HP DesignJet Security White Paper (Condensed)
26 August 2022
There are lots of features and options for HP DesignJet printers which allow them to be configured or modified which, ultimately, can increase (or decrease) security in terms of the ability to block the outside world from getting in while also limiting or extending the capabilities using access levels, in terms of what employees or visitors can see or do. This is in addition to settings that can be added for increased productivity (via various advanced workflow options). This paper forms a condensed version of HP's 94 page document (link at the bottom) to help you wade through key highlights more quickly - but obviously does not in any way fully cover everything provided by HP.
While these features are very much "model dependent" (i.e. NOT all DesignJets have them), in the future we know that more and more DesignJet models will be offering these increased enhancements. The following DesignJet models currently have some (if not all) of these offerings: DesignJet T1700, Z6, Z9, T2600 and T830 MFP. The most recent additions of the T200, T600 and Studio series also include elements of increased security.
These enhancements and options are worth studying and understanding if you plan to purchase a new printer where you know that network, data and access control security are (or will be) important.
1. Configurable Protection Options
1.Disable Protocols - various protocols can be disabled if you don't plan to use them - such as preventing users from sending files via FTP or connecting through Telnet to manage the printer network settings. This can be accessed through the "Mgmt Protocols" option in the Embedded Web Servicer or the Network Enable Features in Web Jetadmin
2. SNMP Compatibility - SNMP is a protocol to get printer information and configure it. SNMPv3 is the encrypted version. When enabled, only the client application that knows the key can access the printer. This stops data being modified in the data flow and also protects and encrypts data from being accessed by a third party, it authenticates and verifies the data source, and restricts data accessible by each Network Management System. HP recommend you work with SNMPv3 and keep SNMPv1/v2 disabled if your system allows it. You can set up an account that allows a management application to access the SNMPv3 agent
3. Disable Connectivity Interfaces - depending upon the printer, some USB network interfaces can be disabled to restrict access to the printer. In others, you can install a Jetdirect card to add extra security features and you can disable the onboard Ethernet. If you amend a connectivity option the printer will automatically restart. Disabling an option could cut off network access and you cannot disable the connection you use to access the Embedded Web server
4. Control Panel Access - there are 2 modes of controlling access - "Control Panel Access Lock" and "Access Control" (model dependent). You'd need to define an admin account and password. In some models when you set the Embedded Web Server admin password, you also restrict access to some front panel features. Protected features on the front panel include: network & internet connectivity, control firmware upgrades, reset factory defaults, external Hard Disk connection and Security. If you lock the control panel and the user has lost the password, you'll need to contact HP Support as you'll be unable to reset it yourself!
- Control Panel Access Lock - enables locking of the control panel by using either HP Web Jetadmin or the printer's Embedded Web Server (dependent upon the printer). It allows the ability to specify level of access and prevent unauthorised users where you can select lock, minimum lock, moderate lock, intermediate lock or maximum lock. For example for Moderate lock (level 2) permission would deny the user access to: Connectivity App Details Access, Settings App Internet Connectivity, Settings App Connectivity Troubleshooting, IDS App Actions, Printer Information App AFU Access, Job Queue App Access, Settings App System Entry Access, Settings App FW Update. When the Intermediate or Maximum locks are set, the user won't be able to load/unload paper or replace ink/printheads without first unlocking the front panel but none of the levels locks the scan, copy or print applications
- Access Control - this function allows you to manage three roles of use (depending on the firmware) and can be found in the Setup tab under Access Control. Here you can enable the sign-in methods to the device, create/edit/delete user accounts available on the printer and set up sign-in requirements for specific tasks and restrict user access by role. Settings are Admin user, Device User and Guest user. Privileges granted can be edited in the Access Control page
5. SCL Certificates - there are 2 certificate types. (1) The Jetdirect identity certificate can be managed via the HP Jetdirect print server which identifies the Jetdirect print server as a valid web server for network clients and a valid client requesting access on a secure network. By default, the Jetdirect print server contains a self-signed, pre-installed certificate. (2) The Certificate Authority certificate can be installed and managed in the printer. The CA certificate validates the identity of the network servers such as SSL or LDAP servers secured with SSL
6. Unique Admin Password for EWS access control - HP have started to adhere to new regulatory policies in some countries specifying that governmental devices should have a non-blank default admin password and that all printer administration/configuration resources should be protected by an admin password. Currently, this is only present in the HP DesignJet T200/T600 and Studio printer series but will be rolled out to further products. The default admin password will be assigned at the manufacturing stage and be unique for every printer. This can be found on some models on the printer label and on others by using the front panel to discover the default password, via settings menu, security, administrator password (or through printer information). This password can be changed /reset but resetting will require assistance from HP for some models while others will require a factory reset
7. Embedded Web Server (EWS) access control - this facility enables direct management of devices but with no security in place anyone with a web browser and IP address of the printer can configure it. To solve this, you can implement 2 levels of access via the security page which restricts access by setting an admin user account and allows either an Administrator or Guest access. If the two levels of access have been set but you have no password then access to the EWS information will be denied. As an administrator you will be able to perform the following restricted operations: cancel/delete/preview a job in the print queue, delete a stored job, clear accounting information and configure cost assignment (in some models), change printer settings on the device setup page, access the setup tab to configure the printer, view protected printer information pages, access the customer involvement program page, access the service support. A guest user needs an account to be set up, username and password and can access restricted operations (administrators have access to all operations). A username, password and account aren't required for unrestricted operations. There are some limitations on passwords - i.e. a maximum of 16 characters and a limited set of characters are supported
8. USB drive control - all printers can be controlled in terms of USB usage - you can enable/disable the USB to print or scan and you can enable/disable the ability to upgrade the firmware via USB. These features are available in the control panel, the Embedded Web Server and Web Jetadmin
9. Jetdirect Security Wizard - this is available specifically for T9x0, T15x0, T25x0, T3500 DesignJets and enables you to configure security settings for HP Jetdirect printer server management at 3 levels (Basic, Enhanced, Custom)
10. Hide IP from Front Panel - this option is available with the aide of a HP Support Agent only and allows you to hide all IP info from the front panel to prevent people physically around the printer from obtaining the IP and connecting to it
11. IPSec - A firewall or IP Security (IPsec) enables you to control traffic to/from the device by using network-layer protocols. Either a firewall or IPSec/Firewall will appear (depending on whether IPSec is supported by the print server and device). Before enabling a firewall or IPSec policy, ensure that access to your configuration management settings is secured via an admin password so that it can't be easily disabled through Telnet, control panel menus or other management tools. A detailed description of wizard settings can be found here: https://support.hp.com/us-en/document/c00832500
12. Encrypt web communications - using a web browser and HTTPS protocol you can manage your network-connected printers but to authenticate the HP Jetdirect web server you can configure a certificate (or use the pre-installed self-signed certificate). The encryption strength specifies the strength of ciphers the web server will use for secure communications. You can configure the SSL/TLS protocols via the printer's EWS. When encryption is enabled, the web server will encrypt all web communication forcing all connections to use HTTPS. For secure environments choose to encrypt all web communications. You can choose to allow HTTP (unencrypted) as well
13. Access control list (ACL) - this list specifies the IP addresses on your network which are allowed to access the device (maximum of 10) and blocks communications from all other addresses. If empty, any system is allowed to access
14. 802.1X authentication - this relates to port-based Network Access Control and provides an authentication mechanism for devices that want to connect to a LAN. To configure initial 802.1X settings you can use an isolated LAN or direct computer connection via a cross-over cable
15. Self-encrypted Hard Disk - ensures data is auto-encrypted every time data is sent to the printer and written to the hard drive
16. Secure File Erase - this is a feature which manages how files are deleted from the printers hard disk - there are 3 security modes where the settings can be changed via Web Jetadmin, EWS and control panel (via the Service Menu with the HP support representative help) - namely: Non-secure fast erase (default), Secure Fast Erase and Secure Sanitizing Erase. The default setting is where temporary data remains on the Hard Disk until overwritten, the Secure Fast Erase is slower but the temporary job is overwritten with a fixed character pattern and the Secure Sanitizing Erase has the temporary job repeatedly overwritten to prevent any residual data, meeting the US Dept of Defence requirements. You can also set jobs to be stored in the printer queue to 0 if you don't want to store the jobs in the printer. This can be configured via the front panel/setup menu/job management setup
17. Secure Disk Erase - for each of the 2 'secure' options with Secure File Erase you can sanitise the disk and is only available with the help of an HP Support representative
18. Job storage and PIN printing - to access job storage features open printer Properties, select Printing Preferences, and click on the Job Storage tab. Here you can select 'Print and Store' for printing and allowing future reprints, 'Print and Delete' to have the job removed from the printer once printed, 'Retrieve from Front panel (Personal job)' to specify job can't be printed until released from the printers front panel - to preview it in Embedded Web Server you'll need to enter the PIN, 'Retrieve from front panel (Private job)' to specify job can't be printed until released with a PIN - once printed it is automatically removed from the printer
19. ePrint center connection - allows users to print any supported file via email and is available from the front panel and EWS - this feature can be enabled/disabled so that users are unable to remotely send items to print
2. Advanced Workflow Options*
1. Printing using LPR Protocol - this allows you to print any supported file without drivers or other programs. Jobs sent using this method will be printed with the default settings and you'll be able to manage some options using PJLs below (point 3). It can be useful to develop internal programs to manage production or develop programs for Operating Systems without a driver. This protocol is enabled in the EWS or Web Jetadmin. If you don't plan to use it, keep it disabled for security
2. Printing using FTP Protocol - As with the LPR command it can be used for developing specific tools to simplify your workflow and again allows you to print any supported file without drivers or other programs and can be used through command line or as a drag and drop system, combined with any FTB client program. It is enabled in the EWS or Web Jetadmin and should be disabled if you don't plan to use it
3. Printing with PJLs - this allows you to add and modify various print settings to a PDF file (not compatible with other files). Typical properties that are amended (not a complete list) include the following: Job Name setting, margin layouts, print quality setting, various render settings, resolution setting, media source, media destination, folding method type, auto-rotation, scale, number of copies etc
*At time of writing the advanced workflow option are available for the HP DesignJet T1700, Z6, Z9 printers
For a full overview we recommend visiting HP's website which will include more extensive information: http://h10032.www1.hp.com/ctg/Manual/c01698396
