Basic Steps for Securing HP MFDs

Hewlett-Packard Multi-Function Devices (MFDs) arrive with all protocols enabled by default and with all device passwords set to blank. This document contains information on how to implement basic security restrictions. This is not an exhaustive document, and those who wish to secure their printers beyond basic security should refer to HP's document on the topic.

Six basic steps for securing an HP MFD

  1. Set the EWS (Embedded Web Server) password
  2. Change the SNMP Set Community name from Public
  3. Set the PJL password (This step requires Web Jetadmin in many older systems)
  4. Delete documents after printing
  5. Turn off unused protocols
  6. Set a Moderate Lock on the control panel

Aside from Step Three, all of the above can be accomplished using only the Embedded Web Server, accessed by pointing your browser at the printer's IP address or DNS name. However, since setting the PJL password is considered a vital step, instructions for doing all six steps via Web Jetadmin are included below.

Additional information

Web Jetadmin is an HP application that will allow you to manage your HP devices. While it can scan and recognize other printers, it is only able to manage HP devices. HP recommends installing Web Jetadmin on the following operating systems:

  • Microsoft Windows Server 2008 (R2 or 64-bit edition)
  • Microsoft Windows Server 2003 SP2 or later (64-bit edition)
  • Microsoft Windows 7 (64-bit edition)

Minimum requirements

Although you can use the following operating systems, HP does not recommend using them for production installations. HP does not test HP Web Jetadmin on these operating systems and does not guarantee the results.

  • Microsoft Vista Business Edition
  • Microsoft Windows XP Professional SP3 or later
  • .Net Framework 3.5 Service Pack 1 or greater (available from Microsoft)
  • Windows Installer 4.5 (also available from Microsoft)
  • 2GB of RAM
  • 4GB storage
  • SQL Server Express (which Web Jetadmin will install automatically; alternatively, you can point it at an MSSQL server)
  • Internet Explorer 6 or greater

More details are available in Hewlett-Packard's Web Jetadmin Installation and Setup Guide.

Configuring EWS, Control Panel, SNMP, and the PJL Password

  1. After installing, scan your subnet. Web Jetadmin will ask you to do so immediately after installation. Otherwise, select "Discover devices on my network" from the Common Tasks bar at the right, select IP broadcast and IP range, then enter your IP range.
  2. Select the device to remediate. Right-click, select Configuration, then Configure devices.
  3. Select the Security section.
  4. Under the Embedded Web Server Password section, enter and confirm a password. This must be between 8 and 16 characters.
  5. In the Control Panel Access section, select Moderate Lock.
  6. Under SNMP Version Access Control, set a community name in the Set Community Name field.
  7. Select the PJL Password section, then enter and confirm a password. Unless you have already set this, the Current PJL Password will be blank. The password must be numerical and between 111111111 and 2147483647.

Turning Off Unused Protocols

Each organization considers different protocols necessary. It is advisable to disable all protocols not necessary for printing within your organization. The best approach is to disable features incrementally until you find you are disabling features you want. Secure those, and leave the rest disabled.

  1. In Web Jetadmin's Configure Devices, select Network for the devices you are configuring.
  2. De-select features that are unnecessary in your environment. Telnet Config and FTP Printing are particular sources of vulnerabilities, though FTP Printing may need to be enabled on occasion to perform device firmware modifications.
  3. Make sure that the Encrypt all web communication option is set to Enabled.

As mentioned earlier, most of the security precautions can be enabled via the Embedded Web Server. Web Jetadmin should still be used to secure the PJL password, but these instructions can be followed in circumstances where Web Jetadmin is not yet available.

  1. Load the printer's management page by entering its address or IP into a web browser.
  2. Log in via the link in the top-right corner. The username is either admin or blank, and the password is blank unless it has been set otherwise.
  3. Select the Settings tab, then select Security.
  4. Under the Device Security Settings section click Configure.
  5. Under the Device Password setting, select an EWS password, which must be between 8 and 16 characters.
  6. Under the PJL Password setting, select a numerical password between 111111111 and 2147483647.
  7. Under the Control Panel Access Lock section, select a Control Panel security level of at least Moderate Menu Lock.
  8. In the Settings menu, select Configure Device, then select the Initial Setup, Networking and I/O, and then Embedded Jetdirect drop-downs.
  9. In this menu, set any un-needed protocols to disabled.
  10. Select the Networking tab at the top of the page, then select Network Settings.
  11. In the SNMP tab, either Disable SNMP, or set the Community Name to something other than Public.
  12. Turn off unused protocols
  13. Change the SNMP Set Community name from Public
Date Posted: April 18, 2013 Tags: Security, Multi Function, Printer, Provider Resource