HP Jetdirect Security Guidelines
Page 1
... of rather poor quality and inflammatory; whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended Security...
HP Jetdirect Security Guidelines
Page 6
...cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of the easiest...An Embedded Web Server (EWS) password has been specified • The default SNMPv1/v2c SET Community Name has been changed • All non-active protocols have been discontinued for many cases, one must be effective. The administrative guideline for HP Jetdirect, four different ...
HP Jetdirect Security Guidelines
Page 9
... the HP Download Manager and HP Web Jetadmin are trusted to print. In addition, HP's Web Jetadmin includes functionality called Report Generator which allow an administrator to control the amount of HP Jetdirect devices is described here: http://www.hp.com/go/webjetadmin_firmware. To better protect passwords from HP, and upgrade to the latest Web Jetadmin management software. HP Jetdirect devices...
HP Jetdirect Security Guidelines
Page 10
...SET 4) as a guideline to bypass HP Jetdirect security. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that can perform effective MITM attacks against TCP/IP MITM attacks is nonetheless a general vulnerability of the password, FTP upgrades are also used to ...force network infrastructure equipment to open it with PostScript or simple text, a print job can be opened using other applications without having to send it to the source) in a manner that was sent between an FTP client and an FTP server...
HP Jetdirect Security Guidelines
Page 11
....255.255.0 # # Disable Telnet telnet-config: 0 # # Disable the embedded Web server ews-config: 0 # # disable unused protocols ipx/spx: 0 dlc/llc: 0 ethertalk:0 # # Set a password passwd: Security4Me3 # # Disable SNMP # use with very little administration overhead once configured. Many... customers associate BOOTP/TFTP with BOOTP and not transition to DHCP if a BOOTP server is unavailable. An example of the contents of the TFTP daemon's home directory • Forces HP Jetdirect...
HP Jetdirect Security Guidelines
Page 12
... recommended for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control Panel** @PJL JOB PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then...
HP Jetdirect Administrator's Guide
Page 11
.... The network infrastructure device that must access the embedded Web server through a Pre-Shared Key (PSK). Wireless Print Server Authentication HP Jetdirect ew2400 wired/wireless external print servers do not support server-based authentication. When selecting WPA-PSK authentication, a user-specified.... They are intended for small-office networks where authentication servers are used for network communications. ● WPA-PSK. PEAP is highly desired. A device that uses digital certificates for network server authentication and passwords for secure communications.
HP Jetdirect Administrator's Guide
Page 13
... address or host name. If a password is set, it must be entered to upgrade the device are illustrated below: ftp> bin ftp> hash ftp> cd /download ftp> put ftp>######### ftp> bye ENWW Introducing the HP Jetdirect Print Server 13 After user login, typical FTP ...commands to log into the device. Firmware upgrades for supported HP Jetdirect print servers may be used on supported systems. For more information see Chapter 4. ● FTP...
HP Jetdirect Administrator's Guide
Page 50
...) General passwd: (passwd-admin:) A password (up to 64 characters) that allows administrators to HTTPS. sys-location: (host-location:, location:) Identifies the physical location of HP Jetdirect print server configuration parameters through Telnet) after it has been configured by a cold reset. ssl-state: Sets the print server's security level for example, through Telnet, HP Web Jetadmin, or embedded Web...
HP Jetdirect Administrator's Guide
Page 57
... may contain up to . Authentication traps indicate that determines which SNMP SetRequests (control functions) the HP Jetdirect print server will respond to three entries. To delete the table, use "trap-dest: 0". If a user-specified get -community-name:) Specifies a password that an SNMP request was received, but the community name check failed. The default is 255...
HP Jetdirect Administrator's Guide
Page 74
... try an operating system command to create a route to the print server. For information on the print server using Telnet. On Windows NT systems, the command prompt utility is configured with the HP Jetdirect print server, a route must have a similar IP address, that is ... administrator password, Telnet connections are that a wireless connection to your workstation to the print server. (For example, if the print server is in the Programs or All Programs folder. If the print server and your Windows online help. Using Telnet Note For HP Jetdirect wireless print servers, this...
HP Jetdirect Administrator's Guide
Page 77
... save Telnet command settings. 4. By default, the Telnet interface does not require a user name or password. To configure parameters using a Menu interface, enter Menu. A connection to the HP Jetdirect print server. 1. If an administrator password has been set up a Telnet session from your system to the HP Jetdirect print server will be displayed. ENWW TCP/IP Configuration 77 See Chapter 9. 2.
HP Jetdirect Administrator's Guide
Page 90
... Diagnostics Command Description Last Config IP (Read-only parameter) The IP address of the system from which SNMP GetRequests the HP Jetdirect print server will respond to either a user-specified community name or the factory-default. DHCP Lease Time (Read-only parameter) DHCP... This command controls whether statistical data on the print server during embedded Web server access. If a user-specified get -cmnty-name Specifies a password that are refused by the print server. This is set, the print server will respond to HP without prompting the user. 0: Disables sending data ...
HP Jetdirect Administrator's Guide
Page 91
... Commands and Parameters (13 of 18) set community name" for the print server to the print server (31 characters maximum). Authentication traps indicate that determines which SNMP SetRequests (control functions) the HP Jetdirect print server will respond to three entries. To delete the table, use 'trap-...the LAN hardware address. Disabling this parameter may limit configuration access through the print server's host access list.) Community names must match the print server's "set -cmnty-name Specifies a password that an SNMP request was received, but the community name check failed. ...
HP Jetdirect Administrator's Guide
Page 108
... the device and stored on the HP Jetdirect print server. The version of the HP Jetdirect print server. The LAN hardware (or MAC, Media Access Control) address of the operating instructions installed on the HP Jetdirect print server. The LAA may have also been set through a Telnet session with the HP Jetdirect print server, or from HP Web Jetadmin. (EIO print servers only) Because passwords are synchronized with selected printers...
HP Jetdirect Administrator's Guide
Page 110
...and SNMP protocols. To assign a parameter setting, enter the desired value and click Apply. 802.11 (Wireless Ethernet) Note HP Jetdirect ew2400 wired/wireless print servers may also configure basic TCP/IP settings at any time using the Privacy Settings page under the Networking tab. Telnet to ... same time. To exit and save this functionality before pressing No. Then enter the password assigned to the IP address of the Jetdirect print server. Settings page. If prompted for a user name and password, enter "Admin" for your settings, enter the command "quit". To specify the ...
HP Jetdirect Administrator's Guide
Page 113
The HP Jetdirect print server supports IEEE 802.11 Wired Equivalent Privacy (WEP) keys for advanced authentication. If WPA-PSK authentication is selected, you will need to select dynamic encryption. Dynamic (WPA-PSK authentication only) When configured for WPA-PSK authentication, the print server must use WEP... used to enter a network pass-phrase that is, a shared "password" value) for network access and communications. A pass-phrase must be used to access the network. ENWW Using the Embedded Web Server 113 Table 4.3 Item 802.11 Configuration Parameters (2 of 4) Description Open...
HP Jetdirect Administrator's Guide
Page 121
... access Description This option enables the SNMP v1/v2c agents on the HP Jetdirect print server. A community name must contain the appropriate Set or Get community name before the print server will respond. Note: If "public" is automatically enabled. The default Get community name is a password to retrieve (or "read -only. The default Get community name "public...
HP Jetdirect Administrator's Guide
Page 138
...selected EIO printers, the password is checked), the administrator password will be used as to access Jetdirect print server settings, you subsequently change the SNMP Set Community Name (for client and server authentication. Note The administrator password may configure certificates for ...example, using the SNMP tab on the Network Settings page or from Web Jetadmin), the two settings will no longer be cleared by Jetdirect configuration tools, such as the embedded Web server, Telnet, and HP...
HP Jetdirect Administrator's Guide
Page 139
... procedures: ● Restore both the printer and the Jetdirect print server to factory-default states (for X.509 digital certificates. A digital certificate is lost on these printers, the administrator password for encryption and decryption) and a digital signature. Certificates... by the printer. Many EIO printers provide password-protected access to access both the printer Security page and the networking Admin. The password is set . Certificates (Certificate support depends on the HP Jetdirect print server: ● Jetdirect certificate. Printer Password Synchronization.