HP Designjet Printer Series Security Features
Contents
1. Sanity Level Disk Wipe DoD 5220 22 M Security Settings HP Designjet Printer Series 3 2 Control Panel Access Lock The control panel access is a feature intended for IT administrators which allows them to lock the device s control panel using the HP Web JetAdmin or the printers Embedded Web Server depending on the printer model This feature prevents unauthorized users from accessing the control panel and changing the printer s settings Administrators can specify the level of access as follows Unlock Minimum lock Moderate lock Intermediate lock Maximum lock This option can be enabled from the HP Web JetAdmin as shown below Security Settings amp Embedded Web Server amp File System Access Control List a Control Panel Access O Moderate Lock Disable Direct Ports O Intermediate Lock Embedded Web Server Pass i Get Community Name Maximum Lock Status Config Alerts Groups Reports Supplies Storage Applications Detailed Info Capabilities Troubleshoot Firmware PJL Password Printer Firmware Update Set Community Name SNMP Version Access Control This option can be enabled from the T1200 Embedded Web server as shown below 12 She Favorites 4 4shared com free file sh da Filmlabber com Recent MJ HP Drivers Get More Add ons v HP Designjet T1200 PostScript Security t gt v 2 db ov Pager Sa2. credentials that are verified by the HP Digital Send Service software HP Digital Send Service software must be available to use this Log In Method If no DSS server is associated with this device walk up users will not be reguired to authenticate before using the device Kerberos Reguires users to enter a username and password to be verified by a Windows Server About HP Designjet printers www hp com go designjet About HP WebJetAdmin www hp com go webjetadmin 2012 Hewlett Packard Development Company L P The information contained herein is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as constituting an additional warranty HP shall not be liable for technical or editorial errors or omissions contained herein Microsoft and Windows are U S registered trademarks of Microsoft Corporation Adobe and PostScript are trademarks of Adobe Systems Incorporated which may be registered in certain jurisdictions July 2013 30
3. job management setup For further information refer to the printer s user manual as the actual menu options might change for a specific printer The following is an example of how to change the Secure File Erase setting for the HP Designjet T1100 printer File View Tools Help k Device Management fa New Last Discovery 1 of 57 Selected 88 Layouts Y Filters s Device Model IP Address IP Hostname Port Any Sev Hardware Address 28 ka a P HP Designjet Z6100ps 60in 16 2362 115 dhcppo9emeah 1 o040casc1001 R or ices ye GS Warning Devices 11 a Photosmart 16 23 58 133 HP00127943343 1 O 001279433A3C bes New Last Discovery 57 f HP LaserJet 4350 16 23 56 140 ben03032esphp 1 O 001279DEEACC zada Ungrouped Devices 44 HP LaserJet P3005 16 23 58 162 npi8d7694 emea 1 o 00215A8D7694 fq Groups I H HP Color LaserJet 4600 16 23 56 148 bpo430 esp hp c 1 000TE65B9005 zm El HP LaserJet 4050 16236069 npi2d289a emea 1 00301202894 z D Alerts HP LaserJet M4345 MFP 16 23 58 55 npi90d76d emea 1 00170890D76D fig Firmware SBF HP Designjet Z3200ps 44in Photo 16 23 59 163 1p419 emea hpac 1 E 0040CAA1A664 HP Designjet T1100ps 24in 16 23 59 106 pr 203 emea hpa 1 0040CA9BF701 kopije F HP LaserJet 4100 MFP 16235621 troya22lesphp 1 00306ECDB7C1 HP LaserJet M3035 MFP 16 23 61 106 npi8219a5 emea 1 001708821945 7 HP Color La
4. Eada EK EE EE PAR EAR EREE E Eda Esk ENNEN EEE 20 3 6 PE 20 3 7 SNMP Y3 ike 21 3 8 CA JD Certificates enres ia ie ae a ane eo aa OASEN EANGE 22 3 9 Hide IP from front panel itisnstn ie kon 22 3 10 Encrypt web communi atiON S isis si devcdessetecccsdeveedcbeead ocd avoecdesdeas 22 3 11 Disable USB drive zniki iii elana sans bivaki ai bova NE AE ei vedna da 23 3 12 Disable firmware update through USB 23 3 13 Disable direct print using ePrint8Share nana 23 3 14 Disable ePrint Center connectivity aaa 24 3 15 Usersess gg g g g gsg ti Ok obeh asked 24 3 16 Disable internet connect tni inve jade satja NA ri nn ja dai 24 3 17 Printer ACCESS COMEROL sess cnc ccci ceccsetecadesedslevcdesccsscecedctesdcdtead cece ccoucdcbsvessacdexdelucnd coed oana Eai deitada rentida via 24 E T 24 3 19 Jetdirect Security Wizard HP T920 T1500 Only 26 4 Designjet Security features vs LaserJet 27 Access Controlli Ee EEE de 27 4 2 802 1X Authentica tion nsusrinsvensnanenusenlyneteerineviinkuneindvadtsnestlentsvekevaetvaev see 27 5 Designjet Security features vs LaserJet 28 6 Gossard AS 29 HP Designjet Printer Series Security Settings 1 Introduction amp Overview This document is aimed at providing an overview of the security features supported by HP Designjet printers as of February 2012 The security features described in this document make the HP Designjet printer series particularly well s
5. Enable SNMPv1 v2 read write access Authorization IPsec Firewall Confirm Set Community Name Diagnostics Get Community Name Network Statistics Confirm Get Community Name Protocol Info z 3 Configuration Page Disable SNMPv1 v2 default Get Community Name of public D Enable SNMPv1 2 read only access gt Disable SNMPv1 v2 SNMPv3 Enable SNMPv3 User Name Authentication Protocol MD5 Passphrase Privacy Protocol DES v Passphrase Context Name To enable or change an SNMPV3 setting values must be entered in all three fields 21 HP Designjet Printer Series Security Settings 3 8 CA JD Certificates Request install and manage digital certificates on the HP JetDirect print server Certificates are used to identify the JetDirect print server both as a valid Web server for network clients and as a valid client requesting access on a secure network By default the JetDirect print server contains a self signed preinstalled certificate 16 23 13 181 Windows Internet Explore Ap HP Designjet T2300 PostScript NPI002655882481 16 23 13 181 Networking Configuration Auth s orization TCP IP Settings 2 Network Settings Certificates Other Setti Certificates are used to identify devices on the network Security Jetdirect Certificate Settings By default a pre installed self signed Jetdirect certificate is created to identify Jetdirect You can change
6. for security purposes and supports up to 10 entries The device blocks communications from all other addresses If the list is empty any system is allowed access By default host systems with HTTP connections such as web browser or IPP connections are allowed access regardless of ACL entries This allows hosts to access the device when proxy servers or Network Address Translators NATs are used However unfiltered access by HTTP hosts may be disabled by clearing the Check ACL for HTTP checkbox Host systems that have access are specified by their IP host or network address If the network contains subnets an address mask may be used to specify whether the IP address entry is for an individual host system or a group of host systems For an individual host system the mask 255 255 255 255 is assumed and is not required CAUTION A user may lose the ability to communicate with the device if the system is not properly specified in the list or access through HTTP is disabled If communications with the device is lost restoring network settings to factory default values may be required 4 2 802 1X Authentication 802 1X is an IEEE Standard for port based Network Access Control It provides an authentication mechanism to devices that want to connect to a LAN For most 802 1X networks the infrastructure components such as LAN switches must use 802 1X protocols to control a port s access to the network If these ports do not allow partial or
7. guest access the print server may need to be configured with your 802 1X parameters prior to connection To configure initial 802 1X settings before connecting to a network use an isolated LAN or a direct computer connection using a cross over cable The supported 802 1X authentication protocols and associated configuration depend on the print server model and firmware version For more information on 802 1X features please click here 27 HP Designjet Printer Series Security Settings 5 Designjet Security features vs LaserJet HP LaserJet printers have some security features that are not yet available in HP Designjet printers As a brief comparison please find the comparison between HP LJ 9050 series and Designjet T1200 series Security Feature L9050 DJT1200 Authentication Manager Yes IN File system access settings Ci Yes fn Z ZO Job Held Timeout gt fves IN Job Retenton o o fves fn 28 HP Designjet Printer Series 6 Glossary Active Directory AD Adobe PostScript Color Access Control Device Password LJ feature Domain Naming System DNS Embedded Web Server EWS File System Access settings LJ feature File System Password LJ feature Hide IP address from front Panel HP Web Jetadmin IP multicast IPSec Job Held Timeout LJ feature 29 Security Settings An advanced hierarchical directory service that comes with Microsoft Windows servers ver
8. info From EWS EWS WJA EWS EWS N A accounting Disable features Disable fmw Disable interfaces EWS FP WJA EAGJEP USB EWS FP USB EWS FP printing only printing only Disable direct print with ePrint amp Share N A EWS FP FP FP N A USB Printing Disable eprint N A EWS FP FP FP EWS FP Center connectivity Disable internet EWS FP WJA EWS FP EWS FP EWS FP connection Disable protocols EWS WJA EWS WJA EWS WJA EWS WJA EWS WJA Wizard setup gon O A o os ooa ooa O A Data access mwe eson wee mare mate Communications security Encrypt web comms EWS WJA EWS FP WJA EWS WJA EWS WJA EWS HP Designjet Printer Series Security Settings T1200 T770 Z3100 Z3100ps 4020 4520 T1100 T1120 Z6100 T620 Hide information to user PN Printer access N A N A N A N A N A N A N A N A control Exclude personal info from N A EWS N A accounting Disable features Disable fmw Disable direct print with ePrint amp Share USB Printing Disable ePrint Center connectivity pre connection s EWS WJ Disable protocols EWS WJA A EWS WJA EWS WJA EWS WJA EWS WJA EWS WJA EWS WJA Data access HD ver External HDD Yes from fw 6 0 0 6 Communications security cwsjwia EWS W EWS WJA EWS WJA EWS WJA EWS WJA a WJA EWs WJA A Jetdirect Jetdirect Jetdirect Jetdirect Jetdirect Jetdirect SNMPv3 EWS EWS EWS y EWS EWS poms mws ws Jetdirect Jetdirect Jetdirect EWS Jetdirect Jetdirect Jetdirect CA JD Certif
9. using SNMP management tools such as HP Web JetAdmin SNMP is also the protocol for communicating from the printer to the Windows driver SNMPv3 provides security through user authentication and data encryption A logical division of a local area network which is created to improve performance and provide security A subnet limits the number of nodes that compete for bandwidth It allows administrators to secure Device Functions by reguiring users to log in with a specific Log In Method for each Function For example users may be reguired to log in with an Access Code or PIN to make copies yet be reguired to log in with a username and password to send e mails Log In Methods The following Log In Methods are available with the latest device firmware upgrade Group 1 PIN Reguires users to input a numeric code for access when at the control panel of the device The numeric code entered by the walk up user is compared to the first of two PINs stored on the device by the Administrator When the PIN is entered correctly the user can proceed Group 2 PIN Reguires users to input a numeric code for access when at the control panel of the device The numeric code is compared to the second of two PINs stored on the device by the Administrator LDAP Lightweight Directory Access Protocol Reguires users to input a username and password that are verified by an LDAP server HP Digital Send Service if available Also known as DSS Reguires users to enter
10. Jet printers this would enable setting the same global options across a fleet of HP LaserJet s and HP Designjets The following example shows how to configure the HP Designjet T2300 using the Web JetAdmin Note that in the Web JetAdmin this option is called Secure Storage Erase 2 HP Web Jetadmin File View Tools Help Device Management a All Devices 1 of 3 Selected stal Overview ba Layouts Y Filters BD Efra All Devices 3 a Error Devices 2 Device Model IP Address IP Hostname Port Any Sev Hardware Address Warning Devices 0 SH HP Designjet T2300 PostScript 16 23 13 31 aparedes emea 1 o 0026558804BF New Last Discovery 0 WW HP Designjet T7100ps 16 23 56 125 printcornerb2 3 e 1 O 002655152588 da Ungrouped Devices 3 SS HP Designjet T2300 PostScript npi00 8 1 x 588248 fia Groups og Discovery E Configuration EG Alerts a HA Firmware I Reports gg Storage Sq Solutions Status Config Aerts Troubleshoot Groups Reports olutions Capabilities Fimware Bi View v Templates Device Model IP Hostname IP Address es Storage Media C Sece Storage Ene HP Designjet T2300 PostScript 00265588243 16 23 13 181 maires Quick Device Discovery HM mi to HP Designjet Printer Series Security Settings r EEE eda gt li Select media k imi Specify settings S Select media Secure erase mode E HP Designjet
11. Paper preset management f rv v I deh v Pagev Safetyv Toolsv v gt Printer status E Replace G cartridge ZZ Set account Set the administrator use amp Local intranet Protected Mode Off fa v 15 HP Designjet Printer Series Security Settings EN O GO e http 16 23 45 148 hp device webAccess index htm 2 5 X 8 Googie x Gr sly Favorites g 4shared com free file sh dy Filmlabber com Recent v HP Drivers Get More Add ons v up Designjet T1200 PostScript Security ar v O wm v Pager Safety Toolsv v s O HP Designjet T1200 PostScript e NPIA6343D 16 23 45 148 Printer status Replace G cartridge J HK HE Configuration Printer settings El Eee E mail server Date amp Time Maintenance o Security Settings have been changed successfully Firmware update security Warning the guest user account is not set Click here to set the guest user account Paper preset management Click here to return Yo Gi Local intranet Protected Mode Off fay Rw v If there is no administrator account restricted operations can be accessed without a password 3 4 1 Guest password Once the administrator user account has been set the administrator can also set the guest user account by specifying a password for the guest If the guest user account is set a username and password are required for all EWS operations users indentified as guests have access to restr
12. T2300 PostScript npi002655882481 emea hpqcorp net 16 23 13 181 1 ltem Use setting on device Media Type Capacity KB Used Space KB Read Write Enabled Specify mode HardDisk 152627 0 Read Write Yes Secure Sanitizing Erase x E Retain mode after erase Schedule erase e Printer s Front Panel access Once the Service Menu is entered with the help of an HP Support representative perform the Secure Disk Erase by using the same 3 options that are in Web JetAdmin Note that the name of the feature in the front panel is Disk Wipe DoD 5220 220M and the three options are called Insecure Mode 1 pass mode and 5 pass mode First select the security level and then perform the erase operation The printer will warn that it is a process which deletes all data and takes a long time when accepted the printer begins the process and displays a progress bar until complete all data will be wiped in one of the two selectable methods and the printer s firmware will be restored The following screens show how to perform a secure hard disk erase in the HP Designjet T2300 printer Service utilities Enable Disable Sleep Mode Disk Wipe DoD 5220 220M Hard Disk Recovery Show Hide Front Panel Info 10 HP Designjet Printer Series Disk Wipe DoD 5220 220M Sanity Level Disk Wipe DoD 5220 22 M Sanity Level Insecure Mode 1 Pass Mode 5 Pass Mode Disk Wipe DoD 5220 220M
13. Y Designjet Printer series Security features HP Designjet Printer Series 2013 Hewlett Packard Development Company L P Reproduction adaptation or translation without prior permission is prohibited except as allowed under the copyright laws The information contained herein is subject to change without notice The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services Nothing herein should be construed as an additional warranty HP shall not be liable for technical or editorial errors or omissions contained herein July 2013 Edition Security Settings HP Designjet Printer Series Security Settings Table of Contents 1 introduction amp OVErVIEW ananasen EE EIE ENE AAE A EEEa AEEA A E a NE RS 4 2 Security features available for Large Format scanners 7 3 Security Concepts explanation 8 3 1 Secure File Erase EEEE vaavasdeuda ducveedazanuaaeds 8 Secure DISK Erase sisii rabe AN Aa en ew ae en ete eens 9 3 2 Control Panel Access LOCK 2 3525 sed sccsencs scsssceisctics senaste A lada db oba da rojaka deda e e dass 12 3 3 1 Deadlock Front Panel locked EWS password forgotten 13 Embedded Web Server EWS multilevel access n nnoonnoonnooooooooooosososesesoseseseseseseseseseoeoeoeseoeseseneoeseseseresesesesesese 14 3 3 Exclude personal info from accounting 18 3 4 Disable connectivity interfaces 19 3 5 Disable protocols EEE eL
14. a Administrator Password SNMP Community Names and secret keys may be compromised 22 HP Designjet Printer Series Security Settings 3 11 Disable USB drive Use this option to disable the USB drive preventing somebody connecting a device to print or to scan images Security USB drive nabled gt Firmware upgrade from USB nabled gt Direct print using HP ePrint amp Share nabled gt Enable Internet connection HP Designjet T2300 PostScript Security th gt Bi gt GO mv Pager Safetyv Tools v Paper management oon Ume ET Er a Disable USB printing Note To disable this interface you should access the EWS through a different network interface Disable USB drives Disable firmware update from USB Control Panel Access Lock Select an option to set the level of the control panel access lock 9 Unlock Minimum Lock Moderate Lock Intermediate Lock Maximum Lock Modify 3 12 Disable firmware update through USB Disable the possibility of upgrading the printer by installing the firmware via a USB device 3 13 Disable direct print using ePrint amp Share In some printers when connecting a computer directly with a USB cable one can print without installing any driver this can be done by launching the ePrint amp Share application that resides inside the printer This feature can disable direct printing so that printing through the USB cannot be done unless the driver or ePrint amp Share is i
15. ble timeout value for this setting to allow enough time for a user to walk to the printer to print a job or to allow time for jobs to print in a queue HP Designjet Printer Series Job Retention LJ feature Multicast DNS mDNS PJL Password LJ feature Remote Firmware Upgrade LJ feature Simple Network Management Protocol SNMP SNMPv3 Subnet Authentication Manager LJ feature For more information Security Settings This feature provides job retention options such as private job and hold job A user will be able to ensure that they are present during printing to provide privacy for documents in the printer output bins Also known as Bonjour or Rendezvous mDNS uses IP multicast with DNS to provide the capabilities of a DNS server for service discovery in a small network that does not have a DNS server The PJL password feature helps protect the printer from unauthorized configurations through Print Job Language PJL commands It does not affect ordinary print jobs Once the PJL password is configured the MFP requires it before it will process any of these commands This service allows an administrator to use a custom application to upgrade the printer s firmware remotely Since HP recommends using HP Web Jetadmin to upgrade MFP firmware one should disable Remote Firmware Upgrade This is a network monitoring and control protocol SNMP Simple Network Management protocol allows users to manage the printer
16. el from the Embedded Web Server and it would not be possible to reset the Embedded Web Server from the front panel With HP Designjet Printers there is a menu option accessible to users with the guidance of Customer Support agents Contact HP Support in case of problems related to deadlock 13 HP Designjet Printer Series Embedded Web Server EWS multilevel access The Embedded Web Server is a powerful tool which enables direct management of a device such as an HP LaserJet printer or an HP Designjet printer however with no security in place this tool also has the potential to have a negative effect on many features as they can be configured using just a web browser and knowledge of the IP connection to the printer To solve this situation we have implemented two levels of access to our compatible HP Designjet printers as follows The Security page enables users to e Restrict access to the printer by setting an administrator user account e Define two levels of access Administrator and Guest Security Settings e If the two levels of access have been set and without having either of the passwords access to EWS information will not be permitted see below HP Designjet TLU PostScript Job queue Windows Internet Explorer G 8 tova 1497p device wehAccess indechtmIcontentsjob_queut x amp iy Favorites gg A amp shared com free file sh da Filmlabber com Recent v E HP Drivers Get More Add ons D HP De
17. es to the Secure Files Erase feature These settings can be changed in the Web JetAdmin e Non Secure Fast Erase All file pointers to the data table indexes are erased Temporary data remains on the Hard Disk Drive until the disk space it occupies is needed for another purpose and is then overwritten This is the fastest mode of operation and is the default for all printers e Secure Fast Erase File pointers are erased and the disk space where the temporary job was stored is also overwritten with a fixed character pattern This mode of operation is slower than Non Secure Fast Erase but all data is overwritten e Secure Sanitizing Erase File pointers are erased and the disk space where the temporary job was stored is repetitively overwritten using an algorithm that prevents any residual data This mode of operation may affect product performance The Secure Sanitizing Erase mode of operation meets the US Department of Defense 5220 22 m requirements for clearing and sanitization of disk media When the Secure Sanitizing Erase feature is enabled all temporary files that might contain sensitive data are erased with this method no temporary files are left after a job has completed scan copy or print Furthermore if storing jobs in the printer is not required set the number of jobs to be stored in the printer s queue to 0 To configure this setting perform the following e Go to the printer s front panel e Select the setup menu e Select
18. fetyw Toolsv v Ga HP Designjet T1200 PostScript NPIA6343D 16 23 45 148 Printer status Replace G cartridge ZZ Configuration S ul rity 7 Printer settings sam INNES E mail server Date amp Time Access control is currently disabled To enable access control you must set the administrator user account Maintenance Ci ti Firmware update Paper preset management Check to disable or uncheck to enable connectivity options If any of them are changed the printer will automatically restart Disable on board Gigabit Ethernet Disable USB Note To disable this interface you should access the EWS through a different network interface Control Panel Access Lock fel of the control panel access lod Unlock Minimum Lock Moderate Lock Intermediate Lock Maximum Lock Gi Local intranet Protected Mode Off fay Ruw v HP Designjet Printer Series Security Settings The following table shows the different levels access and what they enable or disable fF Retrieve Job Information Paper handling Configure Designjet Diagnostics Te OK meee intermediate OK fork eee Moderate OK OK OK OK OK OK OK OK e Maximum Lock Denies access to all options Intermediate Lock Denies access to the paper and ink supplies handling options maintenance options and demo prints on top of the Moderate Lock Only viewing printer and supplies information is allowed Moderate Lock Denie
19. files demo plots diagnostic plots e Virtual memory for job processing e Job storage queue e Storage for printer s accounting data The HP Designjet External Hard Disk was designed to fulfill one specific use for those security conscious customers that want to preserve the confidentiality of the jobs being printed in their HP Designjet printers 24 HP Designjet Printer Series Security Settings How the system works 1 Connect the External Hard Disk EHD into the printer s USB host port 2 The printer will detect the EHD and will ask the customer for permission to install it When the customer accepts the printer will perform the following step 3 A copy will be made of all the customer s information that is stored in the internal HD and copied to the external HD 4 The customer s internal HD partition will be deleted after a highly secure erasing process DoD 5220 22 M 5 The printer will be configured to use the EHD as the repository for ALL customer jobs including the temporary processing storage area 6 Once the EHD has being installed all the customer jobs will ALWAYS be stored in the EHD 7 When the printer is switched off as a security measure the EHD can be removed and kept in a secure location Notes Once the printer has an EHD installed it can no longer be initialized without it If for any reason the installed EHD is no longer available the customer loses the EHD or the EHD is broken there is a mechanism thro
20. icates EWS EWS EWS g EWS EWS CAD Certiicates ps ews Jetdirect Jetdirect Jetdirect EWS Jetdirect Jetdirect Jetdirect Enerpiweb EWS WJA EWS WJA EWS WJA ewsywias FWS WJA pysjwar comms EWS EWS k 4 i Jetdirect Jetdirect Jetdirect Jetdirect Jetdirect Jetdirect N A N A N A N A N A N A N A N A HP Designjet Printer Series Security Settings 2 Security features available for Large Format scanners The Multi function printers MFPs are made of two main parts The printer and the scanner For the printer the table above applies for the scanner please refer to the following table DJ 4500MFP T1100MFP HD MFP Series DJ4520 Scanner DJ 4500 Scanner HD Scanner T1120 SD MFP T2300 emfp Firewall Yes Yes Yes Antivirus installation Disable FTP 8 WebAccess Closed systems with very low risk of being infected by a virus no antivirus is required Yes No Yes Access to images in scanner through network Yes by default FTP amp EWS N N Read only 2 Microsoft Security patches Yes through scanner SW update Not needed Linux based Install scanner software into a Possible but not official process No No separate PC HP Designjet Printer Series Security Settings 3 Security Concepts explanation 3 1 Secure File Erase Secure File Erase is a feature that manages how files are deleted from the printer s hard disk There are three security mod
21. ics VI LPD Z Bonjour i m V WINS Registration Network Statistics V Web Semices Print V Multicast IPv4 Protocol Info VI FTP VI WS Discovery Configuration Page Enable Management Protocols Enable Telnet vi V HP XML Services Fa Certificate Mgmt Service a Tle m gt fay 10 v Gi Local intranet Protected Mode Off Status Config Alerts Troubleshoot Groups Reports Supplies Storage Solutions Capabiities Fimware pi Apply Template se View History sn Customize a Refresh Pv4 Information Fa Network Enable Features A IPv6 Information 7 EWS Config 4 Link Setting mDNS Service Name 7 p Tenet Corg mere ol scone SNMP Trap Destination T Ta v System Contact Jed deans E System Location V LPD Printing System Name 7 9100 Printing TCP Idle Timeout TCP IP Configuration Met v mDNS Config Upload CA Certificate a V IPv4 Multicast Config 4 la nen mna 1 ave a Te ate cnedule pp 3 6 IPSec A Firewall or IP Security IPsec policy allows the control of traffic to or from the device using network layer protocols Either a firewall or IPsec firewall pages will appear depending on whether IPsec is supported by the print server and device If IPsec is not supported firewall pages will be displayed and a firewall p
22. icted operations whilst users identified as administrators have access to all operations If the guest account is not set a username and password are not required for unrestricted operations 16 HP Designjet Printer Series Security Settings Gr e http 16 23 45 148 hp device web ccess indexhtm7content security amp op set guest 4 x SB Googie x i sly Favorites 95 4 4shared com free file sh FilmJabber com Recent v HP Drivers Get More Add ons v HP Designjet T1200 PostScript Security f v CI deb Pagev Safetyv Toos v gt K HP Designjet T1200 PostScript NPIA6343D 16 23 45 148 Logged in as administrator Printer status Replace G cartridge Ss ee setup Configuration S u rity H Printer settings Security Set the guest user account E mail server User name Guest Date amp Time New password Maintenance pe Firmware update Confirm ard bedt Paper preset management Administrator password setaccount account G Local intranet Protected Mode Off fay Awm v Notes e Some printers only have 1 level password access to the Embedded Web Server e The networking tab of the Embedded Web Server allows setup of another password If the printer has an EWS 1 level or multi level password then the networking password is common with the general EWS password If the EWS does not have password capabilities then the networking pass
23. igure security settings for HP Jetdirect print server management There are 3 levels of Network Security that can be set 26 Basic Configure Admin password shared with other tools such as Telnet and SNMPv1 v2 Enhanced Disables unsecure management protocols FTP Telnet RCFG SNMP v1 v2c Enable SNMPv3 Enable SNMPv1 v2 read only access Custom Manually adjust all the settings gt Ap HP Designjet T1500 PostScript oS z es en Configuration TOPIP Settings pennas E Network Settings Wizard Other Settings AirPrint Welcome to the HP Jetdirect Security Configuration Wizard Security si The HP Jetdirect Security Configuration Wizard allows you to configure security settings for HP Jetdirect print server management Authorization J Mgmt Protocols Current Security Level None ura 802 1X Authentication IPsec Firewall Caution If you use HP Web Jetadmin to manage your devices we strongly recommend that you configure HP Jetdirect security settings using HP Web Jetadmin Diagnostics Network Statistics Protocol Info Configuration Page HP Designjet Printer Series Security Settings 4 Designjet Security features vs LaserJet Some security features are available only after installing a JetDirect 635n or similar 4 1 Access Control list This feature lets one determine the access control list ACL which is used to specify the IP addresses on a network that are allowed access to the device The ACL is normally used
24. nlock E Minimum Lock Moderate Lock Intermediate Lock Maximum Lock Modify amp Local intranet Protected Mode Off fay 100 v If a connectivity option is enabled or disabled the printer will automatically restart Keep in mind that disabling a connectivity option could cut off network access to the printer As a security measure disabling the connection used to access the Embedded Web server is not permitted Note Contact HP support in case the printer s front panel is locked and cannot be unlocked 19 HP Designjet Printer Series Security Settings 3 5 Disable protocols In some cases disabling all protocols that are not planned on being used to access the printer may be required for example to prevent users from sending files through the ftp or connecting through telnet to manage the printer network settings Disable unused protocols through the Mgmt protocols option in the Embedded Web Server or Network enable features in Web JetAdmin VE 1623 13 181 Win Ap HP Designjet T2300 PostScript NPI002655882481 16 23 13 181 Networking Configuration M mt P Protocols TCP IP Settings g ET al Network Settings Web Mgmt SNMP Other Other Sett i pe Select the protocols and services that you want to enable Security Settings Enable Print Enable Device Services Discovery Authorization P Z LLMNR Mar mm z s 9100 W SLP IPsec Firewall W Enable WINS Port Diagnost
25. nstalled in the computer 23 HP Designjet Printer Series Security Settings 3 14 Disable ePrint Center connectivity Disables the ePrint Center functionality preventing somebody printing remotely to the printer Security YVULGHN GUL LINI Gigabit Ethernet Enabled HP ePrint Center connectivity Enabled User sessions Printer access control 3 15 User sessions Allows setting a timeout so that open sessions to ePrint amp Share from the printer front panel are automatically closed if they are not used 3 16 Disable internet connection Disable the direct connection of the printer to the internet This option would also prevent the printer from automatically performing firmware upgrades 3 17 Printer Access control For some printers when setting an Embedded Web Server admin password it is also preventing access to certain front panel features The features protected in the front panel are e Network connectivity amp Internet Connectivity e Control firmware upgrades e Reset factory defaults e External hard disk connection e Security If a user loses the admin password it is not possible to reset it so the printer would be locked There is a service menu option to reset the admin password 3 18 External hard disk EHD Some printers allow the connection of an external hard disk Any HP Designjet printer with an internal hard disk uses it for four main purposes e Store the printer s firmware 8 resources media pro
26. ol Favorites ly 4 shared com free file sh FilrmJabber com Recent v H HP Drivers Get More Add ons v Je HP Designjet T1200 PostScript Security 7 NPIA6343D 16 23 45 148 Pt Configuration Security Printer settings E mail server Date amp Time Maintenance Firmware update Paper preset management Connectivity Disable on board Gigabit Ethernet Disable USB Note To disable this interface you should access the EWS through a different network interface O deh v Pager Safety Toolsv v Printer status Replace G cartridge ZZ a Access control is currently disabled To enable access control you must set the administrator user account ntrol Panel Access Lock Select an option to set the level of the control panel access lock Unlock Minimum Lock Moderate Lock 3 Intermediate Lock ee Maximum Lock Gi Local intranet Protected Mode Off fay 100 v GO 8 http 16 23 45 148 hp device webAccess index htm content security8top access control X B Googie x Gr oly Favorites A 4 Ashared com free file sh y Filmlabber com Recent v H HP Drivers Get More Add ons v IC HP Designjet T1200 PostScript Security NPIA6343D 16 23 45 148 Configuration Printer settings E mail server Date amp Time New password Maintenance Mm sei Confirm password Firmware update
27. olicy can be configured Note Before enabling a firewall or IPsec policy make sure there is secure access to the configuration management settings for example through an administrator password This will ensure t policy is not easily disabled through Telnet control panel menus or other management tools 20 HP Designjet Printer Series Security Settings Firewall A firewall policy consists of up to 10 rules where each rule specifies the IP addresses and services allowed by the print server and device To add a rule click Add Rule This setting runs a wizard to help configure each rule IPsec Firewall An IPsec firewall policy consists of up to 10 rules As with a firewall policy each rule specifies the IP addresses and services allowed by the print server and device With IPsec support one can apply IPsec authentication and encryption protocols for those addresses and services To add a rule click Add Rule This runs a wizard to help configure each rule For a detailed description of wizard settings and additional help click Jetdirect IPsec Firewall Help 3 7 SNMPv3 Enable and disable the SNMP v3 agent from the printer An account may be set up that allows a management application to access the SNMP v3 agent Networking Configuration Mgmt Protocols TCP IP Settings Network Settings Web Mgmt SNMP Other Other Settings Security SNMPv1 v2 Settings amp
28. rd feature helps protect the printer s data storage system options from unauthorized access With the File System password configured the printer requires the password before it will allow configurations to features that affect the data storage system Some of these features are the Secure disk erase mode the Secure Storage Erase feature and the File System Access options Option in the Service Utilities menu of the front panel to show not show the Internet Protocol IP address of your printer In that way only registered users or network administrations will know the correct address to submit jobs to the printer Web based fleet management software tool for remote installation configuration problem resolution proactive management and reporting For more information go to www hp com go webjetadmin A one to many transmission of data over an IP network Internet Protocol Security IPsec is a suite of protocols for securing Internet Protocol IP communications by authenticating and encrypting each IP packet of a data stream IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session In our case IPsec is used to protect data flows between the host and the printer This feature is part of the Job Retention feature It limits a held job to the selected time and then the printer deletes it A user should select a reasona
29. s Windows Internet Explo GO le http 16 23 45 148 hp device webAccess index htm content device_setup x iy Favorites 93 4 4shared com free file sh Filmlabber com Recent v HP Drivers Get More Add ons v ag v e HP Designjet T1200 Pos X HP Designjet T770 Printe KA HP Designjet T1200 PostScript NPIA6343D 16 23 45 148 un setup Configuration _ Printer settings Security El Printer settings E Printing preferences Graphics language Automatic Maintenance Margin Layout Standard Firmware update E Job management E mail server Date amp Time Paper preset management Queue On Nest Optimized order Max number of printed jobs 32 Start printing After processing Max number of stored jobs 10000 Username is required Off Use crop lines when printing Off Use crop lines when nest is enabled On MA Accounting Max number of logged jobs 10 Require account ID Off Send accounting files Enabled Send accounting files to gclarke hp com Send accounting files every 7 days Exclude personal information from accounting e mail Off G Advanced Units Metric Cutter On Roll switching options Minimize paper waste E web Services HP Printer Utility Enabled Color and paper management Enabled E Embedded Web Server preferences Refresh rate seconds 180 18 HP Designjet Printer Series Security Settings 3 4 Disable connectivity interfaces Depending on the printer serie
30. s there are some ports that can be disabled to prevent unauthorized printing and possible data theft It may be desirable to disable the USB printing port to avoid people from connecting a laptop directly into the printer and printing through the USB If a JetDirect card is installed to add extra security features then disabling the onboard Ethernet may be required 9 E http 16 23 45 148 hp device AwebAccess indexhtm content security X Ad Google x sly Favorites sis dshared com free file sh FilmJabber com Recent v HP Drivers Get More Add ons v GHP Designjet T1200 PostScript Security A O deb gt Page Safetyv Tools v 7 HP Designjet T1200 PostScript lak h k m NPIA6343D 16 23 45 148 Printer status Replace G cartridge Harm Setup Configuration S s ecurity Printer settings H E mail server Date amp Time Access control is currently disabled To enable access control you must set the administrator user account Maintenance nnectivi Firmware update Paper preset management Check to disable or uncheck to enable connectivity options If any of them are changed the printer will automatically restart Disable on board Gigabit Ethernet Disable USB Note To disable this interface you should access the EWS through a different network interface Control Panel Access Lock Select an option to set the level of the control panel access lock o U
31. s access to all printer settings the job queue information and service prints and the printer log on top of Minimum Lock For ePrinters the setting also locks access to these 5 security features Disable USB drive Disable firmware update through USB Disable direct print using ePrint amp Share Disable ePrint connectivity Disable internet connection e Minimum Lock Denies access to the Resets options Enable Disable connectivity options and the Service Menu Note With the Moderate or Maximum locks set it is not permitted to load unload paper or replace printheads ink cartridges without first unlocking the front panel These options should only be set in specific circumstances where the implications are known and understood When the Control Panel is locked the applicable menus show a lock symbol in the front panel If a user attempts to enter in a locked menu entry a warning message is displayed Default printing options Access denied Contact the printer administrator 3 3 1 Deadlock Front Panel locked EWS password forgotten Under certain circumstances a printer might be blocked if the control panel has been locked and the administrator has lost the password needed to unlock it This could happen if the front panel is locked through the printer s Embedded Web Server and the Administrative password in the EWS is lost In this situation it would not be possible to unblock the front pan
32. serJet 5500 16 23 56 228 ben03021esphp 1 00110AF20B43 JER HP Designjet 800PS 162356213 bcn02142 esp hp 1 0030C18C3260 Status Config Alerts Groups Reports Supplies Storage Applications Detailed Info Capabilties Troubleshoot Fimware 4 Apply Template se View History R Customize Refresh Quick Device Discovery 7 m z Set Community Name aii lt Secre File Erase Mode Changes Pending Sk Apply to continue E File gae 1 Fyfe System Password SEE m r A VA FRERE J HP Web Jetadmin sA HP Web Jetadmin O WH 11 50 HP Designjet Printer Series Security Settings Secure Disk Erase In either of the two secure methods described above Secure Fast Erase and Secure Sanitizing Erase there is also the option to sanitize the whole disk The sanitizing method removes any user data in a secure manner so the device can be moved out from a secure location to unsecure location All disk erasing will be done via the same level of security erase This setting can only be used via Web JetAdmin or the Front Panel Service menu which is only accessible with the help of an HP Support representative e HP Web JetAdmin access The user interface that manages the Secure File Erase and Secure Disk Erase functionality is the HP Web JetAdmin This is the same functionality that is used in the Web JetAdmin device plug ins for Laser
33. signjet T1200 PostScript Job queue A x 38 Googie 3 teh Pages Saletye Tooke Printer status Replace G cartridge E The server 16 23 49 140 at prvieged LW5 requires usemane ard password Warning This server is requesting that your username and passweed be sent in an insecure manner basi authentication without amp secure connection HP Protemaional PANTONE Feautation E amp amp amp G amp amp amp 8 K ts amp c Administrator password Access control is enabled by setting the Admin account password specifying a password for the user account at Admin level The Admin password must then be provided in order to perform any of the following restricted operations e Cancel delete or preview a job in the job queue e Delete a stored job e Clear accounting information e Change printer s settings on the Device Setup page e Update printer s firmware e Change printer s date and time e Change security settings e View protected printer information pages 14 GE vere metresn 1707 08 14 48 1707 08 14 48 1707 08 14 48 17107709 1448 1707 09 14 48 17707109 14 48 1707 08 14 48 1707 08 14 48 170709 14 37 17107109 14 37 17407109 14 37 17107109 14 37 1707 08 14 37 HP Designjet Printer Series Security Settings GO 8 http 16 23 45 148 hp device webAccess index htm cantent security x SB Googie x
34. sion 2000 or later It is LDAP compliant and built on the domain naming system DNS used on the Internet Workgroups are given domain names exactly like Web sites and any LDAP compliant client such as Windows Mac or Unix can gain access Developed by Adobe this is the standard page description language PDL for the graphics arts industry and commercial printing Many printing devices support PostScript with a built in PostScript interpreter Settings to determine which users and or applications are allowed to print in color This is eguivalent to the designjet s web server password It helps protect the printer from unauthorized access through remote applications Converts host names and domain names into IP addresses on the internet or on local networks that use the TCP IP protocol The EWS resides on a hardware device such as an HP Designjet or in the printer firmware The EWS allows you to review configure and change settings on an HP Designjet after inputting an IP address into a Web browser from the computer File system access settings The File System Access options allows to completely disable many of the access points to the printer s data storage system These access points are for various types of usage for the printer The options are e PJLdiskaccess e SNMP disk access e NFS disk access e PS disk access HP recommends enabling PS Disk Access to allow to print PS files and disable the rest The File System Passwo
35. this certificate to more accurately identify the device and to update the length of time the certificate is valid Mgmt Protocols IPsec Firewall Status Installed Diagnostics Network Statistics CA Certificate Protocol Info i A Certificate Authority CA certificate is required for some authentication methods It is used to verify the authentication server s certificate The CA certificate must be the Configuration Page certificate of the CA that signed the authentication server s certificate Status Not Installed Configure 3 9 Hide IP from front panel Some printers includes an option in the Service Menu accessible with the help of an HP Support agent only that allows hiding all IP information from the printer s front panel 3 10 Encrypt web communications Securely manage the network device using a Web browser and the HTTPS protocol To authenticate the HP Jet Direct Web Server when HTTPS is used configure a certificate or use the pre installed self signed X 509 Certificate The encryption strength specifies what ciphers the web server will use for secure communications Supported cipher suites are DES RC4 3DES By enabling encryption the web server encrypts all web communication forcing all connections to use HTTPS Enabling encryption can also be configured to allow both HTTP unencrypted and HTTPS connections In secure environments choose to encrypt all web communications Otherwise sensitive management dat
36. ugh a special bootmode controlled with an specific front panel key combination that reconfigures the printer to work without the EHD However in that particular case all the information stored in the EHD is lost Once the EHD is installed on a particular printer it becomes fully tied to it It is not possible to move this EHD to another HP Designjet printer without losing the stored information When the printer detects an EHD that has been installed on a different printer it will advise the customer about it If the customer decides to go ahead and use the EHD on a different printer the printer will erase the contents of the EHD once again using the highly secure DoD 5220 22 M process The EHD has its own software based encryption mechanism that prevents anyone reading the contents of the EHD for instance by plugging it into a PC The encryption system is not a standard one and cannot be considered as an extremely secure encryption mechanism such as the standard encryption system DES RSA FIPS 140 but it does add a level of security that makes it difficult when trying to read the contents by just connecting the disk to a PC The EHD is not intended to be used as an USB memory stick that is to copy documents from a PC plug it into the printer and to print them 25 HP Designjet Printer Series Security Settings 3 19 Jetdirect Security Wizard HP T920 T1500 only The HP Jetdirect Security Configuration Wizard allows a user to conf
37. uited to being deployed into environments where network data access control and security are important The following is a table summarizing the new and existing security features of HP Designjet printers series and how they are implemented using the Embedded Web Server and or HP Web JetAdmin WJA Please make sure that the printer has the latest firmware version to benefit from all security features Note If the printer is not listed in the table then these features are not implemented 26200 23200 Z2100 Z5200ps Hide information to user z Control panel lock Hide IP from fp N A Ews EWS 1 level N A Ews EWS EWS Z5200ps only EWS multilevel Printer access control Exclude personal info From accounting Disable features Disable USB drive N A Disable fmw update thru USB N A N A Disable interfaces Disable direct print with ePrint amp Share USB Printina N A Disable internet connection N A N A Data access WJA FP WJA FP N Communications security Disable ePrint Center connectivity Disable protocols Wizard setup configuration Secure file erase Secure disk erase External HDD IPSec SNMPv3 CA JD Certificates Encrypt web comms HP Designjet Printer Series Security Settings T7100 T1500 T920 T2300 T1300 T790 T120 T520 Hide information to user Control panel lock EWS WJA EWS WJA EWS WJA EWS WJA Printeraccess N A EWS FP WJA EWS FP EWS FP N A control Exclude personal
38. word is only used for controlling access to the networking area of the EWS e For most printers that have a EWS password capability it is also possible to setup the admin password through Web JetAdmin however only one level can be set so that Guest password cannot be setup from Web JetAdmin 17 HP Designjet Printer Series Security Settings 3 3 Exclude personal info from accounting Enable or disable the printer to send an e mail containing accounting information if this setting is enabled it is imperative to also fill in the destination of the report using the Send accounting files to setting and also configure the e mail server on the Setup Page In some cases customers prefer not to send personal data from the printers via email and so the option Exclude Personal information from accounting e mail is now available in the Embedded Web server If this option is selected accounting e mails will not contain personal information user name job name account ID will be left blank in the accounting file sent by email from the printer Typically this option is used for managed print or pay per use contracts to ensure that only the data counters relevant for billing are being sent by the printer Personal information about who printed which file is not reguired for billing purposes and can be excluded from the accounting email This personal information is typically used for cost allocation within a company SIGI 1200 PostScrip ter setting
Download Pdf Manuals
Related Search