HP JetAdvantage Security Manager 10 Device E-LTU User Manual

Browse online or download the user manual for HP JetAdvantage Security Manager 10 Device E-LTU. HP JETADVANTAGE SECURITY MANAGER Policy Editor Settings user manual

HP JETADVANTAGE SECURITY MANAGER
Policy Editor Settings
CONTENTS
Introduction ... 5
Spoofing Identity ... 5
Tampering with Data ... 5
Repudiation ... 6
Information Disclosure ... 6
Denial of Service ... 6
Elevation of Privilege ... 7
Solutions ... 7
Creating a Policy ... 8
Template Choices ... 9
Blank Policy ... 9
HP Security Manager Base Policy ... 9
HP Security Manager Limited Policy ... 12
Adding Security Settings ... 14
Policy Preview ... 18
Search Feature ... 20
Quick Settings ... 21
Policy Categories ... 22
Authentication ... 24
Authentication Manager ... 25
Guest Access ... 26
Administrative Function Authentication ... 26
Job Storage Authentication ... 27
Print and Copy Authentication ... 28
Digital Services Authentication ... 29
Credentials ... 30
Admin (EWS) Password ... 31
SNMPv1/v2 ... 32
SNMPv3 ... 32
File System Password ... 33
PJL Password ... 34
Remote Configuration Password ... 34
Bootloader Password ... 35
Service Access Code ... 36
Group One PIN / Group Two PIN ... 37

Content summary

Page 1 - Policy Editor Settings

1 HP JETADVANTAGE SECURITY MANAGER Policy Editor Settings CONTENTS Introduction ...

Page 3

100 Certificate Management Service When enabled, HP Web Jetadmin can manage and configure the certificates on the device. Select the check box t

Page 4

101 FTP Firmware Update Select the check box to assess File Transfer Protocol (FTP) firmware update. If File Transfer Protocol (FTP) printing

Page 5 - INTRODUCTION

102 using certificates. Setting the mutual authentication feature without also using CA signed Identity certificates will cause self-signed certi

Page 6 - Denial of Service

103 Outgoing E-mail (SMTP) Outgoing E-mail (SMTP) The outgoing e-mail (SMTP) server is used to send e-mail messages to Internet addresses. You m

Page 7 - SOLUTIONS

104 HP recommends that authentication be required to use these features (public user name and password). You can share the Outgoing E-mail setting

Page 8 - CREATING A POLICY

105 HP Color LaserJets

Page 9 - Template Choices

106 HP Color LaserJets

Page 10

107 HP Color LaserJets

Page 11

108 HP Color LaserJets

Page 12

109 HP LaserJets

Page 15

111 HP LaserJets

Page 16

112 HP LaserJets

Page 17

113 HP Other Devices

Page 18 - Policy Preview

114 HP Other Devices

Page 19

115 HP Other Devices

Page 20 - Search Feature

116 HP Other Devices

Page 21 - Quick Settings

12 HP Security Manager Limited Policy The HP Security Manager Limited Policy contains a minimal amount of security related features to obtain

Page 23

14 Adding Security Settings When any of the templates are chosen after selecting New Policy, the policy appears in edit mode where changes can b

Page 24 - Authentication

15 settings. For the Base Policy, some require attention under the Authentication, Credentials section. While in the policy editor, policy valid

Page 25 - Authentication Manager

16 Some settings are very complex and offer several settings with several options to choose for each. Severity is customizable by the policy c

Page 26

17 desire Key Length or Signature Algorithm settings that are too strong to be generated in a CSR from some devices. In such cases, Security Mana

Page 27

18 Policy Preview Clicking on the link to a policy brings up the Policy Preview screen. It can also be displayed while editing a policy by cl

Page 28

19 Sliding the Preview All Items slide bar to the right displays a combined view of enabled settings in the policy and all other available settin

Page 29

2 Fax PIN Presence ... 37 Authentication Servi

Page 30 - Credentials

20 Search Feature A search feature is available to quickly find specific policy items. Click the checkbox next to a policy and click the Edit ic

Page 31

21 Quick Settings Quick Settings are available in three locations to quickly enable settings to be automatically set for either a main category,

Page 32

22 POLICY CATEGORIES The remainder of this document breaks down each policy category in Security Manager and describes each security

Page 33

23 File Erase Mode Retain Print Jobs Stored Data PIN Protection Retain Print Jobs After reboot Job Held Limit Logging System Lo

Page 34

24 AppleTalk DLC/LLC Novell (IPX/SPX) Digital Services Fax Send Fax Folder Send to Folder E-mail E-mail Encryption E-mail Sig

Page 35

25 validating access methods to various print device features such as Copy, Send to Email, and various Job Storage settings. Authentication Manag

Page 36

26 The above pictures attempt to demonstrate where each setting in Security Manager resides under EWS for older and newer devices. Guest Access

Page 37

27 Options for each configuration setting will vary from a drop-down menu as seen below to control access to the setting: Job Storage Authentica

Page 38 - Authentication Services

28 Print and Copy Authentication Select the check box to assess whether user authentication is required for access to the print and copy functio

Page 39

29 Digital Services Authentication Select the check box to assess whether user authentication is required for access to the digital service f

Page 40

3 Bonjour ... 73 Printing ...

Page 41

30 Credentials Authenticate the admin (EWS) password, SNMPv1/v2, SNMPv3, bootloader password, device PIN, file system password, and PJL password

Page 42 - Certificate Management

31 Admin (EWS) Password The Admin (EWS) Password feature helps protect the device from unauthorized access through remote applications such as Em

Page 43

32 Account Lockout can be enabled to define how many incorrect attempts occur before lockout (3-30), reset attempts after (0-1800 seconds), how lo

Page 44

33 create the account, provide a user name, an authentication key, a privacy key, and an encryption algorithm. Note: If FIPS 140 is enabled, the

Page 45

34 The File System Password feature helps protect the MFP data storage system options from unauthorized access. With the File System password con

Page 46

35 set on the device, HP DSS and other remote configuration tools use this password to connect. This allows administrators to use separate HP EWS

Page 47 - Device Control

36 For cases where there is an existing bootloader password set, the assessment behavior of Security Manager will differ between older devices and

Page 48

37 Group One PIN / Group Two PIN The device personal identification number (PIN) controls access to specific features from the control panel on de

Page 49

38 Authentication Services Authenticate users on specific services, including 802.1x, LDAP server and Windows. 802.1x Authentication This authent

Page 50 - Logging

39 Security Manager can provide a complete solution for adding devices to a protected 802.1x network as it can not only remediate the 802.1x sett

Page 51 - Control Panel

4 TFTP Configuration File ... 98 HP Jetdirect XML Serv

Page 52

40 Security Manager has no way of comparing it to what is in the policy to know whether to remediate or not. A checkbox is provided to Always Rem

Page 53 - External Connections

41 Click Edit to automatically navigate down to the LDAP Settings under Shared Items to create a new LDAP configuration. Once the desired conf

Page 54

42 Certificate Management Digital certificates are a primary foundation of security providing authentication and encryption between two nodes. HP

Page 55 - Device Security Checks

43 Choosing Best Possible as the CSR Source allows Security Manager to determine if the device or if Security Manager will generate the CSR. If t

Page 56

44 If the Include Subject Alternate Name slide bar is enabled to the right, the identity certificate will include the IP Address, hostname, and

Page 57

45 A CA certificate tells Jetdirect which identity certificates should be trusted (i.e. must be signed by that CA) when Jetdirect is receiving a

Page 58

46 For devices that have unified these certificates into one location, Security Manager supports installing multiple CA certificates. Merely cli

Page 59 - General

47 Device Control Device Control settings assist with security related to print jobs, specific device functionality and local device access. Some

Page 60

48 Retain Print Jobs Job retention allows storage of print and fax jobs until you can be present to print them. Select the check box to assess w

Page 61

49 • PIN Required to store a print job to device memory - All Save To Device Memory Jobs must be PIN protected. We do not allow non-PIN jobs to

Page 62

5 INTRODUCTION HP JetAdvantage Security Manager offers a wide variety of security related settings and remediates them on devices to keep the devi

Page 63

50 Job Held Limit This item sets the maximum number of print jobs that are retained on the device's hard disk. If the maximum is reached, o

Page 64

51 • Server Name - IP address of the Syslog Server. If set via BOOTP then SNMP set will fail. If not set via BOOTP then SNMP set will succeed.

Page 65

52 Control Panel Lock The control panel access lock can prevent unauthorized configuration changes to the device from the control panel. If ena

Page 66

53 Threats: • Spoofing Identity can occur if a user remains logged in when leaving the device Display Job Status When enabled on the device, p

Page 67

54 Direct Connect Ports Direct Connect Ports (such as USB or RS232) provide direct hardware connections to the device. If these ports are activ

Page 68

55 Legacy products support disablement of “Direct Ports” that prevent the user to print directly from computer through those ports. When this se

Page 69 - Device Discovery

56 Security Manager isn’t remediating or downloading firmware to the device, it is merely reading the device’s firmware version and comparing it w

Page 70

57 Security Manager isn’t remediating or downloading firmware to the device, it is merely reading the device’s Jetdirect firmware version and com

Page 71

58 Secure Boot Presence Secure Boot is a security solution that verifies device firmware after power-on before it is executed. This feature (HP

Page 72

59 Whitelisting Presence Whitelist refers to the list of CA certificates stored in the device certificate store that digital signatures are vali

Page 73

6 Repudiation Repudiation is using a device without leaving usage information. This includes preventing the device from logging data or bypassing

Page 74 - Printing

60 Erase Data If the Erase Data item is enabled on the device, ALL settings, including configuration information and stored certificates, are er

Page 75

61 NFC, short for Near Field Communication, is a short range wireless RFID technology that makes use of interacting electromagnetic radio fields

Page 76

62 owner’s information. If that same person loses her smartphone and has it password protected the criminal cannot access any private info. Throug

Page 77

63 from a wireless mobile device directly to an HP wireless direct-enabled printer without requiring a connection to a network or the Internet. W

Page 78

64 File System Access Protocols The File System Access Protocols settings shuts down access to the MFP file system (storage devices and configurat

Page 79

65 • Enable - allows color-printing capabilities for all users. • Enable If Allowed - allows the network administrator to allow color use for

Page 80

66 • Old device with EIO HDD – encryption needs to be turned on. Assessment fails until drive encryption is turned on. This policy item is check

Page 81

67 Trusted Platform Module (TPM) Status Select the check box to assess the device's HP Trusted Platform Module (TPM) status (if so equipped

Page 82

68 Fax Speed Dial Lock Using the Fax Speed Dial Lock, you can prevent the use of a specific range of speed dial FAX number entries. For example,

Page 83 - Digital Services

69 Device Discovery Assess protocols used to discover devices which include service location protocol (SLP), IPv4 multicast link local multicast

Page 84

7 • Close unused ports and protocols • Disable controls such as the Job Cancel button and the Go button • Enable the resume feature to allow th

Page 85

70 attribute accuracy confusion for recipients. RFC 2608 states “SLP is intended to function within networks under cooperative administrative con

Page 86

71 typically associated with a specific switch port, multicast packets can flood the switch’s ports. This may also result in data reaching uninte

Page 87

72 practices can protect from outside intrusion. Although not part of the HP Best Practices policy template, it is always recommended to disable

Page 88 - Network Security

73 Bonjour Bonjour, also referred to as mDNS (Multicast Domain Name System), is Apple’s implementation of the zero-configuration-networking (zero

Page 89

74 Apple Bonjour (also known as multicast domain name system or mDNS) is used for discovering Apple services over the TCP/IP protocol. You can sa

Page 90

75 the fastest and most efficient way of delivering data to a printer using the TCP/IP protocol suite. Raw data delivered over TCP is sent to the

Page 91

76 device. AirPrint security can be handled by disabling the protocol or securing the wireless network in use. If AirPrint is not in use, disabl

Page 92 - Network Services

77 Internet Print Protocol (IPP) This is a standard network protocol for remote printing, and for managing print jobs and device media using th

Page 93

78 Secure Internet Print Protocol When enabled, the Internet printing protocol over SSL (IPPS) provides a secure method for sending print jobs t

Page 94 - Information Tab

79 Web Services Print (WS-Print) A network printing protocol used on Windows Vista and later systems. This protocol can safely be disabled if W

Page 95 - Phone Home

8 • All solutions o Control Panel timeout = 60s (this is the device default. Policy was 20s) • HPAC o Legacy Firmware Upgrades = enabled (for in

Page 96

80 File Transfer Protocol (FTP) File transfer protocol (FTP) printing sends print files from a client system to the print device using a TCP con

Page 97

81 remained available as a Macintosh communications suite until 2009 when support was dropped due to its diminishing usefulness on large enterpris

Page 98

82 In JetDirect, the LLC protocol stack was implemented as a separate module from the LLC print application and was expanded to provide support fo

Page 99

83 allowing for unique identification of the device on the IPX network. SAP packets are broadcast only after an IPX network and supported frame t

Page 100

84 Folder Send to Folder The digital sending feature's Send to Folder allows you to scan files and send them to folders on the network.

Page 101

85 algorithm to use for encrypting the e-mail (Encryption Algorithm). To use a Public Key Attribute, enter it in the field, then select whether to

Page 102 - Shared Items

86 Send to E-mail (Digital Send) The HP Send to E-mail feature is automatically selected when Outgoing E-mail (SMTP) is selected. This feature all

Page 103 - Outgoing E-mail (SMTP)

87 Incoming E-mail (POP3) This feature was used to send configuration information to the device. (This feature is not available on newer devices.

Page 104 - ENW, Rev. 5, April 2017

88 Allow Access to LDAP Address Book Allowing access to the LDAP address book provides auto-completion of a recipient's name (To, Cc, Bcc)

Page 105 - HP Color LaserJets

89 General Internet Protocol Security IPsec/Firewall features provide network-layer security on IPv4 and IPv6 networks. The Firewall provides sim

Page 106

9 Template Choices Three template choices are available to select: • Blank Policy • HP Security Manager Base Policy • HP Security Manager Limi

Page 107

90 Access Control An access control list (ACL) specifies the individual host systems that are allowed access to the device. (Not all devices s

Page 108

91 Verify Certificate for IPP/IPPS Pull Printing Internet Printing Protocol (IPP) is an Internet-standard protocol that allows you to print docum

Page 109 - HP LaserJets

92 WINS Registration Windows Internet Name Service (WINS) is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and se

Page 110

93 Assess Web-based settings for Web-based device access: HTTPS redirect, Web encryption strength, phone home, Web file printing, Go button, Canc

Page 111

94 Cross Origin Resource Sharing When enabled, cross-origin resource sharing (CORS) allows the product's resources to be accessed by Web

Page 112

95 Note: The Admin (EWS) Password must be set to select the Require Administrator Password for Access option. Phone Home Phone Home is a leg

Page 113 - HP Other Devices

96 Continue Button When enabled, allows any user with Web browser access to continue paused print jobs by executing the device's Continue b

Page 114

97 solutions. Support for the IPX/SPX protocol stack has been removed in many of the new HP Future Smart devices. Because of the direct linkage

Page 115

98 TFTP Configuration File BOOTP and TFTP provide a method to configure HP print devices. When the HP device is turned on, a BOOTP request is s

Page 116

99 HP Jetdirect XML Services HP Jetdirect XML Services allows access by HP Web service applications to XML-based data on the device. IPSec is a
