|
Name |
HP
LaserJet 4345 MFP Security Checklist |
|
Version |
Version
1 |
|
Status |
Final |
| Creation
Date |
2005-10-01 |
| Revision
Date |
2005-10-10 |
| Product
Category |
Multi-Functional
Peripheral |
| Vendor |
The
Hewlett Packard Company |
| Product |
HP
LaserJet 4345 MFP |
| Product
Version |
HP
LaserJet 4345 MFP Firmware Version 20050607
09.022.3
HP Jetdirect Inside Firmware Version V.28.54.FF
HP Web Jetadmin Peripheral Management Software
Version 7.8 with Service Pack 3 Plug In and
HP LaserJet 4345 MFP Plug In |
| Product
Role |
HP
LaserJet 4345 MFPs provide the following services
over the network: Print, Copy, Fax, Digital
Send to Email, and Digital Send to Network Folder |
|
Checklist
Summary |
The
HP LaserJet 4345 MFP Security Checklist provides
instructions to configure HP LaserJet 4345
MFPs for recommended network security settings.
The checklist relies on HP Web Jetadmin Peripheral
Management Software for most of the settings,
but covers some settings in the MFP Embedded
Web Server (a web page that is part of the
MFP firmware to provide remote network access
to status and settings). The checklist also
assumes that readers are trained in standard
network administration practices.
The
HP LaserJet 4345 MFP Security Checklist includes
a threat model section that explains the types
of security threats an enterprise network
that includes an MFP might face. It uses the
Microsoft STRIDE model to explain the threat
model.
After
the Threat Model section, the checklist covers
recommended settings in the MFP EWS. Most
of the recommended settings are covered in
the Web Jetadmin Settings section, but a few
should be configured in the EWS. The Web Jetadmin
section covers most settings in the checklist.
Following
the Web Jetadmin Settings section, the Settings
List section literally provides a checklist
of the settings including checkboxes to provide
a succinct list of the settings. The checklist
continues with the Physical Security section
explaining security for the physical location
of the MFP.
Following
the Physical Security section, the Ramifications
section explains the known implications and
effects of each setting on the MFP and on
the enterprise environment. It is meant to
alert users to the intent of each recommended
setting to give readers information to make
decisions about their networks.
HP
requires the configuration presented in the
checklist to consider HP LaserJet 4345 MFPs
as configured for security; however, HP does
not guarantee or warrant that the HP LaserJet
4345 MFP Security Checklist provides assurance
that MFPs are resistant to network security
compromises. Administrators should use the
checklist as a reference toward best practices
to help improve overall security.
|
| Known
Issues |
Some
settings in the HP LaserJet 4345 MFP Security
Checklist do not apply to all networks. The
HP LaserJet 4345 MFP Security Checklist recommends
disabling many network services and access
points. Administrators should consider the
applications and tools that are installed
on their networks and configure the MFPs accordingly.
For instance, if a network includes certain
Novell services, the administrator should
not disable MFP features and access points
for Novell.
The configurations recommended in the HP LaserJet
4345 Security Checklist are compatible as
tested in the assumed network environment
(see the Assumptions Section in the checklist),
but they may cause unexpected problems in
other environments. Administrators should
test the configuration settings in their network
environments to ensure that they are compatible.
The
settings recommended in the checklist should
be configured in the order in which they appear
in the checklist. Many of the settings depend
on other settings for successful configuration.
The
HP LaserJet 4345 MFP Security Checklist is
created for enterprise environments, but most
or all of it applies to other types of environments.
Administrators should consider their network
environments while making decisions on the
recommended settings.
The
HP LaserJet 4345 MFP Security Checklist is
created to cover only HP LaserJet 4345 MFPs;
however, many of the recommended settings
are applicable to other HP MFPs or printers.
This is true especially regarding settings
available in Web Jetadmin.
- While many of the settings that appear in
the checklist EWS Settings section are also
available in Web Jetadmin, you should configure
them only in the EWS. The combination of settings
suggested in the checklist requires that these
settings are not configured in Web Jetadmin.
- Execute configurations in order - The configurations
in the checklist are tested for success in
the order in which they appear. Lab tests
have failed when the configurations are executed
out of the order in which they appear. Many
of the configurations depend on other configurations
for availability. For instance, it is not
possible to set Secure Erase configurations
before configuring the File System password.
Be sure to follow the checklist exactly as
it is presented.
- SNMPv3 configuration on multiple MFPs: Web
Jetadmin can configure SNMPv3 on multiple
MFPs, but it is successful only when the SNMPv3
configuration is executed alone. If other
configurations are applied with changes to
the SNMPv3 configuration, the configuration
fails. Follow the checklist instructions to
apply the SNMPv3 configuration by itself.
|
| Target
Audience |
The
HP LaserJet 4345 MFP Security Checklist is for
administrators who use Web Jetadmin to configure
MFPs on enterprise networks. Administrators
should be familiar with general standards and
practices for using HP printers connected via
HP Jetdirect. Administrators should also be
familiar with the use of HP Web Jetadmin for
managing HP printers (or MFPs) over network
connections. Administrators should also have
access to MFP and Web Jetadmin user guides.
The user guides are available online by searching
for them by product at HP.com. |
| Target
Operational Environment |
The
HP LaserJet 4345 MFP Security Checklist is written
as though an enterprise network environment
includes one or more HP LaserJet 4345 MFPs,
a PC running Web Jetadmin with access to the
MFPs, and hardware necessary to have a network
(TCP/IP or similar). Administrators should consider
the additional tools, applications, and services
that are on the network when configuring MFPs
according to this checklist. Administrators
should also test their networks with these configurations
to ensure that the MFPs behave as expected. |
| Checklist
Installation Tools |
The
HP LaserJet 4345 MFP Security Checklist provides
instructions for configuring all possible settings
using Web Jetadmin; however, it includes some
recommended settings that are available only
using the MFP Embedded Web Server. The MFP Embedded
Web Server is a web-based tool that provides
alerts, status, and settings directly for the
MFP. The Embedded Web Server is part of the
MFP, and it is accessible from the network using
any standard web browser via HP Jetdirect. The
checklist provides instructions for settings
in Web Jetadmin and for settings in the EWS.
It shows screenshots of many of these settings
as they appear in Microsoft® Internet Explorer. |
| Rollback
Capability |
All
settings recommended in the HP LaserJet 4345
MFP Security Checklist go directly on the MFP.
Thus, all settings can be rolled back by resetting
the MFP to factory default settings. The process
for resetting MFPs to factory default settings
is simple, but it is not covered in this checklist.
Administrators should contact HP Customer Care
for help with resetting MFPs. |
| Testing
Information |
HP
tested the HP LaserJet 4345 MFP Security Checklist
on systems that meet the descriptions in the
checklist Assumptions section. Testing included
the following:
1. Start with an HP LaserJet 4345 MFP reset
to factory default settings and connected to
a TCP/IP network with LDAP, DHCP, DNS, WINS,
and standard network hardware.
2. Upgrade MFP firmware and Jetdirect firmware
to the latest versions available at hp.com.
3. Install the latest version of HP Web Jetadmin
available at hp.com onto a network-connected
PC.
4. Update Web Jetadmin with the latest plug
in for HP LaserJet 4345 MFP and with the latest
service pack (service pack 3). If a major upgrade
to Web Jetadmin is released, the HP LaserJet
4345 MFP Security Checklist may not reflect
the new configuration options.
5. Follow the checklist instructions in the
order they appear, and configure all recommended
settings.
6. Log in using the MFP control panel, and use
the MFP to make a copy.
7. Log in using the MFP control panel, and send
a document to email (assuming that you configured
the MFP for Send to Email).
8. Send a print job to the MFP from a network
PC. |
| NIAP/CMVP
Status |
The
HP LaserJet 4345 MFP Security Checklist is submitted
to NIST. Some features of the MFP are submitted
for Common Criteria Certification with the assumption
that the MFP is configured according to the
HP LaserJet 4345 MFP Security Checklist. |
| Regulatory
Compliance |
N/A. |
Comments,
Warnings, Disclaimer, Miscellaneous
|
The
HP LaserJet 4345 MFP Security Checklist provides
instructions to configure HP LaserJet MFPs
for security on enterprise networks. Although
many of the recommended settings are applicable
to smaller networks and even to other MFPs
or printers, this checklist does not expressly
cover them. Administrators should be qualified
and trained IT professionals who understand
the implications of these settings and configure
their networks accordingly.
The
recommended configurations in this checklist
are known to be compatible only on TCP/IP
networks with PCs and hardware necessary to
have a network. Administrators should test
their networks after configuring MFPs for
this checklist. Use the test procedure above
in the Testing Information section.
The
configurations recommended in this checklist
are known to be compatible only when executed
in the order in which they are presented in
the checklist. Many of the settings recommended
in this checklist can cause some network applications,
management tools, and services to lose access.
Consider each setting as it relates to your
network. See the Ramifications section of
the checklist for known effects on some networks.
|
| Disclaimer |
HP
does not claim that using the HP LaserJet 4345
MFP Security Checklist prevents or inhibits
misuse or attacks on networks or on HP products.
Use this checklist at your own risk as a reference
toward best practices for security. |
| Product
Support |
Use
of the HP LaserJet 4345 MFP Security Checklist
does not void the product warranty; however,
HP does not accept responsibility for networking
issues. For help with MFP configurations, contact
HP Customer Care. You can find contact information
for HP Customer Care by searching for it at
hp.com. |
| Submitting
Organization/Authors |
The
HP LaserJet 4345 MFP Security Checklist is
produced by HP. The following personnel provided
significant contributions to this checklist:
- Jon Huber, technical lead and project engineer
- David Weber, researcher, test technician, and technical writer
- Chris Oates, test engineer, test technician
- Jerry Colunga, test engineer, test technician
- Matt Young, technical expert, lead engineer
Many others provided information and review
for the checklist. HP thanks everyone who
participated in this effort.
|
| Point
of Contact |
Contact
Jon Huber with review comments or questions
about the content of HP LaserJet 4345 MFP Security
Checklist at the following address:
jont.huber@hp.com |
| Sponsor |
|
| Licensing |
The
HP LaserJet 4345 MFP Security Checklist is property
of the Hewlett Packard Company. Copyrighted
2005. It is distributed through the NIST checklist
program free of charge; however, no person is
authorized to alter, publish, or change any
part of the checklist without express written
permission from the Hewlett Packard Company. |
| Checklist
Homepage |
http://www.hp.com/united-states/business/catalog/nist_checklist.html
|
| Download
Package |
http://www.hp.com/united-states/business/catalog/nist_checklist.html
|
| Integrity |
SHA1 Digest (415204.pdf) = b1b9b86c137d7a913b128ddd721f875940ad37a9
SHA256 Digest (415204.pdf) = 84126a885023a1934d63c820e08df4c7c0a2a80339cd84716d9e16635db6876c |
| Change
History |
Version
1.0, 2005-10-10
|
| Dependency/Requirement |
N/A. |
| References |
N/A. |
| NIST
Identifier |
1087 |