Securing Hewlett-Packard Printers and Multi-function Devices

By default, Hewlett-Packard printers and multifunction devices are configured without administrative passwords, or may even allow unauthenticated access to data stored on the built-in hard drive. Please make sure you configure passwords on all printers and multi-function devices in your area. If you don't know the locations and capabilities of all of the devices in your area, see Locate Unmanaged Devices below. In addition, make sure printers and multi-function devices are set for deleting documents and disabling remote firmware updates.

The following instruction is a starting point to address the most significant risks associated with a default Hewlett-Packard printer and multi-function device configurations. 

How to Configure Passwords

By default, Hewlett-Packard printers and multi-function devices are configured with no password protection for the several accounts used to administer the printer and access stored data. Unless the PJL password is set, a HP multi-function device will allow a remote attacker to view faxes on the device's hard drive without authentication. Follow the instructions below to set passwords on many HP multi-function printers:

  1. Install and launch Web Jetadmin, configuring a Web Jetadmin password in the process.
  2. Follow directions on pages 11-12 of the HP Best Practices guide to select the devices you wish to configure (Ensure you are only configuring devices you are responsible for.)
  3. Disable MFP File System External Access by following directions on page 51.
  4. Configure SNMPv3 credentials, disable SNMPv1, and apply changes by following directions on page 16-21.
  5. Configure Bootloader password by following directions on page 37.
  6. Configure EWS and PJL passwords by following directions on page 39-40 and then click "Apply" in the lower right-hand corner. If the settings look correct in the Configure Devices dialog box, click Configure Devices.
  7. Configure File system password by following instructions on page 52. Apply the change as described in Step 5 above.
  8. Once you've completed the above steps for all printers in your area, we recommend that you review the entire HP Best Practices guide to provide additional security such as encrypted transmission of data, disabling unused protocols, and any other protections that are appropriate in your area.
How to Delete Documents

Setting the file system to delete documents from the disk erases files as soon as they are no longer needed. Hewlett-Packard calls this, "Secure Fast Erase." To set the Secure File Erase Mode, follow these instructions:

  1. Use Web Jetadmin.
  2. On the Config tab, choose File System.
  3. Click to select Secure File Erase Mode, and view the options in the dropdown menu.
  4. Select Secure Fast Erase.
  5. Click Apply in the lower right-hand corner. If the settings look correct in the Configure Devices dialog box, click Configure Devices.
How to Disable Remote Firmware Updates

The firmware upgrade operation updates/replaces device operating system code on Hewlett-Packard printers and multi-function devices, and is commonly referred to as a "remote firmware update" (RFU). For security reasons, RFU is an option that should only be enabled when new firmware is being loaded and should be disabled at all other times. Follow the instructions below to disable remote firmware updates on many HP multi-function printers:

  1. Use Web Jetadmin.
  2. Select the device or devices.
  3. Select the Config tab.
  4. Expand the Security section and select the Printer Firmware Update.
  5. Ensure the checkbox is selected and select the Disable radio button.
  6. Click Apply in the lower right-hand corner and follow the dialog prompts.