HP Designjets and HP Security Features


Overview and solutions for managing Security features in HP Designjets using the printer's Embedded Web Server technology, Front Panel and Web Jetadmin

Table of contents
- Introduction & Overview
- Designjet Security features vs LaserJet
- Appendix: Security Concepts explanation
- Secure file and disk erase
- Embedded Web Server (EWS) multilevel access
- Control panel Access
- Deadlock: Front Panel locked + EWS password forgotten
- Disable connectivity interfaces
- Exclude personal information from accounting e-mail
- Glossary
- For more information

Introduction & Overview

This document provides an overview of the security features supported by HP Designjet printers as of November 2009. Thanks to the security features explained below, HP Designjets are well suited to deployment in environments where network, data, access control and security are everyday issues.

Below is an executive table summarizing the new and already existing security features of HP Designjet printers and how they can be implemented using the Embedded Web Server (EWS) and/or HP Web Jetadmin (WJA).

Security Feature by November 09 | DJ Z6100/Z6100PS | DJ T1100/T1100PS | DJ T1120/T1120PS | DJ Z2100, Z3100/Z3100PS, Z3200/Z3200PS | DJ 4000/4500 | DJ 4020/4520 | How To Apply this setting
Secure File erase | Yes | Yes | Yes | Yes | Yes | Yes | WJA
Secure disk erase | Yes | Yes | Yes | Yes | Yes | Yes | Service Menu or WJA
Control panel Access | Yes | Yes | No | No | Yes | Yes | WJA
Embedded Web Server multilevel access passwords (Admin and Guest) | Yes | Yes | Admin pwd only (Guest Future) | Admin pwd only | Yes | Yes | WJA (Admin only) or EWS (Admin & Guest)
Exclude personal information from accounting e-mail | Yes | Yes | Yes | No | Yes | Yes | EWS
Disable interfaces | Yes | Yes | No | No | Yes | Yes | EWS
IPSec SNMPv3
Hide IP address from Front Panel | Yes | Yes | No | No | Yes | Yes | Service Menu

Security Feature by November 09 | T610 | T620 | T770 | T770 HDV | T1200 | T1200 PostScript | How To Apply this setting
Secure File erase | Yes | Yes | Yes | Yes | Yes | Yes | WJA
Secure disk erase | No | No | No | Yes | Yes | Yes | Service Menu or WJA
Control panel Access | No | No | No | No | Yes | Yes | WJA or EWS
Embedded Web Server multilevel access passwords (Admin and Guest) | No | No | No | No | Yes | Yes | WJA (Admin only) or EWS (Admin & Guest)
Exclude personal information from accounting e-mail | No | No | Yes | Yes | Yes | Yes | EWS
Disable interfaces | No | No | No | No | Yes | Yes | EWS
IPSec SNMPv3 Yes Yes
Hide IP address from Front Panel | Yes | No | No | No | Yes | Yes | Service Menu

Note: If the printer is not listed in the above table then these features are not implemented.

Designjet Security features vs LaserJet

HP LaserJet printers have some security features not yet available in HP Designjet printers. As a brief comparison, the table below compares the HP LJ 9050 series and the HP DJ 4020 series. The appendix explains what each security feature is.

Security Feature | LJ 9050 | DJ 4020
Authentication Manager | Yes | No
Control panel Access | Yes | Yes
Device Password | Yes | Yes
Direct Connect Ports (USB/IEEE 1284) | Yes | Yes
File erase mode | Yes | Yes
File system access settings | Yes | No
File system password | Yes | No
Job Held Timeout | Yes | No
Job Retention | Yes | No
PJL Password | Yes | No
Remote FW upgrade | Yes | Yes

When comparing HP Designjets to competitive products in a more secure environment such as an Enterprise, customers look for these feature sets to compare.

Appendix: Security Concepts explanation

Secure file and disk erase

Secure File Erase can be divided into 3 parts:
1. File erase, allowing a printer working mode of continuous removal of files in a non-secure or secure manner
2. Disk erase, allowing a complete removal of all user data in the HDD content
3. The user interface providing access to the secure erase functionality

Let's look at how each of these features can be used in a secure manner within our printing environment.

1. File Erase

There are three modes of operation regarding File Erase. Each file that the printer creates and removes follows a specification, so that minimal data is left at any time without being sanitized:

I. Non-Secure Fast Erase: In this mode, all file pointers to the data (table indexes) are erased. Temporary data remains on the Hard Disk Drive until the disk space it occupies is needed for other purposes, and it is then overwritten. This is the default mode (out of the box) of operation and how the product works today. This is the fastest mode of operation.

II. Secure Fast Erase: In this mode of operation, file pointers are erased and the disk space where the temporary job was stored is also overwritten with a fixed character pattern. This mode of operation is slower than Non-Secure Fast Erase, but more secure, and all data is overwritten.

III. Secure Sanitizing Erase: In this mode of operation, file pointers are erased and the disk space where the temporary job was stored is repetitively overwritten using an algorithm that prevents any residual data. This mode of operation may affect product performance. The Secure Sanitizing Erase mode of operation meets the US Department of Defense 5220.22-M requirements for clearing and sanitization of disk media.

When the SDE feature is enabled, all temporary files that might contain sensitive data are erased with this method and no temporary files are left around after a job has completed (scan, copy, or print).

2. Secure Disk Erase

There's also the option to erase the complete disk with either of the two secure methods described above (Secure Fast Erase and Secure Sanitizing Erase). This sanitizes the whole disk in one shot by removing any user data in a secure manner, so the device can be moved from a safe to a non-safe environment. This setting can be applied via Web Jetadmin, or via the Front Panel Service Menu by an HP authorized engineer or by contacting HP Support directly with a request for access. All disk erasing will be done via the same level of security erase.
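The three file erase modes and the whole-disk erase described above, sketched on a simulated disk. This is an added example, not HP firmware code and not part of the original paper; the ToyDisk class, the overwrite byte values and the three-pass sequence are assumptions, since the paper does not specify them.

```python
import os

# Overwrite passes per erase mode. The paper says only "a fixed character
# pattern" and "repetitively overwritten"; the byte values and the three-pass
# sequence (pattern, complement, random) are assumptions for illustration.
PASSES = {
    "non_secure_fast": [],                          # pointers only
    "secure_fast": [b"\x00"],                       # one fixed-pattern pass
    "secure_sanitizing": [b"\x00", b"\xff", None],  # None = random data
}

# Constructed sample spool data, not taken from a real device.
SAMPLE_JOB = b"CONFIDENTIAL site-plan-rev7.plt user=jdoe"


class ToyDisk:
    """Byte array plus index table, standing in for the printer hard disk."""

    def __init__(self, size=256):
        self.raw = bytearray(size)
        self.index = {}       # file name -> (offset, length): the file pointers
        self.next_free = 0

    def write_file(self, name, payload):
        if self.next_free + len(payload) > len(self.raw):
            raise OSError("toy disk full")
        offset = self.next_free
        self.raw[offset:offset + len(payload)] = payload
        self.index[name] = (offset, len(payload))
        self.next_free += len(payload)

    def _overwrite(self, offset, length, passes):
        for pattern in passes:
            fill = os.urandom(length) if pattern is None else pattern * length
            self.raw[offset:offset + length] = fill
            # Read back so a failed pass is reported rather than assumed.
            if bytes(self.raw[offset:offset + length]) != fill:
                raise OSError("overwrite verification failed")

    def erase_file(self, name, mode):
        """File erase: drop the pointer, then overwrite as the mode requires."""
        passes = PASSES[mode]                    # unknown mode -> KeyError
        offset, length = self.index.pop(name)
        self._overwrite(offset, length, passes)
        return len(passes)

    def erase_disk(self, mode):
        """Disk erase: only the two secure modes apply, over the whole disk."""
        if not PASSES[mode]:
            raise ValueError("disk erase requires a secure mode")
        self.index.clear()
        self.next_free = 0
        self._overwrite(0, len(self.raw), PASSES[mode])


def recoverable(disk, needle):
    """True if a raw scan of the media still finds the job data."""
    return needle in bytes(disk.raw)


def compare_modes():
    """Erase the same job under each mode and report what a raw scan finds."""
    result = {}
    for mode in PASSES:
        disk = ToyDisk()
        disk.write_file("job-0001.tmp", SAMPLE_JOB)
        disk.erase_file("job-0001.tmp", mode)
        result[mode] = recoverable(disk, SAMPLE_JOB)
    return result


if __name__ == "__main__":
    for mode, found in compare_modes().items():
        print(f"{mode:18} job data recoverable from raw disk: {found}")
```

Only the default Non-Secure Fast Erase leaves the job bytes readable on the raw media after the file has been removed from the index.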
The Secure Disk Erase feature is already implemented for these printers:
- HP Designjet Z3100/Z3200
- HP Designjet Z6100
- HP Designjet T1100
- HP Designjet T1120
- HP Designjet T770 HDV
- HP Designjet T1200/T1200 PostScript
- HP Designjet 4000/4500
- HP Designjet 4020/4520

3. User Interface

We will discuss how to set these options using two user interfaces: HP Web Jetadmin and the printer's Front Panel Service Menu.

HP Web Jetadmin access: When HP Web Jetadmin is the user interface used to manage Secure File Erase (SFE) and Secure Disk Erase (SDE), we use the same SFE/SDE functionality that is used in the WJA device plug-ins for LaserJet printers. This means that you can set the same global options for SFE/SDE across your fleet of HP LaserJets and HP Designjets. The example below shows the T1100ps being configured using WJA.

[Screenshots: Secure File Erase and Secure Disk Erase settings]

Note: the file system password needs to be set for a device before the file erase/disk erase mode can be configured.

Printer Front Panel: Once selected in the Service Menu, you can perform Secure Disk Erase. The printer will warn you that it is a process which destroys all data and takes a long time. When you accept, the printer starts the process and shows a progress bar until complete. All data will be wiped in one of the two selectable methods and the printer firmware will be restored.

Note: the T1200 series now has an optional accessory for added disk security: an external HDD (EHD) that replaces the printer's internal hard disk as the repository of personal data (job queue, including temporary processing data, accounting, ...). In that way, the EHD can be removed from the printer and stored in a secure place.

Embedded Web Server (EWS) multilevel access

The Embedded Web Server is a tool which enables one-to-one management of a device such as an HP LaserJet printer or an HP Designjet printer. However, without any security being implemented this tool can also be damaging, as many features can be configured using just a web browser and an IP connection to the printer. To alleviate this problem we have implemented two levels of access to our compatible HP Designjets, as follows.

The Security page allows users to:
- Restrict access to the printer by setting an administrator user account

We can now define two levels of access: Administrator and Guest. If the two levels of access have been set and the user has neither of the passwords, they will not be able to gain access to EWS information at all.

Administrator password

Access control is enabled by setting the Admin account password: that is, by specifying a password for the user account Admin. Users will then have to provide the Admin password in order to perform any of the following restricted operations:
- Cancel, delete or preview a job in the job queue
- Delete a stored job
- Clear accounting information
- Change the printer settings on the Device Setup page
- Update the printer's firmware
- Change the printer's date and time
- Change security settings
- View protected printer information pages

Guest password

Once the administrator user account has been set, the administrator can also set the guest account password: that is, by specifying a password for the user account Guest. If the guest user account is set, a username and password are required for all Web server operations: users identified as guests have access to restricted operations, whilst users identified as administrators have access to all operations.

Control panel Access

Control panel access is a feature intended for IT administrators that allows them to lock the device front panel using HP Web Jetadmin or the printer's Embedded Web Server (T1200 series only), preventing unauthorized users from accessing it and changing the printer's settings. Administrators can specify the level of access as follows:
- Unlock
- Minimum Lock
- Moderate Lock
- Intermediate Lock
- Maximum Lock

This option can be enabled from HP Web Jetadmin as shown below:

[Screenshot: Control Panel Access feature settings]

This option can be enabled from the T1200 series Embedded Web Server as shown below:

Options below:

Designjet | Retrieve job | Information | Paper handling | Configure | Diagnostics
Maximum | OK | ----- | ----- | ----- | -----
Intermediate | OK | OK | ----- | ----- | -----
Moderate | OK | OK | OK | ----- | -----
Minimum | OK | OK | OK | OK | OK

- Maximum Lock: This option denies access to all options.
- Intermediate Lock: This option denies access to the paper and ink supplies handling options, maintenance options and demo prints, on top of the Moderate Lock. Only viewing printer and supplies information is allowed.
- Moderate Lock: This option denies access to all printer settings, the job queue, information and service prints and the printer log, on top of the Minimum Lock.
- Minimum Lock: This option denies access to the Resets options, Enable/Disable connectivity options and the Service menu.

Note: with Moderate or Maximum lock set you will not be able to load/unload paper or replace printheads/ink cartridges without first unlocking the front panel, so these options should only be set in specific circumstances where the implications are known and understood.

Some printers, like the T1100 Series, will also allow controlling the Front Panel Access from the Embedded Web Server.

When the Control Panel is locked, locked menus show a lock symbol in the Front Panel (FP). If a user attempts to enter a locked menu entry, the following message is shown:

Deadlock: Front Panel locked + EWS password forgotten

The main implication from a Customer Support point of view is the management of situations where a printer is blocked because of the loss of the Administrator's password that is needed to unblock its Front Panel. This could happen if the Front Panel is locked through the printer's Embedded Web Server and the Administrator password in the EWS is lost. In this situation, it would not be possible to unblock the FP from the EWS and it would not be possible to reset the EWS from the FP.

With HP Designjet printers the solution will be to implement a menu option in the Diagnostic Boot Mode accessible to users at start up. Customer Support agents would be able to guide customers who have found themselves in a deadlock situation to this menu in order to unlock the printer and recover from this situation.

Disable connectivity interfaces

Depending on the printer series, there are some ports that can be disabled to prevent unauthorized printing and possible data theft. Customers concerned about the data stream sent to the printer should use an HP JetDirect card which implements the IPSec security standard (JetDirect ): install this card and then disable all other ports using the printer's EWS as shown below.

Here is a table showing the connectivity options that can be disabled.

HP DJ 4020 Series HP DJ 4520 Series HP DJ T1200 Series HP DJ T1200 Series On board Gigabit Ethernet 1394 FireWire On board Gigabit Ethernet USB

If you enable or disable a connectivity option, the printer will automatically restart. Bear in mind that disabling a connectivity option could cut off network access to the printer. As a security measure, you cannot disable the connection you are using to access the Web server.

There is an option in the Service menu to enable all connectivity interfaces in case a user ends up without connectivity due to improper use of this feature.

Exclude personal information from accounting e-mail

You can enable or disable the sending of an e-mail containing accounting information from the printer. If you enable this setting, you also have to fill in the destination of the report using the "Send accounting files to" setting. Please note that you also have to configure the e-mail server on the Setup page.

In some cases customers prefer not to send personal user data from the printers via e-mail, so the option "Exclude personal information from accounting e-mail" is now available in the Embedded Web Server. With it enabled, accounting e-mails will not contain personal information (user name, job name and account ID will be left blank in the accounting file sent by e-mail from the printer).

Typically this option is used for managed print or pay-per-use contracts to ensure that only the data (counters) relevant for billing are being sent by the printer. Personal information about who printed which file is not required for billing purposes, and can be excluded from the accounting e-mail. This personal information is typically used for cost allocation within a company.

Supported printers: T1100, T1120, Z6100, 4020/4520, 4000/4500, T770, T1200 Series

Glossary

Active Directory (AD): An advanced, hierarchical directory service that comes with Microsoft Windows servers (version 2000 or later). It is LDAP-compliant and built on the domain naming system (DNS) used on the Internet. Workgroups are given domain names, exactly like Web sites, and any LDAP-compliant client such as Windows, Mac, or Unix can gain access.

Adobe PostScript: Developed by Adobe, this is the standard page description language (PDL) for the graphics arts industry and commercial printing. Many printing devices support PostScript with a built-in PostScript interpreter.

Color Access Control: Settings to determine which users and/or applications are allowed to print in color.

Domain Naming System (DNS): Converts host names and domain names into IP addresses on the Internet or on local networks that use the TCP/IP protocol.

Embedded Web Server (EWS): The EWS resides on a hardware device (such as an HP Designjet) or in the printer firmware. The EWS allows you to review, configure, and change settings on an HP Designjet after inputting an IP address into a Web browser from your computer.

HP Web Jetadmin: Web-based fleet management software tool for remote installation, configuration, problem resolution, proactive management, and reporting.

IP multicast: A one-to-many transmission of data over an IP network.

Multicast DNS (mDNS): Also known as Bonjour or Rendezvous, mDNS uses IP multicast with DNS to provide the capabilities of a DNS server for service discovery in a small network that does not have a DNS server.

Simple Network Management Protocol (SNMP): This is a network monitoring and control protocol.

Subnet: A logical division of a local area network, which is created to improve performance and provide security. A subnet limits the number of nodes that compete for bandwidth.

IPSec: Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. In our case, IPsec is used to protect data flows between the host and the printer.

SNMPv3: SNMP (Simple Network Management Protocol) allows users to manage the printer using SNMP management tools, such as HP Web Jetadmin. SNMP is also the protocol used for communication between the printer and the Windows driver. SNMPv3 provides security through user authentication and data encryption.

Hide IP address from Front Panel: Option in the Service Utilities menu of the front panel to show or not show the Internet Protocol (IP) address of your printer. In that way, only registered users or network administrators will know the right address to submit jobs to the printer.

Device Password (LJ feature): This is equivalent to the Designjet's web server password. It helps protect the printer from unauthorized access through remote applications.

PJL Password (LJ feature): The PJL password feature helps protect the printer from unauthorized configurations through Print Job Language (PJL) commands. It does not affect ordinary print jobs. Once the PJL password is configured, the MFP requires it before it will process any of these commands.

File System Password (LJ feature): The File System Password feature helps protect the printer data storage system options from unauthorized access. With the File System password configured, the printer requires the password before it will allow configurations to features that affect the data storage system. Some of these features are the Secure disk erase mode, the Secure Storage Erase feature, and the File System Access options.

File System Access settings (LJ feature): The File System Access options allow users to completely disable many of the access points to the printer data storage system. These access points are for various types of usage for the printer. The options are:
- PJL disk access
- SNMP disk access
- NFS disk access
- PS disk access
HP recommends enabling PS Disk Access to allow users to print PS-type files, and disabling the rest.

Remote Firmware Upgrade (LJ feature): This service allows an administrator to use a custom application to upgrade the printer's firmware remotely. Since HP recommends using HP Web Jetadmin to upgrade MFP firmware, you should disable Remote Firmware Upgrade.

Job Retention (LJ feature): This feature provides job retention options such as private job and hold job. Users will be able to ensure that they are present during printing to provide privacy for documents in the printer output bins.

Job Held Timeout (LJ feature): This feature is part of the Job Retention feature. It limits a held job to the selected time, and then the printer deletes it. You should select a reasonable timeout value for this setting to allow enough time for a user to walk to the printer to print a job or to allow time for jobs to print in line at the queue.

Authentication Manager (LJ feature): The Authentication Manager allows administrators to secure Device Functions by requiring users to log in with a specific Log In Method for each Function. For example, users may be required to log in with an Access Code or PIN to make copies yet be required to log in with a username and password to send e-mails.

Log In Methods: The following Log In Methods are available with the latest device firmware upgrade:
- Group 1 PIN: Requires users to input a numeric code for access when at the control panel of the device. The numeric code entered by the walk-up user is compared to the first of two PINs stored on the device by the Administrator. When the PIN is entered correctly, the user can proceed.
- Group 2 PIN: Requires users to input a numeric code for access when at the control panel of the device. The numeric code is compared to the second of two PINs stored on the device by the Administrator.
- LDAP: Lightweight Directory Access Protocol. Requires users to input a username and password that are verified by an LDAP server.
- HP Digital Send Service (if available): Also known as DSS. Requires users to enter credentials that are verified by the HP Digital Send Service software. (HP Digital Send Service software must be available to use this Log In Method. If no DSS server is associated with this device, walk-up users will not be required to authenticate before using the device.)
- Kerberos: Requires users to enter a username and password to be verified by a Windows Server.

For more information

About HP: www.hp.com/go/designjet

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Adobe and PostScript are trademarks of Adobe Systems Incorporated, which may be registered in certain jurisdictions. Windows is a U.S. registered trademark of Microsoft Corporation. Microsoft is a U.S. registered trademark of Microsoft Corporation.

April 2009