HP Printers - Minimum security settings for products on the open Internet

Overview

Network options

Security options

Embedded Web Server options

Web Services options

Wireless options

Overview

This document provides information on the minimum security settings for the following printers on
the open internet:

HP LaserJet Enterprise printers

HP LaserJet Pro printers
HP Officejet printers
HP Officejet Pro printers
HP PageWide Enterprise printers
HP PageWide Pro printers

HP is dedicated to providing the best and latest security information available for HP printers. This
checklist is intended to help you improve printer security, particularly for printers on networks open
to the public internet.
HP printers are shipped in an un-configured state, which allows the customer to more easily
configure the printer for their network environment. However, if the printer is not properly
configured, it might be vulnerable to intruder attacks. HP strongly recommends configuring minimum
security settings for all HP printers to eliminate the majority of security exposures.

For more information about configuring HP printers in network environments or for more maximum
security recommendations, go to one of the following documents:

Best Security Practices for HP Enterprise printers and scanners (c03137192)

Best Security Practices in HP LaserJet MFP (for printers with non-FutureSmart firmware)
(c03687863)
Best Security Practices for HP PageWide Pro printers and HP Web Jetadmin (c05318850)

Recommended settings
Settings can be configured via the printer's Embedded Web Server (EWS). To access the EWS, type
the printers IP address exactly as it appears on the Configuration Page in the browser url field (e.g.
12.34.567.89) and press Enter.

note:
Security settings can also be configured with HP Web JetAdmin software and/or HP JetAdvantage
Security Manager.

The following settings are recommendations based on printer usage in TCP/IP network environments
using IPPs for printing. Adjust the settings as needed depending on the requirements of your print
environment.
 note:
Not all settings are available on all printers and the setting options will vary depending on the printer
model and firmware version installed, and therefore might be found on different tabs in the EWS.
Please refer to the User Guide for printer-specific configuration options.

Network options

Enable TCP/IP
Enable IPPs Printing
Disable 9100 Printing
Disable SLP Config
Disable LPD Printing
Disable Telnet Config
Disable FTP Printing
Disable WS-Discovery
Disable Web Services Print (unless currently in use)
Disable TFTP Configuration File
Add allowed IPv4 addresses for EWS and print to the Access Control List.

note:

If the printer is on the open internet and not configured to limit access to known IP
addresses, it is open for public access and potential abuse.

Set Encryption Strength to High

Enable HTTPS Setting to encrypt all web communication: Encrypt All Web Communication
(not including IPP)
Disable mDNS Config

note:

If you do not have DNS on your network, leave enabled.

Configure an SNMP community name and disable the default community name of Public.
Disable unused Protocol Stacks. HP recommends the following (unless currently in use):
o Disable IPX/SPX
o Disable DLC/LLC
o Disable AppleTalk/Bonjour

Security options

Set the Administrator password (Local Administrator or EWS Administrator password)

Set the PJL Security Password
Disable PJL Device Access Commands
Disable File System Page (External) Access Settings
o Disable PJL Drive Access or PJL Disk Access
o Disable PS Drive Access or PS Disk Access
Configure File System Page options
o Disable PML
o Disable NFS access
o Disable Postscript
 Disable Allow Stored Jobs on this device
Disable Remote Printer Firmware Updates

note:

This setting will need to be re-enabled anytime the printer firmware needs to be updated
remotely.

o Disable Allow firmware upgrades sent as print jobs (port 9100)

o Disable Allow installation of legacy packages signed with SHA-1 Hashing algorithm
o Disable Remote Firmware Upgrade
Disable SNMP disk access or SNMP access
Configure Secure Disk Encryption Mode (AES128 or AES256)

Embedded Web Server options

Enable Outgoing Mail

Enable Continue Button
Disable Print Service
Disable Incoming Mail
Disable Command Invoke
Disable Command Download
Disable Command Load and Execute
Secure the Information tab (if available) or disable the following settings:
o Disable Cancel Job Button
o Disable Go/Pause/Resume Button

Web Services options

Disable Web Services

o Disable HP ePrint (if enabled)
o Disable proxy services

Wireless options

Configure Wireless security (if using wireless connectivity)