This tip was submitted to the SearchWin2000.com tip exchange by member Mike Marney. Let other users know how useful...
it is by rating the tip below.
Consumers of HP software and hardware products regularly approach HP support providers for information regarding security issues. This tip attempts to address security issues related to HP JetDirect print servers, which are among the wide range of communication products that fall within the data security scope.
Here, I describe how to restrict the unauthorized use of HP JetDirect configuration utilities and the unauthorized access of JetDirect connected printers through a network, so that not all users can print to them, configure them, or have access to them. This will not address infrastructure, user/domain authentication, or operating system-specific security issues.
Many of the solutions require current firmware on the HP JetDirect print server. The variety of HP JetDirect firmware is too great to cover in this tip. Check firmware history documents written for the specific HP JetDirect print server in which you are interested.
JetDirect configuration security measures
JetDirect print servers can be configured by several different methods. For example, the IP address of a JetDirect can be configured using Telnet, JetAdmin, Web JetAdmin, DHCP, etc. The following configuration utility security measures can prevent unauthorized modification of data stored on JetDirect print servers.
A Telnet password can be written to JetDirect print server memory, which will prevent unauthorized Telnet access to the JetDirect device. This is done through the JetDirect Telnet interface by using the 'passwd' command. This password is up to 16 characters in length, case sensitive and can be saved across a power cycle. Resetting the JetDirect print server to factory defaults will erase the Telnet password.
To set the Telnet password:
- Telnet to the IP address assigned to the HP JetDirect device.
- Once connected, press ENTER twice, type "?", and press ENTER again.
- Type "passwd" at the prompt, and press ENTER.
- Enter your password.
- Type "quit" to terminate the session and to save changes and the password. NOTE: For firmware X.06.00 and above, the password needs to be typed on the password prompt line. For firmware under X.06.00, use the instructions below:
- To initiate a Telnet session to regain access to an HP JetDirect card once the password has been set: once connected, press ENTER until you are prompted: "Passwd:>"
NOTE: For firmware below X.06.00: do not type in the password at this prompt.
- Press ENTER to return to the next line, with only the ">" prompt and then enter the Telnet password assigned. You should receive the reply: "Logged in, hit two carriage returns"
- Press ENTER twice. Background Telnet is one of many utilities found in the TCP/IP protocol suite and is a systems user interface. In simple terms, it is a way to log onto one system from another system through a network. Telnet has been adapted to JetDirect print servers as a method of user interface and provides access to the device's configurable parameters. Any operating system that provides a Telnet utility path through the TCP/IP protocol can use Telnet to configure a JetDirect print server. Device password A device password can be written to JetDirect print server memory through either the JetAdmin for Windows or Web JetAdmin software utilities, or through the JetDirect's EWS (Embedded Web-Server) interface. Once this password has been saved to the JetDirect print server it must be used during any modification through JetAdmin for Windows, Web JetAdmin, or the Embedded Web-Server interface. This password is not case sensitive and is saved across a power cycle. NOTE: None of the UNIX JetAdmin software utilities use this password protection feature. UNIX JetAdmin software can only execute configuration changes when the user is logged in as root, which typically requires a password. Background Embedded Web Server (EWS) is an http connection option that is offered on all current JetDirect print servers. Most of the configurable parameters on the JetDirect print server can be accessed through EWS. EWS can be accessed through a browser by using a URL similar to this:
where ADDRESS is the IP address or IP hostname of the JetDirect print server. SNMP set community name An SNMP set community name can be stored in JetDirect print server memory and will prevent unauthorized configuration of the JetDirect via SNMP. Any SNMP utility must use this set community name before it can modify the JetDirect. Telnet, Web JetAdmin, JetAdmin, BootP/DHCP through TFTP configuration and SNMP are the methods to configure the set community name on the JetDirect print server. The set community name can be 32 characters long. Background SNMP is a protocol that is used by network management applications for monitoring and controlling network devices. HP software, such as JetAdmin or Web JetAdmin, uses SNMP to acquire information about JetDirect print servers and the printers to which they are connected. Get and Set are SNMP commands used to gather information and to configure parameters. A community name is nothing more than a password used by a network management application during Set and Get operations. Printer front panel access Locking the printer's front control panel is a physical security measure. This is important when using internal EIO/MIO JetDirect print servers because JetDirect print server settings can be configured from the printer's front control panel. Printer control panel access can also be locked through JetAdmin or Web JetAdmin software utilities. See printer specific documentation regarding front panel access control. HP JetDirect print server access control Limiting network access to JetDirect print servers is a positive step when implementing device/printer security. A few rules should be followed to ensure both use and configuration security. Again, this tip does not address general network security practices that should always be considered when working in sensitive environments. Firmware Always keep the firmware on the JetDirect print server at the latest revision level as firmware is enhanced, or revised performance and security issues are proactively addressed. Firmware updates are a best practice in security measures. Limit protocol access Always disable unused protocols on JetDirect print servers. An unused protocol could be considered a back door for unauthorized use and configuration. Protocols on JetDirect print servers can be disabled and enabled through telnet, JetAdmin, Web JetAdmin, the Embedded Web Server, or through the printer's front control panel. Allow list created through TFTP An allow list can be stored in JetDirect print server memory using BootP or DHCP. The JetDirect print server will only accept a TCP connection request from an IP address designated within the allow list. A TFTP configuration file must be created and used with BootP or DHCP to configure the allow list on the JetDirect. This TFTP file may also include Telnet-disable and the use of authentication traps to track unauthorized use of the device. Please refer to the particular operating system's documentation about BootP or DHCP implementation and TFTP configuration. Below is sample TFTP configuration file:
The # symbol denotes a remark and is not included in the file.
# HP JetDirect TFTP Configuration File
# Allow only Subnet 192.168.0 access to peripherals
# A total of four allow entries can be written through tftp
# A total of ten allow entries can be written through SNMP
# Allow may also include single IP addresses
allow: 192.168.0.0 255.255.0.0
# Disable Telnet
# Detect SNMP unauthorized usage
# Send Traps to 188.8.131.52
# Specify set community name
# End of file NOTE: An allow list and an SNMP set community name used together will restrict unauthorized configuration of HP JetDirect print servers using SNMP over IP and restrict unauthorized TCP/IP print connections. Background TCP (Transmission Control Protocol) is connection-based communication used with IP (Internet Protocol) to send data between computers over a network. IP print jobs sent to JetDirect print servers use TCP and therefore establish a node-to-node connection. The connection is established for the duration of the print job and closed after the job is completed. TCP will deny a connection request from any node not in the allow-list when that list has been established on a JetDirect print server Allow List created through Telnet The HP JetDirect print server with firmware of x.08.06 supports the ability to limit the access to the printer by creating an allow list in a telnet session. This list contains the IP address of the machines that are allowed to access the printer either through a telnet session or printing. The maximum number of IP addresses in the access list is ten. To set up an allow list using telnet type:
allow: ip address
NOTE: This will enter the IP address with a subnet mask of 255.255.255.255. Do not change this unless you want to allow access by an entire specific subnet. For example, if the subnet mask is changed to a specified address (e.g., 255.255.100.0), everyone on that subnet mask will have access to the printer even though you have specified only one IP address. To display the allow list type:
(this will show all the IP addresses with a subnet mask of 255.255.255.255) To clear the allow list type:
NOTE: An allow list and an SNMP set community name used together will restrict unauthorized configuration of HP JetDirect print servers using SNMP over IP and restrict unauthorized TCP/IP print connections.