HP JetAdvantage Security Manager. User Guide


Copyright 2017 HP Development Company, L.P.

Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under the copyright laws. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Applicable product: J8023AA
Edition 10, 12/2017 (version 3.1)

Microsoft, Windows, Windows XP, Windows Vista, and Windows Server are U.S. registered trademarks of Microsoft Corporation. Adobe, Acrobat, and PostScript are trademarks of Adobe Systems Incorporated. VMware is a registered trademark of VMware, Inc.

Table of contents

1 Introduction
2 Getting started with Security Manager
    Access the Security Manager application
    Features of the Security Manager
    Common controls and notifications
    What you must provide
3 Setting up Security Manager
    Verify device remediation and hostname resolution
    Install licenses
    Set up Instant On Security
    Configure the email server settings
    Set up global credentials
4 Using Security Manager
    Create a security policy
        Policies page navigation
        Create a policy
        Edit a policy
            Policy editor icons
            Set severity, remediation, and unsupported behavior to policy items in Quick Settings
            Set policy options for a single item
            Set policy options for all the items or for a category
        Export and Import policies
    Add and edit device information
        Create a group
        Manual Group
        Automatic Group
        Discover devices
        Add devices using Automatic Discovery
        Add devices using Manual Discovery
        Devices page navigation
        Export device addresses
        Edit device and group information
        Manage Groups
        Move
        Rename
        Edit Auto Group Filter
        Delete
        Add, remove, or delete a device from a group
        Assign a license manually
        Set device credentials
        Set SSL/TLS enforcement
    Assess and remediate
        Run or Schedule an assessment or remediation
        Task page navigation
        Modify a task
        View assessment results
        View results from the Devices page
        View results from the Reports page
    Run reports
    Export and Scheduling reports
Appendix A Use the Security Manager certificate management solution
Appendix B Network port assignments
Appendix C Legal statements
    End User License Agreement
    Copyrights
        log4net license
        nhibernate license

1 Introduction

HP JetAdvantage Security Manager (Security Manager) is a security compliance solution for a fleet of HP products. It enables administrators to create a security policy to reduce network risks and monitor security for a fleet of printers.

The key benefits of using Security Manager are the following:

- Easily and quickly create device security policies. Intelligent prompts guide you through the process by providing advice and recommendations as you configure the policy.
- Add device IP addresses or hostnames using the following methods:
    - Import a text or XML file that contains the device information.
    - Automatically or manually discover devices.
- Automatically assess/remediate devices when they are first connected to the network using the Security Manager Instant-On Security feature and allowing automatic remediation.
- Create a schedule to run assessments or assess/remediate devices at preset intervals.

To learn more about Security Manager, see the following topics:

- Getting started with Security Manager
- Setting up Security Manager
- Using Security Manager

2 Getting started with Security Manager

Security Manager version 3.1 is a web-based application supported by the following browsers:

- Internet Explorer (IE) 11 or newer versions
- Chrome

To view the main topics in Security Manager Home page, see Introduction.

The following sections will help you to get started with Security Manager:

- Access the Security Manager application
- Features of the Security Manager
- Common controls and notifications
- What you must provide

Access the Security Manager application

Follow these steps to log into Security Manager:

1. Install Security Manager. For Security Manager installation instructions, see the HP JetAdvantage Security Manager Installation and Setup Guide.
2. Make sure you have a supported web browser, and then open HP JetAdvantage Security Manager.
3. Type your Windows domain username (Domain\username) and password, and then click Login.

If using a local username to the desktop (.\localusername), make sure to add the user name to the Administrator group or HPIPSC group or HPIPSC_Guest Group.

If the login operation fails, Security Manager displays an error notification message.

Features of the Security Manager

The Security Manager features are always present on the top menu tabs, giving the user easy access to each function. The top menu tabs include:

Dashboard

The Dashboard page is the default page that displays after a successful login. It provides a graphical overview of the device fleet, which includes the following information:

- Number of devices: The total number of devices in the fleet and the number of licensed and unlicensed devices.
- The number of licenses for the devices.
- Assessment status of the devices.
- Not assessed status of the devices.

Policies

The Policies page displays the number of policies and the status of each policy (valid, invalid, or new). It allows you to create, edit, and import policies.

Devices

The Devices page displays the number of devices on the network, device identity information (IP address, hostname, and model name), whether a device is supported, whether a license is assigned, date assessed, most recent policy name used, and a group name associated with a device. Icons indicate whether the device passed the assessment and the device status.

Use the Devices page to perform the following tasks:

- Create a group to associate devices to the group and manage these groups.
- Discover devices connected to the network, and add them to a group.
- Create a task to assess or assess and remediate a group of devices.
- Assign licenses, set credentials, and verify devices.

Tasks

The Tasks page displays the status of tasks (completed, in progress, or scheduled), name and type of a task, associated policy, group name, and the schedule of the tasks (when the task last ran and when it is scheduled to run). It provides options to create and schedule new assessment/remediation tasks. You can schedule a task to run once or to repeat as necessary, such as daily, weekly, or monthly.

Use the New Task icon from the Policies, Devices, or Tasks pages to create a new task, and then view the assessments/remediations of devices in the Tasks page.

Reports

The Reports page provides options to run reports that display information about devices, policies, and assessments.

Use the Executive Summary report in the Reports page to review recommendations and device status. For more information about the various reports (Devices assessed, Devices not assessed, Policy items assessed, Recommendations, and Remediations), see Run reports.

Settings icon

Displays the following options:

- Settings: Allows you to configure global settings.
- About HPSM: Displays a graphical overview of the software.
- Help: Provides information and instructions for Security Manager.

Profile icon

Displays the username (role assigned to a user), and a Logout button.

Security Manager assigns the following roles to users:

- Administrator: Enables a user to access all features and perform all operations in Security Manager.
- Guest: Enables a user to only view the Dashboard and Reports pages; it does not allow any interactive operation.

By default, the domain user account used for installing Security Manager is the administrator. To add additional users, the administrator adds the domain user to an appropriate group based on a specific role.

Common controls and notifications

This section describes the controls and notifications that are consistent across all pages in Security Manager.

Common controls in the Devices, Policies, and Tasks list panel:

- Filter - Sorts or filters the contents displayed in a list panel based on filter criteria.
- Search - Searches for strings in the list panel.
- Sort - Allows every column in the device list panel to be sorted. Click the arrow next to a column heading to sort the column. To change the order of the columns, you can drag and drop the columns.

Common notification types:

All notifications are dismissed after five seconds.

- Success message: A message displays in a green slide out for a successful operation.
- Information message: A message displays in a blue slide out when the system provides information about the operation.
- Failure message: A message displays in a red slide out for a failed operation.

What you must provide

The following are the basic requirements to use Security Manager:

- A supported Microsoft Windows computer. The following Microsoft Windows 64-bit operating systems are supported:
    - Windows Server 2016, 2012, and 2012 R2
    - Windows 10, 8.1, and 8
- Security Manager is supported in a VMware environment. Requirements: Microsoft Windows Server 2012 R2 or later (64-bit versions) is a compatible guest operating system in VMware ESX and ESXi versions 4.0 Update 4 or later.
- A supported HP device (printer, MFP, or digital sender). For a current list of supported HP devices, go to www.hp.com/go/securitymanager.
- The latest HP device firmware version. HP recommends that you install the latest firmware version to ensure that the devices contain the latest security updates and features. For firmware upgrade instructions, see the setup or user guides provided with the device.
- The latest HP Jetdirect firmware version. You must use V.40.xx or later. For firmware upgrade instructions, see the setup or user guides provided with the HP Jetdirect product.

3 Setting up Security Manager

Use the instructions in this section to set up the Security Manager settings.

Configure the Security Manager settings:

1. Log into Security Manager and select the Settings icon, and then select the Settings option.
2. In the left navigation pane, select one of the following menus and configure the settings:
    - General - Enables device remediation and hostname resolution.
    - Licenses - Installs Security Manager licenses.
    - Instant-On Security - Discovers and configures devices when they are first connected to the network.
    - Automated Output - Sets up email settings and notifications.
    - Global Credentials - Sets up global credentials to verify device credentials.

To view the main topics in Security Manager Home page, see Introduction.

- Verify device remediation and hostname resolution
- Install licenses
- Set up Instant On Security
- Configure the email server settings
- Set up global credentials

Verify device remediation and hostname resolution

HP recommends verifying the global remediation setting that controls whether an out-of-compliance device is remediated (corrected) during the assessment process.

To control how individual out-of-compliance policy items are processed during remediation, use the policy's Quick Settings (Policy). For more information, see Set severity, remediation, and unsupported behavior to policy items in Quick Settings.

Security Manager resolves IP addresses to hostnames only during the initial discovery. To resolve IP addresses to hostnames at a later time, delete the device, and then add the device again.

Follow these steps to set the device remediation and hostname resolution option:

1. Log into Security Manager, select the Settings icon, and then select the Settings option.
2. On the left navigation pane, in the General menu, select the appropriate remediation option for devices.
    - Enable device remediation (Remediate and Report) - This is the default option and enables remediation of out-of-compliance devices.
    - Disable device remediation (Report Only) - Select this option to not remediate out-of-compliance devices.
   When the Disable device remediation (Report Only) option is set, the setting applies to all policies and takes precedence over an individual policy's advanced remediation settings (Quick Settings (Policy)). To prevent accidental changes to devices on the network, disable device remediation.
3. In the Hostname Resolution section, enable or disable the Resolve IP addresses to hostnames when devices are added option. By default, this option is enabled and allows Security Manager to resolve IP addresses to hostnames when devices are added. When enabled, this option requires that the DNS entry functions in both directions. Otherwise, the device import fails. To disable the option, clear the check box.
4. Click Save. The Save button is disabled if the default options are selected.

Install licenses

Licenses are provided using a license file. Install a Security Manager device license to assess and remediate the devices on the network. Without a device license, all other actions are available, such as sorting, filtering, and verifying.

Security Manager is installed with a demonstration license that allows a limited assessment for up to 20 devices. Only a demonstration policy is available for use and the Policy Editor is limited to a few items. This license is overridden when a trial or full license is installed. Contact your HP representative for more information.

If the HP JetAdvantage Security Manager service is not running, an error message displays in the Security Manager application.

The purchase of Security Manager should include device licenses. Licenses are node locked using the device's MAC address. After licenses are installed, devices are automatically licensed when the following actions occur:

- When adding devices using a text or XML file. For more information, see Add devices using Manual Discovery.
- When discovering devices using the Instant-On Security feature. For more information, see Set up Instant On Security.

If there are insufficient licenses available during an import, the devices are added but not licensed. For devices that are not licensed, add licenses in the Settings page, and then use the Assign Licenses icon located in the device toolbar in the Devices page.

To reduce the risk of depleting all the licenses, make sure that there is a sufficient quantity before importing.

To return licenses to the license pool, delete the licensed device. Deleting a licensed device removes that device's historical data.

Follow these steps to install licenses or add additional licenses:

1. Log into Security Manager, select the Settings icon, and then select the Settings option.
2. On the left navigation pane, click Licenses.
3. Click Add Licenses.
4. Locate where the license file (.lic) is stored in the file browser, and then double-click to open the file. Security Manager reads the license file and updates the Settings page with the available licenses and expiration information.

If an error displays, the causes are:

- Security Manager cannot connect to the license server.
- Security Manager tried to update a demonstration license. A new demonstration license will not override an existing demonstration license.
- Security Manager tried to install a demonstration license when a normal license is currently installed.
- Security Manager tried to install the same license file.
- Security Manager tried to install a corrupted or invalid license file.

Set up Instant On Security

HP Enterprise printers running the latest firmware version use the Instant-On Security and the HP Device Announcement Agent features to automatically discover and configure devices when they are first connected to the network. Automatic assessment/remediation of newly discovered devices requires a device license and a valid initial assessment policy.

To implement Instant-On Security, the device must support HP Device Announcement Agent, which is found in firmware version 11.3 (released December 2011) or later. For a list of devices that include HP Device Announcement Agent, go to www.hp.com/go/securitymanager.

Automatic discovery requires that the Accept Device Announcements feature is enabled (disabled by default) and the device's HP Device Announcement Agent feature is enabled (enabled by default). In addition, the corporate DNS server must be configured with an entry that points the hostname hp-print-mgmt to the IP address of the Security Manager server.

When the device announcement agent is activated on a compatible printer, the HP device announcement agent looks for a host with the DNS hostname of hp-print-mgmt. If found, the device announces itself directly to Security Manager. If Accept Device Announcements is enabled and the device passes the minimum authentication requirements, the device is automatically added to Security Manager. If Allow Automatic Remediation is enabled, an automatic assessment/remediation of the device occurs. A device is not added to Security Manager if it fails the minimum authentication required for the assessment.

When the device announcement agent is enabled, it announces itself to the Security Manager server in the following situations:

- When the device is turned on.
- When a cold reset is performed on the device.
- When the IP stack comes up (for example, after a network configuration change).
- When the configuration server IP address changes (use this if a DNS entry cannot be used).
- When the HP Device Announcement Agent feature is enabled using the check box in the device HP Embedded Web Server or the device control panel.

When Accept Device Announcements is enabled, each device that passes the authentication is assigned a device license from the license pool.

The Instant-On Security feature might fail if IPsec, Windows firewall, or other firewalls do not allow communication with Security Manager using port 3329.

Follow these steps to set up Instant-On Security:

1. To activate Instant-On Security and automatic remediation, request the site administrator to add an entry in the corporate DNS server that points hp-print-mgmt to the IP address of the Security Manager server.
2. Click the Settings icon, and then select the Settings option.
3. In the left navigation pane, select Instant-On Security.
4. Select the Accept Device Announcements check box, and then click OK in the confirmation dialog box to enable communication with port 3329.
5. Select a setting to specify the minimum authentication required for the assessment. The default setting is the No Authentication (Out of the Box) option.

   Mutual Authentication

   a. Select this option for the highest authentication level, and then click Select Certificate. This authentication method is the most secure and requires certificates to be configured on the device and in Security Manager. This enables the Security Manager server and the device to verify that the certificate for the other is valid. When the device announces itself or other events occur, such as an IP address change or cold reset, the device and the Security Manager server communicate using the secure socket layer (SSL) to validate certificates before automatic remediation occurs. The certificates must be valid identity certificates signed by a trusted certificate authority and installed on the Security Manager server and each device. Each device must be set to require mutual authentication using certificates during a pre-staging process. Because certificates remain after a cold reset, this method of Instant-On Security provides protection even if a cold reset is performed on the device.
   b. On the Select Certificate window, select a certificate from the list of certificates found on the Security Manager server, and then click Select. Optionally, you can use Security Manager to manage the identity certificates on the Security Manager server and the devices.

   No Authentication (Out of the Box)

   a. Select this option to not use any authentication. This is the simplest authentication method because no pre-staging is required. Security Manager automatically configures devices to be compliant with the security policy when they are taken out of the box and connected to the network. This method also works on devices when a cold reset is performed because no authentication is required for auto discovery, assessment, and remediation.
   b. To restrict and control the devices entering Security Manager, select the Use Device Serial Number List check box, and then click Add Device Serial Number(s).
   c. Select one of the following methods to add serial numbers on the Add Device Serial Number(s) window:
      - Type the printer's serial number in the Device Serial Number text box, and then click Add to list.
      - Click Add from file, locate the XML or text file from your file browser, open the file in Security Manager, and then click Add.
      Security Manager uses the list of serial numbers to accept a device the first time, and then automatically removes the serial number from the list. It recognizes all future announcements by that device as a valid device.
6. Create a valid policy from the Policies page. For instructions, see Create a policy. You must create a valid initial policy to use with Automatic Remediation.
7. Select the Allow Automatic Remediation check box to activate automatic remediation.
8. Select a policy from the Initial Assessment Policy drop down box to ensure new devices are compatible with the requirement. The valid policies are sorted in the list from the oldest to latest policy. This policy is used for newly announced devices and ensures that the device is fully compliant with the requirements. The selected Initial Assessment Policy is used once for the initial remediation. After the initial assessment, Security Manager uses the most recently applied policy. If the policies are not valid, a No valid policies message displays in the Initial Assessment Policy text box and the Save button is disabled.
9. Click Save to save the entries. If the HP JetAdvantage Security Manager service is not running, the Security Manager application does not save the entries and displays an error message.

After the Instant-On Security settings are configured, devices that are powered on automatically populate and remediate in Security Manager. Devices automatically discovered display in the Instant-On Auto Discovered column in the Devices page.
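
The two DNS prerequisites described above (the hp-print-mgmt entry that must point to the Security Manager server, and the hostname resolution option that requires DNS to work in both directions before a device import) can be checked before devices are added. The following is an added example, not part of the HP guide or HP software. It assumes that "both directions" means a forward record and a matching reverse (PTR) record; all addresses and printer names in it are constructed.

```python
"""DNS preflight for Security Manager device import and Instant-On Security.

Added example, not HP code. "Both directions" is read here as
forward-confirmed reverse DNS, which is an assumption. Resolvers are passed
in, so the checks run offline on constructed records or against live DNS.
"""
import ipaddress
import socket

ANNOUNCE_HOSTNAME = "hp-print-mgmt"  # name the guide says devices look up

# Constructed sample records (192.0.2.0/24 is a documentation range).
SAMPLE_A = {
    "hp-print-mgmt": {"192.0.2.10"},
    "prn-floor1.example.test": {"192.0.2.21"},
    "prn-floor2.example.test": {"192.0.2.22"},
}
SAMPLE_PTR = {
    "192.0.2.21": "prn-floor1.example.test.",
    # 192.0.2.22 deliberately has no PTR record.
    "192.0.2.23": "prn-old.example.test",  # PTR without a matching A record
}

def normalize(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.rstrip(".").lower()

def sample_forward(name):
    """Forward lookup against the constructed records."""
    return set(SAMPLE_A.get(normalize(name), ()))

def sample_reverse(ip):
    """Reverse lookup against the constructed records."""
    return SAMPLE_PTR.get(ip)

def system_forward(name):
    """Addresses the operating system resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, None)
    except OSError:
        return set()
    return {info[4][0].split("%")[0] for info in infos}

def system_reverse(ip):
    """PTR hostname for ip, or None when the lookup fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def is_ip(text):
    """True when text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_device(entry, fwd=system_forward, rev=system_reverse):
    """Return (ok, reason) for one device IP address or hostname."""
    addresses = {entry} if is_ip(entry) else fwd(entry)
    if not addresses:
        return False, "no forward record for " + entry
    for ip in sorted(addresses):
        ptr = rev(ip)
        if ptr is None:
            return False, "no reverse (PTR) record for " + ip
        if ip not in fwd(ptr):
            return False, normalize(ptr) + " does not resolve back to " + ip
    return True, "forward and reverse records agree"

def check_announcement_record(server_ip, fwd=system_forward):
    """Return (ok, reason): the name must resolve to server_ip only."""
    found = fwd(ANNOUNCE_HOSTNAME)
    if server_ip not in found:
        seen = ", ".join(sorted(found)) or "nothing"
        return False, f"{ANNOUNCE_HOSTNAME} resolves to {seen}, not {server_ip}"
    extra = sorted(found - {server_ip})
    if extra:
        return False, f"{ANNOUNCE_HOSTNAME} also resolves to {', '.join(extra)}"
    return True, f"{ANNOUNCE_HOSTNAME} resolves only to {server_ip}"

def preflight(server_ip, devices, fwd=system_forward, rev=system_reverse):
    """Return {item: reason} for every check that failed."""
    failures = {}
    ok, reason = check_announcement_record(server_ip, fwd)
    if not ok:
        failures[ANNOUNCE_HOSTNAME] = reason
    for entry in devices:
        ok, reason = check_device(entry, fwd, rev)
        if not ok:
            failures[entry] = reason
    return failures

if __name__ == "__main__":
    sample = ["192.0.2.21", "prn-floor2.example.test", "192.0.2.23"]
    report = preflight("192.0.2.10", sample, sample_forward, sample_reverse)
    for item, why in report.items():
        print(item + ": " + why)
```

Calling preflight with only the server address and the device list uses the operating system resolver instead of the constructed records. An hp-print-mgmt record that resolves to any address other than the Security Manager server is reported, because devices would announce themselves to that host.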

Configure the email server settings

Use the Automated Output setting option to configure the email server to authenticate and send email notifications when scheduled tasks are completed.

Follow these steps to configure email server settings:

1. Log into Security Manager, select the Settings icon, and then select the Settings option.
2. On the left navigation pane, click Automated Output.
3. In the E-mail Settings section, type the information required to identify the email server.
    - SMTP Server - Contains the hostname or IP address of the email server.
    - Port - Contains the network port to use to contact the email server. By default, the network port is set to 25.
    - Enable SSL - Enables or disables the use of SSL when working with the email server. By default, this option is set to enabled.
    - Use Default Credentials - Sets whether user credentials need to be supplied or not. If enabled, then the Username, Password, and Domain text boxes are disabled (grayed out).
    - Username - Provides the name used to log into the SMTP (email) server.
    - Password - The password used to log into the SMTP server. The characters are encrypted when typed.
    - Domain (Optional) - The username is often related to a domain. If so, then the domain is needed to qualify the username.
4. In the Automatic Notification Settings, type the information required.
    - Email Subject - The subject used in the email that is sent.
    - From Address - The address used as the sending email in the message.
    - Recipient(s) - The email addresses of one or more recipients. Addresses (if more than one) must be separated by a space, comma, or semicolon.
   If an email address is incorrect, tasks will run for a longer time and fail.
5. Send a test email.
    a. Click the Send Test E-mail button to make sure that the server and the configured settings are correct.
    b. Check your email for the test email.
6. Click Save. Click Yes to confirm the changes to the settings in the confirmation dialog box.

Set up global credentials

Global credentials are used as part of the device verification process when performing tasks such as device discovery, device verification, Assess Only, Assess and Remediate, and setting the Instant-On Security feature.

Use the Global Credentials feature to set global credentials for all existing devices and custom groups.

When verifying devices, Security Manager first attempts to check the assigned device credentials for a device. If the verification fails with device credentials, it checks the device's default credentials. If the default credentials verification fails, it verifies the device with the global credentials.

The device, default, and global credentials are also applicable for Assess Only and Assess and Remediate policies on a device.

Follow these steps to set up the Global Credentials:

1. Log into Security Manager, select the Settings icon, and then select the Settings option.
2. On the left navigation pane, click Global Credentials.
3. On the SNMP Credentials section, complete the following steps to set the SNMPv1/v2 Read, Read/Write, and/or SNMPv3 credentials:
   a. Select the Set v1/v2 Read Community Name check box, type the SNMP v1/v2 Community name in the first text box, and then type the name again in the second text box to confirm.
   b. Select the Set v1/v2 R/W Community Name check box, type the SNMP v1/v2 Read/Write Community name in the first text box, and then type the name again in the second text box to confirm.
   c. Select the Set v3 Credentials check box, and then complete the following steps to set the SNMP v3 credentials:
      i. Type the SNMP name in the User Name text box.
      ii. Type the Authentication Passphrase, and then type the passphrase again to confirm.
      iii. Select the Authentication Protocol (MD5 or SHA).
      iv. Type the Privacy Passphrase, and then type the passphrase again to confirm.
      v. Select the Privacy Protocol (DES or AES).
4. On the Other Credentials section, complete the following tasks to set credentials in the HP Embedded Web Server, file system, and PJL:
   a. Select the Set Admin (EWS) Password check box, type the administrative password set in the HP Embedded Web Server, and then type the password again to confirm.
   b. Select the Set File System Password check box, type the password for the file system on the device, and then type the password again to confirm.
   c. Select the Set PJL Password check box, type the password for the Printer Job Language on the device, and then type the password again to confirm.
   d. Select the Set Bootloader Password check box, type the password for the bootloader on the device, and then type the password again to confirm.
5. Click Save.


4 Using Security Manager

This section discusses how to add and edit device information, create a policy, assess and remediate, and run reports.

To view the main topics in the Security Manager Home page, see Introduction.

This section provides information on the following topics:

- Create a security policy
- Add and edit device information
- Assess and remediate
- Run reports
- Export and Scheduling reports

Create a security policy

Use the Policies page to create, edit, and import a policy. Select a policy or policies to configure the settings using the Policy Editor and the policy buttons displayed in the Policies page.

A new policy is initially invalid. You must provide the device credentials and configure any required settings using the Policy Editor.

This section focuses on the following topics:

- Policies page navigation
- Create a policy
- Edit a policy
- Export and Import policies

Policies page navigation

The Policies toolbar icons located in the Policies page allow you to modify a policy.

Total policies selected control: Displays the number of policies selected in the Policies page.

Policies toolbar icons: This toolbar is located above the Policies list panel and allows you to modify a policy.

Policies toolbar icons

Refresh: Updates the Policies list panel.
New Task: Allows you to create a new task, set a policy, and schedule Assessment or Assessment and Remediation tasks for a device group or multiple groups. A task cannot be created for an individual device.
Set as Instant On Policy: Sets valid policies as an instant-on policy. Make sure to select the Accept Device Announcements option in the Settings tab.
Rename: Allows you to type a new name for a policy. Make sure not to use a name that already exists in the Policy page.
Edit: Displays the Policy Editor page.
Export: Exports the selected valid policy to an .xml file.
Delete: Deletes the selected policy.
Unlock: Unlocks a policy.

Create a policy

Follow these steps to create a new policy:

1. Log into Security Manager, and then select the Policies tab.
2. Hover on the left navigation pane, and then select the New Policy icon.
3. Complete the following steps on the New Policy window to create a policy:
   a. Type a name for the policy in the Policy Name text box. Use a policy name that indicates its purpose, such as Initial Instant-On Policy.
   b. Select a template from the Selected Template drop-down list. Click the Help icon for more information about the Security Manager templates.
      Security Manager includes the following policies:
      - HP Security Manager Base Policy: Use this template for a new policy. It includes specific credentials that are vital for a secure policy. HP recommends that you select this policy to use as a template.
      - HP Security Manager Limited Policy: This template is designed primarily for assessments only as it provides a quick look of a secure fleet. It contains a minimal amount of security related features.
      - Blank Policy: This template does not have any pre-defined settings and is used to create a security policy from scratch.
      After you choose a policy name and template to use, you can modify it to suit your needs.
   c. Click Save. The new policy automatically displays in the Policies page.

To set a policy for a single item, see Set policy options for a single item.

To globally set the advanced remediation options (severity, remediation and unsupported behavior) in a specific category or the entire policy, see Set severity, remediation, and unsupported behavior to policy items in Quick Settings.

Edit a policy

Use the Policy Editor to set security settings on a device group so that each device in the group complies with the company security policies.

The Policy Editor page displays the policy icon (new, valid, or invalid) and the selected policy name. The main categories of the policy settings display on the top navigation bar, and the left navigation pane displays the sub categories of the policy settings. These categories also display the number of policy items selected in parentheses.

The check boxes displayed in the Related Policy Items section located on the right panel are visual indicators representing the enabled status of the policy items and are always disabled.

Only one policy can be selected for configuring at a time. A policy is automatically locked when an administrator configures the settings in the Policy Editor and is unlocked when it is closed. If another user tries to open a policy when it is being edited, a Policy In Use dialog box displays stating that the policy is being edited and that only a read option is available.

- Policy editor icons

- Set severity, remediation, and unsupported behavior to policy items in Quick Settings

Policy editor icons

The following table lists the icons used in the policy editor category panel.

Policy editor icon: Description
Green padlock: The selected setting adds more security and is the recommended security option.
Yellow padlock: The selected setting provides some security, other choices might provide a more secure policy.
Red padlock: The selected setting is less secure.
Information bubble: Provides information about a setting. Click the bubble to display the information of a setting.
Red text box: Indicates an error. A list of errors displays on an error panel.
Yellow text box: Indicates a warning. The information provided for the settings might cause issues on some devices or in certain situations.
Grayed field: Information is required for this setting.

Set severity, remediation, and unsupported behavior to policy items in Quick Settings

The Quick Settings function allows a user to set the severity, remediation, and unsupported setting on policy items in the Security Manager Settings located in the main category or sub category policy settings or in the Quick Settings (Policy) window.

A policy can be set to include or exclude items. The following settings can be set at the top level:

Include All Items: This setting at the top level creates a valid policy that includes all the recommended settings.
Exclude All Items: This setting at the top level deselects all the items in the policy.

Quick Settings can be configured for selected policy items. Items can also be included or excluded at the sub category level.

Remediation options are available for each item in the policy and can include the severity level reported during an assessment, whether to remediate a failure, and how to report an unsupported feature. You can use the policy's default remediation settings, individually set the options for each item in the policy, or set remediation options to apply to a specific policy category.

Set Severity: Indicates the security risk of the assessed feature when it is not in compliance with the policy.

Set Remediation: Indicates whether the item is remediated during an assessment and remediation task.
   When global remediation is set to Disable device remediation (Report Only), this setting applies to all policies and takes precedence over a policy's advanced remediation settings. For more information about the global remediation setting, see Verify device remediation and hostname resolution.

   Enable: Security Manager changes out-of-compliance items on the device to match the policy's setting.
   Disable: Security Manager reports out-of-compliance items, but does not change the item on the device.

Set Unsupported Behavior: Defines how Security Manager reports a feature that a device does not support during an assessment. This is useful when creating a single policy for use across a fleet of devices. Instead of failing when a specific feature is not supported, set the policy to ignore the item.
   Fail: Security Manager reports a failure when the item does not exist on the device.
   Ignore (default): Security Manager does not report the item. For example, if a device does not support a FAX PIN, Security Manager does not report that a FAX PIN is blank.

Set policy options for a single item

After a policy is created, follow these steps to configure the policy setting items and to set the severity, remediation, and unsupported behavior options for specific items in a policy:

1. Log into Security Manager, and then select the Policies tab.
2. On the Policies page, select a policy from the policies panel, and then click on the Edit button.
3. On the Policy Editor page, select a policy setting from the main category located in the top navigation tabs.
4. On the left navigation pane, select a sub category policy setting.
5. Select a Quick Settings policy item panel check box to enable the policy settings.
6. Click a policy item arrow to expand a policy item panel.
7. In the Security Manager Settings section, set the Severity option to High, Medium, or Low.
8. Set the Remediation option to Enable or Disable.
9. Set the Unsupported option to Fail or Ignore.
10. Configure the required policy settings. For example, to ensure a valid policy, click the Authentication tab, select the Credentials sub category, and then make sure to configure the following settings:
    - Admin (EWS) Password
    - SNMPv1/v2 Read Community Name and SNMPv1/v2 Read/Write Community Name
    - File System Password
    - PJL Password
    - Remote Configuration Password
11. Click Validate and then click Save.

    For invalid policy settings, the policy items will display in red font. An error panel will display below the policy item panel name and will include the number of errors and list the details of the errors.
12. Click Preview to view the policies. To cancel, click Cancel.

Set policy options for all the items or for a category

Follow these steps to set the severity, remediation, and unsupported behavior options for all the items in the policy or for a category:

1. Log into Security Manager, and then select the Policies tab.
2. Select a policy from the policies panel, and then click on the Edit button.
3. On the Policy Editor page, select Quick Settings (Policy) from the main category located in the top navigation tabs.
4. In the Quick Settings (Policy) window, select the Policy Item inclusion check box, and then select an option in the Policy Item inclusion drop-down list.
5. Select the Severity check box, and then select a High, Medium, or Low option.
6. Select the Remediation check box, and then select the Enable or Disable option.
7. Select the Unsupported Behavior check box, and then select the Fail or Ignore option.

Export and Import policies

Valid policies can be imported into a compatible version of Security Manager. Policies are encrypted with a passphrase to protect sensitive data, such as passwords and network information. A passphrase must be provided to import each policy.

Export a policy

1. Log into Security Manager, and then select the Policies tab.
2. On the Policies page, click on the check box to select a policy. An invalid (incomplete) policy cannot be exported and is grayed-out.
3. On the Policies toolbar, click the Export icon. Only one policy can be exported at a time.
4. Enter the passphrase to use for this policy, and then click OK. The passphrase can be any characters up to a maximum of 80 characters. The exported policy file is downloaded to the Downloads folder.

Import a policy

1. Log into Security Manager, and then select the Policies tab.
2. Hover on the left navigation pane, and then click the Import Policies icon.
3. Locate the folder where the policy is stored, select the .xml file, and then click Open.
4. In the Import Policy window, type the passphrase for the policy (.xml file), and then click Import to import the file in Security Manager.
   If the passphrase is not correct, an Import Policy Error window displays and requests the user to type the correct passphrase. An error message will also display if the imported file is not valid. If the invalid file is imported again with a valid policy file, it is not required to change the policy name for the imported file. If the same policy is imported, an error message displays and you will have to type a new policy name.
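The Set Severity, Set Remediation, and Set Unsupported Behavior options described earlier in this section interact with the global Report Only setting. The following added example (an illustrative model, not HP code) walks one policy over a two-device fleet to show which setting wins in each case. The device data, the "set"/"blank" values, the status strings, and the choice to attach the item's severity to an unsupported-feature failure are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyItem:
    name: str                    # policy item name
    required: str                # value the policy requires (constructed)
    severity: str                # Set Severity: "High", "Medium" or "Low"
    remediate: bool              # Set Remediation: Enable (True) / Disable (False)
    unsupported: str = "Ignore"  # Set Unsupported Behavior: "Fail" or "Ignore"


def assess_item(item, device, report_only=False):
    """Assess one policy item on one device; return (status, severity).

    device maps item names to current values; a missing key models a feature
    the device does not support. report_only models the global
    "Disable device remediation (Report Only)" setting.
    """
    if item.name not in device:
        if item.unsupported == "Ignore":
            return ("not reported", None)
        # Assumption: an unsupported-feature failure carries the item severity.
        return ("failed (unsupported)", item.severity)
    if device[item.name] == item.required:
        return ("passed", None)
    # Out of compliance: remediate only when the item allows it AND the global
    # Report Only setting is off, because the global setting takes precedence.
    if item.remediate and not report_only:
        device[item.name] = item.required
        return ("remediated", item.severity)
    return ("failed (reported only)", item.severity)


def run_task(policy, fleet, report_only=False):
    """Return {device name: {item name: (status, severity)}} for a fleet."""
    return {
        dev_name: {item.name: assess_item(item, settings, report_only)
                   for item in policy}
        for dev_name, settings in fleet.items()
    }


def sample_policy():
    return [
        PolicyItem("PJL Password", "set", "High", remediate=True, unsupported="Fail"),
        PolicyItem("FAX PIN", "set", "Medium", remediate=True),  # Ignore by default
        PolicyItem("File System Password", "set", "Low", remediate=False),
    ]


def sample_fleet():
    # Constructed device data; printer-02 has no fax, so "FAX PIN" is absent.
    return {
        "mfp-01": {"PJL Password": "blank", "FAX PIN": "blank",
                   "File System Password": "blank"},
        "printer-02": {"PJL Password": "set", "File System Password": "set"},
    }


if __name__ == "__main__":
    for report_only in (False, True):
        print("Global Report Only =", report_only)
        results = run_task(sample_policy(), sample_fleet(), report_only)
        for dev, items in results.items():
            for name, (status, sev) in items.items():
                print(f"  {dev:11} {name:22} {status:24} {sev or '-'}")
```

With Report Only on, every out-of-compliance item on mfp-01 is reported and none is changed, even where the item's own Remediation option is Enable.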

Add and edit device information

Security Manager enables you to add devices using any of the following features:

- Discover Devices in the Devices page. For more information, see Discover devices.
- Accept Device Announcements option in the Instant-On Security setting. For more information, see Set up Instant On Security.

When adding devices, Security Manager can resolve IP addresses to hostnames only if the Resolve IP addresses to hostnames when devices are added option is selected in the General settings. For more information, see Verify device remediation and hostname resolution.

Use the Devices page to discover devices, and then associate these devices to a group. The Devices toolbar icons in the Devices page allow you to modify the device information. For an overview of the icons and controls on the Devices page, see Devices page navigation.

Security Manager licensing occurs automatically when devices are added. For more information, see Install licenses.

- Create a group
- Discover devices
- Devices page navigation
- Export device addresses
- Edit device and group information

Create a group

A group is a collection of devices. In Security Manager, the All Devices Group is the default master group and cannot be changed. You can create a group and the new group will always be a sub group to the All Devices Group. The Groups section displays the device group names in a hierarchical order.

Devices can be categorized in one of the following groups:

- Manual Group
- Automatic Group

Manual Group

To assign devices to a Manual group, create a group, and then manually assign devices to the group. A Manual group cannot be created under an Automatic group.

Follow these steps to create a Manual group:

1. Log into Security Manager, and then select the Devices tab.
2. Hover on the left navigation pane, and then click the Manage Groups icon.

3. On the Manage Groups window, create a group in the New Group section.
   a. On the Group Name text box, type a name for a device group. The maximum length for this text box is 256 characters.
   b. In the Group Type drop-down list, select Manual.
   c. In the Parent Group drop-down list, select a group (All Groups, for example), click Add, and then click Close.
      The new group will be set as a sub group to All Groups.
4. On the Devices page, click on the check box to select a device. You can also use the Filter or Search text box to search for devices.
5. Click on the Add to Group icon.
6. On the Add to Group window, select a group from the Select Group to Add.. drop-down list, and then click Add.
   The new group will be set as a sub group to All Groups.

For more information about editing a Manual Group, see Manage Groups.

Automatic Group

Devices can be assigned based on a specified filter criteria. The filter criteria set on an Automatic Group is scheduled to run every 24 hours.

Follow these steps to create an Automatic group:

1. Log into Security Manager, and then select the Devices tab.
2. Hover on the left navigation pane, and then click the Manage Groups icon.
3. On the Manage Groups window, create a group in the New Group section.
   a. On the Group Name text box, type a name for a device group. The maximum length for this text box is 256 characters.
   b. In the Group Type drop-down list, select Automatic, and then click Specify Filter Criteria.
   c. In the Filter Criteria window, select the following criteria in the Add Filter section, and then click Add.
      Device Property NOT operator Function Value Options
   d. Click Save to save the settings, and then on the Manage Groups window, click Close.
      The new group will be set as a sub group to All Groups.

For more information about editing an Automatic Group, see Manage Groups.

Discover devices

The Discover Devices feature in the Devices page enables you to add devices to a group by using the Automatic or Manual discovery options.

- Add devices using Automatic Discovery
- Add devices using Manual Discovery

Add devices using Automatic Discovery

Use the Automatic discovery type option to discover devices connected to a network and to add them to a device group.

Security Manager will use the credentials set in the Global Credentials when discovering devices.

Follow these steps to automatically discover and add devices in the Devices page:

1. Log into Security Manager, and then select the Devices tab.
2. Hover on the left navigation pane, and then click the Discover Devices icon.
3. Select a group from the Group to Add drop-down list. The default group is set to Add Devices.
4. In the Discovery Type list box, select the Automatic option.
5. Select one of the following options in the Automatic Discovery section:
   Number of Network Hops: Select the number of network hops or routers required to traverse in the multicast query. The default is 4 hops. This option uses a multicast UDP discovery mechanism to ask HP devices to identify themselves.
   Range: Type an IP address in the Start Address and End Address text boxes to initiate a discovery using an IP range. This option scans the given IP address range for all devices that are supported by Security Manager. Invalid IP addresses will disable the Discover button.
6. Click Discover.
   A successful discovery will display a green slider, and an error message displays if the discovery fails.

Add devices using Manual Discovery

Use the Manual discovery type to discover devices by entering an IP address or by using a text or xml file to add devices to a group.

To add a file for discovery, use a plain text editor to create a text file or valid .xml file, type one IP address or hostname per line, and then make sure to note the location of the saved file.
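A discovery list can be checked before it is loaded, so that malformed or duplicate entries are found in the file rather than in the invalid-address dialog. The following added example (not part of Security Manager) validates a one-entry-per-line text list and an IP range. The hostname syntax rules (RFC 1123 style labels), the IPv4-only range, and the sample entries are assumptions, since the guide does not state which rules the product applies.

```python
import ipaddress
import re

# Constructed sample list: one IP address or hostname per line.
SAMPLE_LIST = """\
192.0.2.10
192.0.2.10
printer-floor2.example.com
192.0.2.300
bad_host!.example.com

  198.51.100.7
"""

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify(entry):
    """Return ("ip" or "hostname", normalized value) or (None, reason)."""
    try:
        return "ip", str(ipaddress.ip_address(entry))
    except ValueError:
        pass
    # Digits and dots only, but not a valid address (for example 192.0.2.300).
    if re.fullmatch(r"[0-9.]+", entry):
        return None, "malformed IP address"
    name = entry.rstrip(".")
    if len(name) > 253 or not all(_LABEL.fullmatch(l) for l in name.split(".")):
        return None, "invalid hostname syntax"
    return "hostname", name.lower()


def validate_list(text):
    """Return (valid, rejected).

    valid is de-duplicated and kept in file order; rejected is a list of
    (line number, entry, reason) tuples.
    """
    valid, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank lines are skipped, not reported
        kind, value = classify(entry)
        if kind is None:
            rejected.append((lineno, entry, value))
        elif value in seen:
            rejected.append((lineno, entry, "duplicate"))
        else:
            seen.add(value)
            valid.append(value)
    return valid, rejected


def range_size(start, end):
    """Count the addresses in an inclusive Start Address..End Address range."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("End Address is lower than Start Address")
    return int(last) - int(first) + 1


if __name__ == "__main__":
    ok, bad = validate_list(SAMPLE_LIST)
    print("entries to discover:", ok)
    for lineno, entry, reason in bad:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
    print("range size:", range_size("192.0.2.1", "192.0.2.254"))
```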

Security Manager will use the credentials set in the Global Credentials when discovering devices.

Follow these steps to manually discover and add devices in the Devices page:

1. Log into Security Manager, and then select the Devices tab.
2. Hover on the left navigation pane, and then click the Discover Devices icon.
3. Select a group from the Group to Add drop-down list. The default group set is All Devices.
4. In the Discovery Type list box, select the Manual option.
5. On the Manual Discovery section, use one of the following methods to add devices:
   Security Manager displays an error if an unknown IP address or hostname is entered.
   - Type an IP address or hostname of a device in the IP Address/Hostname text box, and then click Add to list for Discovery. Each valid IP address and hostname is displayed in the Devices section.
   - Click Add from file for Discovery, select the text or .xml file that contains a list of device IP addresses or hostnames, and then click Open. If the file is readable, the valid IP addresses and hostnames are displayed in the Devices section. A dialog box displays for the invalid addresses found in the file. These IP addresses will not be included in the Devices section. To exit from the dialog box, click Close.
   HP Web Jetadmin can be used to export an .xml file that can be imported into Security Manager. At a minimum, the device IP address must be exported.
   By default, the devices listed in the Devices section are sorted by the IP address column.
6. To remove an IP address or hostname from the Devices section, select the IP address or hostname row in the Discover Devices window, and then click Delete.
7. Click Discover to add the IP addresses and hostnames listed in the Devices section. To close the Discover Devices window, click Cancel or the Exit button.

Devices page navigation

This section provides an overview of the icons and controls in the Devices page.

Total devices selected control: Displays the number of devices selected in the Devices page.

Devices toolbar icons: This toolbar is located above the Devices list panel and allows you to modify the discovered devices.

Devices toolbar icons

Refresh: Updates the devices list panel.
Column Organizer: Allows you to select or deselect the columns to display in the Devices list panel or use the Reset to Default button.

New Task: Allows you to create, assess or assess and remediate, and schedule a task for a device group or multiple groups. A task cannot be created for an individual device.
Verify: Initiates a verification task on the selected devices or groups. To view the status of the verification, click the Tasks page.
EWS Web: Opens an HP Embedded Web Server (EWS) in the default browser using the device's IP address or hostname.
Add to Group: Adds a device to a different group.
Remove from Group: Removes a device from a group.
Assign Licenses: Assigns licenses to the selected devices.
Remove Licenses: By default, Remove licenses is enabled.
Set Credentials: Sets device credentials on the selected devices to assess/remediate.
Set SSL/TLS Enforcement: Enables or disables validation of the ID certificate whenever Security Manager communicates with the HP device.
Reset to Not Assessed: Resets the Device Status to unassessed and removes recommendations and assessment information.
Export Device: Exports the selected devices to an .xml file.
Delete: Deletes the selected devices.

Device List Panel: Lists the devices discovered and information of the devices in columns. Examples are the following:

IP Address: Displays a Device Properties window listing information of the device status, identification and credentials. It also provides recommendations for a device.
Assessment status: Displays icons for devices that are not assessed, assessed, low risk failure, medium risk failure and high risk failure.

Export device addresses

Follow these steps to export information about individual devices or a group of devices to an xml file:

1. Log into Security Manager, and then select the Devices tab.
2. On the Devices page, click the check box in the first column to select a device in the Devices list panel or a group from All Devices.
3. Click the Export Devices icon located in the Devices toolbar icons.
4. When the file browser opens, browse to a location to store the device file, provide a file name, and then click Save.

Edit device and group information

In Security Manager, the Manage groups feature in the Devices page allows you to add, move, remove and delete devices from a group. This changes the hierarchy in the Groups section.