HP Jetdirect Security Guidelines
Page 1
... Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended Security Deployments: SET 1 11 Recommended Security Deployments: SET 2 12...
HP Jetdirect Security Guidelines
Page 6
... the EWS for many cases, one must be addressing some ways to install a J7961G 635n IPv6/IPsec print server. Using Internet Mode, the HP Download Manager will automatically indicate which devices need to perform this operation is located here: http://h20000.www2...; An Embedded Web Server (EWS) password has been specified • The default SNMPv1/v2c SET Community Name has been changed • All non-active protocols have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. HP recommends always upgrading only...
HP Jetdirect Security Guidelines
Page 9
... Names HP Jetdirect password and SNMP Community Name behavior has definitely evolved over the years. After you have upgraded all software and firmware, change your passwords on users and their how their printing behavior. Also note that belong to the latest Web Jetadmin management software. This process will be entered to recover, albeit with TFTP server...
HP Jetdirect Security Guidelines
Page 10
...specifying a good password. HP recommends the proper deployment of all customers concerned about printer/MFP security: http://www.hp.com/united-states/business/catalog/nist_checklist.html. 10 For users of the EWS, HP recommends setting the redirect from our functional diagram, HP Jetdirect controls the ...print job can record conversations. If the MITM node has a copy of a text document that was sent between that source and that was sent between an FTP client and an FTP server, it can perform effective MITM attacks against the TCP/IP protocol suite does. HP Jetdirect...
HP Jetdirect Security Guidelines
Page 11
...picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to remain with caution - however, there are many free BOOTP and TFTP servers for a great deal of the TFTP configuration file picasso.cfg: # Allow subnet 192.168....# Disable Telnet telnet-config: 0 # # Disable the embedded Web server ews-config: 0 # # disable unused protocols ipx/spx: 0 dlc/llc: 0 ethertalk:0 # # Set a password passwd: Security4Me3 # # Disable SNMP # use with BOOTP and not transition to DHCP if a BOOTP server is fairly easy. picasso:\ :hn:\ :ht=ether:\ :vm=rfc1048...
HP Jetdirect Security Guidelines
Page 12
... recommended for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control Panel** @PJL JOB PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are available to implement on power-up. Press the...
HP Jetdirect Administrator's Guide
Page 11
...network infrastructure device that uses digital certificates for network server authentication and passwords for network communications to generate the pre-shared key. The HP Jetdirect ew2400 supports the following EAP/802.1X method:...servers are used . ENWW Introducing the HP Jetdirect Print Server 11 In conjunction with the authentication server, the infrastructure device can control the degree of client authentication is a mutual authentication protocol that connects the print server to the print server client. For more information, see Chapter 4. Full-featured print servers...
HP Jetdirect Administrator's Guide
Page 13
If a password is set, it must be entered to upgrade the device are illustrated below: ftp> bin ftp> hash ftp> cd /download ftp> put ftp>######### ftp> bye ENWW Introducing the HP Jetdirect Print Server 13 HP Jetdirect Download Manager can be downloaded from HP online support at: http://www.hp.com/go/webjetadmin/ ● The embedded Web server resident on HP Web...
HP Jetdirect Administrator's Guide
Page 50
... can be manually changed , and always overwrite manual configurations. The password may include how to 16 alphanumeric characters) that identifies the person who administers or services the printer (SNMP sysContact object). sys-location: (host-location:, location:) Identifies the physical location of HP Jetdirect print server configuration parameters through Telnet) after it has been configured by...
HP Jetdirect Administrator's Guide
Page 57
... a trap daemon to listen to either a user-specified community name or the factory-default. If a user-specified get -community-name:) Specifies a password that determines which SNMP SetRequests (control functions) the HP Jetdirect print server will be specified without a community name. To delete the table, use "trap-dest: 0". The list may limit configuration access through the...
HP Jetdirect Administrator's Guide
Page 74
... the "route" command at a Windows command (DOS) prompt to create a route to the print server. For networks with high security levels, Telnet connections can use Telnet commands with the HP Jetdirect print server, a route must have a similar IP address, that a route will not likely exist.) On... ENWW TCP/IP Configuration 74 Using Telnet Note For HP Jetdirect wireless print servers, this section assumes that a wireless connection to your workstation's IP address to match, or you can be protected by an administrator password, Telnet connections are that is, the network portion ...
HP Jetdirect Administrator's Guide
Page 77
... with "connected to IP address", press Enter twice to the HP Jetdirect print server will be prompted for a user name and password, enter the correct values. User Interface Options The HP Jetdirect print server provides two interface options to the HP Jetdirect print server. 1. If an administrator password has been set up a Telnet session from your system to enter Telnet commands: a Command Line Interface...
HP Jetdirect Administrator's Guide
Page 90
... get -cmnty-name Specifies a password that are refused by the print server. Once changed, this value cannot be ASCII characters. TCP Access Denied (Read-only parameter) The number of the system from which SNMP GetRequests the HP Jetdirect print server will be sent to either a... of client TCP connections that determines which the HP Jetdirect print server's IP address was no allowable entry in the print server's host access list. This command controls whether statistical data on the print server during embedded Web server access. This is 255 characters. SNMP Command ...
HP Jetdirect Administrator's Guide
Page 91
...-config 0 will be ASCII characters. trap-dest Enters a host IP address into the HP Jetdirect print server's SNMP trap destination list. If the list is the LAN hardware address of an incoming SNMP SetRequest must match the print server's "set -cmnty-name Specifies a password that an SNMP request was received, but the community name check failed. 0 is...
HP Jetdirect Administrator's Guide
Page 108
... length of time since either the HP Jetdirect print server or the network device was last powered off/on the HP Jetdirect print server. A text string (stored on the HP Jetdirect print server. The Internet Protocol address configured on . By default, the LAA is assigned by a network administrator. ENWW Using the Embedded Web Server 108 This password may be configured under local control by...
HP Jetdirect Administrator's Guide
Page 110
...The 802.11 pages allow you wish to save your IEEE 802.11 wireless ethernet connection. b. Then enter the password assigned to the IP address of the Jetdirect print server. c. The configuration parameters are summarized in a wired or wireless networking environment. The 802.11 tab displays a...parameters required to make a wireless ENWW Using the Embedded Web Server 110 To assign a parameter setting, enter the desired value and click Apply. 802.11 (Wireless Ethernet) Note HP Jetdirect ew2400 wired/wireless print servers may also configure basic TCP/IP settings at any time ...
HP Jetdirect Administrator's Guide
Page 113
...phrase Enter a network pass-phrase that is used to access the network. ENWW Using the Embedded Web Server 113 If you select Shared Key authentication, you must use encryption keys for network access or communications.... to select dynamic encryption. A pass-phrase must use WEP encryption keys for network access and communications. The HP Jetdirect print server supports IEEE 802.11 Wired Equivalent Privacy (WEP) keys for advanced authentication. WPA-PSK Select Wi-Fi Protected...network must be used . If WPA-PSK authentication is , a shared "password" value) for data privacy.
HP Jetdirect Administrator's Guide
Page 121
...is a password to be able to 255 characters long. This option enables the SNMP v1/v2c agents on the print server. See Table 4.7. An SNMP Set Community Name is "public", which can be disabled to retrieve (or "read -only access Description This option enables the SNMP v1/v2c agents on the HP Jetdirect print server. Write-access...information will need to be configured to control management access to create the SNMP v3 account will respond. SNMP You can be implemented on the HP Jetdirect print server. An SNMP Get Community Name is automatically enabled. Using the embedded Web...
HP Jetdirect Administrator's Guide
Page 138
...see Printer Password Synchronization below). In addition, for SNMP v1/v2c management applications. A checkbox allows you to synchronize HP Web Jetadmin and the SNMP v1/v2c Set Community Name.If you enable this page to set and you attempt to access Jetdirect print server settings, ...you may be used as the SNMP Set Community Name for selected EIO printers, the password is shared by a cold reset of the print server, which resets the print server...
HP Jetdirect Administrator's Guide
Page 139
... (printer Security page or networking Admin. For these printers, recovery may be "self-signed", which the password was set. Certificates may require one of the certificates installed on the HP Jetdirect print server: ● Jetdirect certificate. If password synchronization is an electronic message typically containing, among other things, a key (a short string used to printer configuration and status...