HP DOCUMENT SOLUTIONS TECHNICAL FUNDAMENTALS

Book 3: HP Imaging & Printing Security
Technical, Rev. 14.41

Lab guide – book 3 of 4

HP ExpertOne
Rev. 15.21
Course #: 00990446
Part #: 00990446L31503

HP C&L Stakeholders only. Reproduction in whole or in part without permission is prohibited.
Notice

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

This is an HP copyrighted work that may not be reproduced without the permission of HP.

Trademark Credits

Adobe™ and PostScript™ are trademarks of Adobe Systems Incorporated, which may be registered in certain jurisdictions.
Apple®, Mac®, and Macintosh® are registered trademarks of Apple Computer, Inc.
Windows® is a U.S. registered trademark of Microsoft Corporation.
Microsoft® is a U.S. registered trademark of Microsoft Corporation.

Edition History

Rev 14.41 October 2014
Table of Contents:

LAB 01: HP MFP AND PRINTER SECURITY (FUTURESMART DEVICES) ........ 4
  TASK 1: EXPLORING AN UNSECURE ENVIRONMENT ........ 5
  TASK 2: SECURING HP JETDIRECT USING HP’S JETDIRECT SECURITY CONFIGURATION WIZARD ........ 12
  TASK 3: EXPLORING A SECURE MFP FROM THE NETWORK ........ 22
  TASK 4: SECURING A HP MFP USING THE DEVICE SECURITY SETTINGS AREA ........ 25
  TASK 5: ANALYZING AN HP MFP USING PUBLIC KEY ENCRYPTION ........ 30
  TASK 6: ENCRYPTING A PRINT STREAM USING IPP AND SSL (OPTIONAL) ........ 35
  TASK 7: HP SECURE ENCRYPTED PRINT (SEP) ........ 37
  TASK 8: WALK-UP MFP ACCESS CONTROL ........ 40
  TASK 9: HP JETDIRECT IPSEC /FIREWALL USE AND CONFIGURATION ........ 47
  TASK 10: NEW SECURITY FEATURES FOUND IN FUTURESMART DEVICES ........ 55
APPENDIX ........ 60
  HOW TO LOAD A SIGNED CERTIFICATE INTO THE HP JETDIRECT AREA (FOR IPPS PRINTING) ........ 60
HP Imaging and Printing Security Technical v14.41

Lab 01: HP MFP and Printer Security (FutureSmart Devices)

Estimated Time: 120 minutes

Introduction

HP printers and MFPs have a multitude of access points for printing, performing administration tasks, and managing user configurations. HP offers multiple built-in security measures aimed at protecting an MFP from unwanted access and printing. In this lab, students test and configure built-in security features on an HP MFP.

What You Need

• Factory defaulted HP MFP (cold reset)

Overview of Tasks

TASK 1: EXPLORING AN UNSECURE ENVIRONMENT
TASK 2: SECURING HP JETDIRECT USING HP’S JETDIRECT SECURITY CONFIGURATION WIZARD
TASK 3: EXPLORING A SECURE MFP FROM THE NETWORK
TASK 4: SECURING A HP MFP USING THE DEVICE SECURITY SETTINGS AREA
TASK 5: ENCRYPTING A PRINT STREAM USING IPP AND SSL (OPTIONAL)
TASK 6: HP SECURE ENCRYPTED PRINT (SEP)
TASK 7: WALK-UP MFP ACCESS CONTROL
TASK 8: HP JETDIRECT IPSEC /FIREWALL USE AND CONFIGURATION
TASK 9: NEW SECURITY FEATURES FOUND IN FUTURESMART DEVICES

4 Copyright ©2014 HP corporate presentation. All rights reserved.


Demo Guide

Task 1: Exploring an unsecure environment

Activity A: Access an MFP via the device’s Embedded Web Server

1. From your PC, open Internet Explorer and enter the IP address of your demo MFP in the browser’s address bar. This launches the device’s EWS (embedded web server).
2. Click Continue to this website (not recommended).
3. Click the General tab.

Figure 1: General Tab in the device Embedded Web Server (EWS).

4. Click on the Restore Factory Settings menu item.

Figure 2: Restore Factory Settings menu item.

Notice that you can perform a Factory Reset remotely. The two options are Reset Settings and Reset Firmware. Reset Settings restores all previously customized device settings (e.g. paper tray/type; print/copy quality settings) to the out-of-the-box default settings. Reset Firmware erases all partitions, settings, installed solutions, job data, and logs on the disk drive. The firmware itself will not be erased. This allows the disk drive to be reformatted without having to download a firmware upgrade file, to return the product to a bootable state.

Figure 3: Options to restore the device back to factory state.

5. While still in the General menu, click on the Control Panel Customization link.

The Home Screen configuration area opens:

Figure 4: Home screen configuration that allows for control panel customization.

In the Control Panel Customization area you can change the layout, appearance and regional settings of the front panel interface.

6. Click the Networking tab.

Figure 5: Networking tab in the EWS.

7. Under Configuration, click Other Settings.

Figure 6: Device network settings that can be modified.

Here, users can turn off various printing ports, including port 9100, which is the default printing port for TCP/IP printing.

Activity Conclusion: An MFP with an unsecured EWS allows anyone with a web browser unrestricted access to all the device configurations and settings. Access is not tracked, so there is no user accountability for changes made through the EWS. Changes can come from anywhere and be made by anyone.

Activity B: Access an MFP through telnet

Note:
To complete this task your client operating system will need to have the Telnet Client feature enabled. To turn on (install) the Windows 7 Telnet Client from the command line, launch a command prompt (cmd.exe) and type in: pkgmgr /iu:"TelnetClient"

1. Click Start, and in the search area type telnet <IP address of your MFP> and click Enter.

Figure 7: A way to telnet to your device.

The HP Jetdirect telnet access page appears.

Figure 8: Telnet Prompt.

2. Type Menu and press Enter.

A list of available HP Jetdirect menu configuration options appears:

Figure 9: Telnet menu of options.

3. Type 2 and then press Enter to bring up the TCP/IP Menu.

Figure 10: Telnet TCP/IP Menu of options.

4. Type 2 and then press Enter to bring up the TCP/IP – Print Options Menu.

Figure 11: Telnet TCP/IP Print options menu.

From here, a user can disable/enable printer ports, including port 9100. Disabling port 9100 would cause the MFP to no longer accept TCP/IP print jobs from network servers and clients. To a company, the end user’s loss of productivity and the IT resources needed to resolve the issue could cost thousands of dollars.

5. Close the telnet session by clicking the X on the dialog box.

Figure 12: Closing a telnet session.

Next, print to your lab MFP using a telnet session on port 9100.

6. Click Start, and in the search area type telnet <IP address of your MFP> 9100 and click Enter.

Figure 13: Initiating a Telnet connection to print.

The following connection screen appears:

Figure 14: Open Telnet session.

7. Type some text.

8. Close the dialog box.

This terminates the TCP/IP port 9100 session and generates a print job at the MFP. Retrieve your printed file.

Activity Conclusion: Telnet offers a means to configure all of the HP Jetdirect settings. Telnet can lock the EWS configuration option altogether (by setting an administrative user name and password). This creates a potential situation where the MFP could be hijacked until a cold reset is performed from the control panel.

Note:
In addition to configuration entry points (EWS and Telnet), HP Jetdirect servers have the following printing protocols enabled by default.

IPX / SPX – an easy-to-configure internet protocol, suitable for small networks, that provides compatibility with legacy Novell NetWare networks. A number of network clients also support the protocol, including the Microsoft Client Service for NetWare.

AppleTalk – a network communication protocol developed by Apple to allow Macintosh computers and printers to be networked. Each computer has a LocalTalk port which communicates with the AppleTalk protocol. AppleTalk can also communicate via Ethernet and Token Ring. AppleTalk networking has dynamic addressing, so networking is as easy as plugging the device into the network.

DLC / LLC – Printing using a Media Access Control address (MAC address).

TCP/IP – The basic protocol the Internet is built on. Application functions that use TCP include FTP services, Telnet, SMTP, HTTP, DNS and SNMP. HP MFPs accept the following TCP/IP printing types:

• TCP: Used mainly by Microsoft Windows based operating systems; TCP port 9100 is the default HP printing port.
• LPD: Line Printer Daemon (LPD) services on the HP Jetdirect print server. LPD on the HP Jetdirect print server provides line printer spooling services for TCP/IP systems. Mainly used by UNIX/IBM mainframe applications.
• IPP: Internet Printing Protocol allows printing to this device over the Internet (or intranet). A properly configured IPP client system using HTTP version 1.1 is required.
• FTP: File Transfer Protocol (FTP) services available on the HP Jetdirect print server.

Activity C: Access your MFP via FTP

1. FTP to your MFP (in Internet Explorer type FTP://<MFP IP address>).

Figure 15: A PORT folder is displayed in the Internet Explorer browser.

2. An alternative way to open an FTP connection to your MFP is to use Windows File Explorer. Open Windows File Explorer and type FTP://<MFP IP address>.

The Explorer-connected FTP session appears:

Figure 16: Using Windows File Explorer to connect via FTP.

FTP access to an MFP allows direct copy of firmware files, PS files, PCL files, Jar (Chai) files, TXT files, and PDF files. Walk-up service procedures such as disk initialization and cold reset can be coded in PCL and sent to the MFP through this port.

Conclusion: Customers need to be aware that HP Jetdirect is a network server, accepting multiple connection methods and communication protocols at the same time. HP developed HP Jetdirect servers specifically to port into a large range of networks out of the box. Because of this, after an MFP is set up, it is important to secure the device to a level that meets the customer’s business security policies.

Task 2: Securing HP Jetdirect using HP’s Jetdirect security configuration wizard

Introduction: In this task students secure an HP MFP using the built-in EWS HP Jetdirect wizard.

1. Connect to the EWS by using the <Device IP address> as the URL in a web browser (http://<hostname or IP address>).
2. Once connected click on the Networking tab.
3. Click on the Settings link from the left side options.

Figure 17: Location of Settings in the left hand menu.

4. Select the Wizard tab.
5. Click Start Wizard.

Figure 18: Jetdirect Security Configuration Wizard.

6. Select Custom Security to enable/disable specific settings not allowed in the other two security levels.

Figure 19: Configuring custom security for the device.

7. Click Next.

The Administrator Account area opens:

Figure 20: Wizard allows you to set credentials for the Embedded Web Server (EWS).

Note:
Enabling the EWS admin password secures the MFP from unwanted EWS and telnet configuration changes.

8. Specify the password of hp and click Next.

The Web Management area opens:

Figure 21: Web Management settings focused on securing the device communications.

When enabling Encrypt All Web Communications, all web-browser-based communication to and from the EWS is secured from prying eyes on the network. When standard HTTP is used, information sent across the network travels in clear text format. Someone with a packet sniffer and access to the network could potentially gain access to the MFP and other network resources. A certificate is stored on the HP Jetdirect server that manages this secure connection. The secure connection works as follows:

• Your web browser checks the HP Jetdirect’s certificate to make sure that the MFP’s EWS you are connecting to is the real EWS and not someone intercepting the HTTPS request.
• Both your web browser and the HP Jetdirect server determine the encryption type that they can both use to communicate with each other (in this case DES).
• The web browser and HP Jetdirect server send each other unique codes to use when scrambling (or encrypting) the information that will be sent.
• The web browser and HP Jetdirect server start talking using the encryption and web pages are processed in secure (HTTPS) format.

Question: What is FIPS 140?

Answer: The United States government defines many (several hundred) Federal Information Processing Standards (FIPS) documents. FIPS documents define rules, regulations, and standards for many aspects of the handling of information by computers and by people. FIPS 140 governs the use of encryption and cryptographic services. It requires that ALL cryptography done by US government personnel MUST be done in "devices" that have been independently tested, and certified by the National Institute of Standards and Technology (NIST), to meet the extensive requirements of that document.

9. All FutureSmart devices are enabled for HTTPS communication by default. Keep the default encryption level and click Next.

The Management Tools configuration area opens:

Figure 22: Enabling/disabling Telnet through the wizard.

10. Click to deselect Enable Telnet to restrict remote management to the EWS web page only.
11. Click Next.

The SNMP v1/v2 and v3 Configuration area opens:

Figure 23: Options to enable SNMP in the wizard.

SNMP has a specific purpose as a network communication method. Its simple design and ease of use have allowed it to become a popular protocol for network device monitoring. With SNMPv3, network administrators can secure their SNMP communications across the network using HP Jetdirect devices in conjunction with HP Web Jetadmin. Running SNMPv1/2 leaves all SNMP traffic (printer information and read/write password community names) open to prying eyes on the network. In addition, there are some SNMP variables that can be set via SNMP to print internal pages and configure device settings if left unsecured.

Overview of the different SNMP versions:

• SNMP v1: First version of SNMP; it never became an openly used standard, and lacked security by passing all information over the network in clear text.
• SNMP v2: v2 has 4 variants, the most common being SNMPv2c, aka community based. The other v2 variants attempted to fix the security issues with v1 but were not widely implemented due to the increased complexity and configuration overhead needed to secure the SNMP communication. Today, SNMPv2c uses the v1 community name implementation with enhanced error handling and improved set / get commands from the other v2 variants. SNMPv2 defines two new operations: GetBulk and Inform. The GetBulk operation is used to efficiently retrieve large blocks of data. The Inform operation allows HP Web Jetadmin to send trap information to another HP Web Jetadmin installation and to then receive a response.
• SNMP v3: v3 addresses the security weaknesses of v2 by adding the following:
  o Authentication of SNMP messages to a valid source.
  o Encryption of SNMP messages using the Data Encryption Standard (DES).
  o SNMP message integrity is checked to ensure it has not been tampered with.

12. Click to select Enable SNMPv1/v2 and Enable SNMP V3.

Figure 24: SNMP wizard configuration dialog.

Note
HP Web Jetadmin relies on having proper SNMPv3 credentials configured before being able to manage an SNMPv3 device. It is highly recommended to enable SNMPv3 via HP Web Jetadmin, to keep this communication relationship intact. For demonstration purposes we are going to enable SNMPv3 via the EWS to expose the SNMPv3 encryption key process.

13. Click Next.

The SNMPv1/v2 Configuration area opens:

Figure 25: Setting the SNMP Set Community Name passwords in the wizard.

Community names are equivalent to a password in SNMP terms. There are two types of community names in SNMPv1/v2, Get and Set. A Get community name is used when HP Web Jetadmin wants to get information out of an MFP. A Set community name is used when HP Web Jetadmin wants to change information on an MFP. In order for the command to work, the MFP and HP Web Jetadmin must have matching community name values. From a security standpoint, it is important to specify different Get and Set community names. Even though they will be passed over the network unsecured (in clear text), having a different Set community name provides some protection against other management tools on the network interfering with the HP MFP’s SNMP information database.

14. For the Set Community name enter private.
15. For the Get Community name enter public.

Note:
Private and public are the RFC SNMP default standards. Any company wanting to migrate to different passwords would need to set them appropriately on all SNMP v2 managers and clients in order for the information exchanges to be successful. HP Web Jetadmin can be used to set this information across a fleet of HP devices easily (www.hp.com/go/wja).

Figure 26: Setting the Get and Confirm community name.

Check-marking Disable SNMPv1/v2 default Get Community Name of “public” shields the MFP from accepting SNMP requests that use the de facto standard pre-configured public community name, which is widely set by vendors.

16. Click Next.

The SNMP v3 Configuration area opens:

Figure 27: SNMPv3 configuration settings found in the wizard.

17. For User Name type HPuser.

SNMP v3 adds data encryption to the communication stream, whereas SNMP v2 uses only a simple password (clear text transmission). In order to have the strongest level of security when passing SNMP information across the network, SHA1 should be used for the Authentication Protocol and AES-128 or higher should be used for the Privacy Protocol. The use of SHA1 and AES-128 will require a passphrase or hexadecimal key. That passphrase should be 12 characters or more.

18. Type hpisgreatatprint20 for the Authentication Protocol.
19. Type snmpversionthree20 for the Privacy Protocol.

Figure 28: Settings to configure SNMPv3 in the wizard.

20. Click Next.

The Access Control configuration area opens:

Figure 29: Part of the wizard that allows for Access Control Lists (ACL) to be configured.

21. In the first line item, checkmark Save, enter the IP address of your computer, and leave the Mask empty.

The ACL allows individual IP addresses or blocks of IP addresses, defined by their subnet mask, to access the EWS:

IP Address     Mask             Description
192.0.0.0      255.0.0.0        Allow all hosts (computers) with network number 192.
192.1.0.0      255.255.0.0      Allow all hosts (computers) on network 192, subnet 1.
192.168.1.2    (empty)          Allow the host (computer) with IP address 192.168.1.2. In this case, the mask 255.255.255.255 is assumed and is not a required entry.

Up to 10 entries (blocks of IPs or individual IPs) can be configured in the ACL.
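As an added illustration that is not part of the HP lab guide, the following Python models how a Jetdirect-style ACL evaluates a client address against a table like the one above: each entry is an IPv4 address plus an optional mask, an empty mask means the single host, and the list holds at most 10 entries. It also models the wizard's Allow Web Server (HTTP) access checkbox, and assumes (as the device's unconfigured state) that an empty list admits every host; the class and method names are this example's own.

```python
"""Model of an HP Jetdirect-style IP access control list (ACL).

Added example, not HP's code. Entries mirror the wizard's table: an IPv4
address plus an optional mask; an empty mask means one host (255.255.255.255).
Assumption: an empty ACL admits every host, which is the out-of-box state.
"""
import ipaddress

MAX_ENTRIES = 10                 # the guide: up to 10 ACL entries
HOST_MASK = "255.255.255.255"    # assumed when the Mask column is left empty


def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to integer; raises ValueError on bad input."""
    return int(ipaddress.IPv4Address(dotted))


class JetdirectAcl:
    def __init__(self, entries, allow_http_any=False):
        """entries: list of (ip, mask) strings as typed into the wizard table.

        allow_http_any models the 'Allow Web Server (HTTP) access' checkbox:
        when True, EWS (HTTP) access is not limited to the ACL entries.
        """
        if len(entries) > MAX_ENTRIES:
            raise ValueError(f"ACL holds at most {MAX_ENTRIES} entries")
        self.rules = []
        for ip, mask in entries:
            mask = mask or HOST_MASK
            net, m = _to_int(ip), _to_int(mask)
            # keep only the network part, so 192.168.1.2/255.255.0.0 behaves as 192.168.0.0
            self.rules.append((net & m, m, f"{ip}/{mask}"))
        self.allow_http_any = allow_http_any

    def matching_rule(self, client_ip: str):
        """Return the label of the first entry the client address falls in, else None."""
        c = _to_int(client_ip)
        for net, m, label in self.rules:
            if c & m == net:
                return label
        return None

    def allows(self, client_ip: str, service: str = "print") -> bool:
        """Decide access for 'print' (port 9100 and friends) or 'http' (the EWS)."""
        if service == "http" and self.allow_http_any:
            return True
        if not self.rules:           # assumption: empty ACL means no restriction
            return True
        return self.matching_rule(client_ip) is not None


if __name__ == "__main__":
    # The lab's step 21: only the student's own PC (constructed address) is listed.
    lab_acl = JetdirectAcl([("192.168.1.2", "")])
    for client in ("192.168.1.2", "192.168.1.3"):
        print(client, "print:", lab_acl.allows(client), "http:", lab_acl.allows(client, "http"))
```

With the three entries from the table above, any 192.x.x.x client matches the first entry, which is why a single /8 entry makes the narrower ones redundant.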

22. Click to deselect Allow Web Server (HTTP) access; this setting limits EWS access to the IP address entered in the ACL table.

Figure 30: The Access Control part of the wizard showing Allow Web Server (HTTP) access disabled.

23. Click Next.

The Print Protocols and Services area opens:

Figure 31: Protocols and services running by default.

By default HP MFPs accept a wide range of printing protocols to maximize successful installation on a customer network. You should always disable any unused printing protocols to minimize unwanted network traffic from interfering with or interrupting the MFP. Always check with a customer to see what printing protocols they use in their environment.

24. Uncheck the following printing protocols:

• LPD
• FTP
• Web Services Print
• AirPrint

Note:
Make sure IPP / IPPS is enabled; we will use these protocols in a later lab to demonstrate printing with encryption.

Figure 32: Shows protocols and services disabled for the security configuration.

It is extremely important to disable unused protocols, as leaving them enabled can leave an otherwise secure network wide open to vulnerabilities.

25. Click Next.

The 802.1X Authentication area opens:

Figure 33: Wizard 802.1X settings.

802.1X Authentication works by providing a doorway to a network. When enabled, it acts as the security guard that allows or denies clients network access. In a wired network, 802.1X requires an Authentication Server to manage the connection requests. When configured, a client contacts the Authentication Server, which in turn contacts a central database that houses all user information on the network. It compares the information provided by the client to the records in the database; if they match, the Authentication Server allows the client to connect into the network.

For a company, 802.1X Authentication provides a way to minimize unauthorized network connections. HP Jetdirect complies with this standard. Customers can take comfort knowing that they can quickly implement HP Jetdirect devices into their existing 802.1X architecture.

26. Click Next and keep the default non-configured settings.

The Configuration Review area opens:

Figure 34: Wizard security configuration review page before finishing.

27. Click Finish.

Figure 35: Security Configuration Wizard settings were applied successfully.

Note
The Windows password security window will pop up. At this point click Cancel.

Conclusion: Your MFP is now more secure. In the next task we will explore the security measures you implemented to see the results.

Task 3: Exploring a secure MFP from the network

Introduction: In this task, we will attempt to connect to a secure MFP over the network to see the results of our security settings.

The following steps will test the security settings that have been enabled.

1. Click Start, and in the search area type telnet <IP address of your HP device> and click Enter.

Figure 36: Accessing device by Telnet.

Notice that Telnet access is no longer available. The connection never establishes.

Figure 37: Telnet trying to connect to device.

2. Connect to the EWS using the <MFP’s IP address> as the URL in a web browser (http://<hostname or IP address>).

Only the Information tab is available, with limited options, for a non-authenticated user:

Figure 38: Options available to those that have not signed in to the EWS.

With the exception of the Print option, anyone who visits the EWS now sees device information only. All of the other tabs have been hidden.

3. Connect to the secured MFP using FTP (in a web browser or Windows Explorer type FTP://<MFP IP address>).

Figure 39: Result trying to FTP to a device that has the FTP service disabled.

4. FTP access has been restricted and you can no longer read/write information to the MFP via FTP port access.

Figure 40: Error message when trying to connect to a disabled FTP service.

Test the Access Control List feature by using another computer to connect to the device.

5. Using another computer, try accessing the locked down imaging and printing device. To access the device, type the IP address in a web browser to access the EWS of the locked down device. If the ACL is set up correctly, you will see the error message shown in Figure 37.

Notice you are not allowed access.

Figure 41: Internet Explorer message when the device ACL is set up correctly.

Use another computer to attempt to print via the Telnet protocol.

6. Click Start, and in the search area type telnet <IP address of another group’s MFP> 9100 and click Enter.

Figure 42: Initiating a Telnet connection to print.

7. Type some text.

Notice the connection terminates and nothing prints. Access Control Lists give administrators another tool to secure the EWS and control who can print to the MFP. The ACL has a broad range of IP-defining flexibility. Entire networks can be defined, or administrators can focus access to a specific IP address.

Note:
If you try to connect to your own device, it will allow the connection, because only your workstation’s IP address is allowed by the ACL we created during the Security Configuration Wizard exercise.

Figure 43: Open telnet connection.

Conclusion: The MFP you configured operates much differently from when you first started. It can only be configured through the EWS from a specific network IP address. Once connected to the EWS, only the administrator password can unlock the configuration area. All EWS activities over the network are encrypted (HTTPS) and the MFP only accepts printing via TCP/IP port 9100, which is currently limited to one static IP address on the network.

Task 4: Securing a HP MFP using the device security settings area


Introduction: In this task, extend the security measures implemented on the HP Jetdirect MFP, by configuring various device
related security settings.

1. Connect to the EWS by using the <MFP’s IP address> as the URL in a web browser (http://<hostname or IP address>).

2. Click the Sign In link on the upper right side.

• User name: administrator

• Password: hp

3. Click on the Security tab.

Figure 44: Security tab selected.

The General Security Settings area opens:


Figure 45: General security section in the security tab.



In this area HP has collected various device-specific security options into one place for quick and easy configuration. We have already configured the Device Password. The other options provide the following security measures:

Information tab requires administrator access:



By default, users have access to the Information tab of any password-protected MFP. If desired, an administrator can hide that tab as well by checking the Information tab requires administrator access option.

Set the Service Access Code



The Service Access Code controls access to the Service menu at the control panel. It must be 8 digits long.

Set the Remote Configuration Password


By default, HP Digital Sending Software (DSS) uses the EWS administrator password to connect to this product. If the
Remote Configuration Password has been set, it can be used by the DSS and other remote configuration tools to connect.
This allows the administrator to use separate EWS and DSS administrator passwords.




Set Options
By enabling these options, anyone who accesses the MFP's EWS can submit print jobs and access logs on the MFP's EWS Information page without logging in.

Figure 46: This figure shows the Information Tab Options are enabled.

PJL Password

The PJL password feature helps protect the MFP from unauthorized configuration through Printer Job Language (PJL) commands. It does not affect ordinary print jobs. Once the PJL password is configured, the MFP requires it before it processes any PJL-based commands. It is highly recommended to set a PJL password.

Figure 47: The UI with options to set the device PJL security.

Enabling the Enable PJL Device Access Commands option allows PJL device attendance commands, SNMP pass-through commands, and environment commands that affect persistent settings on the device.

Firmware Upgrade Security



Disabling the Allow Firmware upgrades sent as print jobs (port 9100) option locks the potential firmware upgradability of an MFP. The Allow installation of legacy packages signed with SHA-1 Hashing algorithm option provides additional protection for firmware updates.



Figure 48: This figure shows the Firmware Upgrade Security settings that are enabled by default.

File System Access Settings:


HP recommends disabling (deselecting) PJL Disk Access and PS Disk Access. These access points are for adding and deleting files on the MFP storage devices, but they are usually not required for normal MFP operations such as printing, copying, faxing, and digital sending.



Figure 49: This figure shows the File System Access Settings that are enabled by default.

Hardware Ports:

Manage the MFP's USB connectivity options by allowing direct printing via the USB port (Print from computer through USB) and/or allowing the MFP to locally connect thumb and flash drives (used in scanning).




Figure 50: This figure shows the hardware port settings that are enabled by default.

Next, explore how to protect the MFP’s stored data.

4. From the options on the left click Protect Stored Data.

The Protect Stored Data area opens:


Figure 51: This figure shows the Protect Stored Data settings that are enabled by default.

Drive Status:

Hard disk drives installed in the MFP are displayed in this area, including what content is present and their statuses. Disks without system data can be managed from this area by either erasing them or transferring system information from an existing drive.

Job Data:

Normally, when a file is deleted from a hard drive, the filename entry is erased from the disk's file allocation table, removing the file's presence. The file's data still exists in the disk's individual sectors and is overwritten only when that sector is allocated to a different file.



HP Secure Erase technology overwrites a deleted file's data in the individual sectors with random data using either a one-pass or a three-pass overwrite, which conform to the U.S. Department of Defense 5220.22-M and NIST SP 800-88 specifications.

Figure 52: Shows the Job Data erase options.

The File Erase Mode setting allows you to select the level of security at which the MFP erases files as it routinely deletes
them from its storage device. The File Erase Mode feature includes three options for levels of security:

• Non-Secure Fast Erase (No overwrite) - Marks the print job data as deleted only.




• Secure Fast Erase (Overwrite 1 time) - Performs a one pass overwrite of job data which is sufficient to
prevent data from diagnostic recovery per NIST SP800-88 guidelines.
• Secure Sanitize Erase (Overwrite 3 times) - Performs a three pass overwrite of job data as
recommended by the US Department of Defense 5220.22M specification.
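The three File Erase Modes differ only in how many random overwrite passes precede the deletion. The following added Python example (not code from HP or from the device firmware) performs the same one-pass and three-pass overwrite on an ordinary file so the difference can be observed; the mode table, the sector size and the sample job content are constructed for the illustration.

```python
import os
import tempfile

SECTOR = 512  # overwrite in sector-sized chunks, like the per-sector overwrite described above

# The three File Erase Mode options and the number of overwrite passes each performs.
ERASE_MODES = {
    "Non-Secure Fast Erase": 0,   # mark deleted only; data remains until the sector is reused
    "Secure Fast Erase": 1,       # one random pass (NIST SP 800-88 style clear)
    "Secure Sanitize Erase": 3,   # three random passes (DoD 5220.22-M style)
}


def secure_erase(path, mode):
    """Erase the file at `path` using the named mode.

    Returns (passes, bytes_overwritten). Each pass writes fresh random data over
    every byte and is fsync'd so the write reaches the device before the next pass."""
    passes = ERASE_MODES[mode]
    size = os.path.getsize(path)
    written = 0
    if passes:
        with open(path, "r+b") as fh:
            for _ in range(passes):
                fh.seek(0)
                for offset in range(0, size, SECTOR):
                    chunk = os.urandom(min(SECTOR, size - offset))
                    fh.write(chunk)
                    written += len(chunk)
                fh.flush()
                os.fsync(fh.fileno())
    os.remove(path)  # the directory entry goes last, in every mode
    return passes, written


def erase_demo(mode):
    """Write a constructed job file, erase it in the given mode, and report what happened."""
    fd, path = tempfile.mkstemp(suffix=".job")
    payload = b"CONSTRUCTED SAMPLE JOB DATA " * 100  # 2800 bytes standing in for a print job
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    passes, written = secure_erase(path, mode)
    return {"mode": mode, "passes": passes, "bytes_overwritten": written,
            "expected": passes * len(payload), "removed": not os.path.exists(path)}


if __name__ == "__main__":
    for mode in ERASE_MODES:
        print(erase_demo(mode))
```

One caveat the lab text does not spell out: on flash media and on journaling or copy-on-write file systems an in-place overwrite is not guaranteed to land on the same physical cells as the original data, which is one reason the encrypted drives and the whole-disk Secure Storage Erase discussed below matter as much as the per-file mode.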

HP Secure Erase technology is applied in two different ways to remove data from HDD storage devices.
• Secure File Erase overwrites files on a continuous basis as soon as they are no longer needed to perform the required function. This is initiated by setting the “File Erase Mode” setting to either “Secure Fast Erase” or “Secure Sanitizing Erase”.

o HP recommends using Secure Fast Erase because it is relatively fast, but it effectively destroys the file data and ensures a reasonable level of security. If your network requires a higher level of security, such as to meet Department of Defense standards, you should select Secure Sanitize Erase.

Figure 53: Button to click to start the job erase option.

• Selecting Erase invokes a Secure Storage Erase procedure which removes all non-essential data from storage devices in a manner consistent with preparation for decommissioning or redeployment. This operation can be initiated on demand or scheduled for a later date and time. Secure Storage Erase overwrites the entire disk including:
o Job Storage documents (even though they have not been retrieved)
o Stored Faxes (even though they have not been retrieved)
o Installed 3rd party solutions
o Installed fonts

Secure Storage Erase will not impact:
o Flash-based non-volatile RAM containing default printer settings, page counts, etc.
o Flash-based system boot RAM
o Configuration settings for Digital Sending and Authentication when stored on the system hard disk.

Change Password for Encrypted Drives:



Most FutureSmart devices ship with encrypted hard drives. These drives automatically encrypt all stored data using the AES 128-bit algorithm, by use of a unique password (key). This password can be managed from this area by administrators, if desired.

Figure 54: This figure shows the Change Password For Encrypted Drives setting.

Managing Temporary Job Files:


There are three options to choose from –
• Non-Secure Fast Erase (No overwrite)




• Secure Fast Erase (Overwrite 1 time)


• Secure Sanitize Erase (Overwrite 3 times)

Figure 55: The UI shows the choices for managing temporary job files.

When enabled, all data removed from the system by a delete operation is erased using a secure erase mode, either

This includes

• Temporary files created during the print, scan, fax, and copying processes

• Stored Faxes (deleted when printed)
User initiated delete operations including the four Job Storage type documents

• Stored Job (manual delete)

• Quick Copy (manual delete)

• Personal Job (deleted when printed or system reset)

• Proof and Hold (deleted when printed or system reset)

Manage Stored Jobs

Administrators can globally enable or disable the ability for the MFP to accept and store incoming stored jobs (Private Job, Stored Job or Quick Copy Job). If enabled, limits can be placed on Quick Copy Stored jobs, along with how Private Print Jobs and Printed Stored Jobs are sorted at the front panel.
Manage Stored Jobs:

Figure 56: Shows the security options for managing jobs on the device.

Conclusion: Customers need to be aware of the additional features and security measures within the EWS. Customers should be encouraged to maintain a secure environment by disabling unused features. Something as simple as leaving direct ports enabled on a fleet of MFPs could cost thousands of dollars in a university printing environment built on charging students for their printing output.






Task 5: Analyzing an HP MFP using Public key encryption


Introduction: In this task, HTTPS web encryption using your lab provided HP MFP will be explored.

1. Within Microsoft’s Internet Explorer, open your MFP’s Embedded Web Server (EWS) by typing the MFP’s IP address as the
website location, HTTPS://<your MFP’s IP address>.

Notice the web browser message you receive:


Figure 57: Browser warning messages when a security certificate is not trusted.

This message was generated by Microsoft's Internet Explorer and Google Chrome. The HP MFP's web server is requesting a secure HTTPS connection. HTTPS, Hypertext Transfer Protocol Secure, allows two clients to pass web information across a secure network “pipe”. HTTPS behaves the same as an HTTP-based connection with two exceptions: it operates on TCP port 443, and it uses Transport Layer Security (TLS) to perform the encryption.

Note

SSL was originally designed by Netscape. Its success led to standardization of the protocol by the Internet Engineering Task Force (IETF)
in 1999 (RFC2246). Today, TLS encrypts the majority of E-commerce transactions performed across the Internet.

Question: If this connection is secure, why does the certificate error appear?

Answer: The basis of this encrypted connection is an asymmetric, or public key, exchange. Microsoft's Internet Explorer is warning you that it does not know whether it can trust the public key the HP MFP is presenting to your web browser. Looking closer at the message from your web browser, notice the following:

Figure 58: Security warning message when certificates are not trusted by the browser.

Public key exchange operates on the basis of trust for two simple reasons:

• Information encrypted with a public key can only be decrypted by the associated private key.




• Private keys are never shared, so you never know if a public key really belongs to the intended
recipient.

For example, you have a friend who wants to borrow your car. You have known this person for many years and have
every confidence in his ability to drive responsibly and safely. You have no problem handing the car over to him directly.
However, one day, someone shows up, saying he is there on behalf of your friend to pick up your car and deliver it to him
for use.

Normally you would not have a problem giving the car directly to your friend, but now you are being asked to trust someone else in order to accomplish the same task. It's not so easy to hand over your car to a complete stranger. Public key encryption operates in this same capacity. For every information exchange between two clients, the sending client must decide whether it trusts the receiving client's public key before using it to send data. The hope, or trust, is that the public key belongs to the intended recipient and not to someone trying to steal your information. Internet Explorer simply alerts you to this dilemma.

Note

In addition to trust issues with the HP MFP’s public key, you may also be notified that the certificate has expired, depending on its age.

2. Accept any certificate warnings that appear and continue to the HP MFP’s Embedded Web Server.

Once in the EWS notice the Certificate Error message displayed within the web browser:


Figure 59: Certificate security warning in Microsoft Internet Explorer.



Question: Despite the error message around the trust issues, is the connection to the HP MFP secure?

Answer: Yes, looking at the web address you see that it is connecting over a secure HTTPS connection.

By accepting the warning displayed earlier, you accepted the HP MFP's public key. At that point, the MFP's public key was used to encrypt a one-time generated secret key created by your workstation. That encrypted package was then sent to the EWS. At the MFP, the package was decrypted using its private key, exposing the one-time generated secret key your workstation created. At this point your client and the HP MFP know the same “secret”, so they are able to send encrypted messages over a secure channel, TLS/SSL in this case. Encryption of this kind uses both an asymmetric (public key) and a symmetric (secret key) process.



HTTPS flow:

Figure 60: Example of how encryption works with a HP device.
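The exchange just described, replayed as an added Python example that is not part of the lab guide and does not reproduce the actual TLS handshake or cipher suites: a toy RSA key pair stands in for the MFP's key, the browser wraps a one-time secret with the public key, the MFP unwraps it with the private key, and both sides then derive the same symmetric key for the traffic. The primes, the key-derivation step and the HMAC-based stream cipher are assumptions chosen so the block runs with the standard library only.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair standing in for the MFP's Jetdirect key. Two Mersenne primes
# give a modulus of only about 92 bits, far too small for real use; the point
# is to show the flow, not to provide strength. Assumed values, not from the lab.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (needs Python 3.8+)
MFP_PUBLIC_KEY = (N, E)
MFP_PRIVATE_KEY = (N, D)


def rsa_encrypt(public_key, m):
    """Asymmetric step: anyone holding the public key can wrap a value."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """Only the holder of the private key (the MFP) can unwrap it."""
    n, d = private_key
    return pow(c, d, n)


def derive_session_key(secret):
    """Both sides turn the shared one-time secret into a 256-bit symmetric key."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def stream_xor(key, data):
    """Symmetric step: XOR data with an HMAC-SHA256 counter keystream. The same
    call encrypts and decrypts. Toy construction with no integrity protection."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream.extend(hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def https_exchange(request):
    """Replay the handshake the text describes and return what each side ends up with."""
    # 1. The browser generates a one-time secret and wraps it with the MFP's public key.
    client_secret = secrets.randbits(80)
    wrapped = rsa_encrypt(MFP_PUBLIC_KEY, client_secret)
    # 2. The MFP unwraps the package with its private key.
    mfp_secret = rsa_decrypt(MFP_PRIVATE_KEY, wrapped)
    # 3. Both sides derive the same symmetric session key from the secret...
    client_key = derive_session_key(client_secret)
    mfp_key = derive_session_key(mfp_secret)
    # 4. ...and switch to symmetric encryption for the actual HTTP traffic.
    ciphertext = stream_xor(client_key, request)
    seen_by_mfp = stream_xor(mfp_key, ciphertext)
    return {"same_secret": client_secret == mfp_secret,
            "ciphertext": ciphertext, "seen_by_mfp": seen_by_mfp}


if __name__ == "__main__":
    result = https_exchange(b"GET /status HTTP/1.1")   # constructed request line
    print(result["same_secret"], result["seen_by_mfp"])
```

Notice that nothing in step 1 tells the browser whose public key it is wrapping the secret with; that is exactly the dilemma the certificate warning points at, and it is why the next steps of the task look at the certificate rather than at the encryption.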

3. Click on the Certificate Error.




Figure 61: Certificate security warning in Microsoft Internet Explorer.

The following warning box appears:

Figure 62: Microsoft Internet Explorer warning box.

4. Click on view certificates.

The HP MFP’s Jetdirect Digital Certificate appears:


Figure 63: The figure shows certificate information.



Digital Certificates are electronic files that are used to identify people and resources over a network. They are an integral part of a Public Key Infrastructure (PKI). To understand the role of a Digital Certificate in a PKI, consider the following analogy. A passport is a way to establish your identity and your country of origin. In order to get a passport you must go through a series of processes that ultimately prove your identity and your direct relationship to a country. Once a passport has been issued to you, the country signs it, stating that the identity (name and picture) on the passport is legitimate. Like a passport, a Digital Certificate establishes an identity and a trust relationship to a higher entity.

5. Click on the Details tab.






Figure 64: Untrusted security certificate details.

Digital Certificates fit a form as defined by X.509 and RFC5280 standards.

They contain the following base information:

• Issuer

• Certificate Authority’s digital signature

• Company or individual user’s public key

• Digital Certificate’s serial number

• Digital Certificate’s expiration

In the case of this HP Jetdirect certificate you can see that the Issuer and Subject are the same. In the world of Digital Certificates, this is referred to as a Self-Signed Certificate.


Figure 65: By clicking on the field it reveals additional details.



To help appreciate the importance of “signing” in terms of a Digital Certificate, let's revisit our analogy around a passport. You decide to travel outside your country. Upon entering a neighboring country, you are asked to display your passport to the customs department before being given access. You hand over your passport. Customs first scrutinizes your identity (Subject), which is a combination of your name, birthday, height, weight and photograph. Next, customs verifies your passport's authenticity, as determined by the issuing country's signature (Issuer). If satisfied by the two, customs grants you access. Imagine in this same situation you handed over a passport to a customs department where the Subject and Issuer were the same. It would be the equivalent of handing over a personal ID you made from scratch, and saying, “Trust me, this is really who I am”. Likewise, this Jetdirect Certificate is stating just that: it was signed and issued by the same person, the HP MFP's Jetdirect card.



6. Click on the Certification Path tab.






Figure 66: Figure shows the error in the certificate status.

Because this HP Jetdirect certificate is self-signed, your workstation is warning you that it cannot be trusted for the
reasons just described. The analogy so far can be directly mapped to PKI terms.

Passport Analogy      Public Key Infrastructure                                   Purpose
Country               Certificate Authority (CA)                                  Provides an origin of trust in creating, validating and revoking
Customs Department    Technical infrastructure to support a public key network    Access
Passport              Digital Certificate                                         Identifies the Issuer and Subject
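The certificate fields listed earlier in this task and the trust path mapped out in the table above can be exercised in code. The following added Python example (not HP's code and not a real X.509 parser) models certificates with just those base fields and walks the certification path from the Jetdirect certificate toward a trust anchor, reporting the three outcomes seen in the lab: a self-signed certificate, a certificate issued by a trusted CA, and an expired one. The certificate names, serials, dates and the trust store are constructed for the illustration, and the CA signature check a real validator performs is deliberately left out.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Certificate:
    """The base fields listed above; public_key is a placeholder label, not key material."""
    subject: str
    issuer: str
    serial: int
    public_key: str
    not_after: date

    def is_self_signed(self):
        return self.subject == self.issuer


def validate_chain(leaf, available, trust_anchors, today):
    """Build the certification path from leaf toward a trusted root.

    Returns (trusted, reasons). A real validator also verifies each CA's digital
    signature over the certificate it issued; that step is omitted in this model."""
    reasons = []
    by_subject = {c.subject: c for c in available}
    anchors = {c.subject for c in trust_anchors}
    current, visited = leaf, set()
    while True:
        if current.not_after < today:
            reasons.append(f"{current.subject}: expired on {current.not_after}")
        if current.subject in anchors:
            break                                  # reached the origin of trust
        if current.is_self_signed():
            reasons.append(f"{current.subject}: self-signed, issuer not in trust store")
            break
        visited.add(current.subject)
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in visited:
            reasons.append(f"{current.subject}: issuer '{current.issuer}' cannot be resolved")
            break
        current = issuer
    return not reasons, reasons


# Constructed certificates for the three situations in the lab (not real certificates).
CORP_ROOT = Certificate("Example Corp Root CA", "Example Corp Root CA", 1, "pk-root", date(2030, 1, 1))
JETDIRECT_SELF_SIGNED = Certificate("jetdirect-mfp.example", "jetdirect-mfp.example", 2, "pk-mfp", date(2016, 1, 1))
JETDIRECT_CA_ISSUED = Certificate("jetdirect-mfp.example", "Example Corp Root CA", 3, "pk-mfp", date(2016, 1, 1))
JETDIRECT_EXPIRED = Certificate("jetdirect-mfp.example", "Example Corp Root CA", 4, "pk-mfp", date(2013, 1, 1))


def lab_scenarios(today=date(2014, 10, 1)):
    """Evaluate the three cases against a trust store holding only the corporate root."""
    store = [CORP_ROOT]
    return {
        "self_signed": validate_chain(JETDIRECT_SELF_SIGNED, [JETDIRECT_SELF_SIGNED], store, today),
        "ca_issued": validate_chain(JETDIRECT_CA_ISSUED, [JETDIRECT_CA_ISSUED, CORP_ROOT], store, today),
        "expired": validate_chain(JETDIRECT_EXPIRED, [JETDIRECT_EXPIRED, CORP_ROOT], store, today),
    }


if __name__ == "__main__":
    for name, (trusted, reasons) in lab_scenarios().items():
        print(name, trusted, reasons)
```

The model also shows the two administrative ways out of the warning: a self-signed certificate becomes trusted only if it is itself placed in the trust store, whereas a certificate issued by the organization's CA is trusted on every workstation that already holds that root.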

7. Click on OK to close the Certificates dialog box.



Conclusion: Despite establishing a secure HTTPS connection with your MFP, we have identified that its relationship within a trusted PKI is in question, as seen in the reporting via MS Internet Explorer. Insignificant as it may seem, in customer environments where a PKI infrastructure is in place, security policies may govern the interaction with a non-trusted web server to the extent of complete isolation within a network. Knowing the specifics of asymmetric public key encryption demands that you also know and understand the PKI that supports and manages it. Self-signed certificates created by HP's Jetdirect card allow for HTTPS connections, but cannot be trusted within an existing PKI because the issuer and subject are the same.




Task 6: Encrypting a print stream using IPP and SSL (Optional)


Introduction: SSL/TLS is commonly used to protect HTTP web traffic, but it can also be used to protect printing. HP Jetdirect
supports Internet Printing Protocol over TLS (henceforth, IPPS). While we will discuss the steps for setting up a client, it should
be noted certificates need to be configured on the server and printer for this task to work.

Caution

Certificates need to be installed on the workstation and printer from the same trusted authority for this task to work.

Use the following steps to configure a client machine to use IPP over SSL.

1. Click Start, Devices and Printers.

2. From the left side options, click Add a printer.

3. Select Add a network, wireless or Bluetooth printer.

4. Select The printer that I want isn’t listed.

5. Choose Select a shared printer by name and enter the HTTPS address of your MFP ending with /IPP (Example: HTTPS://IP Address/IPP).


Figure 67: Adding IPP Address.



Note

It is important to specify both HTTPS and /IPP when directing a driver to print using an HP Jetdirect IPP URL. Failure to correctly set this URL results in a failure to print, or a failure to print with encryption.



6. Click Next.

7. From the manufacturer list, select HP and the model of your MFP. If your model is not found locate the closest device in
base function. If you are not sure on what to pick – select any LaserJet model and click OK.

8. Click Next.

9. Set the driver as your default printer and click Finish.



Once complete, the following printer appears in your Devices and Printers area:




Figure 68: IPP printer was added.

Note

Depending on how fast the driver was created, it may not have been possible to set it as the default. Unlike a normal driver connected to a physical port, such as TCP/IP, this driver is virtually connected to an HTTPS connection (no feedback); because of that, Microsoft Windows pauses when trying to create the driver, causing a small delay.

10. Using Notepad, print a test document using your IPPS-enabled print driver.

Question: Can I use IPP / SSL with HP UPD?

Answer: No. Currently HP UPD employs the SNMP protocol to query and build the top level (features) of a driver prior to printing (dynamic mode) and/or to manage printing status (traditional mode) while printing. Because of this fundamental SNMP-based design, HP UPD is unable to perform these core functions in a strict IPP-only printing model, as is the case with IPP over SSL.

Conclusion: Leveraging IPP and SSL together creates a secure printing solution without the need to involve third-party solutions. When enabled, any traffic sent from the workstation to the printer is secured from prying eyes. Someone sniffing traffic over the network would be unable to recreate the print job. The result is a secure, easy and free printing encryption solution.

Screenshot of what the IPPS traffic looks like over the network:

Figure 69: View of the encrypted print stream.




Task 7: HP Secure Encrypted Print (SEP)


Introduction: This task demonstrates how and why to use the Encrypt Job (with password) feature. HP Secure Encrypted Print (SEP), or Encrypt Job (with password), provides end-to-end secure print job transmission with mutual authentication on supported devices. This allows a user to encrypt their print job and password for either personal jobs or stored jobs on the printer. The print job is sent and stored encrypted, and can only be printed after entering the password on the device. HP uses true symmetric AES 256-bit encryption/decryption and the industry standard FIPS 140 validated cryptographic module from Microsoft.

Follow these steps to create a Secure Encrypted Print Job using the HP UPD:

1. Install HP Universal Print Driver (www.hp.com/go/upd).


Figure 70: Installation wizard for HP Universal Print Driver



2. Create a Microsoft Word document and name it Encrypted Job.



3. Click File and click Print.



4. Select the HP Universal Printing driver, and click Properties.



5. Using the dynamic mode interface, locate and select the device you are using.

6. Click OK to continue past the dynamic mode interface.



7. Select the Job Storage tab.



8. Select Stored Job.



9. Select Encrypt Job (with password) under Make Job Private/Secure.



10. Type your name in the User Name field.



11. Type Encrypted Job in the Job Name field.







Figure 71: Encrypted Stored job with password.



12. Click OK to close the driver properties dialog.



13. Click OK to print.



14. Enter a sequence of numeric characters, from 4 to 12 numeric characters in length, in the Password field.

15. Confirm the password you entered by retyping it in the Confirm field.

Figure 72: The Job Storage Identification dialog.



16. Click OK.


17. Click OK.
18. At the printer control panel, touch Job Storage (older devices) or Retrieve from Device Memory (newer devices). The
stored job you created appears in the stored job list with an icon showing that it requires a password to print.




19. Unlock and print the document by selecting the document and entering the password.

Figure 73: Retrieve from Device Memory interaction

Conclusion: You have printed a stored job that was encrypted with a password. The stored job feature, combined with a password, is an effective security feature that helps protect the document. The document can reside on the device until it is deleted.




Task 8: Walk-up MFP access control


Introduction: In the MFP's current configuration, only an authorized IP address (as defined in the ACL task) with the EWS administrator password can configure the MFP. Remotely, the MFP is secure; what about walk-up control panel interaction? Currently, anyone can perform factory resets, change network settings, and configure digital sending options from the MFP control panel. There is no control or accountability at the MFP. We are now going to lock the control panel, hide control panel keys and enable authentication.

Activity A: Secure the MFP’s control panel

1. Connect to your demo device EWS.

2. Click the Log In link on the upper right side.

• User name: administrator

• Password: hp

3. Select the Security tab in the EWS.

4. Click on the Access Control link from the left side options.


Figure 74: Viewing the options in the Access Control menu



The Access Control area shows at a granular level how the device is being accessed. It is divided into five distinct areas: sign-in method, control behavior, relationship between permissions, and how users and groups are managed.

In the Enable and Configure Sign-in Methods area, there are three sign-in methods: Local Device, LDAP, and Windows. The default sign-in method is Local Device. If an environment supports LDAP and/or Windows authentication, it can be configured and used as a sign-in method at the device.



If Windows authentication is used, it allows the device to negotiate the highest level of authentication possible. In this case Kerberos authentication is attempted first, and if that fails, NT LAN Manager (NTLM) is used. The advantage of Windows authentication is that it uses built-in MS Windows mechanisms to negotiate and connect via the authentication methods. This makes it simple to deploy HP FutureSmart enabled devices in an existing enterprise network that uses Microsoft Active Directory.



The Sign In and Permissions Policies area sets the control panel sign-in requirements and the permissions applied to user accounts. By default, all sublevel policy options assume the top-level sign-in method. Although it is possible to have various options utilizing different sign-in methods, it is recommended to keep each item set to Use Default for standard deployments.




Figure 75: This shows the different configured sign in methods that can be set as the default sign in method.

Another important area in the Access Control area is Relationships Between Network Users or Groups and Device Permissions. This area becomes useful when LDAP and/or Windows authentication is set up. When LDAP and/or Windows authentication is set up, you can create individual policies. For example, if you assign a custom-created permission set (like Power User) to the Windows sign-in method and then associate it with an Active Directory Organizational Unit (such as HR, Marketing, etc.), it results in giving those users unique policy-based access.


Figure 76: Shows a sign in relationship method and permission set for users.

By default, the Sign in Method is set to Local Device. These access credentials are managed under the Device User Accounts area:

Figure 77: Space where permissions for local accounts can be added.

5. Within your EWS Security, Access Control, Device User Account area, create a local user account, by clicking on New.

Figure 78: New button used to initiate the new account creation process.




6. Name the Account after your domain account details with a pass code of 1111.

Figure 79: Entering user account details.

7. Click OK.

Figure 80: New device user account created with account details.

Next review what policy was in effect for this access session.

Within your EWS Security, Access Control, Device User Account area, observe the following two prebuilt default policies:

Figure 81: The UI is showing the default user accounts and permissions.

Once authentication is enabled, whether Local Device, LDAP or Windows authentication, you assign which policy is applied to the Sign in Method. The administrator account has all features enabled by default (not selectable), whereas the Device User policy is open to change. This gives administrators an extra level of control, where some users can be assigned as device administrators and others are given user status.



By default, all users have open access as a Device Guest:




Figure 82: Device guest account permissions.

This is represented visually by green checkmarks throughout the various policy options under that account. Administrators who want to offer broad access to the MFP without regard to who is physically at the MFP can check any of the various policies to allow that option under this context.

8. Click to select the Green box under Device Guest.


Figure 83: Showing the Device Guest permission set disabled.



Notice the results; by making this one change you have effectively disabled the device to any walk up guest activity.

9. Click Apply at the bottom of the webpage.



10. At the device, push the Sign In button and use 1111 for the access code.

Figure 84: Signed into device control panel.

Next create a custom policy by following the steps below.




11. Click Manage Permission Sets.

Figure 85: Location of the Manage Permissions Sets button in the Access Control area.

12. Click New.

13. Name the new permission set Power User and click OK.

Figure 86: Creating the Power User permission set.

14. Click Back.



Notice your new Policy appears:



Figure 87: Policy appears in the Access Control area.



15. Take some time to explore the various options by expanding them. After reviewing the details, checkmark the features that you want the Power User policy to have available.

Figure 88: Customized permissions set for Power user permission set.




Notice that not only device functions such as fax and email are available for customization, but device menu items as well. This control gives administrators a high level of granularity to build a policy that matches an organization's imaging and printing policy.

16. Click to select your Device User Account created earlier and edit it.

Figure 89: Shows where to click to edit the user account details.

17. Change the permission set to Power User and click OK.


Figure 90: Shows where to change the device user permission set.

18. Click Apply at the bottom of the web page.



19. At the MFP, sign in using your 1111 access code and observe the result.

Figure 91: Shows device control panel with the device user signed in.




If the sign-in is successful, the username appears in the device control panel and the permission set is enforced. For example, the control panel screenshot above (Figure 91) shows the Save to Device Memory feature greyed out: that user has not been given the right to use that function.

Lab Conclusion: There are three sign-in methods for walk-up security built into the MFP:

• Local Device

• LDAP

• Windows (Kerberos / NTLM)

In addition to the network security measures implemented using the HP Jetdirect Wizard, walk-up interaction can now be limited to authenticated users only, as defined by the administrator. If managing multiple HP devices, leverage HP Web Jetadmin to implement fleet-wide access control and restrict control panel access consistently across the fleet.


Figure 92: HP Web Jetadmin template configuration.






Task 9: HP Jetdirect IPsec /Firewall use and configuration


Introduction: In this task we learn how to use and configure the built-in HP Jetdirect IPsec/Firewall feature to further control the flow of information to and from your HP MFP. A Firewall or IP Security (IPsec) policy allows you to control traffic to and from the MFP at the network layer, by source address, protocol and port. Being able to control the data flow at this level gives an administrator the tools needed to meet even the toughest network security policies. Follow the steps below to create a Firewall policy that restricts device management to a specific IP address on the network. In this case, the rules limit the MFP to being managed by a single HP Web Jetadmin server, identified by its IP address. Keep in mind that a rule keyed on a source address stops unauthorized or misconfigured management stations; it does not authenticate the peer. Binding the policy to an authenticated peer is what the IPsec side of the feature is for.

1. Connect to your imaging and printing device EWS.

2. Click the Sign in link on the upper right side.

• User name: administrator

• Password: hp

3. Click the Networking tab in the EWS.

4. Under the Security area on the left choose IPsec / Firewall.


Figure 93: Shows IPsec/Firewall settings.



5. Click the drop-down box and select Allow. This is the default action, applied to traffic that matches none of the rules you are about to create.



Figure 94: Shows where to set IPsec/Firewall traffic action in template.



6. Click the Add Rules button.

Rule 1: Specify Address Template area opens:




Figure 95: IPsec/Firewall address templates.

For this task specify a specific IP address. By default there are two IP groups preconfigured that represent the entire network: one group for IPv4 addresses and a second group for IPv6 addresses.

7. Click on New.

The Create Address Template area opens:


Figure 96: The IPsec/Firewall create address template.



Address templates in the HP EWS IPsec/Firewall feature can be as specific (a single host) or as general (a whole range, or all addresses) as desired.

8. In the Template Name field enter HP Web Jetadmin Server Management.



9. Under Local Address select Predefined Addresses, All IPv4 Addresses.



10. Under Remote address specify the IP address of your workstation.






Figure 97: Custom IPv4 All addresses template with information added.

Note

In a real customer deployment, the IP address would be that of the server where HP Web Jetadmin is installed.

We are creating an IPv4 template. If the customer uses IPv6 and needs an IPv6 template, simply enter the IPv6 addresses instead.

11. Click OK.
12. Select the new address template we just created and click Next.

Figure 98: Custom address appears in list of available templates for use.

The Rule 1: Service Template area opens:






Figure 99: Selecting an All Services template for configuration.

In this context, a service is a network protocol together with its port. For HP Web Jetadmin to manage this device, it must have access to certain protocols. The HP IPsec/Firewall gives administrators the ability to control which protocols the MFP allows or blocks on the network.

13. Select All Management Services and click View.

The protocol information area opens:

Figure 100: Protocol information for the All Management Services option.

Scroll through the Management Services protocol list. HP Web Jetadmin uses SNMP to gather information from the MFP. In addition to SNMP, HP has grouped other common management protocols in this list for quick configuration. An administrator who wants to narrow the rule to a specific protocol and/or port can create a custom service template, much as we created a custom address template for a specific IP address.

14. Click OK.



15. With All Management Services selected click Next.



The Rule 1: Specify action area opens:






Figure 101: Shows the actions available when applying a template.

Here we can either allow or block network access based on the parameters configured in this rule. Since this rule defines the HP Web Jetadmin server's access, and which services the MFP accepts from that server, select Allow.

16. Click Allow traffic to pass without IP/Firewall protection and click Next.

Rule one now shows in the Rule Summary screen:


Figure 102: Shows a summary of the configured rule.



Why is this rule alone not sufficient to ensure that only our fictitious HP Web Jetadmin server can manage this device? Based on this rule, the device knows which IP address is allowed to manage it, but nothing yet says who is denied: Rule 1 permits the server, and the default action chosen in step 5 still allows everyone else. To close this gap we must add a second rule that tells the MFP which sources may not manage it.



17. Click Create Another Rule.



18. Select All IPv4 Addresses under the Address Templates area.




Figure 103: Creating another rule.

19. Click Next.

20. Select All Management Services under the Service Templates area.


Figure 104: Rule 2 using All Management Services template.



21. Click Next.



22. Select Drop traffic under the Specify Action area.



Figure 105: Shows actions that can be applied to the traffic matching templates criteria.

23. Click Next.

Your two rules now appear in the Rule Summary area:




Figure 106: Shows a summary of the configured rule.

24. Click Finish.

The enable firewall policy warning screen appears:

Figure 107: Enable firewall and policy options.



25. Enable the Policy by selecting Yes.



Note

By default, the policy wizard creates a special testing rule that allows HTTPS traffic regardless of any firewall rule that would otherwise block it. This gives IT administrators the opportunity to test and implement their policies without locking themselves out of the EWS. While this mode is on, the EWS is reachable from every address, so it is extremely important that the EWS is protected by a strong administrator password; once the policy has been verified from the intended management host, the testing rule should not be left enabled.

26. Click OK.



Your active firewall policy is displayed in the IPsec / Firewall area:






Figure 108: Shows a summary of the configured/enabled rules.

Because the firewall is rule based, it evaluates the rules in order: the first rule, then the second, then the third, and so on, and the first rule whose address template and service template both match decides the action. Following our rule set, if a second HP Web Jetadmin server attempts to control this device, the firewall applies the first rule and checks whether the source is the .251 server. If it is not, that rule is skipped and the second rule is evaluated. In the second rule, the second server is part of the All IPv4 Addresses group (essentially the entire network), so the rule matches and all management traffic from that server is dropped, effectively disabling its ability to manage and control the MFP. Traffic that matches neither rule, such as print jobs from workstations (print protocols belong to the separate print service templates, not to All Management Services), falls through to the default action selected in step 5, Allow, so printing continues to work. Order matters: had the two rules been created the other way round, the broad drop rule would match the Web Jetadmin server first and the allow rule would never be reached.
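The first-match behaviour described above, written out as a small policy evaluator. This is an added example for this lab, not HP code, and it does not talk to a device: it models the two rules created in Task 9, the default action from step 5 and the wizard's HTTPS testing rule. The service template contents are a constructed subset of what the EWS templates contain, and the full address 192.168.1.251 for the ".251" server is an assumption.

```python
"""First-match evaluation of a Jetdirect-style IPsec/Firewall rule set.

Added example for this lab, not HP code. Models Task 9's two rules (allow
management services from the HP Web Jetadmin server, drop management services
from all other IPv4 hosts), the step 5 default action, and the wizard's HTTPS
testing rule. MANAGEMENT_SERVICES / PRINT_SERVICES are constructed subsets of
the EWS templates; 192.168.1.251 is an assumed address for the ".251" server.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

Service = Tuple[str, int]  # (protocol, port)

# Constructed subsets of the EWS service templates, enough for the demo.
MANAGEMENT_SERVICES: Set[Service] = {("udp", 161), ("tcp", 23), ("tcp", 80), ("tcp", 443)}
PRINT_SERVICES: Set[Service] = {("tcp", 9100), ("tcp", 515), ("tcp", 631)}


@dataclass
class Rule:
    name: str
    remote: ipaddress.IPv4Network   # address template; a single host is a /32
    services: Set[Service]          # service template
    action: str                     # "allow" or "drop"

    def matches(self, src: ipaddress.IPv4Address, service: Service) -> bool:
        return src in self.remote and service in self.services


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str = "allow"   # step 5 drop-down: action for unmatched traffic
    https_test_rule: bool = True    # wizard's "HTTPS always allowed" testing rule

    def evaluate(self, src_ip: str, proto: str, port: int) -> Tuple[str, str]:
        """Return (action, reason) for one inbound packet to the MFP."""
        service = (proto, port)
        if self.https_test_rule and service == ("tcp", 443):
            return "allow", "HTTPS testing rule"
        src = ipaddress.ip_address(src_ip)
        for rule in self.rules:             # first matching rule wins
            if rule.matches(src, service):
                return rule.action, rule.name
        return self.default_action, "default rule"


def lab_policy(wja_server: str = "192.168.1.251", https_test_rule: bool = True) -> Policy:
    """The Task 9 rule set, in the order the wizard created it."""
    return Policy(
        rules=[
            Rule("Rule 1: HP Web Jetadmin Server Management / All Management Services",
                 ipaddress.ip_network(f"{wja_server}/32"), MANAGEMENT_SERVICES, "allow"),
            Rule("Rule 2: All IPv4 Addresses / All Management Services",
                 ipaddress.ip_network("0.0.0.0/0"), MANAGEMENT_SERVICES, "drop"),
        ],
        default_action="allow",
        https_test_rule=https_test_rule,
    )


def reversed_policy(wja_server: str = "192.168.1.251") -> Policy:
    """Same two rules in the wrong order: the broad drop now shadows the allow."""
    base = lab_policy(wja_server, https_test_rule=False)
    return Policy(rules=list(reversed(base.rules)), default_action="allow",
                  https_test_rule=False)


if __name__ == "__main__":
    policy = lab_policy()
    samples = [("192.168.1.251", "udp", 161),   # Web Jetadmin SNMP poll
               ("192.168.1.77", "udp", 161),    # a second management station
               ("192.168.1.77", "tcp", 9100),   # an ordinary print job
               ("192.168.1.77", "tcp", 443)]    # EWS while the test rule is on
    for src, proto, port in samples:
        action, why = policy.evaluate(src, proto, port)
        print(f"{src:>15} {proto}/{port:<5} -> {action:5} ({why})")
```

Run it and compare the third and fourth lines: the print job passes on the default rule, and the EWS stays open to every host only because the testing rule is still enabled, which is the reason the note above insists on a strong EWS password while that rule is in place.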

Conclusion: HP's IPsec/Firewall puts additional control in the IT administrator's hands and supplements the EWS Access Control List feature by adding the ability to allow or block network traffic, per source address and at the protocol and port level, across the network.




Task 10: New security features found in FutureSmart devices.


Introduction: In this task we explore various new security features not found in pre-FutureSmart devices.

1. Connect to your demo MFP’s EWS.


2. Click the Sign in link on the upper right side.

• User name: administrator

• Password: hp

3. Click the Security tab in the EWS.

4. Click Certificate Management from the left options.

The Certificate Management area opens:


Figure 109: Certification management area in the EWS.



FutureSmart devices have a dedicated area to manage certificates. Not to be confused with the Jetdirect Networking area's Certificate Management, which covers the certificate used by the MFP's EWS web page and for LDAP over SSL, this console is where solution providers can load and store certificates for use with the OXPd engine.

For example, HP DSS version 4.91 and greater, when paired with FutureSmart devices, loads a certificate onto each FutureSmart device it manages. It does this because the device communicates with HP DSS over HTTPS via its OXPd web services engine.



Question: What is OXP and how does a solution vendor interface with it?

Answer: Through a device-based application programming interface for communicating with external servers.

HP DSS, for example, interacts with HP devices by using HP's OXPd functionality. HP Open Extensibility Platform (OXP) was first introduced in 2007, when it became evident that imaging and printing solutions needed to be deployable easily and efficiently across entire fleets of imaging and printing devices. HP OXP is a technology designed for programmers who want to create software solutions for HP imaging and printing products, such as HP MFPs. HP OXP is embedded in the device firmware to provide a common interface for software developers.




Figure 110: Overview of OXP layers and how they interact.

HP OXP has three layers: the device layer (OXPd), the management layer (OXPm) and the workflow layer (OXPw). Software developers control these components through web-services protocols. HP OXPd allows IT managers to deploy solutions, or applications (apps), to the installed base of imaging and printing devices, whose ages may range from three to seven years, as well as to new devices, with a quick configuration instead of complex installation procedures. OXPd updates all devices to the same web-services interface (set of hooks), which creates a unified, stable interface across a fleet of devices. Developers can create an unlimited number of apps that end users can access directly from the device's control panel.


Figure 111: Example of an OXP app.



HP OXPd 1.6 includes a mini web browser, application management features and advanced graphics capabilities. The mini web browser interface removes the need to install device-specific software on each device. The applications can run on a remote web server and display user interface controls and status on the customizable browser-based front panel of the device.

Looking at an MFP managed by HP DSS you will see the following in the Certificates area:

Figure 112: HP DSS certificate in the certificate manager.

Because FutureSmart offers a richer web services interaction than pre-FutureSmart devices, solution developers can deploy their own certificates to FutureSmart devices to protect the OXPd communication between the MFP and their server with TLS. This means that, going forward, FutureSmart devices contain the platform needed for encrypted communication over HTTPS, not only for OXPd but also for SMTP over SSL, for example.




Because this area acts as a certificate store, it gives the administrator one place to manage the collection of these certificates.

In addition to providing a storage house for incoming certificates, this area also holds the Digital Signing certificate used
when sending digitally signed emails (if you have signing enabled).

Screenshot of the Email Digital Signing area:

Figure 113: Email Digital Signing and Encryption setup options.

Digital Signing is not new to FutureSmart; pre-FutureSmart devices have this ability as well. What is new is that we can specify which certificate in the store will be used to sign (stamp) the email as it is sent from the device. This certificate can be independent from the other certificates in the system (not possible in older pre-FutureSmart devices).


Figure 114: Certificate that is used for Email signing.



This flexibility allows IT administrators to install a unique digital certificate on the MFP for use in digital signing workflows, such as sending an email from the MFP.



5. Click Self-Test from the left options.



Observe the following areas:


Figure 115: Shows the Self Test area and available security features.

The first section in the Self Test area is the Functionality Integrity Test. This section verifies the correct operation of the listed security functions.




Figure 116: Integrity tests available on the imaging and printing device.

The Function Integrity Test area presents the user with two options: Run all tests or Select some tests to run. Select some tests to run shows the list of tests that can be run. Those tests verify that the security functions operate correctly and according to the expected system parameters. The tests and what they do are as follows:

• PJL Password Verification: This functional test verifies that administrative PJL commands are protected by requiring the PJL password. Before running this test, the PJL password must be configured.

• Timestamp Verification: This functional test verifies that the time source used for timestamps (added to security audit log messages) is accurate. Before running this test, the Network Time Server settings must be configured.

• LDAP Settings Verification: This functional test verifies that the configured LDAP server is valid and available for LDAP Authentication. Before running this test, the LDAP sign-in method must be configured.

• Windows Settings Verification: This functional test verifies that the configured Windows Domain is valid and available for Windows Authentication. Before running this test, the Windows sign-in method must be configured.

• Device User Access Code Verification: This functional test verifies that Local Device Authentication fails when an invalid device user access code is entered.



Figure 117: Data Integrity test area shows option to set the device reference point.

Data Integrity Test: helps the customer detect unauthorized changes to the device configuration.

Before the customer can execute the Data Integrity Test, the customer must set a reference point. After a reference point is set, the customer should periodically execute the Data Integrity Test to detect unauthorized changes to the security data.

If the Data Integrity Test fails, the current security data did not match the latest reference point. In this case, the customer should contact the other administrators of the device and ask whether they have changed the device configuration since the latest reference point was set. If no administrator made such a change, the customer should investigate further to determine whether the security of the device has been compromised.

If the test passes, the current security data matches the latest reference point, and the customer has some assurance that no unauthorized changes have been made to the device configuration.



Note
A new reference point must be set whenever the device configuration is changed, in order for the Data Integrity Test to provide valid
results.




Figure 118: Shows where to set the code integrity reference point.

Code Integrity Test: helps the customer detect unauthorized changes to the executable code on the device.

Before the customer can execute the Code Integrity Test, the customer must set a reference point. After a reference point is set, the customer should periodically execute the Code Integrity Test to detect unauthorized changes to the executable code on the device.

If the Code Integrity Test fails, the current executable code in the device did not match the latest reference point. In this case, the customer should contact the other administrators of the device and ask whether they have added, removed or changed executable code in the device since the latest reference point was set. If no such changes were made by the other administrators, the customer should investigate further to determine whether the security of the device has been compromised.

If the test passes, the current executable code in the device matches the last reference point, and the customer has some assurance that no unauthorized changes have been made to the executable code in the device.

rt
Note

A new reference point must be set whenever executable code is added, removed or changed in the device in order for the Code Integrity Test to provide valid results.
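The reference-point workflow behind both the Data Integrity Test and the Code Integrity Test (set a baseline, re-check, re-baseline after an authorized change), as an added example for this lab. It is not HP's implementation: HP does not publish how the device computes or stores its reference point, so this only models the procedure the two sections describe. The configuration keys and the firmware bytes are constructed sample data.

```python
"""Reference-point integrity checking in the style of the EWS Self-Test page.

Added example for this lab, not HP's implementation. The Data Integrity Test
covers security configuration (modelled here as a dict of settings) and the
Code Integrity Test covers executable code (modelled as named byte blobs).
Both reduce to: hash each item, store the hashes as the reference point, and
on each run report which items no longer match. SECURITY_DATA and CODE_IMAGE
are constructed sample data, not values read from a device.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple, Union

Item = Union[bytes, dict, list, str, int, bool, None]


def item_digest(value: Item) -> str:
    """SHA-256 of one item: raw bytes for code, canonical JSON for settings."""
    if isinstance(value, bytes):
        data = value
    else:
        # sort_keys + compact separators: the same setting hashes the same
        # regardless of how the configuration was serialized.
        data = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class IntegrityTest:
    def __init__(self) -> None:
        self.reference: Optional[Dict[str, str]] = None

    def set_reference_point(self, items: Dict[str, Item]) -> str:
        """Record a per-item digest; returns one digest over the whole set."""
        self.reference = {name: item_digest(v) for name, v in items.items()}
        return item_digest(self.reference)

    def run(self, items: Dict[str, Item]) -> Tuple[bool, List[str]]:
        """Compare the current state against the reference point.

        Returns (passed, changed). 'changed' names every item that was added,
        removed or modified, which is what the administrator needs in order to
        ask colleagues about authorized changes before treating a failure as a
        compromise.
        """
        if self.reference is None:
            raise RuntimeError("set a reference point before running the test")
        current = {name: item_digest(v) for name, v in items.items()}
        changed = sorted(n for n in set(self.reference) | set(current)
                         if self.reference.get(n) != current.get(n))
        return (not changed), changed


# Constructed sample of the "security data" a Data Integrity Test would cover.
SECURITY_DATA: Dict[str, Item] = {
    "sign_in_method": "LDAP",
    "device_guest_permissions": [],
    "pjl_password_set": True,
    "snmp_v1v2_write_enabled": False,
    "ipsec_firewall_enabled": True,
}

# Constructed stand-in for the executable code a Code Integrity Test would cover.
CODE_IMAGE: Dict[str, Item] = {
    "firmware.bdl": b"\x7fFUTURESMART-BUNDLE-sample",
    "oxpd_app_dss.bin": b"OXPD-APP-sample",
}


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    results: Dict[str, Tuple[bool, List[str]]] = {}

    data_test = IntegrityTest()
    data_test.set_reference_point(SECURITY_DATA)
    results["data_unchanged"] = data_test.run(SECURITY_DATA)

    # Someone re-enabled SNMP writes and gave guests copy/email: the test fails
    # and names exactly those two settings.
    tampered = {**SECURITY_DATA, "snmp_v1v2_write_enabled": True,
                "device_guest_permissions": ["copy", "email"]}
    results["data_tampered"] = data_test.run(tampered)

    # If the change turns out to be authorized, a new reference point is set
    # (see the Note above); the same state then passes.
    data_test.set_reference_point(tampered)
    results["data_rebaselined"] = data_test.run(tampered)

    code_test = IntegrityTest()
    code_test.set_reference_point(CODE_IMAGE)
    modified = {**CODE_IMAGE, "firmware.bdl": b"\x7fFUTURESMART-BUNDLE-modified",
                "oxpd_app_rogue.bin": b"ROGUE"}
    results["code_modified"] = code_test.run(modified)
    return results


if __name__ == "__main__":
    for name, (passed, changed) in demo().items():
        print(f"{name:17} {'PASS' if passed else 'FAIL'} {changed}")
```

The point the two Notes make is visible in the output: the baseline is only meaningful relative to the last authorized state, so a test that passes right after an attacker's change was baselined tells you nothing, and a test run without a reference point raises rather than reporting a pass.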

6. Click the Scan/Digital Send tab in the EWS.



7. Click E-Mail Setup from the left options.



8. Scroll down to File Settings and observe the following:



PDF Encryption:

Figure 119: PDF encryption option for files.



New with FutureSmart devices, PDF encryption prompts the user for a password at the time of scan. The password serves two purposes: first, the key used to encrypt the file with 256-bit AES is derived from it; second, when the encrypted file is opened later, the reader prompts for the same password to unlock and decrypt the file. Once the correct password is provided, the file is decrypted and opened for further use.

Once a password is set, the user is responsible for keeping it in a safe place. If it is lost, HP cannot assist with password or document recovery. Note that the protection is only as strong as the password chosen: a short or guessable password can be found by trial regardless of the 256-bit key length, so users should pick passwords accordingly.



Conclusion: HP FutureSmart devices introduce a host of additional security tools. Customers can employ these additional security measures to help protect their imaging and printing investment, their printing workflows and their business.




Appendix
How to load a signed certificate into the HP Jetdirect area (for IPPS printing).
1. Within Microsoft's Internet Explorer open your MFP's Embedded Web Server (EWS) by typing the MFP's IP address as the website location: https://<your MFP's IP address>

2. Accept any certificate warnings that appear and continue to the HP MFP’s Embedded Web Server.

3. Click on the Networking tab.
4. When prompted for a login use Admin with a password of hp.

5. Under the Security area, click on Authorization.

6. In the Authorization area click on the Certificates tab.

The Certificates area opens:


7. Under the Jetdirect Certificate area click on View.



The Jetdirect Digital Certificate area opens:






Under the Extensions area note the following key usage:


Certificates carry extensions that define the purposes for which the public key in the certificate may be used (key usage and extended key usage). A relying party that checks these extensions will reject a certificate presented for a purpose it was not issued for, which gives administrators an additional control point within their PKI.



Common Key Extensions:



Extension               Purpose
Server Authentication   Certificates that server programs use to authenticate themselves to clients.
Client Authentication   Certificates that client programs use to authenticate themselves to servers.
Code Signing            Certificates associated with key pairs used to sign active content.
Secure Email            Certificates associated with key pairs used to sign email messages.
Encrypting File System  Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by EFS.
File Recovery           Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by EFS.



8. Click on OK.

9. Click Configure under the Jetdirect Certificate area.






10. Select Create Certificate Request and click Next.


The Certification Information area appears:



11. In the Common Name field enter your HP MFP's IP address. Note that current browsers match a server certificate against its Subject Alternative Name rather than the Common Name, so for production use have the issuing CA include the MFP's IP address or DNS name as a Subject Alternative Name as well; otherwise the certificate warning from step 2 will persist even with a CA-signed certificate.


12. In the Organization field enter Hewlett-Packard.




13. Click Next.

After a couple of seconds the following screen appears:


14. Select all of the text within the shaded area (the certificate signing request), right-click and select Copy to place it on your clipboard for later use.




