Security Manager Technical Training
Trademark credits
Windows® is a U.S. registered trademark of Microsoft Corporation.
Edited on: January 2019
Supporting Videos
How to use this training:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNca14d29e-0460-4ee6-937f-9fb068f38c9e
Task 1: Installing HP SM
Preparation / Objectives
The instructions included in this training prepare you to install HP SM on any of the supported operating
systems. For this training we are using Windows 10 Enterprise (in a Virtual Machine) and a new local SQL
Express 2014 installation which is bundled as part of the default installation package. These options are
typically fine in a demonstration environment or for an SMB customer where server licensing can be a problem.
If you are installing in an enterprise network, it is preferable to install HP SM on a computer with a Windows
Server operating system for maximum availability. Please refer to the installation documentation, especially if
you are using a dedicated SQL server instance. As always, it is a best practice to make sure your operating
system (OS) is updated after any Windows features have been added or removed.
If you are installing on a different solution, please refer to the specific information for your system in the
documentation to complete the setup for another Windows version or if using a dedicated SQL server instance.
In this task we’ll be using the following two documents. These documents provide the information necessary to
install HP SM on either a Windows client or server operating system.
• HP SM installation and setup guide: http://h10032.www1.hp.com/ctg/Manual/c03564723
• Using Microsoft® SQL Server whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04635799
Supporting Videos
Downloading from the software kiosk:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNb1a500c3-70fb-4448-9aa4-07f03c6e7865
Server Sizing:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNc2f2994a-8ad7-4228-a859-7c7eaba97ed6
Installing Prerequisites:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN0f9eb74a-7d8a-4e3b-aa99-1da20c92cb81
Install Pre-requisites
The prerequisites for HP SM are straightforward and the installation guide does a good job of identifying what is
required by the user and what is handled automatically through the installer.
NOTE: An internet connection is required for downloading the .Net 3.5 framework on some operating
systems.
1. Open the documents referenced in the preparation section.
2. Review Chapter 1 in the HP SM Installation and Setup guide. Return to this guide before installing any
prerequisites and review the information below:
a) Install the prerequisites including the Microsoft .Net 3.5 Framework and IIS configuration.
b) Make sure your Windows 10 operating system is connected to the Internet to install .Net 3.5.
i. In Programs and Features on the Control Panel, click the Turn Windows features on or off
option.
ii. Select the .Net Framework 3.5 feature, and then click OK.
The installation takes place automatically.
Figure: Net framework 3.5 option checked
3. Please follow the instructions for IIS contained in the HP SM installation and setup guide.
4. If you are using a Virtual Machine, now would be a great time to create a snapshot of your environment.
5. Run the HP SM installer file to install the remaining prerequisites then return to this guide.
Install HP SM
With the prerequisites met, installing HP SM is simple: you can accept the defaults by clicking the Next
button until installation is complete. For most SMB installations, POC installations or demo rooms, the default
MS SQL 2014 Express database installation that is bundled with HP SM will be sufficient.
If the customer has a dedicated MS SQL database server, you should install the production database on that server.
Steps to install HP SM
1. With the prerequisites installed we are ready to continue the installation.
Make sure to review the following information:
• Review Chapter 2 in the HP SM installation and setup guide.
• Review the SQL Server whitepaper for additional installation considerations including the
proper number of HP SM servers an organization should use.
NOTE: Benchmarking shows approximately 1,500 devices can be remediated per hour or about 36,000
devices per day.
2. Follow the appropriate steps to configure HP SM with the database and webserver.
Task 2: Launching HP SM and General Configuration
Preparation/Objectives
The interface for HP SM runs on IIS and opens in a web browser. This means that any computer on the network
can access the interface and configure policies. To leverage the full power of HP SM you will need to license your
installation. Automated output allows you to send messages to administrators and you can also secure who has
access to which parts of HP SM.
To complete this task, you need to have a successfully installed instance of HP SM. You will need a shortcut to
the HP SM web interface or you will need the URL to the website where HP SM is installed.
At the end of this task you should have completed the following:
• Reviewed and installed a license, if you have received one.
• Configured automated output.
• Secured HP SM (optional task).
NOTE: We are not setting up Instant-On at this stage. The Instant-On feature requires selecting a
security policy and we will not create a security policy until Task 3.
In this task we’ll be using the following four documents:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Licensing whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04677865
• Automation Output Feature whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04686128
• Securing HP SM whitepaper: (optional) http://h10032.www1.hp.com/ctg/Manual/c03601734
Supporting Videos
Licensing:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNd45d4913-0ccf-4252-a8be-9a6fef4a62c
Domain credentials, Gmail accounts, or custom hosted email information can be added to these fields
to send the messages.
NOTE: Make sure you test your email settings.
Task 3 – Create a policy
Preparation
To complete this task, you need to have a successfully installed instance of HP SM. You should have HP SM
open and on the Policy page. We will be configuring the HP Base Policy. While this is fine for training purposes
and walking through the steps to validate a policy, you should refrain from using the built-in policies as much
as possible. The Base Policy has been known to cause contention with some HP solutions. If the customer has a
current network attached peripheral or multifunction printer policy in place, you should do your best to map
those requirements to settings in HP SM. The built-in policies are valuable when using HP SM in a sales
engagement to get a snapshot of the security status of the customer’s current environment.
In this task we’ll be using the following two documents:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Policy Editor Settings whitepaper: http://h10032.www1.hp.com/ctg/Manual/c03602120
Supporting Videos
Policy Templates:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN133a8c12-a236-4beb-acf3-6160f0d30f17
Policy help and validation:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNc137c5c7-b384-4a6d-98f2-9ea744b4a067
Creating a policy
Steps to create a policy
1. Download and review the User Guide. Review the “Create a security policy” section of Chapter 4.
2. Download and review the Policy Editor Settings whitepaper.
3. Follow the instructions on creating a policy from the User Guide and create a new HP Base Policy.
4. Follow the recommendations on the Policy Editor to validate the policy. Use the instructions in the User
Guide and the Policy Editor Settings whitepaper as a reference to answer your questions regarding
policy creation.
NOTE: You should never just select a built-in policy because it is available. All policies should be
customized by discovering the customer’s security requirements and building a policy that fulfills their
needs.
Create a custom policy (optional)
Steps to create a custom policy
This optional task helps reinforce creating a custom policy. We’ll use the blank policy editor to create a custom
policy with some simple settings to help familiarize you with them and how to set them.
1. Create a new policy called MyTestPolicy using the Blank Policy template.
2. On the Authentication page, select the Credentials tab and click to enable the Admin (EWS) Password.
Set the password length to 0, choose hp as the password, and then turn off Password Complexity and
account lockout.
3. Click the Device Control page and click the External Connections tab. Click the check box to enable Host
USB Plug and Play for remediation. Make sure that Host USB Plug and Play is disabled.
4. Click the Printing page. Click the check box to enable File Transfer Protocol for remediation. Make sure
File Transfer Protocol is disabled.
5. Click the Digital Services page, and then select the Fax tab. Click the check box to enable Send Fax
remediation. Change the Severity to High.
6. Click the Network Security page, and then click the Web tab. Click to check the Require HTTPS Redirect
tab. Set the Severity to High and ensure Require HTTPS Redirect is set to enabled.
7. Click the Validate button to make sure your policy is valid. If there are any errors, correct the errors until
your policy is valid then save your policy.
This optional task helps reinforce creating a policy based on a customer’s Multifunction device (MFD) checklist.
In HP, we would call this a multifunction printer (MFP) checklist.
Appendix A has a checklist found from performing an internet search on MFD checklists. It is from a university in
the United States. Please do your best to match the checklist to HP Security Manager policy items. When you
are complete, compare your findings with the policy in Appendix B.
Task 4- Adding Devices
Preparation/Objectives
It is great to have a policy in place, but even better to apply those policies to the devices in your fleet. The
Devices page allows you to group your printers so the appropriate policy can be applied to each group. For
example, you may have more strict security restrictions on the printers that are in the marketing department
than you have in your IT department since IT may have non-standard printing requirements. You can quickly
create a policy for each department and apply it to the printers in their group.
To complete this task, you need to have a successfully installed instance of HP SM. You will need to be on the
Devices page of HP SM. At the end of this task you should have completed the following:
• Created groups with unique settings
• Added devices to groups using an IP range
• Edited / removed devices
Note: We are not setting up Instant-On at this stage. The Instant-On feature is beneficial when groups
have been created, and certain policies can be added to each group. Setting up groups and adding
devices before setting up Instant-On maintains user control on assessments and remediation.
In this task we’ll be using the following three sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Adding and Tracking Devices Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c03602117
• HP device compatibility chart: (optional) http://h10032.www1.hp.com/ctg/Manual/c03601723
Supporting Videos
Adding devices:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN45e4d60c-6df3-473b-a9d4-b19018c4aff5
Grouping devices
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNa878d008-f0f8-4960-8fa0-03c42abdeaed
Optional: If you have multiple groups, practice managing your devices by moving them from group to
group or adding and deleting new devices.
Task 5- Credentials
Preparation/ Objectives
Many of the HP SM support escalations are due to credential failures. This is one of the most common problems
you may face as you work with your customers. The Credential management whitepaper provides information
on how to resolve and troubleshoot these issues. It also explains how the credential store manages passwords
and applies them to devices.
To complete this task, you need to have a successfully installed instance of HP SM. You will need to be on the
Devices page and have at least one device added to HP SM. At the end of this task you should have completed
the following:
• Review the device authentication options with HP SM
• Set Admin Password.
In this task we’ll be using the following two sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Credential management whitepaper: http://h10032.www1.hp.com/ctg/Manual/c05172643
Supporting Videos
Resolving credential issues:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN8b6dd71f-9370-4406-9c38-44d219fe8310
1. Review the HP SM User Guide section titled “Set device credentials” in Chapter 4 and review the
Credential management whitepaper.
2. Select at least one printer and run a verification task.
3. On the Device page, select the devices/groups for credentials.
4. Select Set credentials, and select Other credentials.
5. Select Set admin (EWS) password.
6. Type in the password and type it again to confirm.
7. Click Configure to save.
Task 6 - Assess & Remediate Devices
Preparation/Objectives
The Assessment and Remediation features of HP SM are where the true power of the solution lies. Assessment
is the process of determining how well the devices in the fleet match the security policies you have set.
Remediation is bringing those devices into compliance with those policies.
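The difference between an assess-only task and an assess-and-remediate task can be modelled in a few lines. This is an added example, not HP SM code or its API: the item names come from the optional MyTestPolicy exercise in Task 3, while the `PolicyItem` class, the sample device, the `unsupported` status and the rule that an unsupported item does not count against compliance are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyItem:
    setting: str              # setting name as shown in the Policy Editor
    desired: object           # value the policy requires on the device
    severity: str = "unset"   # the page states a severity only for some items


# Items enabled in the optional MyTestPolicy exercise (Task 3, steps 3, 4 and 6).
MY_TEST_POLICY = [
    PolicyItem("Host USB Plug and Play", "disabled"),
    PolicyItem("File Transfer Protocol", "disabled"),
    PolicyItem("Require HTTPS Redirect", "enabled", severity="High"),
]

# Constructed sample: the settings one hypothetical device reports. It has no
# FTP setting at all, so that policy item cannot be assessed on it.
SAMPLE_DEVICE = {
    "Host USB Plug and Play": "enabled",
    "Require HTTPS Redirect": "disabled",
}


def assess(policy, device):
    """Compare reported settings with the policy; never changes the device."""
    findings = []
    for item in policy:
        if item.setting not in device:
            status = "unsupported"      # device does not expose this setting
        elif device[item.setting] == item.desired:
            status = "pass"
        else:
            status = "fail"
        findings.append((item.setting, status, item.severity))
    return findings


def assess_and_remediate(policy, device):
    """Set every failing item to its desired value, then assess again."""
    wanted = {item.setting: item.desired for item in policy}
    changed = []
    for setting, status, _ in assess(policy, device):
        if status == "fail":
            device[setting] = wanted[setting]
            changed.append(setting)
    return changed, assess(policy, device)


def compliant(findings):
    """Assumption: a device is compliant when no assessed item fails."""
    return all(status != "fail" for _, status, _ in findings)


if __name__ == "__main__":
    device = dict(SAMPLE_DEVICE)
    for row in assess(MY_TEST_POLICY, device):
        print("before:", row)
    changed, after = assess_and_remediate(MY_TEST_POLICY, device)
    print("changed:", changed)
    for row in after:
        print("after: ", row)
```
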
To complete this task, you need to have a successfully installed instance of HP SM. You will also need to have
Instant-On enabled for the devices and the server. At the end of this task you should have completed the
following:
Note: Automatic remediation for devices can be set up in the Instant-On settings of SM.
• Assign policies to devices
• Set up assess & remediate schedules
• Schedule automated reports on device assessments.
In this task we’ll be using the following source:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
Supporting Videos
Adding devices
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN45e4d60c-6df3-473b-a9d4-b19018c4aff5
Grouping devices:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNa878d008-f0f8-4960-8fa0-03c42abdeaed
Pull assessments
Steps to pull assessments
Task 7- Instant-On Security
Preparation/Objectives
When a device is connected to the network in its default state, it is only partially secured. This can represent a
security threat to your network. The Instant-on Security feature in HP SM provides an automatic method to
keep your network safe and compliant.
To complete this task, you need to have a successfully installed instance of HP SM. You will need a shortcut to
the HP SM web interface or you will need the URL to the website where HP SM is installed. At the end of this
task you should have completed the following:
• Enable/Disable Instant-On Security on devices and servers
• Automatically add devices
In this task we’ll be using the following two sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Instant-On Security Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04222990
Supporting Videos
Instant-On Security architecture:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNf0423bb2-c93c-45ff-95aa-c62b0e2f8802
Selecting an Instant-On Policy:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNd6cd8be8-a40d-4f6d-9689-539d6f663b09
1. Read the section titled “Set up Instant On Security” in the User Guide and the Instant-On Security
whitepaper.
2. In the printer’s EWS, navigate to the Networking page and click the Announcement Agent link.
3. Ensure Enable Device Announcement Agent is checked. If desired, type the IP address of your HP
JetAdvantage Security Manager server in the Configuration Server IP Address field, and then click Apply.
Task 8 – Reports
Preparation/Objectives
The reports section of HP SM proves the value of the solution to your customers. While IT can see the value in
reducing the time needed to monitor their devices, you need to convince management that you are receiving a
return on your investment. The built-in reports describe how well your fleet meets the policy requirements they
have defined and identify which printers need to be addressed if they are out of compliance. Reports can be
exported as a PDF for sharing in your next meeting or in CSV format for further manipulation.
To complete this task, you need to have a successfully installed instance of HP SM. You will need to be on the
Reports page. At the end of this task you should have completed the following:
• Export the executive summary report as a PDF.
• Extract the data for analysis in MS Excel.
In this task we’ll be using the following two sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Reporting Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c05201811
Extract Data
Steps to extract data
Task 9- Certificate Management
Preparation/Objectives
Certificate management is becoming one of the most important security needs in many organizations.
Certificates verify the identity of each network device and provide a way to secure communication. In the past,
certificate management on printers has been a difficult, manual process. HP SM helps automate this process to
keep your printers compliant with your company certificate policy requirements.
To complete this task, you need to have a successfully installed instance of HP SM. At the end of this task you
should have completed the following:
• Check and renew device certificates
In this task we’ll be using the following source:
• Certificate Management Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04677863
Suggested Videos
Creating a certificate management policy:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN90259d22-7857-4fc9-95f8-726166813b4a
Managing Certificates
Steps for managing certificates
Appendix A – MFD checklist
This checklist, found in 2017, reveals the real-life hardening requirements for a university in the United States.
Appendix B – MFD checklist policy recommendations
These are the policy settings that can be set using HP JetAdvantage Security Manager to meet the MFD
hardening requirements from the document referenced in Appendix A. These may not be a perfect match and
you should question how closely they apply to the situation shared. This is only intended to give you some ideas
on how it can be approached; it is not intended as a complete solution.
Checklist item 1: Disable unused network protocols other than TCP/IP (i.e. DHCP, SMTP)
This is an unclear direction because they do not state which protocols are unused. For this example, we can
quickly turn off Bonjour protocol since we likely don’t want it enabled.
In Policy Editor, go to the Device Discovery page and click the General tab. Select the Bonjour check box. Click
the slider to disable Bonjour. You will be prompted that AirPrint requires Bonjour protocol and clicking OK to
close the dialog box will disable AirPrint. Click OK to disable both Bonjour and AirPrint.
Checklist item 2: Disable unused network services
Work with the department to turn off any scan to destinations that are not required. In the Policy Editor window
view the Digital Services page and turn off any service not needed for this department.
Checklist item 3: Assign the MFD an internal static IP Address
This item cannot be configured by HP JetAdvantage Security Manager.
Checklist item 4: Restrict access to MFD services (print, fax, scan, and management) to the minimum number of
hosts that require these specific functions.
This can be done by editing the access control list and enabling authentication on the MFP control panel.
Checklist item 5: Use encrypted communication protocols (e.g. HTTPS / port 443) where available and disable
insecure protocols.
Navigate to the Network Services page and click to enable Require HTTPS Redirect for remediation and make
sure Require HTTPS Redirect is set to enabled.
Checklist item 6: Set a strong administrator password (change the default)
Navigate to the Authentication page and select the Credentials tab. Check the Admin (EWS) Password checkbox
to enable it for remediation, set the minimum password length to 8, type HPisGr8! for the password, enable
Password Complexity and Account Lockout. Type 5 for Maximum attempts, 30 for Reset attempts after
(seconds), and 120 for Lockout duration (seconds).
Checklist item 7: Change the default SNMP community strings to strong passwords
Navigate to the Authentication page and select the Credentials tab. Check the SNMPv1/v2 checkbox to enable it
for remediation and type HPR3@dme! for the Read Community Name and HPWr1t3me! for the Write
Community name.
Checklist item 8 and 8a: Ensure logging is enabled on the MFD and ensure that logs are monitored on a regular
basis
The best way for an organization to track their logging is with a SIEM tool such as Splunk or HP ArcSight. HP
JetAdvantage Security Manager can make sure this policy item is set.
In Policy Editor, navigate to the Device Control page and the Logging tab. Click to enable System Logging for
remediation and type a Server Name (e.g. splunk.somedomain.com) and leave the rest of the values at their
default. More information about each of the values can be obtained by hovering over the label for each text box.
Checklist item 9: Restrict address books, mailboxes, and logs by password protecting them. Prohibit the
scanning of documents containing confidential or sensitive information for email transmission and / or storage
on the document server.
This can be half accomplished by requiring authentication on the device before certain features are enabled.
On the Authentication page of Policy Editor, select the Authentication Manager tab. Click to enable the Print and
Copy authentication methods and select the items you want to lock out for this department.
Checklist item 10: Monitor Common Vulnerabilities and Exposures and vendor for security bulletins and
patches. You may also request a vulnerability scan from information security.
This cannot be done through HP JetAdvantage Security Manager.
Checklist item 11: Upgrade firmware in a timely manner. Document all changes.
Firmware cannot be upgraded through HP JetAdvantage Security Manager but there is a section to check
whether the firmware is the latest version. Enabling this will provide a report of those devices that require a
potential update.
Checklist item 12: Place the device in an area with physical security controls consistent with the sensitive data it
processes.
This cannot be done through HP JetAdvantage Security Manager.
Checklist item 13: Set an administrator password on the console
In Policy Editor, go to the Authentication page and select the Authentication Manager tab. Select the
Administrative Function Authentication checkbox to enable it and lock out any desired administrative functions.
Checklist item 14: Require that users authenticate to scan, fax or copy from the console.
On the Authentication page of the Policy Editor, select the Authentication Manager tab. Click to enable the Print
and Copy authentication methods and select the items you want to lock out for this department.
Checklist item 15: If the MFD has a removable hard drive, ensure it is locked into the device.
While we cannot provide physical security for this, the hard drives are encrypted so once they are removed from
the device the data is still safe.
Checklist item 16: If possible, implement measures to encrypt or secure-wipe print spool files.
Select the General tab on the Device Control page and check to enable remediation for Disk Encryption Status.
Make sure it is set to Active.
Checklist item 17: Ensure that any MFD drives that are decommissioned are sent back to the manufacturer or
leasing company are securely destroyed / sanitized and obtains a document of destruction.
On the Device Control page select the General tab. Check the Erase Data checkbox to enable it for remediation.
Enable the Erase Data slider. Once this policy is applied, the next time the MFP is cold reset it will securely wipe
the drive of data.