device, such as a smartphone or tablet, by touching the mobile device to the NFC antenna on the printer. Use this option to enable or disable the NFC feature on the printer.

NFC is a short-range wireless RFID technology that makes use of interacting electromagnetic radio fields instead of the direct radio transmissions used by technologies such as Bluetooth. It is meant for applications where a physical touch, or close to it, is required in order to maintain security. NFC is planned for use in mobile phones for, among other things, payment in conjunction with an electronic wallet, and for setting up connections between Bluetooth devices (rendering the current manual Bluetooth pairing process obsolete). Near Field Communication is sometimes referred to as tap-to-print or touch-to-print and gives mobile devices the ability to print directly to NFC-capable printers without connecting to the network.

New users of near field communication, especially for payment purposes such as storing credit card information, are understandably concerned at first about the security and safety of their private information. Possible attacks include eavesdropping, data corruption or modification, interception attacks, and physical theft. Below we cover the risks and how NFC technology works to prevent such breaches.

Eavesdropping is when a criminal listens in on an NFC transaction; the criminal does not need to pick up every single signal to gather private information. Two properties limit eavesdropping. First there is the range of NFC itself: since the devices must be very close to exchange signals, an eavesdropper has a limited range to work in. Then there are secure channels: when a secure channel is established, the information is encrypted and only an authorized device can decode it. NFC users should ensure the companies they do business with use secure channels.

Data corruption and manipulation occur when a criminal manipulates the data being sent to a reader, or interferes with it so that it is corrupted and useless when it arrives. To prevent this, secure channels should be used for communication. Some NFC devices listen for data corruption attacks and stop them before they get going.

Interception attacks take this one step further: a person acts as a middleman between two NFC devices and receives and alters the information as it passes between them. This type of attack is difficult and less common. To prevent it, devices should be in an active-passive pairing, meaning one device receives information and the other sends it, instead of both devices receiving and passing information.

No amount of encryption can protect a consumer from a stolen phone. If a smartphone is stolen, the thief could theoretically wave the phone over a card reader at a store to make a purchase. To avoid this, smartphone owners should keep tight security on their phones: with a password or other type of lock that appears when the screen is turned on, a thief may not be able to figure out the password and thus cannot access sensitive information on the phone. While it may seem that NFC opens up a world of new security risks, it may actually be safer than a credit card. If a user loses her credit card, a criminal can read the card and find out the owner's information. If that same person loses her smartphone and has it password protected, the criminal cannot access any private information. Through data encryption and secure channels, NFC technology can help consumers make purchases quickly while keeping their information safe at the same time.

Extended Signature Verification

When checked, the product performs additional integrity checks on a solution at installation time and when the solution runs. Some embedded solutions may not load properly if extended signature verification is enabled.

Wi-Fi Direct

HP Wi-Fi Direct printing provides the ability to print from a mobile device, such as a smartphone or notebook computer, directly to a printer without connecting to a Wi-Fi network. The mobile device must be within range of the printer. Use this option to configure the settings that are used to connect the mobile device to the printer.

The printer accepts all Wi-Fi connections. When Connection Method is set to Auto, the user is not required to enter a passphrase on the printer control panel. However, if the mobile device requires a passphrase, the user must enter the default passphrase on the mobile device before the Wi-Fi connection is established. The default passphrase is

Wireless Direct Print

When enabled, HP wireless direct allows wireless mobile devices to print directly to HP wireless direct-enabled printers without a network connection or Internet access. Use this option to enable or disable the HP wireless direct printing feature on the device. Wireless Direct Printing allows any Wi-Fi capable device in proximity to print directly to the printer without connecting through the corporate network. This solution leverages the Wi-Fi Direct standard developed by the Wi-Fi Alliance and Apple AirPrint technology, which eliminates software or driver installation on Apple mobile devices. The user simply connects to the Wi-Fi network that the printer advertises, then prints.

Fax Receive

When enabled, a fax device can receive incoming fax messages.

Command Load and Execute

The Command Load and Execute feature allows a device to install and run Chai service applications (Chailets), such as workflow and job accounting. It allows add-on applications (Chailets) to run on startup, such as job accounting programs. This function is called Service Loading in the EWS and may need to be enabled for certain solutions to run properly.

Note: This item also includes the legacy features Command Download and Command Invoke, which provide similar functionality.

File System Access Protocols

The File System Access Protocols settings shut down access to the MFP file system (storage devices and configuration settings) through protocols and ports, eliminating access from various types of management tools. HP recommends shutting down all unused access to the file system.

PML (Printer Management Language) is an HP proprietary protocol for managing HP devices; Web Jetadmin uses PML for many of its configuration settings. Disabling PML file system access eliminates the PML commands that affect access to the storage devices, even for Web Jetadmin. With this setting, MFPs ignore PML commands that attempt to access the file system. If you need to make changes to the file system, enable PML access, make the changes, and then disable it again.

Network File System (NFS) is primarily used by UNIX, Linux, and Norton systems. Disabling it disables the entire protocol for the MFPs; with this setting, MFPs ignore all NFS requests.

PostScript enables programs such as Adobe products to access the MFPs directly for printing and for access to fonts. Some of the commands it uses can access MFP storage devices. Disabling PostScript access to the file system disables only the commands that affect the file system.

PJL (Printer Job Language) includes capabilities to manage configurations in the form of commands inside print jobs. Some of these commands can access MFP storage devices. Disabling PJL access to the file system disables only the commands that affect the file system.

Color Access Control

The Color Access item controls the use of color printing, allowing you to manage color printing costs. If selected, choose Disable Color (all jobs print in black), Enable Color (all jobs print in color), or Color If Allowed (permissions determine whether the job prints in color).

Enable - allows color printing for all users.
Enable If Allowed - allows the network administrator to permit color use for selected users and/or applications. Use the Embedded Web Server to designate which users and/or applications can print in color (color printing access only).
Disable - denies color printing to all users.

Disk Encryption Status

Select the check box to assess the device's HP Secure Hard Disk status. The HP Secure Hard Disk encrypts data stored on its disk. By default, encryption is enabled on the HP Secure Hard Disk.

Note: Remediation is not available for this policy item.

Typical scenarios include:

New printers with HDDs: The disk is already encrypted by the disk's own onboard firmware; the printer firmware does not do the encryption. No configuration is required and it is set to AES-256. All data on the HDD is encrypted. Assessment passes.

New printers with SSD or eMMC: The memory is NOT self-encrypting and is listed on configuration pages and in the EWS as "cannot be encrypted". However, the printer firmware WILL write any customer data encrypted with AES-128 (default), and it can be configured to write AES-256, with a possible performance impact. On these devices the firmware partition is NOT encrypted, only the customer data partition. Assessment fails.

New HDD accessory: When installed, self-encrypted at AES-256. Assessment passes.

Old device with EIO HDD: Encryption needs to be turned on. Assessment fails until drive encryption is turned on.

This policy item checks the status of hard disk drives only. If you set the policy item to active and run an assessment: if the assessment indicates Not Supported, encryption is impossible, meaning the printer cannot even accommodate an encrypted drive. If the assessment indicates Failed - Value Mismatch (the policy is active but the device is not), the device supports an encrypted disk but one is not present. If the assessment indicates Passed, an encrypted disk is present and active.

HP recommends purchasing printing devices with spinning disk drives for secure environments. All models support a SKU with an HDD, and some have HDD accessories. An HDD allows real-time file overwrite erase; SSD/eMMC cannot perform overwrite erases because of a NAND technology limitation.

Secure Disk Password

Use this policy to configure a password for the secure disks installed on the device. This password locks all of the secure disks but does not encrypt the data on the disks. However, locking the disk can change the reported disk encryption status from Not Encrypted to Encrypted, even though the disk is always encrypted. Use this policy item on its own, as it may reboot the printer automatically; it is therefore not recommended to combine it with other policy items. The device automatically generates a separate encryption key for each disk to encrypt the data. If you change the password, no data on the secure disks is lost. If you remove the secure disk from the device, access to the encryption key is lost and the data on the secure disk cannot be decrypted.

NOTE: The password can be cleared only through the BIOS on the device. Clearing the password renders the data on the device unusable and makes the secure disk appear as a new disk. If Generate a new random password is selected, any value entered under Enter Password is not used. Remediation fails if a secure disk is not installed on the device.

Trusted Platform Module (TPM) Status

Select the check box to assess the device's HP Trusted Platform Module (TPM) status (if so equipped). The HP Trusted Platform Module securely stores information such as passwords and encryption keys.

Not Installed: Module is not installed on the device.
Disabled: Module is installed on the device but disabled.
Enabled: Module is installed on the device and enabled.

Note: Remediation is not available for this policy item.

I/O Timeout

Select the check box to assess the I/O Timeout to End Print Job, which specifies the amount of time in seconds that a device waits between packets before cancelling a job. This timeout can help prevent corrupt or invalid print jobs from tying up a print resource. If selected, enter the I/O Timeout value (5 to 300 seconds). The default is 15 seconds.

Fax Speed Dial Lock

Using the Fax Speed Dial Lock, you can prevent the use of a specific range of speed dial fax number entries. For example, if you enter the range 0-20, the speed dial entries from 0 to 20 are locked. A range of 0-99 locks all speed dial entries. The entry must not contain spaces.

The admin must be able to prevent users from editing certain speed dials on the device. Each speed dial has a locked/unlocked property that can be set independently by the admin; unlike the legacy implementation, the locked speed dials do not need to form a consecutive range. On the main Fax application screen on the control panel, if a locked speed dial is selected and the Speed Dials button is pressed, a popup indicates to the user that the speed dial is locked and the speed dials screen is not opened. If the user enters the speed dials screen by selecting a non-locked speed dial, any locked speed dials appear grayed out and cannot be selected.

Cancel Print Jobs

Use this feature to prevent unauthorized users from printing jobs after clearing an error. If set to Enable, all jobs are deleted from the print queue after the inactivity timeout period. Inactivity timeout period value is between seconds. The default inactivity timeout period on the device is 60 seconds.

Device Discovery

Assess the protocols used to discover devices, which include Service Location Protocol (SLP), IPv4 multicast, Link-Local Multicast Name Resolution (LLMNR), Web Services Discovery (WS-Discovery), and Bonjour (also known as mDNS). Device Discovery settings control printer discovery protocols. Discovery packets can be spoofed, causing production disruption. Disable unused protocols to preserve network bandwidth as well.

In the Device Discovery category, you can control the enabling and disabling of printing device discovery protocols. Security risks associated with printing device discovery protocols usually fall into the category of being production disruptive, that is, behavior associated with falsely representing the identity or attributes of a specific printing device. Disabling unused discovery protocols is also good practice for preserving network bandwidth.

General

Service Location Protocol (SLP)

Service Location Protocol (SLP) is used to automate print device discovery in environments using the Common Unix Printing System (CUPS), and to query devices for the network services they provide. If enabled on the print device, SLP packets are sent to automate discovery. If SLP uses multicast, you must enable IPv4 multicast.

In its broader definition, SLP is an IETF standard protocol that gives network applications the ability to discover the identity, location and configuration of a network service. Usually implemented as a connectionless, packet-oriented protocol over UDP port 427, it can use TCP if lengthier transmissions are required. SLP scales very well in large networked environments, but requires specific configuration of routers and switches so that SLP packets traverse them appropriately. SLP network service discovery can be offered in either active or passive fashion: a network application requesting network service information is SLP active discovery; a network service advertising its information without a request is SLP passive discovery.

HP printers (Jetdirect) advertise their attributes through passive SLP, which is enabled by default. Attributes include model number, hardware address, IP address, port number, hostname, manufacturer and command set. SLP packets are generated during printer power cycles, cold resets, IP address changes and hostname changes. SLP/Multicast addresses fall in the IP range of through HP printers are assigned and use the destination IP address of HP Web Jetadmin can discover and process SLP packets with the destination address of when configured for SLP Listen discovery.

SLP security vulnerabilities mostly fall into the category of being production disruptive. For example, the deployment of unauthorized service agents creating false or duplicate attribute replies results in

attribute accuracy confusion for recipients. RFC 2608 states that SLP is intended to function within networks under cooperative administrative control; such networks permit a policy to be implemented regarding security, multicast routing and organization of services and clients into groups, which is not feasible on the scale of the Internet as a whole. If SLP is not being used by HP Web Jetadmin or any other network application to discover HP printing devices, it is recommended that it be disabled.

IPv4 Multicast

IPv4 multicast allows a device to transmit IP version 4 datagrams (messages) to a group of hosts (a multicast group address) on a TCP/IP network. In order to communicate, each device must be configured to send and receive the datagrams. IPv4 multicast allows a print device to be discovered by a client utility that uses Bonjour (mDNS) or SLP for device discovery. If you disable IPv4 Multicast, other protocols that use multicast, such as Bonjour and SLP, might be disabled without notification.

In addition to traditional IP communication, where a host sends packets to a single host via unicast or to all hosts via broadcast, IP multicast enables communication to a subset of all hosts as a group transmission. IP multicast uses an appropriately capable and configured network environment to efficiently deliver a single packet to many receivers, without requiring knowledge of the quantity or identity of the receivers. The most common transport used with multicast addressing is UDP (User Datagram Protocol), a connectionless method of communication with no packet delivery guarantee; without delivery acknowledgements, network bandwidth is further preserved. With multicast, switches and routers typically handle the replication of a single packet to reach multiple receivers and determine the scalability of multicast in the networked environment.

An IP multicast group address is used by sources and receivers to send and receive multicast messages. Sources use the group address as the IP destination address in their data packets. Receivers interested in packets sent to that group normally join the group using IGMP (Internet Group Management Protocol). The protocol most widely used to route multicast packets is PIM (Protocol Independent Multicast). Multicast is historically known as the Class D address space, with address assignment ranging from to Every packet that includes a destination address of will receive a response from all multicast-enabled devices. HP Jetdirect utilizes a proprietary network device multicast address of and UDP port 427. HP Web Jetadmin no longer possesses the ability to actively discover multicast-enabled HP devices; however, it can still discover devices by listening for SLP packets.

The efficiency of multicast does present security challenges. As mentioned, multicast transmitters typically do not know the identity of their receivers; packets are simply sent to the group address. Due to the lack of group address granularity, it is possible for receivers of one group to receive packets from another. Since group addresses can never be used as source addresses, and group addresses aren't

typically associated with a specific switch port, multicast packets can flood the switch's ports. This may also result in data reaching unintended receivers or serve as a gateway for DoS (Denial of Service) attacks against all port-connected hosts. As is the case with unicast transmission, source address spoofing can occur as well. If IPv4 multicast is not being used to discover HP devices, it is recommended that it be disabled.

Link-Local Multicast Name Resolution Protocol (LLMNR)

In an IPv6 environment, link-local multicast name resolution (LLMNR), which is based on the domain name system (DNS) packet format, is used to discover the link-local address of a newly added device. Typically LLMNR is used when the DNS service is not available. Queries are sent to and received on port .

Link-Local Multicast Name Resolution (LLMNR) is a relatively new protocol (defined in RFC 4795) and a component of the zero-configuration networking (zeroconf) methodology. Zeroconf is a combination of specific technologies that can create a usable local network without manual operator intervention or configuration. Zeroconf is built on three core technologies: assignment of numeric network addresses for networked devices, automatic distribution and resolution of computer hostnames, and automatic location of network services, such as printing devices. The goal of the LLMNR protocol is to achieve name resolution where conventional DNS name resolution is not possible. The LLMNR protocol supports all current and future DNS formats, types, and classes, while operating on a separate port. Consider LLMNR an extra layer on top of DNS that supplements and/or replaces the DNS process for local name resolution. LLMNR uses simple request and reply messages similar to DNS, but assigned to a different port (UDP port 5355) and a different cache. Since LLMNR only operates on the local link, it cannot be considered a substitute for DNS.

Link-scope multicast addresses are used to prevent propagation of LLMNR traffic across routers, which could potentially flood the network. LLMNR queries can also be sent to a unicast address. For IPv4, the Responder listens on the link-scope multicast address of . For IPv6, the Responder listens on the multicast address FF02::1:3.

LLMNR is a competing technology with mDNS, more commonly known as Bonjour. Bonjour, previously known as Rendezvous, has been promoted by and is primarily associated with Apple Inc. products. The push for LLMNR support came from Microsoft's Vista operating system. Both technologies' main goal is to enable networking in the absence of configuration and administration. Primary differences: Bonjour allows multiple questions to be asked per single query, but LLMNR does not. Bonjour allows responses to be sent to a multicast address, but LLMNR only allows unicast responses. On HP Jetdirect devices, LLMNR and mDNS are enabled by default.

LLMNR security vulnerabilities mostly fall into the category of being production disruptive. Malformed requests or modified broadcast queries to port 5355 could cause DoS (Denial of Service) attacks if an attacker gained access to the network. If LLMNR is required in the print environment, firewall best
practices can protect from outside intrusion. Although not part of the HP Best Practices policy template, it is always recommended to disable unnecessary protocols.

Web Services Discovery (WS-Discovery)

Web Services Discovery (WS-Discovery) defines a multicast protocol that is used to discover network devices on a local network, typically in Windows Vista or later environments. You can safely disable this item if Windows Vista or later is not used.

WS-Discovery is a multicast dynamic discovery protocol capable of locating Web Services in unmanaged or managed networks. WS-Discovery is transport independent and may be used over HTTP, UDP, and other transports. The most common transport implementation is SOAP (Simple Object Access Protocol) over UDP (User Datagram Protocol). DPWS (Devices Profile for Web Services) is a profile that enables plug-and-play for networked devices. A PC or other device can detect Web Services enabled devices on a network, then discover and invoke the Web Service functionality each device provides. The DPWS objectives are similar to those of Universal Plug and Play (UPnP), but are fully aligned with Web Services technology and include extensibility to transition from local to enterprise-wide environments.

When a capable, enabled HP printer joins the network, it sends a Hello announcement message to the multicast group. This Hello message contains general information about the HP device. After receiving notification of the HP device's services through the Hello message, a client will then send a specific Probe request. To preserve network bandwidth, the HP device will respond with a Probe Match Response that contains the necessary device information (similar to the information found in an SLP packet) to avoid the need for additional Probe requests. WS-Discovery uses multicast address and IANA registered port 3702 for IPv4 networks. Multicast address FF05::C (site-local scope), instead of FF02::C (link-local scope), is used for IPv6. There are four defined WS-Discovery packets generated by HP Jetdirect: Hello, Bye, Probe Match Response and Resolve Match Response. Hello is the announcement of network arrival and Bye is the departure. Probe Match Response is a reply to a Probe for a specific service type, and Resolve Match Response is a reply to a more general request for service location. HP printer installers utilize WS-Discovery for quick installation, and HP Web Jetadmin can be configured to passively discover WS-Discovery capable HP printers.

The most common security exploit scenario requires the attacker to know the target's unique WSD address, a value that is automatically sent in the UDP broadcast to port . However, this would require the hacker to have access to the same subnet. If on the same subnet, a device could be exploited via the Web Services Discovery API. It is recommended to disable WS-Discovery if it is not needed for network plug and play. Disabling WS-Print/WS-Discovery blocks Windows Phone Print, along with the V4 UPD.
Bonjour

Bonjour, also referred to as mDNS (Multicast Domain Name System), is Apple's implementation of the zero-configuration networking (zeroconf) methodology. Zeroconf is a combination of specific technologies that can create a usable local network without manual operator intervention or configuration. Zeroconf is built on three core technologies: assignment of numeric network addresses for networked devices, automatic distribution and resolution of computer hostnames, and automatic location of network services, such as printing devices. The goal of the Bonjour protocol is to achieve name resolution where conventional DNS name resolution is not possible. Bonjour is built into Apple's OS X and iOS, but can also be installed on Windows systems. Bonjour uses DNS-SD (DNS Service Discovery) to search for services on the network.

When Bonjour is enabled on an HP printer, the printer's services are advertised to allow a Bonjour-capable host to automatically discover and add the HP printer without knowing the address or model of the printer. This is a very easy process for the user when compared to the previous situation, where the user was required to enter the IP address of the printer and then determine the correct model for appropriate driver assignment. The burden of knowing the details for configuring the printer is now removed from the user and is automatically handled by the host and printer using Bonjour. Mobile users who plug their laptops into different networks can benefit from the Bonjour service. The HP Universal Print Driver can utilize Bonjour to automatically locate local printers.

The Jetdirect mDNS module processes packets on multicast address and port . Service advertising occurs in the local domain. Wide-area Bonjour service discovery is possible via an appropriately configured DNS server. When enabled, Jetdirect service advertising includes Port 9100 printing, LPD printing, IPP printing and EWS configuration services. If, after having advertised any of the above services, the service goes down or is disabled, the mDNS module will de-advertise the service. The service can be named and the advertised services can be prioritized.

Consumer technology has penetrated enterprise IT, and as a result has presented plenty of challenges related to network performance and security. Users in the enterprise are demanding the same conveniences they enjoy at home and in public environments with Apple iPads, iPhones, and related technology. Seeing the modernization of technology and the potential for increased user productivity, corporations are embracing this request. Bonjour, as with many of the multicast discovery methods, is chatty. It is a common practice in many enterprise networking environments to filter multicast packets for this very reason. This filtering practice can truly limit the use of Bonjour. The traditionally controlled enterprise networking environments must now embrace this consumer-related technology and determine newer methods to maintain control.

In addition to network performance, there is security risk associated with Bonjour. Like most of the discovery protocols, risks usually fall into the category of being production disruptive. A weakness in the DNS protocol may allow a remote attacker to spoof DNS responses, resulting in the requesting application receiving a forged response. It is always recommended to disable Bonjour wherever it is not required.
Apple Bonjour (also known as multicast domain name system or mDNS) is used for discovering Apple services over the TCP/IP protocol. You can safely disable this policy item if the device is not using Apple services on the network. If Bonjour is disabled, many print paths may stop working: AirPrint, Android, and UPD dynamic discovery.

Printing

In the Printing category, you can control the enabling and disabling of device printing protocols. Because printer control commands can be embedded in print jobs, this is an extremely important category regarding DoS (Denial of Service) attacks. The Printing settings control device printing protocols. Embedded printer control commands can cause Denial of Service attacks. To control print job sources, use this category.

General

Standard TCP/IP Printing

Standard TCP/IP printing, also called standard network printing or AppSocket, is the most common method for printing over the network and is the standard printing protocol used by HP print devices. It is the fastest, most reliable way to print over the network. Because this is the standard network printing method, remediation is disabled by default.

TCP port 9100 succeeded Line Printer Remote (LPR), which had been widely adopted as the de facto standard in TCP/IP network printing for many years. Due to LPR limitations, TCP port 9100 became
the fastest and most efficient way of delivering data to a printer using the TCP/IP protocol suite. Raw data delivered over TCP is sent to the printer as if it had been delivered over a parallel port, serial port, or any other port. With port 9100 enabled, clients are able to bypass print servers and print directly to the device. Device access control lists can limit this behavior. This could be of concern to those who track job accounting at the print server level. Upgrading firmware is accomplished through Port . Extra safeguards should be established to protect against malicious firmware uploading.

The most common vulnerability for TCP port 9100 is print jobs with embedded PJL commands. These PJL commands can do a variety of things, some extremely malicious. TCP/IP headers are stripped and data is presented to the printer as if it were directly connected to a PC. Years ago, printer drivers would use the PJL command suite to control the PC-attached printer in a variety of ways. In the networking world, this presents an obvious potential for misuse. The PJL Password setting is linked as a Relative Technology to the Port 9100 setting. Since port 9100 will remain enabled in most environments as the network printing protocol of choice, it is suggested that security be applied to the PJL settings. If port 9100 is to be disabled in a customer environment, this usually indicates a less common printing protocol such as LPD, IPP or IPPS may be in use. Make sure the policy is set accordingly or print productivity could be affected.

AirPrint

Apple AirPrint is a mobile printing solution included with Apple iOS v4.2 and later operating systems. Using AirPrint, iPad, iPhone, and iPod touch users can print wirelessly to any ePrint-enabled HP printer that is connected to the same local wireless network. (Most HP printers released in 2010 and later support AirPrint.)

AirPrint is a mobile printing solution included with the Apple iOS v4.2 and later mobile operating systems. Through AirPrint, full-quality printed output is achievable without the need to download or install drivers. Users can print wirelessly from an iPad, iPhone and iPod to any HP printer that supports AirPrint and is connected to the same local wireless network as the user. Most HP printers released in 2010 and later support AirPrint. AirPrint is not backward compatible with older products and there is no workaround to enable backward compatibility with older HP products. AirPrint uses Bonjour, Apple's zero-configuration networking, to automatically discover AirPrint-capable wireless printers over the local network. If Bonjour is disabled at the printer, AirPrint functionality is disabled as well.

AirPrint is wireless-network based, thus requiring a wireless access point for print job throughput. Some attachable Jetdirect wireless accessories act as an access point with a broadcasting SSID, a default gateway IP address of , and no wireless network security as the default. The default wireless network SSID is based on the device model and is fairly easy to identify. Example: HP-Print-0D-X585 Officejet. Without access point/wireless network security, a user can easily locate the network SSID, connect to the wireless network, locate the printer and anonymously print to that
device. AirPrint security can be handled by disabling the protocol or securing the wireless network in use. If AirPrint is not in use, disabling the protocol is recommended.

Line Printer Daemon/Line Printer

This protocol and set of programs is typically associated with line-printer spooling services on various TCP/IP systems, such as Berkeley-based (BSD) UNIX, HP-UX, Linux, and Windows Server. The Line Printer Daemon/Line Printer Remote protocol (LPD/LPR) is a TCP/IP network print and print server protocol, widely used by a multitude of operating systems and print services. Nearly all operating systems now support at least the rudimentary LPD options in a service or daemon. The original implementation of LPD was in the Berkeley Printing System (BPS) as part of the Berkeley Software Distribution (BSD) UNIX operating system. In order to provide a complete printing system, LPR/LPD is used with a printer driver that converts the data into the command format required by the printer. The terms LPD and LPR are sometimes used synonymously. LPR was originally the name of the software, and LPD was the name of the daemon that waited for server requests.

LPD/LPR is considered an essential offering and is available on all HP Jetdirect internal or external print servers. When LPD/LPR is enabled, Jetdirect listens on port 515 for print job requests. The Jetdirect LPD module maintains state so that it can detect errors based on information in packets received and the timing of the information. In short, the host sends data, the LPD module receives it, checks it and adjusts its state. If the state is right and the data is intended for the printer, the data is forwarded. Otherwise the LPD module interprets it, storing information regarding the job in a temporary buffer and later discarding it. Windows clients are easily able to configure an LPR port and print directly to HP printers. Mac OS X provides the same capability. In addition to these clients, there are also IBM mainframe, Unix, and Linux print services to be aware of. The Common Unix Printing System (CUPS) uses LPD unless directed to use IPP or Jetdirect sockets (port 9100).

LPD print jobs, unless sent over a secure connection, travel in clear text that anyone using a sniffer or other packet-analysis software can read. Using buffer overflow exploitation to execute arbitrary code or creating a denial-of-service (DoS) condition are, generally speaking, the most common vulnerabilities associated with LPD. Since port 515 printing is widely used, the general disabling of LPD will likely affect print production in most large print environments. Disable LPD if not used in the customer's environment, or only enable LPD on the devices where required. Access control lists can also provide LPD-related security by only accepting print jobs from hosts designated in the list.
Internet Print Protocol (IPP)

This is a standard network protocol for remote printing, and for managing print jobs and device media using the Common UNIX Printing System (CUPS). If enabled, you must configure your firewall to accept incoming IPP requests.

Born in the mid-90s, IPP is an IETF standard protocol (RFC 2567) that allows an end user to print to a remote printer not located on the same physical network. Built upon HTTP (Hypertext Transfer Protocol) technology, IPP is independent of any operating system and can provide a print-over-the-internet solution. IPP supports more print operations than the simplistic print job submittal capabilities of LPD. Additional operations include printer control and print job management. IPP uses the TCP stack and is a connection-based request/response protocol. Any client that establishes an IPP connection to the printer can submit print jobs with the appropriate drivers. By default, IPP uses TCP port 631 as its well-known port and usually requires firewall access to allow operation over the internet. IPP implementations such as CUPS (Common Unix Printing System) also use UDP port 631 for IPP printer discovery. With Windows, IPP can use the standard port 80 (HTTP) or secure socket port 443 (HTTPS). As mentioned, IPP is implemented using HTTP and inherits all of the HTTP streaming and security features.

IPP printing is primarily used as a protocol for printing directly from the Internet. With the emergence of IPP Everywhere, powerful mobile devices are now commonly used to access cloud and enterprise print services across the public internet. Similar to Apple's AirPrint, IPP Everywhere is a Printer Working Group (PWG) standard defining an extension of IPP to support network printing without vendor-specific driver software, including the transport, various discovery protocols, and standard document formats. Because of this, end user and enterprise documents are at greater risk than ever before.

As is the case with LPD, print jobs, unless sent over a secure connection, travel in clear text that anyone using a sniffer or other packet-analysis software can read. If IPP is used within a given corporation over a private network, the risks of exposing print data might be low enough to negate the need for data encryption. However, if print data is being transferred over a public network, encryption is most likely warranted. For secure communication (privacy in particular), IPP should be run over a secure communications channel. Both TLS and IPsec provide secure communications channels and provide for mutual authentication. Newer HP devices support the Secure Internet Print Protocol (IPPS), covered in the next section of this document. By using IPPS with unique identity certificates, a secure method is created for sending print jobs to the device over the Internet or intranet. Unless there is a requirement for IPP printing, it should be disabled. If IPP printing is required, device security may be applied by configuring a device access control list or configuring the firewall.
Secure Internet Print Protocol

When enabled, the Internet Printing Protocol over SSL (IPPS) provides a secure method for sending print jobs to the device over the Internet or an intranet. (A properly configured IPPS client system is required.) Secure IPPS uses identity certificates in the device. Consider installing CA-signed certificates before enabling. Select the check box to assess Secure Internet Print Protocol (IPPS) and then select whether to enable or disable the item.

IPP can use HTTPS as the transport mechanism to achieve secure IPP printing and is best known as IPPS. The IPP over HTTPS transport binding and URI scheme specification was defined to enable high availability combined with secure operation in popular dynamic environments such as wireless hotspots in airports, hotels and cafes. The secure form of the Internet Printing Protocol (IPP) uses SSL/TLS, with TLS as the best practice recommendation. By securing IPP, clear text print job data is replaced with secure, encrypted data. Securing IPP doesn't require additional network hardware and provides easy compliance with some data protection laws. IPP encryption protects against data leakage from network communications, assuming SSL/TLS is secure and assuming there are no compromised Certificate Authorities issuing bogus certificates for your domain. Instead of utilizing device default self-signed certificates, security is enhanced by deploying unique identity certificates with higher levels of encryption strength and key length. HP IPSC version 2.1 provides an easy, automated method for deploying unique identity certificates across the printer fleet. Port 631 is used for both IPP and IPPS, referring to an IPP print service or a network managed by such a service, for the purpose of IETF consistency.

IPP/IPPS targets of attack are typically associated with:
induced congestion of the network via the compromising of the routing infrastructure
the compromising of normal IPP behavior via forged packets or TLS version downgrades
the corruption of documents being transferred over IPP
faked or rogue IPP secure print services
unauthorized or unauthenticated IPP clients

If IPP printing is desired or required, it is recommended that IPPS be used to secure the print job data and that certificates be used to authenticate the client. Company firewall protection can also be deployed to protect against outside abuse. If IPPS printing is not required, disabling the protocols is recommended.
Web Services Print (WS-Print)

A network printing protocol used on Windows Vista and later systems. This protocol can safely be disabled if Windows Vista or later systems are not used.

Windows Vista was the first Microsoft Windows operating system to provide Web Services on Devices as a connection protocol for printing and scanning peripherals. The computer uses the Web Service function of Windows Vista or later to automatically detect the device connected to the network (WS-Discovery) and easily install the device as a Web Service printer. WS-Print is based on the Web Services common framework for describing and sharing information, including a set of protocols for consuming and controlling services on these network-connected, Web Service enabled devices. Web Services Description Language (WSDL) is the XML format for describing these network services. A WS-Print job is based on the Web Services for Devices (WSD) Printer Job Object schema and consists of a print ticket that describes the job. Job processing and document processing attributes are also included in the print ticket. A WS-Print compatible printer must conform to the WSD Printer Service schema and provide elements that describe the printer itself, printer configuration, printer status, print job status and document properties. The print service deploys an eventing model to inform the print job control point when the device configuration changes, when the device condition changes, and when there is a job progress update.

In web services frameworks, XML documents are passed from client to server in the form of a SOAP request. The XML is then processed within the web service, possibly opening it up to a variety of XML-based attacks. However, as is the case with WS-Discovery, the most common security exploit scenario requires an attacker to know the target's unique WSD address, a value that is automatically sent in the UDP broadcast to port . It is recommended to disable WS-Print if it is not needed for direct client printing.
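As an added example (not HP Security Manager's own code), the following Python encodes the dependencies stated in the Bonjour, Printing and WS-Print sections above, together with the port numbers the text gives for each protocol, so that a proposed policy can be checked for the print paths it would silently break and for drift against the ports a device is observed listening on. The policy and the observed-port set are constructed samples, not data from a real device.

```python
"""Policy-impact checker for the print and discovery protocol settings described above.

Added example, not HP Security Manager code. It encodes the dependencies the text
states (IPv4 Multicast carries SLP and Bonjour; Bonjour carries AirPrint, Android and
UPD dynamic discovery; WS-Print/WS-Discovery carry Windows Phone Print and the V4 UPD;
Port 9100 pairs with the PJL Password; IPP pairs with IPPS) and the port numbers the
text gives, so a proposed policy can be checked before it is pushed to a fleet.
"""

# Policy item -> (transport, port) as given in the text. Bonjour is omitted here
# because the mDNS port number is not stated on the page.
PROTOCOL_PORTS = {
    "SLP": ("udp", 427),
    "LLMNR": ("udp", 5355),
    "WS-Discovery": ("udp", 3702),
    "Port 9100": ("tcp", 9100),
    "LPD": ("tcp", 515),
    "IPP": ("tcp", 631),
    "FTP": ("tcp", 21),
}

# Item -> policy items it needs; disabling any parent silently takes the item down.
DEPENDS_ON = {
    "SLP": ["IPv4 Multicast"],
    "Bonjour": ["IPv4 Multicast"],
    "AirPrint": ["Bonjour"],
    "Android print": ["Bonjour"],
    "UPD dynamic discovery": ["Bonjour"],
    "Windows Phone Print": ["WS-Print", "WS-Discovery"],
    "V4 UPD": ["WS-Print", "WS-Discovery"],
}

# Constructed sample policy (True = enabled) and a constructed set of ports a
# hypothetical device was observed listening on; neither comes from a real device.
EXAMPLE_POLICY = {
    "IPv4 Multicast": False, "SLP": True, "LLMNR": False, "WS-Discovery": False,
    "WS-Print": True, "Bonjour": True, "Port 9100": True, "PJL Password": False,
    "LPD": False, "IPP": True, "IPPS": False, "FTP": False,
    "AppleTalk": False, "DLC/LLC": False, "IPX/SPX": False,
}
EXAMPLE_OBSERVED = {("tcp", 9100), ("tcp", 631), ("udp", 427), ("tcp", 515)}


def effective_state(policy):
    """Resolve the dependency chain: an item is effectively enabled only if its own
    policy value (default True for print paths that are not policy items) and every
    parent listed in DEPENDS_ON are enabled."""
    def enabled(item):
        own = policy.get(item, True)
        return own and all(enabled(parent) for parent in DEPENDS_ON.get(item, []))
    return {item: enabled(item) for item in set(policy) | set(DEPENDS_ON)}


def broken_print_paths(policy):
    """Print paths (items not set in the policy) that stop working as a side effect."""
    state = effective_state(policy)
    return sorted(item for item in DEPENDS_ON if item not in policy and not state[item])


def policy_findings(policy):
    """The text's recommendations applied to the policy; one string per finding."""
    state = effective_state(policy)
    findings = []
    if state.get("Port 9100", True) and not policy.get("PJL Password", False):
        findings.append("Port 9100 is enabled without a PJL Password; set the linked PJL Password.")
    if state.get("IPP", True) and not policy.get("IPPS", False):
        findings.append("IPP is enabled without IPPS; use IPPS with identity certificates.")
    for item in ("IPv4 Multicast", "SLP", "LLMNR", "WS-Discovery", "Bonjour"):
        if state.get(item, True):
            findings.append(f"{item} is enabled; disable it unless used for device discovery.")
    for item in ("FTP", "AppleTalk", "DLC/LLC", "IPX/SPX"):
        if state.get(item, True):
            findings.append(f"{item} is enabled; legacy protocol, disable unless required.")
    return findings


def port_drift(policy, observed):
    """Compare observed listening (transport, port) pairs with the effective policy.
    Returns (item, port, reason) tuples for every mismatch."""
    state = effective_state(policy)
    drift = []
    for item, (transport, port) in PROTOCOL_PORTS.items():
        listening = (transport, port) in observed
        if listening and not state.get(item, True):
            drift.append((item, port, "listening although disabled by policy"))
        elif not listening and policy.get(item, False) and state[item]:
            drift.append((item, port, "enabled by policy but not listening"))
    return drift


if __name__ == "__main__":
    print("Print paths broken by the policy:", broken_print_paths(EXAMPLE_POLICY))
    for line in policy_findings(EXAMPLE_POLICY):
        print("Finding:", line)
    for item, port, reason in port_drift(EXAMPLE_POLICY, EXAMPLE_OBSERVED):
        print(f"Drift: {item} (port {port}) {reason}")
```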

File Transfer Protocol (FTP)

File Transfer Protocol (FTP) printing sends print files from a client system to the print device using a TCP control and data connection. Although FTP provides user name and password authentication, the credentials are sent unencrypted over the network.

FTP (File Transfer Protocol) is a basic TCP/IP connectivity utility to transfer data between systems. FTP printing is a way to use FTP to send print files from a client system to an HP Jetdirect-connected printer. In an FTP printing session, the client connects and sends a print file to the HP Jetdirect FTP server, which in turn passes the print file to the printer. The HP Jetdirect FTP server transfers print files to the printer but does not interpret them. For proper printing, print files must be in a language recognized by the printer (such as PostScript, PCL, or unformatted text). For formatted print jobs, you must first print to a file from your application using the driver for the selected printer, then transfer the print file to the printer through an FTP session. FTP printing can be somewhat secured via a login and password, but both are sent unencrypted over the network.

FTP print and download (for firmware updates) were introduced into Jetdirect products many years ago. Certain customers still require this feature in the printers and print server products they purchase. User access to the FTP server is available using the standard FTP clients that are supported on most operating systems. The FTP client is an Internet standard for file transfers. The FTP print and download features were tightly coupled in Jetdirect at one time, but are now decoupled into separate functionality packages. The download functionality is now referred to as FTP Firmware Update. Both FTP print and download use two TCP connections to transfer a file, just as in standard FTP. The control connection is established through the well-known TCP port (21), which passively awaits a client connection. Once the connection is established, it will stay active the entire time that the client communicates with the server. The second connection, a data connection, is created each time a file is transferred between client and server.

Security vulnerabilities related to HP Jetdirect FTP (and FTP in general) have existed for almost as long as FTP functionality itself. FTP servers are prone to remote denial-of-service (DoS) vulnerabilities that can affect device access for legitimate users. DoS attacks such as buffer overflows, rogue commands and malformed packets have historically been known to crash FTP print servers or destroy firmware. If FTP printing is not required in the environment, this protocol should be disabled. If required on legacy HP devices where FTP print and download are coupled together, only enable FTP for the firmware download, then disable it when complete.

AppleTalk

AppleTalk is an obsolete protocol used by the original Apple networking. Apple no longer supports AppleTalk.

Released by Apple in 1985 with the original Macintosh, AppleTalk was a protocol suite that provided addressing, routing, data stream services, naming services and file/print sharing. AppleTalk
remained available as a Macintosh communications suite until 2009, when support was dropped due to its diminishing usefulness on large enterprise networks. Using a very simplistic approach, AppleTalk connected Macs together in small local area networks and automatically managed a name-based approach to host identification and network communication. Much of the AppleTalk feature set was later introduced in Bonjour and Universal Plug and Play. AppleTalk contained several primary protocols: AppleTalk Address Resolution Protocol (AARP), Name Binding Protocol (NBP), Printer Access Protocol (PAP), Routing Table Maintenance Protocol (RTMP) and Zone Information Protocol (ZIP), just to name a few. AARP allowed hosts to generate their own addresses and NBP was a dynamic system for mapping network addresses to user-readable names. PAP managed printer connections and other servers, plus conveyed status and coordinated actual data transfer. RTMP managed routing information over AppleTalk networks and ZIP managed the relationship between network numbers and zones.

The AppleTalk protocol is available on many of HP's existing installed base of legacy printing devices, but has since been eliminated on newer FutureSmart devices. On HP devices that support it, AppleTalk is enabled by default. At AppleTalk startup, a socket is created and set to listen for any print requests. Printer status and the printer's ability to accept jobs are provided to the network at this time. When a client request for print is received, a peripheral channel is locked for Printer Access Protocol (PAP) exclusive use. Data is then forwarded to the printer and the printer establishes reverse channel communication to complete the handshake. Synchronization between the client and printer continues during the forwarding of data. The client then sends a connection close request when data transfer is complete, signaling the peripheral to unlock the PAP channel for future use.

Security risks associated with AppleTalk are minimal, although Denial of Service (DoS) attacks over AppleTalk networks have been recorded. For devices that still support AppleTalk, disabling is recommended unless the protocol is required in the print environment. Once again, it is important to note that AppleTalk is unsupported on Mac OS X v10.6 (2009) and later operating systems. Today, it would be rare to find any AppleTalk use in most enterprise print environments.

Data Link Control (DLC) / Logical Link Control (LLC)

Data link control (DLC) and logical link control (LLC), which operate at the ISO link layer, are typically used in smaller networks. DLC traffic, which uses the MAC address as its transport, can only be routed within a single subnet.

Data Link Control (DLC) was originally developed for IBM mainframe communications. The term DLC referred to a higher-level API to the Logical Link Control (LLC) protocol that was defined by IBM. DLC was designed as a protocol for sending data from a print server to an HP networked printer, not as a general network communications protocol. Although there is no DLC interface present in Jetdirect, the LLC printing solution is historically referred to as DLC or DLC/LLC. LLC is a reliable, non-routable protocol that is supported in legacy Jetdirect products.
In Jetdirect, the LLC protocol stack was implemented as a separate module from the LLC print application and was expanded to provide support for protocols other than TCP/IP, including IEEE LLC. This allows the LLC print application to use a conventional sockets-style interface, with a special socket type, to access LLC network services. LLC was simplified by using a standard sockets networking API, minimizing involvement with connection establishment/maintenance, and delegating the handling of flow control to the protocol stack. In contrast to some of the print applications for other protocols, LLC does not process or inspect the contents of any data packets that it handles. The LLC print application supports Locally Administered Address processing.

The Logical Link Control (LLC) layer and the Media Access Control (MAC) layer make up the Data Link Layer. A major security concern of the data link layer is the Address Resolution Protocol (ARP) process. ARP is used to resolve known network layer addresses to unknown MAC addresses. ARP is a trusting protocol and therefore can be used by hackers for ARP poisoning, allowing them access to traffic on switched networks that they should not have. If your device still supports the DLC/LLC printing protocol, it should be disabled if not in use.

Novell (IPX/SPX)

Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) are protocols primarily used on networks that run the Novell NetWare operating system. These protocols are obsolete.

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) was a very popular protocol suite throughout the 1980s and midway into the 1990s. In its prime, the IPX/SPX protocol stack was supported by a number of network operating systems, including Windows. However, IPX/SPX was mostly thought of as the protocol for Novell networks and specifically brought forth the practice of connecting multiple networks together, or internetworking. IPX and SPX connection services are very similar to TCP/IP and were primarily designed for local area networks. The efficiency of the IPX/SPX stack contributed to performance that typically exceeded TCP/IP on a local area network. However, TCP/IP became the industry standard due to its superior performance over wide area networks and the internet. Novell attempted to support TCP/IP with NetWare/IP by tunneling IPX in IP packets, but complex implementation and performance loss due to the tunneling overhead kept NetWare/IP from being widely adopted. TCP/IP is now the primary Novell NetWare internetwork protocol. Although IPX usage has declined dramatically in recent years due to TCP/IP being the pervasive internet protocol, it wouldn't be rare to find IPX/SPX still being used in some Windows environments. In addition, some supported legacy system management tools still support the stack. Many of the HP FutureSmart devices do not provide support for the IPX/SPX stack.

The HP Jetdirect implementation of the Novell NetWare printing subsystem is composed of the IPX/SPX stack, IPX Direct Mode, Queue Server, Remote Printer, and NetWare Configuration modules. For many of the FutureSmart devices, this capability no longer exists. When IPX/SPX is enabled on devices that support this protocol suite, the generation of Service Advertising Protocol (SAP) packets is also enabled. The Jetdirect print server name and service type are broadcast via SAP packets,
allowing for unique identification of the device on the IPX network. SAP packets are broadcast only after an IPX network and supported frame type are detected. Once detected, SAP packets are periodically broadcast (at a configured interval) on all sensed frame types. Jetdirect responds to service queries with a service response packet that includes the specific object type 030c. This object type allows NetWare configuration tools to identify the print server as Jetdirect.

Most IPX security vulnerabilities are associated with Denial of Service (DoS) attacks. Malicious users have created malformed packets that match source and destination addresses, broadcast pings, or fill gateway buffers. HP recommends disabling IPX/SPX if not used in the print environment. If IPX/SPX is required for client printing or device management, HP then recommends disabling Novell Remote Configuration (RCFG), an IPX/SPX-related technology used to remotely configure Novell queues.

Digital Services

Assess digital sending features, which can include setting the timeout and workflow authentication. The category also includes sub-categories for assessing LDAP, e-mail, fax and folder settings.

Fax

Send Fax

The Send Fax feature allows you to scan and then fax to specific destinations such as a LAN fax, the fax modem on your computer, or an Internet fax provider. To prevent access to this feature, select the check box (the feature is assessed). It will be disabled during the assessment.

Folder

Send to Folder

The digital sending feature Send to Folder allows you to scan files and send them to folders on the network.

E-mail

Assess the digital sending feature's e-mail settings, which can include outgoing e-mail server (SMTP), send to e-mail, e-mail alerts, and incoming e-mail (POP3).

E-mail Encryption

When enabled on the device, e-mails are encrypted. Select the check box to assess whether e-mail encryption is set, then select whether to enable or disable encryption. If enabled, select the algorithm to use for encrypting the e-mail (Encryption Algorithm). To use a Public Key Attribute, enter it in the field, then select whether to optionally allow users to send e-mails unencrypted and whether to verify the public key.

E-mail Signing

When enabled on the device, e-mails are digitally signed. Select the check box to assess whether e-mail signing is set, then select whether to enable or disable signing. If enabled, select the algorithm to use for signing the e-mail (Signature Algorithm) and then whether to allow the user to optionally send e-mails unsigned.

Send to E-mail (Digital Send)

The HP Send to E-mail feature is automatically selected when Outgoing E-mail (SMTP) is selected. This feature allows you to scan a document and send it to one or more e-mail addresses. If enabled, HP recommends restricting destinations to addresses in the device address book (select the Restrict Addresses to Address Book check box) and limiting the maximum file size (Maximum Attachment). To prevent access to this feature, verify that the check box is selected (the feature is assessed), and select Disable to verify that the feature is disabled during the assessment. For some devices, enabling Send to E-mail might require a second remediation. (The first remediation can result in a reported failure.)

To use a shared SMTP instance, select the instance name in the Outgoing E-mail (SMTP) field. To create a new instance, click Edit and enter the SMTP configuration information. Select Secondary E-mail Authentication to provide extra data security by employing a secure third-party system to deliver the message. If required, select the credentials needed to use the secondary feature. You might need to authenticate your identity by providing a user PIN, Smart Card, LDAP, or Windows credentials.

E-mail Alert

E-mail Alert is automatically selected when Outgoing E-mail (SMTP) is selected. This feature reports device status and issues to specific e-mail addresses. To use a shared Outgoing E-mail instance, select the instance name in the Outgoing E-mail field. To create a new instance, click Edit and enter the Outgoing E-mail configuration information.

Incoming E-mail (POP3)

This feature was used to send configuration information to the device. (This feature is not available on newer devices.) Because this feature allows commands to be e-mailed to a device for execution, HP recommends disabling it on any device on which it is supported. If selected (and enabled), provide the POP3 Server Name and the Device POP3 Username.

General Digital Send

Automatic Reset after Send will reset the device to default settings after a send. Choose for the reset to be immediate or delayed. If delayed, specify a Reset Timeout in seconds, then select the Workflow Authentication.

Note: Automatic Reset after Send might disable signed e-mail authentication on HP MFPs/digital senders with an HP Smartcard installed. If the device resets immediately after selecting Send, access to the Smartcard signing certificate is prevented, and the message is not sent.

Allow Access to LDAP Address Book

Allowing access to the LDAP address book provides auto-completion of a recipient's name (To, Cc, Bcc) as you type it in the Send to E-mail panel. Using this digital sending feature requires access to the LDAP server. To use a shared LDAP Settings instance, select the instance name in the LDAP Settings field. To create a new instance, click Edit and enter the LDAP configuration information.

Web Scan

The Web Scan (eSCL) feature is used to send scanned documents from the printer to the network. The Secure Web Scan (Secure eSCL) feature is used to send scanned documents securely from the printer to the network. If AirPrint configuration is enabled along with Web Scan or Secure Web Scan, it is used to send scanned documents from an AirPrint-enabled printer to an iPad, iPhone, iPod touch, or Macintosh computer.

Network Security

This category handles the settings that control the strength, authentication and authorization of protocols and data on the network.

General

Internet Protocol Security (IPsec)/Firewall

IPsec/Firewall features provide network-layer security on IPv4 and IPv6 networks. The Firewall provides simple control of the IP addresses that are allowed access. IPsec provides the additional security benefits of authentication and encryption. Whether traffic is allowed or dropped is determined by a set of rules that make up the IPsec/Firewall policy. IPsec uses identity certificates in the device. Consider installing CA-signed certificates before enabling. Before enabling this item, you must fully configure IPsec/Firewall on the device. You cannot remediate (disable) this policy item.

Internet Protocol Security (IPsec)/Firewall Rule Configuration

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host).


FIPS 140 Compliance Library

The Federal Information Processing Standards (FIPS 140) establish minimum cryptographic requirements for software and hardware modules. Select the check box to assess whether FIPS 140 is set on the device. If enabled, the following less secure settings are not allowed:

MD5/DES/RC4 and earlier (use SHA1/AES instead)
SSL 3.0 and earlier (use TLS 1.0 or higher instead)
Web Encryption Strength set to Low or Medium (use High instead)

If disabled, these restrictions are removed, but current policy encryption settings are not modified.

Access Control

An access control list (ACL) specifies the individual host systems that are allowed access to the device. (Not all devices support ACLs, and support is limited to IPv4 networks.) By default, hosts with HTTP connections, such as the HP Embedded Web Server (EWS) and IPP, can typically access the device regardless of the access control list. To disable HTTP host access, clear the Allow Web Access check box. Specify host systems by their IPv4 address or network number. If the network contains subnets, use the address mask to identify whether the IP address designates an individual host or a group of hosts. You can enter up to nine host systems.

Windows

Windows authentication validates users in a Windows domain. When enabled, users at the device must provide valid credentials (user name, password, and realm). Authentication consists of verifying the user's credentials with the key distribution center (KDC) and then searching for the user's e-mail address and name by accessing the LDAP server.
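To make the Access Control rules above concrete, here is an added Python model of the list (it is not HP's implementation and the entry syntax is assumed): entries are an IPv4 address plus an address mask, at most nine are accepted, the Allow Web Access flag lets HTTP-based clients through regardless of the list, and an empty list is assumed to impose no restriction. All addresses are constructed documentation ranges.

```python
"""Model of the IPv4 access control list described under Access Control.
Added illustration, not HP's implementation; entry syntax and the empty-list
behaviour are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

MAX_ACL_ENTRIES = 9                         # the policy editor accepts up to nine host systems
WEB_PROTOCOLS = {"http", "https", "ipp"}    # HTTP-based services covered by Allow Web Access


@dataclass
class AccessControlList:
    entries: List[ipaddress.IPv4Network] = field(default_factory=list)
    allow_web_access: bool = True           # default: HTTP hosts bypass the list

    def add(self, address: str, mask: str = "255.255.255.255") -> None:
        """Add one host (default mask) or a group of hosts (address plus mask)."""
        if len(self.entries) >= MAX_ACL_ENTRIES:
            raise ValueError("ACL holds at most nine host entries")
        # strict=False masks off host bits, so "192.0.2.77" with /24 means 192.0.2.0/24
        self.entries.append(ipaddress.IPv4Network((address, mask), strict=False))

    def permits(self, client: str, protocol: str) -> bool:
        """Decide whether `client` may reach the device over `protocol`."""
        ip = ipaddress.ip_address(client)
        if ip.version != 4:
            raise ValueError("the ACL is defined for IPv4 only")
        if not self.entries:
            return True                     # assumption: an empty list imposes no restriction
        if protocol in WEB_PROTOCOLS and self.allow_web_access:
            return True                     # web hosts are admitted regardless of the list
        return any(ip in net for net in self.entries)


def demo() -> dict:
    """Constructed policy: one print server plus an admin subnet, web bypass switched off."""
    acl = AccessControlList(allow_web_access=False)
    acl.add("192.0.2.10")                          # single host
    acl.add("198.51.100.0", "255.255.255.0")       # whole admin subnet
    return {
        "print_server_9100": acl.permits("192.0.2.10", "raw9100"),       # True
        "admin_ews": acl.permits("198.51.100.77", "https"),              # True
        "guest_ews": acl.permits("203.0.113.5", "https"),                # False: bypass is off
        "print_server_neighbour": acl.permits("192.0.2.11", "raw9100"),  # False: /32 entry
    }
```

The guest_ews case is the point of the Allow Web Access check box: with it left at its default, the same guest host would reach the EWS even though it matches no entry.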

Select the check box to assess the Windows authentication setting on the device, and then select whether to enable or disable it. If enabled, provide the Windows domain, server, and port, and then whether to enable reverse DNS lookup.

Note: On some older devices, Windows authentication cannot be disabled.

Verify Certificate for IPP/IPPS Pull Printing

Internet Printing Protocol (IPP) is an Internet-standard protocol that allows you to print documents and manage print jobs over the Internet. If enabled, you can find out about this printer's capabilities, submit print jobs, and query the status of the printer or its jobs. This configuration enables or disables certificate verification for IPP/IPPS pull printing.

Enable WINS Port

Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. Effectively, WINS is to NetBIOS names what DNS is to domain names: a central mapping of host names to network addresses. This configuration is used to enable the communication between client and server for WINS registration; by default it is port 137.

WINS Registration

Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. Effectively, WINS is to NetBIOS names what DNS is to domain names: a central mapping of host names to network addresses. This configuration will register the WINS client hostname (printer hostname) using the WINS port.

HP Connection Inspector

Introduction

HP Connection Inspector is a new intelligent embedded security feature created by HP Labs. The technology inspects outbound network connections typically abused by malware, determines what is normal and stops suspicious activity. If the printer is compromised, it will automatically trigger a system restart to initiate HP Sure Start self-healing procedures.

Malware is typically designed to call home to its external server to get further instructions, updates and information on where to send collected data. Early malware used hard-coded IP addresses. Modern malware uses more sophisticated behaviors to establish and maintain contact with its external server. These behaviors can be recognized to detect the presence of malware and block the attackers.

When anomalous behavior on outgoing connection requests is detected, the device enters a protected mode of operation for DNS queries, designed to stop the malware communicating with its external server and to prevent the malware from causing additional damage, while allowing the printer to function normally. If further anomalous connection requests are detected, the device performs a system restart, which is designed to clear the malware by taking advantage of the device's Sure Start and Whitelisting

features. An IT security alert is generated to communicate a possible attack.

HP Connection Inspector settings

Settable parameters define how the feature identifies DNS behavior that could indicate anomalous activity. The device enters either of two modes: DNS Protected Mode, or a Self-Healing Mode in which the device performs a system restart. The settable parameters allow the detection method to be tuned to different customer environments, in terms of typical network behavior and security sensitivity. The HP Connection Inspector feature can be disabled for troubleshooting purposes. Disabling and re-enabling the feature resets Protected Mode counters and monitoring statistics to their configured values.

Network Identification Page

Threshold and Duration Settings

DNS Failure Threshold: Default: 5 (4 to 50)
The number of unique non-resolving unknown DNS requests within the Monitoring Window that results in DNS Protected Mode. A higher value will reduce the speed and accuracy of detection but will reduce potential false positives.

Monitoring Window: Default: 80 mins (30 mins mins)
The length of the window in minutes in which DNS resolution activity is counted. A longer window will detect slower-executing connection request activity but will increase potential false positives.

Protected Mode Duration: Default: 60 mins (40 mins to 120 mins)
The minimum time in minutes the DNS Protected Mode is active once triggered. A higher value will mitigate stealthier malware behavior.

Self-Healing (Remediation) Settings

Number of Times in Protected Mode: Default: 3 (1 to 10)
The number of DNS Protected Mode events that occur before a system restart. A higher value will increase the time before a system restart.

Cumulative Protected Mode Duration: Default: 80 mins (60 mins to 140 mins)
The total duration of DNS Protected Mode events in minutes since device startup before initiating a system restart. The Cumulative DNS Protected Mode setting determines when a system restart occurs.

White List Settings

The White List option allows adding DNS addresses that will never be blocked and are not counted towards detection statistics. If HP Connection Inspector generates false positives, the DNS names or domains that cause the false positives can be added to the white list.

Restore Default Settings

Restores HP Connection Inspector to default values and resets Protected Mode counters and monitoring statistics to the default values.

Protected Mode

The device enters Protected Mode when the following condition is met: the number of unique, non-resolved, unknown DNS requests exceeds the DNS Failure Threshold setting.

DNS Behavior in Protected Mode

DNS resolution is allowed for:
A user-defined whitelist of domains and associated domain suffixes
Domains that have successfully resolved since system startup, contained in the History List
Destinations in the current domain and associated domain suffixes
Trusted domains (when Cross Origin Resource Sharing is enabled)

When a device is in Protected Mode, DNS requests that are not in the History List or Whitelist are not permitted.

Self Healing Mode

The device initiates a system restart when one of the following conditions is met:

The number of DNS Protected Mode events exceeds the Number of DNS Protected Mode Events setting
The total DNS Protected Mode duration exceeds the Cumulative DNS Protected Mode Duration setting

When a system restart remediation event is initiated, the device will automatically reboot unless the Auto-recover feature is disabled or a possible network anomaly occurs twice within 30 minutes; in that case the device reboots and holds at the preboot menu to prevent a potential malware exploit from executing.

Enable Cross-site Request Forgery (CSRF) Prevention

Cross-Site Request Forgery (CSRF) is an exploit that hijacks the authenticated user session to send unauthorized requests to a server. When the device administrator authenticates to the EWS server, it generates a session authentication token. The CSRF feature generates an additional cryptographically random CSRF token, which protects against an attacker sending commands as the authenticated administrator. When enabled, the CSRF feature prevents sending commands to the device through the EWS configuration interface without first having initiated an EWS session, which establishes the CSRF token. This method is referred to as web scraping, as the commands are captured and replayed to configure device settings through scripting. This feature is enabled by default. It can be disabled if required.

HP Security Manager uses web scraping to configure settings that are not exposed through standard protocols. If a feature requires web scraping to configure on devices running FS 4.5 firmware, Security Manager 3.1 recognizes the firmware version and configures the settings using CSRF tokens. While web scraping is used to configure quite a few settings on older devices, FS 4.5 devices only require web scraping for the LLMNR and 802.1x remediations. Older versions of Security Manager don't know how to use tokens for web scraping sessions, so CSRF would have to be disabled in order for older versions of Security Manager to configure those settings on FS 4.5 devices. Security Manager 3.1 offers the CSRF setting in a policy for remediation if it is desired to disable it. However, since Security Manager 3.1 can use tokens to support CSRF, it doesn't necessarily need to be disabled on devices.

Network Services

Use this category to control remote access to the device and the ability to upgrade firmware. The Device Announcement Agent (DAA) is also managed here.

Web

Assess Web-based settings for Web-based device access: HTTPS redirect, Web encryption strength, phone home, Web file printing, Go button, Cancel button and Continue button.

Web Encryption Settings

For encrypted Web-based communication with the HP Embedded Web Server (EWS), the encryption strength and individual protocols can be set. Select the check box to assess these settings. This will not enable or disable encrypted Web-based communication. Some Web encryption settings use identity certificates in the device. Consider installing trusted identity certificates before enabling.
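As an added illustration of how the HP Connection Inspector settings described earlier in this category interact (the DNS Failure Threshold, Monitoring Window, Protected Mode Duration and the two self-healing limits), the following Python models the Protected Mode and Self-Healing Mode decisions against a constructed DNS trace. It is not HP's firmware code. The beaconing hostnames, the whitelist entry and the corp.example local domain are constructed; where the text does not say whether a limit fires on reaching or on exceeding its value, or how Protected Mode time is added to the cumulative total, the code makes an assumption and marks it in a comment. The "trusted domains when CORS is enabled" rule is not modelled.

```python
"""Toy model of the HP Connection Inspector DNS logic described above. Added illustration,
not HP firmware code; choices the text leaves open are marked as assumptions."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class InspectorSettings:
    # Numeric defaults are the documented defaults; whitelist and local_domain are constructed.
    dns_failure_threshold: int = 5           # unique non-resolving unknown names
    monitoring_window_min: int = 80          # minutes over which failures are counted
    protected_mode_duration_min: int = 60    # minimum time Protected Mode stays active
    protected_mode_events_max: int = 3       # Protected Mode events before a restart
    cumulative_protected_min: int = 80       # total Protected Mode minutes before a restart
    whitelist: FrozenSet[str] = frozenset()  # never blocked, never counted
    local_domain: str = "corp.example"       # the device's own domain


class ConnectionInspector:
    def __init__(self, settings: InspectorSettings) -> None:
        self.s = settings
        self.history: set = set()                         # History List: names resolved since startup
        self.failures: Deque[Tuple[int, str]] = deque()   # (minute, unknown name) within the window
        self.protected_until: Optional[int] = None
        self.protected_events = 0
        self.cumulative_protected = 0
        self.restart_requested = False
        self.alerts: List[str] = []

    @staticmethod
    def _suffix_match(name: str, domains) -> bool:
        return any(name == d or name.endswith("." + d) for d in domains)

    def _trusted(self, name: str) -> bool:
        """Resolvable even in Protected Mode: whitelist, History List, own domain."""
        return (name in self.history
                or self._suffix_match(name, self.s.whitelist)
                or self._suffix_match(name, [self.s.local_domain]))

    def _enter_protected_mode(self, minute: int) -> None:
        self.protected_events += 1
        self.protected_until = minute + self.s.protected_mode_duration_min
        # Assumption: the guaranteed minimum duration is charged to the cumulative total on entry.
        self.cumulative_protected += self.s.protected_mode_duration_min
        self.failures.clear()
        self.alerts.append(f"minute {minute}: DNS Protected Mode event {self.protected_events}")
        if (self.protected_events > self.s.protected_mode_events_max
                or self.cumulative_protected > self.s.cumulative_protected_min):
            self.restart_requested = True   # Self-Healing Mode: system restart
            self.alerts.append(f"minute {minute}: self-healing restart requested")

    def query(self, minute: int, name: str, resolves: bool) -> str:
        """One DNS lookup; `resolves` stands in for the upstream resolver's answer.
        Returns 'allowed', 'blocked' or 'restart'."""
        if self.restart_requested:
            return "restart"
        if self.protected_until is not None and minute < self.protected_until:
            if not self._trusted(name):
                return "blocked"            # not in History List or whitelist
            if resolves:
                self.history.add(name)
            return "allowed"
        # Normal mode: every lookup goes through; unknown names that fail are counted once.
        if resolves:
            self.history.add(name)
            return "allowed"
        if not self._trusted(name) and all(n != name for _, n in self.failures):
            self.failures.append((minute, name))
        while self.failures and minute - self.failures[0][0] > self.s.monitoring_window_min:
            self.failures.popleft()         # fell out of the Monitoring Window
        if len(self.failures) >= self.s.dns_failure_threshold:  # assumption: reaching it triggers
            self._enter_protected_mode(minute)
            if self.restart_requested:
                return "restart"
        return "allowed"


def simulate_beaconing() -> Tuple[List[str], ConnectionInspector]:
    """Constructed trace: normal lookups, then a process cycling through throwaway names."""
    insp = ConnectionInspector(InspectorSettings(whitelist=frozenset({"update.vendor.example"})))
    trace = [
        (0, "mail.corp.example", True), (1, "update.vendor.example", True),
        (2, "a1b2.bad.example", False), (3, "c3d4.bad.example", False),
        (4, "e5f6.bad.example", False), (5, "g7h8.bad.example", False),
        (6, "i9j0.bad.example", False),    # fifth unique failure: Protected Mode event 1
        (7, "k1l2.bad.example", False),    # blocked
        (8, "mail.corp.example", True),    # in the History List: allowed
        (9, "time.vendor.example", True),  # legitimate but unseen: blocked (a whitelist case)
        (70, "m3n4.bad.example", False),   # the 60-minute Protected Mode has expired
        (71, "o5p6.bad.example", False), (72, "q7r8.bad.example", False),
        (73, "s9t0.bad.example", False),
        (74, "u1v2.bad.example", False),   # event 2: cumulative 120 min > 80, restart
        (75, "w3x4.bad.example", False),
    ]
    return [insp.query(t, n, r) for t, n, r in trace], insp
```

Two things the trace makes visible: with the defaults, the Cumulative Protected Mode Duration (80 minutes) trips the restart on the second Protected Mode event, before the Number of Times limit is reached, as the text says; and the blocked lookup of time.vendor.example at minute 9 is exactly the false positive the White List setting exists for.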

After Microsoft announced vulnerabilities in SSL 3.0, it has been disabled by default in a Security Manager policy. It can be enabled if desired, but a warning will be displayed reminding you of the vulnerabilities exposed by using it.

Note: If FIPS 140 is enabled, Web encryption strength is set to High and SSL 3.0 is disabled.

SSL = Secure Sockets Layer
TLS = Transport Layer Security (the follow-on to SSL; versions 1.0, 1.1, 1.2)

TLS v1.0 is marginally more secure than SSL v3.0, its predecessor. However, the subsequent versions TLS v1.1 and v1.2 are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1.0. The newer TLS versions, if properly configured, provide many stronger ciphers and encryption methods. The RC4, DES and 3DES ciphers have known vulnerabilities and are no longer recommended for HTTPS encryption. RC4 (Rivest Cipher 4) was designed in 1987 and 3DES was approved in

The RC4 and 3DES (DES-CBC3-SHA) based cipher suites are disabled, as in the Secure by Default security profile. These cipher suites being disabled by default has no effect on Security Manager behavior. In fact, just the opposite: enabling these cipher suites can have an effect. Individual cipher suites can now be enabled or disabled in Security Manager 3.1 under the Web Encryption Strength policy item. If an attempt is made to remediate a device with RC4-SHA/RC4-MD5 and TLS 1.0 enabled in the policy, the remediation is successful, but after remediation a Verify task on the device results in a Network Connection Error. In order for communication to take place between a server and a client, both need to share a set of supported ciphers. If the device has RC4-SHA/RC4-MD5 as the active cipher, but the operating system of the client (Security Manager) doesn't support these ciphers, there is a mismatch between the ciphers on the device and Security Manager, resulting in a Network Connection Error.

Require HTTPS Redirect

When HTTPS redirect is enabled, accessing the device via a Web page is redirected through a secure port (HTTPS). HTTPS uses identity certificates in the device. Consider installing CA-signed certificates before enabling.
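The FIPS 140 restrictions listed under Network Security and the cipher mismatch just described can both be checked before a policy is pushed to devices. The following Python is an added example, not Security Manager code: it encodes the three FIPS rules from the page (no MD5/DES/RC4, no SSL 3.0, strength High), lists the suites the page calls no longer recommended, and models the handshake outcome between a device's remediated settings and a client's supported set, returning None where Security Manager would report a Network Connection Error. The client profile and the AES suite names are constructed; suite names follow the OpenSSL style used on the page (RC4-SHA, DES-CBC3-SHA).

```python
"""Pre-flight checks for the Web Encryption Settings / FIPS 140 rules described above.
Added illustration, not Security Manager code."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PROTOCOL_ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]   # oldest first
FIPS_BANNED_CIPHERS = {"RC4", "DES-CBC"}            # MD5/DES/RC4 are disallowed under FIPS 140
FIPS_BANNED_MACS = {"MD5"}
NOT_RECOMMENDED = {"RC4", "DES-CBC", "DES-CBC3"}    # RC4, DES and 3DES have known weaknesses


@dataclass(frozen=True)
class WebEncryptionPolicy:
    fips_140: bool
    strength: str                    # "Low", "Medium" or "High"
    protocols: FrozenSet[str]
    cipher_suites: FrozenSet[str]


def cipher_parts(suite: str) -> Tuple[str, str]:
    """Split an RSA-key-exchange OpenSSL name such as 'DES-CBC3-SHA' into (cipher, mac)."""
    cipher, _, mac = suite.rpartition("-")
    return cipher, mac


def fips_violations(policy: WebEncryptionPolicy) -> List[str]:
    """Settings the device will refuse while FIPS 140 mode is on (empty list when off)."""
    problems: List[str] = []
    if not policy.fips_140:
        return problems
    if policy.strength != "High":
        problems.append(f"Web Encryption Strength {policy.strength}: FIPS 140 requires High")
    for proto in sorted(policy.protocols, key=PROTOCOL_ORDER.index):
        if PROTOCOL_ORDER.index(proto) < PROTOCOL_ORDER.index("TLS 1.0"):
            problems.append(f"{proto}: not allowed under FIPS 140, use TLS 1.0 or higher")
    for suite in sorted(policy.cipher_suites):
        cipher, mac = cipher_parts(suite)
        if cipher in FIPS_BANNED_CIPHERS or mac in FIPS_BANNED_MACS:
            problems.append(f"{suite}: MD5/DES/RC4 not allowed under FIPS 140, use SHA1/AES")
    return problems


def deprecated_suites(policy: WebEncryptionPolicy) -> List[str]:
    """Suites the page says are no longer recommended for HTTPS, FIPS or not."""
    return sorted(s for s in policy.cipher_suites if cipher_parts(s)[0] in NOT_RECOMMENDED)


def negotiate(device: WebEncryptionPolicy, client_protocols: FrozenSet[str],
              client_ciphers: FrozenSet[str]) -> Optional[Tuple[str, List[str]]]:
    """Outcome of a handshake between the remediated device and a client such as the
    Security Manager host. None stands for the Network Connection Error."""
    protocols = device.protocols & client_protocols
    ciphers = device.cipher_suites & client_ciphers
    if not protocols or not ciphers:
        return None
    return max(protocols, key=PROTOCOL_ORDER.index), sorted(ciphers)


# Constructed client profile: a current OS that has dropped RC4 and TLS 1.0.
MODERN_CLIENT_PROTOCOLS = frozenset({"TLS 1.1", "TLS 1.2"})
MODERN_CLIENT_CIPHERS = frozenset({"AES128-SHA", "AES256-SHA", "AES128-SHA256", "AES256-SHA256"})

# The failing policy from the text (RC4 suites with TLS 1.0) beside a hardened one.
LEGACY_POLICY = WebEncryptionPolicy(False, "Medium", frozenset({"TLS 1.0"}),
                                    frozenset({"RC4-SHA", "RC4-MD5"}))
HARDENED_POLICY = WebEncryptionPolicy(True, "High", frozenset({"TLS 1.2"}),
                                      frozenset({"AES128-SHA256", "AES256-SHA256"}))
```

Running negotiate(LEGACY_POLICY, ...) against the modern client returns None, which is the Verify-task failure described above, while HARDENED_POLICY negotiates TLS 1.2 and passes fips_violations with no findings.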

Cross Origin Resource Sharing

When enabled, cross-origin resource sharing (CORS) allows the product's resources to be accessed by Web pages from different domains. Select the check box to assess this item, and then select whether to enable or disable the feature.

Embedded Web Server Access

This item allows configuration of the device via the Embedded Web Server (EWS). Because IPSC requires access to the EWS to perform assessment/remediation, you cannot remediate this policy item.

Note: As devices can be remotely configured, EWS access should be restricted by setting the Admin (EWS) Password.

Information Tab

Display of the HP Embedded Web Server (EWS) Information tab can require administrator access (the Admin EWS password).

Note: You must select Embedded Web Server Access to select this item.

Select the check box to assess this item. Then, select whether to require the administrator password to access the Information tab, and whether to allow display of the print page and job log.

Note: The Admin (EWS) Password must be set to select the Require Administrator Password for Access option.

Phone Home

Phone Home is a legacy feature that was discontinued and is not included on new devices. Phone Home was used by HP to collect configuration data (with customer permission) to improve feature development. You should disable this feature on all devices.

Go Button

When enabled, allows any user with Web browser access to indefinitely pause or resume print jobs by executing the device's Go button. If disabled, the Go button is accessible from the control panel.

Cancel Button

When enabled, allows any user with Web browser access to cancel print jobs by executing the device's Cancel button. If disabled, the Cancel button is accessible from the control panel.

Continue Button

When enabled, allows any user with Web browser access to continue paused print jobs by executing the device's Continue button. If disabled, the Continue button is accessible from the control panel.

General

Novell Remote Configuration

The HP remote configuration protocol (RCFG) is used for remote configuration and management of devices on an IPX/SPX network, typically in a Novell NetWare environment. Remote Config (RCFG) is an HP proprietary protocol which runs over SPX and was primarily used in conjunction with other methods to remotely configure and manage Novell NetWare print systems. Most HP Jetdirect products still support this protocol, even though traditional Novell printing over IPX/SPX in customer environments has been replaced with the more widely used Novell TCP/IP solutions. Support for the IPX/SPX protocol stack has been removed in many of the new HP FutureSmart devices. Because of the direct linkage to IPX/SPX, support for the RCFG protocol has been dropped as well. IPSC policy editor constraints tie the two protocols together for this reason.

RCFG is enabled by default on the devices that still support this protocol. RCFG does not support encrypted communications or authentication and therefore is not considered a secure protocol. RCFG was not used for Direct-Mode (peer-to-peer) printing. RCFG was used to remotely configure the Jetdirect print server queues, but could also be used to configure protocols and restart the IPX stack. RCFG should be disabled along with the IPX/SPX stack if not required in the print environment. At a minimum, RCFG should still be disabled if IPX/SPX is required in the environment.

Telnet

Telnet is a configuration and information protocol that allows you to configure a device from a console directly on the device. The Telnet protocol is used as a communication facility to allow a standard method of interfacing terminal devices or processes. Its well-known port is port 23. In the context of Jetdirect, Telnet is used for setting or displaying configuration parameters. Jetdirect products have included a Telnet configuration option for a number of years. Although the Web UI may be the configuration method of choice, some customers appreciate the availability of Telnet when browsers are unavailable or the embedded web interface is not accepting connections. Jetdirect configuration items available through Telnet range from Admin password assignment to many of the printing and discovery protocol settings. Telnet only listens for one session at a time. Other Telnet clients cannot see any Telnet menus until their sessions are accepted. The Telnet session can be terminated at any time by either side of the connection. Parameters are not saved if the Telnet session is lost before the user exits from the Telnet main menu. Telnet is sometimes used to easily test TCP/IP connections. Printing is also possible through Telnet by opening a session to port 9100, then entering the data to be printed.

Enabled Telnet obviously poses a serious security risk in any print environment. Although a Telnet connection may be protected by an administrator password, Telnet connections are not secure. Telnet data is transferred over the network in clear text, unsecured. Once able to establish a Telnet session, a hacker would have almost complete access to the printer's configuration. Recent reports have shown that hackers appear to be using the Telnet remote access protocol approximately 10% of the time to attack corporate servers over mobile networks: fairly significant statistics considering Telnet is about 40 years old. Due to these Telnet-related vulnerabilities, it is becoming increasingly common to see Secure Shell (SSH) replacing Telnet access methods. It is recommended to disable Telnet and use a more secure method to configure HP devices. If Telnet is required to transport data, it is recommended that an encrypted Telnet solution be deployed.

TFTP Configuration File

BOOTP and TFTP provide a method to configure HP print devices. When the HP device is turned on, a BOOTP request is sent to the server to initiate the configuration, which typically uses a TFTP configuration file. Select the check box to assess whether a TFTP configuration file is used on the device and then whether to enable or disable its use.

Note: The TFTP protocol does not support authentication or encryption. Use of this protocol might introduce a security risk.

Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol described in RFC. It was designed to be a lightweight, minimally featured protocol implemented over UDP port 69, but can be implemented for any transport protocol. Data transfer is initiated on port 69, but the data transfer ports are chosen independently by the sender and receiver during initialization of the connection. The ports are chosen at random according to the parameters of the networking stack, typically from the range of ephemeral ports (a predefined range of ports). TFTP lacks most of the features of FTP. Unlike FTP, TFTP is not an interactive protocol, can't list directories or contents, and lacks authentication. TFTP only reads from or writes to a remote server.

TFTP has historically been used in Jetdirect products for transferring upgrade images across a network from a host computer to Jetdirect flash. It has also been used for transferring configuration information via a BOOTP request. To configure Jetdirect via BOOTP/TFTP, a :T144 entry in the bootptab file pointing to the TFTP configuration file would be required. A TFTP configuration file can contain Jetdirect configuration items such as administrative passwords, printing and discovery protocol enabling/disabling, TCP/IP configuration, and SNMP configuration, to name a few. Because TFTP provides no means for validating the identity of a computer requesting file transfers, the security of TFTP can be a major concern. If TFTP is not configured correctly, a rogue machine could become a legitimate machine on the network. A common way for someone to look for machines with TFTP configured incorrectly is to perform directed broadcasts of TFTP request packets to different networks and see which machines respond.

If BOOTP is being used in the environment to assign printer addresses and configure printer settings, the TFTP Configuration File setting will need to be enabled. For most printer firmware, HP Web Jetadmin opens a port 9100 connection and sends the .rfu file as a print job. For HP Jetdirect firmware, HP Web Jetadmin uses the TFTP protocol to complete the upgrade. It is recommended to disable TFTP if not in use for device configuration, and to disable it when not in use for firmware upgrades.

HP Jetdirect XML Services

HP Jetdirect XML Services allows access by HP Web service applications to XML-based data on the device. IPsec is an example of a security setting that is configured via this service.

XML Device Model (XDM) is an HP proprietary standard for modeling printing and imaging device information. A device profile describes the data that will be formatted into the XDM representation. The IXDM Access Interface (IXA) provides SOAP-based web service interfaces to allow access to the XDM data. The XDM clients or consumers get or set the well-structured XML information on devices via XDM tickets. The ability to get device configuration data via well-formed XML ensures that consuming applications can represent the device without having prior knowledge of the specific device implementation. As mentioned, XDM is independent of the specific device version and/or model and represents device information such as status, capabilities, configuration information and usage metrics. XDM is not an access protocol, security model, event notification, or SNMP replacement. Per the device management strategy, XDM is meant for configuration of complex data where SNMP is impractical or not available.

The HP Jetdirect XML Services setting is used to enable or disable the IXDM Access Interface (IXA). When the HP Jetdirect XML Services setting is disabled, the IXA interface is disabled and configuration through XDM cannot take place. XDM-configurable device settings are few, representing less than about 5% of total device settings. XDM-configurable device settings primarily consist of IPsec, Firewall, and some supply-related settings. If HP Web Jetadmin is being used to configure these XDM settings, the Jetdirect XML Services setting must be enabled. The IXA service is only available via an SSL channel: it is not accessible via an unencrypted port, therefore any consumer application is required to be an SSL client. In addition to the requirement of SSL, authentication is also supported.

Certificate Management Service

When enabled, HP Web Jetadmin can manage and configure the certificates on the device. Select the check box to assess the Certificate Management Service setting, and then select whether to Enable or Disable the item. This service is required for Web Jetadmin to manage identity certificates within the device.

Note: Enabling this feature is NOT required for HP IPSC (HP Imaging and Printing Security Center, the earlier name of Security Manager) to manage certificates; that functionality is contained within the Certificate Management category under Authentication. The Certificate Management Service setting enables or disables batch certificate management: using the Certificate Batch plug-in, Web Jetadmin 10.x can batch manage and configure certificates on devices that support the service.

Legacy Firmware Upgrade

Current firmware versions are signed using the SHA-256 hash algorithm. Enabling this option allows installation of legacy firmware signed with the weaker SHA-1 algorithm. Leave it disabled unless a specific older image must be installed, and disable it again afterwards: while enabled, the device accepts a broader set of images as validly signed code.

Remote Firmware Upgrade (RFU)

Allows the firmware upgrade file to be downloaded from the Internet and installed remotely. The firmware upgrade operation updates or replaces the device operating system code on HP printers and multifunction devices and is commonly referred to as a remote firmware update (RFU). The Remote Firmware Upgrade setting determines whether the firmware update process is allowed to run at all. Performing an RFU is typically the responsibility of an administrator within the organization. For security reasons, RFU should only be enabled while new firmware is being loaded and disabled at all other times.
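The two firmware settings above interact: RFU decides whether any update may run, and Legacy Firmware Upgrade decides whether a SHA-1-signed image is acceptable once it does. The following is an added example (not HP code) that models that acceptance gate. HP's real images carry an asymmetric code signature in a format that is not public, so here an HMAC over the image stands in for the signature and the header layout (magic, digest name, payload length), the signing key and the sample payload are all constructed for the example; only the policy logic is the point.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass

MAGIC = b"HPFW"  # constructed for this example; not HP's real image format


@dataclass(frozen=True)
class FirmwarePolicy:
    remote_firmware_upgrade: bool  # RFU setting: may any remote update run at all?
    legacy_firmware_upgrade: bool  # accept images signed with SHA-1?


def sign_image(payload: bytes, digest: str, key: bytes) -> bytes:
    """Build an image: MAGIC | name_len(1) | digest name | payload_len(4) | payload | tag.

    The HMAC tag stands in for HP's asymmetric firmware signature (assumption).
    """
    name = digest.encode("ascii")
    body = MAGIC + bytes([len(name)]) + name + struct.pack(">I", len(payload)) + payload
    return body + hmac.new(key, body, digest).digest()


def verify_image(blob: bytes, key: bytes, policy: FirmwarePolicy) -> tuple[bool, str]:
    """Apply the RFU gate, then the Legacy Firmware Upgrade gate, then check the tag.

    The algorithm check runs before the tag check on purpose: a SHA-1 image is
    refused by policy even if its signature would verify.
    """
    if not policy.remote_firmware_upgrade:
        return False, "RFU disabled: no firmware update accepted"
    if len(blob) < len(MAGIC) + 1 or not blob.startswith(MAGIC):
        return False, "not a firmware image"
    pos = len(MAGIC)
    name_len = blob[pos]
    pos += 1
    digest = blob[pos:pos + name_len].decode("ascii", "replace")
    pos += name_len
    if digest == "sha256":
        pass  # current signing algorithm, always acceptable
    elif digest == "sha1":
        if not policy.legacy_firmware_upgrade:
            return False, "SHA-1-signed image rejected: Legacy Firmware Upgrade is disabled"
    else:
        return False, f"unsupported digest {digest!r}"
    if len(blob) < pos + 4:
        return False, "truncated header"
    (payload_len,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    body_end = pos + payload_len
    tag_len = hashlib.new(digest).digest_size
    if len(blob) != body_end + tag_len:
        return False, "image length does not match header"
    body, tag = blob[:body_end], blob[body_end:]
    expected = hmac.new(key, body, digest).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "signature check failed"
    return True, f"accepted ({digest}-signed image)"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real device holds a public key instead
    strict = FirmwarePolicy(remote_firmware_upgrade=True, legacy_firmware_upgrade=False)
    for digest in ("sha256", "sha1"):
        print(digest, verify_image(sign_image(b"payload", digest, key), key, strict))
```

With the strict policy the SHA-256 image is accepted and the SHA-1 image is refused before its tag is even examined; flipping Legacy Firmware Upgrade on admits the SHA-1 image, and turning RFU off refuses both, which is why the text advises keeping RFU off except during an actual update.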

FTP Firmware Update

Select the check box to assess File Transfer Protocol (FTP) firmware update. If FTP printing is allowed, an FTP session can be started and the updated firmware image transferred to the device. FTP carries no encryption, so leave this disabled unless FTP is the chosen update path.

FTP Firmware Downgrade

Select the check box to enable or disable firmware downgrades on the device. This setting is supported on HP LaserJet Pro devices only.

Device Announcement Agent

The Device Announcement Agent allows automatic configuration out of the box with no administrator intervention. This feature, also known as Instant-On Security, is On by default and requires a configuration server such as HP JetAdvantage Security Manager. When the device is powered up on the network, it sends an announcement to the configuration server, and the configuration server then pushes configuration settings to the device.

Select the Require Mutual Authentication via Certificates check box to require that the device and the configuration server authenticate each other using certificates. Requiring mutual authentication without also deploying CA-signed identity certificates will cause self-signed certificate problems: the verification fails and the announcement cannot be completed, so deploy CA-signed identity certificates (and the issuing CA certificate) before turning this on.

The Device Announcement Agent setting is used to configure the agent on devices that support this functionality. When enabled, the device sends an announcement that is used to discover the Security Manager server. Once Security Manager is discovered, the device is added to the discovered device list and can be automatically remediated with a security policy if desired.

Shared Items

Use this section to configure LDAP and outgoing (SMTP) settings that are referenced by the related settings elsewhere in the policy editor.

LDAP Settings

The Lightweight Directory Access Protocol (LDAP) server contains names and addresses. The device's digital sending feature can use this repository for user authentication. You can share the LDAP Settings with the Windows, LDAP, and LDAP Address Access (address book) policy items. To do this:
1. Click New in the Shared Item Instances panel and provide an instance name such as LDAP1.
2. Enter the LDAP configuration settings and save the policy.
3. Go to the policy item (Windows, LDAP, or LDAP Address Access).
4. Select the shared item instance name from the LDAP Settings field.
Once the desired configuration settings are in place, this policy item group is saved as a Shared Item Instance and can be used by any policy item that references these LDAP settings.

Outgoing (SMTP)

The outgoing (SMTP) server is used to send messages to Internet addresses. You must configure outgoing SMTP if you use digital sending features to send messages, E-Alerts, or scanned documents. When Outgoing (SMTP) is selected, Send to E-mail and E-mail Alert are automatically selected as well (you can individually deselect or disable them).

HP recommends that authentication be required to use these features (public user name and password). You can share the Outgoing (SMTP) settings with the other policy items E-mail Alert and Send to E-mail:
1. Click New in the Shared Item Instances area and provide an instance name such as "Out_1".
2. Enter the configuration settings.
3. Save the policy.
4. Go to the policy item (E-mail Alert or Send to E-mail).
5. Select the shared item instance name from the Outgoing (SMTP) field.

The Shared Items category is aptly named because it contains common configuration settings that can be shared by multiple policy items. The two policy item groups under Shared Items are LDAP Settings and Outgoing (SMTP).

Maximum Attachment Size contains a box for an integer value between 0 and 999 (MB). For many devices the supported limit is 100 MB: if a larger value is entered in the policy, the maximum value the device supports is set instead, typically 100 MB. A value of 0 means unlimited size and no restriction, so prefer an explicit limit where the device is expected to send scans only of a bounded size.

Copyright 2017 HP Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. c enw, Rev. 6, November
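The LDAP Settings and Outgoing (SMTP) procedures above both follow the same pattern: define a named shared item instance, then select it from the matching field of each consuming policy item. The following is an added example (not Security Manager code, which stores policies in its own format) that models that reference mechanism and the checks a practitioner wants before saving a policy: a policy item pointing at a misspelled instance, an item selecting an instance from the wrong category, an instance nobody uses, and an SMTP instance that does not require authentication, which the text recommends. It also models the Maximum Attachment Size rule (0 = unlimited, values above the device limit clamped). The instance names, settings and the 100 MB device limit are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Which policy items may consume each Shared Items category (from the text above).
CONSUMERS = {
    "LDAP Settings": {"Windows", "LDAP", "LDAP Address Access"},
    "Outgoing (SMTP)": {"E-mail Alert", "Send to E-mail"},
}


@dataclass
class Policy:
    # (category, instance name) -> settings entered for that instance
    instances: dict[tuple[str, str], dict] = field(default_factory=dict)
    # policy item -> (category, instance name) selected in its shared-item field
    refs: dict[str, tuple[str, str]] = field(default_factory=dict)

    def new_instance(self, category: str, name: str, **settings) -> None:
        """Steps 1-2 of the procedures: click New, name the instance, enter settings."""
        if category not in CONSUMERS:
            raise ValueError(f"unknown Shared Items category {category!r}")
        self.instances[(category, name)] = dict(settings)

    def select(self, item: str, category: str, name: str) -> None:
        """Last step: pick the instance from the item's LDAP Settings / Outgoing (SMTP) field."""
        self.refs[item] = (category, name)

    def validate(self) -> list[str]:
        """Return human-readable findings; an empty list means the references are sound."""
        findings: list[str] = []
        for item, (category, name) in self.refs.items():
            if item not in CONSUMERS.get(category, set()):
                findings.append(f"{item}: {category} is not a shared item this policy item can use")
            if (category, name) not in self.instances:
                findings.append(f"{item}: references missing instance {name!r}")
        used = set(self.refs.values())
        for (category, name), settings in self.instances.items():
            if (category, name) not in used:
                findings.append(f"{category} instance {name!r} is defined but unused")
            if category == "Outgoing (SMTP)" and not settings.get("require_authentication"):
                findings.append(f"{category} instance {name!r} does not require authentication")
        return findings


def effective_attachment_size_mb(policy_value: int, device_max_mb: int = 100) -> int | None:
    """Value the device ends up with: None for unlimited (0), else clamped to the device limit."""
    if not 0 <= policy_value <= 999:
        raise ValueError("Maximum Attachment Size must be between 0 and 999")
    if policy_value == 0:
        return None
    return min(policy_value, device_max_mb)


def demo() -> list[str]:
    """Constructed policy with one deliberate mistake of each kind."""
    p = Policy()
    p.new_instance("LDAP Settings", "LDAP1",
                   server="ldap.example.internal",        # constructed host
                   bind_dn="cn=printers,dc=example,dc=internal")
    p.new_instance("Outgoing (SMTP)", "Out_1",
                   server="smtp.example.internal",        # constructed host
                   require_authentication=False)          # against the recommendation
    p.select("LDAP", "LDAP Settings", "LDAP1")
    p.select("Send to E-mail", "Outgoing (SMTP)", "Out_1")
    p.select("E-mail Alert", "Outgoing (SMTP)", "Out_2")  # typo: no such instance
    p.select("Windows", "Outgoing (SMTP)", "Out_1")       # wrong category for this item
    return p.validate()


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    print("attachment limits:", [effective_attachment_size_mb(v) for v in (0, 25, 250)])
```

Running the demo reports the dangling Out_2 reference, the Windows item selecting an SMTP instance, and the unauthenticated Out_1 instance, while LDAP1 passes; the attachment-size helper returns None, 25 and 100 for policy values 0, 25 and 250.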

HP Color LaserJets (supported device list; table not recoverable from this extraction)

HP LaserJets (supported device list; table not recoverable from this extraction)

HP Other Devices (supported device list; table not recoverable from this extraction)


More information

802.1x Port Based Authentication

802.1x Port Based Authentication 802.1x Port Based Authentication Johan Loos Johan at accessdenied.be Who? Independent Information Security Consultant and Trainer Vulnerability Management and Assessment Wireless Security Next-Generation

More information

Cisco CTL Client setup

Cisco CTL Client setup Cisco CTL Client setup This chapter provides information about Cisco CTL client setup. About Cisco CTL Client setup, page 2 Remove etoken Run Time Environment 3.00 for CTL Client 5.0 plug-in, page 2 Cisco

More information

User Identity Sources

User Identity Sources The following topics describe Firepower System user identity sources, which are sources for user awareness. These users can be controlled with identity and access control policies: About, page 1 The User

More information

Preparing to Deploy Cisco IP Communicator

Preparing to Deploy Cisco IP Communicator CHAPTER 2 Revised: 1/19/11 This chapter describes the required and recommended tasks for deploying Cisco IP Communicator. It also provides instructions for adding Cisco IP Communicator devices to the Cisco

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Using TID Sources to Ingest Feed Data, page 6 Using Access Control to Publish TID Data and Generate

More information

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0 Administration Guide SWDT487521-636611-0528041049-001 Contents 1 Overview: BlackBerry Enterprise Server... 21 Getting started in your BlackBerry

More information

Version 1.1 March 22, Secure Installation and Operation of Your WorkCentre 4250/4260

Version 1.1 March 22, Secure Installation and Operation of Your WorkCentre 4250/4260 Version 1.1 March 22, 2010 Secure Installation and Operation of Your WorkCentre 4250/4260 Secure Installation and Operation of Your WorkCentre 4250/4260 Purpose and Audience This document provides information

More information

Table Of Contents. 1. Introduction... 1

Table Of Contents. 1. Introduction... 1 User Manual Table of Content Table Of Contents 1. Introduction... 1 1.1 Brief Introduction to Web Interfaces... 1 1.2 How to Log In... 1 1.3 General Setting... 2 1.3.1 Date and Time Setting... 2 1.3.2

More information

Xerox Mobile Print Cloud Information Assurance Disclosure. Software Version 3.1 March P03595

Xerox Mobile Print Cloud Information Assurance Disclosure. Software Version 3.1 March P03595 Xerox Mobile Print Cloud Information Assurance Disclosure Software Version 3.1 March 2016 702P03595 2013-2016 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox

More information

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2

Forescout. eyeextend for IBM BigFix. Configuration Guide. Version 1.2 Forescout Version 1.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch Workspace ONE UEM v9.4 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

CounterACT Wireless Plugin

CounterACT Wireless Plugin CounterACT Wireless Plugin Version 1.7.0 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 5 How It Works... 6 About WLAN Controller/Lightweight Access Points...

More information

ForeScout CounterACT. Configuration Guide. Version 1.8

ForeScout CounterACT. Configuration Guide. Version 1.8 ForeScout CounterACT Network Module: Wireless Plugin Version 1.8 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 6 How It Works... 6 About WLAN Controller/Lightweight

More information

Evaluation Guide Host Access Management and Security Server 12.4

Evaluation Guide Host Access Management and Security Server 12.4 Evaluation Guide Host Access Management and Security Server 12.4 Copyrights and Notices Copyright 2017 Attachmate Corporation, a Micro Focus company. All rights reserved. No part of the documentation materials

More information