
HP JetAdvantage Security Manager

Technical Training Guide


(HP SM 3.2, version 18.4)
Copyright and Legal Notice
© Copyright 2019 HP Development Company, L.P.
Reproduction, adaptation, or translation without prior written permission is prohibited, except as allowed under
the copyright laws.
The information contained herein is subject to change without notice.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional
warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Trademark credits
Windows® is a U.S. registered trademark of Microsoft Corporation.
Edited on: January 2019
Table of Contents

Training Objectives
How to use this training
Supporting Videos
Task 1: Installing HP SM
Preparation / Objectives
Supporting Videos
Install Pre-requisites
Install HP SM
Task 2: Launching HP SM and General Configuration
Preparation/Objectives
Supporting Videos
Installing your license
Configuring Automation Output
Secure your installation (optional)
Task 3 – Create a policy
Preparation
Supporting Videos
Creating a policy
Create a custom policy (optional)
Create a policy from a customer’s checklist (optional)
Task 4- Adding Devices
Preparation/Objectives
Supporting Videos
Adding devices (using IP range)
Task 5- Credentials
Preparation/ Objectives
Supporting Videos
Set Admin (EWS) Password
Task 6 - Assess & Remediate Devices
Preparation/Objectives
Supporting Videos
Pull assessments
Task 7- Instant-On Security
Preparation/Objectives
Supporting Videos
Device Announcement Agent (DAA)
Security Manager Configuration
Task 8 – Reports
Preparation/Objectives
Executive Summary Report
Extract Data
Task 9- Certificate Management
Preparation/Objectives
Suggested Videos
Managing Certificates
Enter certificate information (optional)
Appendix A – MFD checklist
Appendix B – MFD checklist policy recommendations
Training Objectives
The purpose of this training is to provide you with all the information and best practices to install HP
JetAdvantage Security Manager (HP SM) as a demo on a computer / virtual machine or install the solution as a
POC in a customer’s environment.

How to use this training


This course leverages the HP SM whitepapers maintained in HP’s online system. When HP makes an update to
the whitepaper, the PDF referenced in this document is automatically updated. This means most of this training
is updated through updating the whitepapers. Look for the latest version of this training on
myhpsalesguide.com.
These documents are created by knowledgeable HP engineers who work on HP SM escalations. The support
tickets they resolve provide a basis for the content of the whitepapers. If you take the time to learn the
contents of the whitepapers, you will be prepared to answer most of the questions you receive regarding HP SM.
Each section has a short introduction identifying the objectives/purpose of that section. You will be directed to
the whitepaper for certain content and then back to this training guide for additional information and video links
that help clarify the items that are being discussed.
Please follow the guide as it has been outlined when you are first going through the training. Skipping a section
or not reading a whitepaper may impede the learning process and cost you more time. After you have
completed the training, feel free to use this guide to help you quickly locate resources to help you in your HP SM
efforts.

Supporting Videos
How to use this training:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNca14d29e-0460-4ee6-937f-9fb068f38c9e

Task 1: Installing HP SM
Preparation / Objectives
The instructions included in this training prepare you to install HP SM on any of the supported operating
systems. For this training we are using Windows 10 Enterprise (in a Virtual Machine) and a new local SQL
Express 2014 installation which is bundled as part of the default installation package. These options are
typically fine in a demonstration environment or for a SMB customer where server licensing can be a problem.
If you are installing in an enterprise network, it is preferable to install HP SM on a computer with a Windows
Server operating system for maximum availability. Please refer to the installation documentation, especially if
you are using a dedicated SQL Server instance. As always, it is a best practice to make sure your operating
system (OS) is updated after any Windows features have been added or removed.
If you are installing on a different configuration, such as another Windows version or a dedicated SQL Server
instance, refer to the specific information for your system in the documentation to complete the setup.
In this task we’ll be using the following two documents. These documents provide the information necessary to
install HP SM on either a Windows client or server operating system.
• HP SM installation and setup guide: http://h10032.www1.hp.com/ctg/Manual/c03564723
• Using Microsoft® SQL Server whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04635799

Supporting Videos
Downloading from the software kiosk:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNb1a500c3-70fb-4448-9aa4-07f03c6e7865

Server Sizing:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNc2f2994a-8ad7-4228-a859-7c7eaba97ed6

Installing Prerequisites:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN0f9eb74a-7d8a-4e3b-aa99-1da20c92cb81

SQL Server Options:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN0911cf63-84f1-49f0-a491-aa47db829128

Install Pre-requisites
The prerequisites for HP SM are straightforward and the installation guide does a good job of identifying what is
required by the user and what is handled automatically through the installer.
NOTE: An internet connection is required for downloading the .Net 3.5 framework on some operating
systems.
1. Open the documents referenced in the preparation section.
2. Review Chapter 1 in the HP SM Installation and Setup guide. Return to this guide before installing any
prerequisites and review the information below:
a) Install the prerequisites including the Microsoft .Net 3.5 Framework and IIS configuration.
b) Make sure your Windows 10 operating system is connected to the Internet to install .Net 3.5.
i. In Programs and Features on the Control Panel, click the Turn Windows features on or off
option.
ii. Select the .Net Framework 3.5 feature, and then click OK.
The installation takes place automatically.

Figure: Control Panel showing Windows features settings

Figure: Net framework 3.5 option checked
3. Please follow the instructions for IIS contained in the HP SM installation and setup guide.
4. If you are using a Virtual Machine, now would be a great time to create a snapshot of your environment.
5. Run the HP SM installer file to install the remaining prerequisites then return to this guide.

Install HP SM

With the prerequisites met, HP SM is a simple installer where you can accept the defaults by clicking the Next
button until installation is complete. For most SMB installations, POC installations or demo rooms, the default
MS SQL 2014 Express database installation that is bundled with HP SM will be sufficient.
If the customer has a dedicated MS SQL database server, you should install the production database on that server.

Steps to install HP SM
1. With the prerequisites installed we are ready to continue the installation.
Make sure to review the following information:
• Review Chapter 2 in the HP SM installation and setup guide.
• Review the SQL Server whitepaper for additional installation considerations including the
proper number of HP SM servers an organization should use.
NOTE: Benchmarking shows approximately 1,500 devices can be remediated per hour or about 36,000
devices per day.

2. Follow the appropriate steps to configure HP SM with the database and webserver.

Task 2: Launching HP SM and General Configuration
Preparation/Objectives
The interface for HP SM runs on IIS and opens in a web browser. This means that any computer on the network
can access the interface and configure policies. To leverage the full power of HP SM you will need to license your
installation. Automated output allows you to send messages to administrators and you can also secure who has
access to which parts of HP SM.

To complete this task, you need to have a successfully installed instance of HP SM. You will need a shortcut to
the HP SM web interface or you will need the URL to the website where HP SM is installed.
At the end of this task you should have completed the following:
• Reviewed and installed a license, if you have received one.
• Configured automated output.
• Secured HP SM (optional task).
NOTE: We are not setting up Instant-On at this stage. The Instant-On feature requires selecting a
security policy and we will not create a security policy until Task 3.
In this task we’ll be using the following four documents:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Licensing whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04677865
• Automation Output Feature whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04686128
• Securing HP SM whitepaper: (optional) http://h10032.www1.hp.com/ctg/Manual/c03601734

Supporting Videos
Licensing:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNd45d4913-0ccf-4252-a8be-9a6fef4a62c

Installing your license


1. Download and review the User Guide.
Read chapters 1 through 3 ending with the section titled “Install licenses”.
2. Download and review the Licensing whitepaper referenced above.
The whitepaper clearly defines the types of licenses available as well as the simple instructions for
installation. It also gives more detailed information about the way licensing works, including the services
used and some issues that may occur when using virtual machines.
3. If you have a license file, follow the steps in the whitepaper to install the license.

Configuring Automation Output


1. Review the section on “Automated Output” in the User Guide. Download and review the Automation
Output Feature whitepaper.
2. You can use any valid SMTP information to send these messages.

Domain credentials, Gmail accounts, or custom hosted email information can be added to these fields
to send the messages.
NOTE: Make sure you test your email settings.

Secure your installation (optional)


Steps to secure your installation

1. Download and review the Securing HP SM whitepaper.


2. If you installed HP SM on this computer, you should follow the instructions to limit access to the HP SM
web service to computer administrators only. Make sure to review the firewall considerations.

Task 3 – Create a policy
Preparation
To complete this task, you need to have a successfully installed instance of HP SM. You should have HP SM
open and on the Policy page. We will be configuring the HP Base Policy. While this is fine for training purposes
and walking through the steps to validate a policy, you should refrain from using the built-in policies as much
as possible. The Base Policy has been known to cause contention with some HP solutions. If the customer has a
current network attached peripheral or multifunction printer policy in place, you should do your best to map
those requirements to settings in HP SM. The built-in policies are valuable when using HP SM in a sales
engagement to get a snapshot of their current environment's security status.
In this task we’ll be using the following two documents:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Policy Editor Settings whitepaper: http://h10032.www1.hp.com/ctg/Manual/c03602120

Supporting Videos
Policy Templates:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN133a8c12-a236-4beb-acf3-6160f0d30f17
Policy help and validation:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNc137c5c7-b384-4a6d-98f2-9ea744b4a067

Creating a policy
Steps to create a policy

1. Download and review the User Guide. Review the “Create a security policy” section of Chapter 4.
2. Download and review the Policy Editor Settings whitepaper.
3. Follow the instructions on creating a policy from the User Guide and create a new HP Base Policy.

4. Follow the recommendations on the Policy Editor to validate the policy. Use the instructions in the User
Guide and the Policy Editor Settings whitepaper as a reference to answer your questions regarding
policy creation.

5. Make sure the policy is valid and save the policy.

NOTE: You should never just select a built-in policy because it is available. All policies should be
customized by discovering the customer’s security requirements and building a policy that fulfills their
needs.

Create a custom policy (optional)
Steps to create a custom policy

This optional task helps reinforce creating a custom policy. We’ll use the blank policy editor to create a custom
policy with some simple settings to help familiarize you with where the settings are and how to set them.
1. Create a new policy called MyTestPolicy using the Blank Policy template.
2. On the Authentication page, select the Credentials tab and click to enable the Admin (EWS) Password.
Set the password length to 0, choose hp as the password, and then turn off Password Complexity and
account lockout.
3. Click the Device Control page and click the External Connections tab. Click the check box to enable Host
USB Plug and Play for remediation. Make sure that Host USB Plug and Play is disabled.
4. Click the Printing page. Click the check box to enable File Transfer Protocol for remediation. Make sure
File Transfer Protocol is disabled.
5. Click the Digital Services page, and then select the Fax tab. Click the check box to enable Send Fax
remediation. Change the Severity to High.
6. Click the Network Security page, and then click the Web tab. Click to check the Require HTTPS Redirect
tab. Set the Severity to High and ensure Require HTTPS Redirect is set to enabled.
7. Click the Validate button to make sure your policy is valid. If there are any errors, correct the errors until
your policy is valid then save your policy.

Create a policy from a customer’s checklist (optional)


Steps to create a policy from a customer’s checklist

This optional task helps reinforce creating a policy based on a customer’s Multifunction device (MFD) checklist.
In HP, we would call this a multifunction printer (MFP) checklist.
Appendix A has a checklist found from performing an internet search on MFD checklists. It is from a university in
the United States. Please do your best to match the checklist to HP Security Manager policy items. When you
are complete, compare your findings with the policy in Appendix B.

Task 4- Adding Devices
Preparation/Objectives
It is great to have a policy in place, but even better to apply those policies to the devices in your fleet. The
Devices page allows you to group your printers so the appropriate policy can be applied to each group. For
example, you may have more strict security restrictions on the printers that are in the marketing department
than you have in your IT department since IT may have non-standard printing requirements. You can quickly
create a policy for each department and apply it to the printers in their group.
To complete this task, you need to have a successfully installed instance of HP SM. You will need to be on the
Devices page of HP SM. At the end of this task you should have completed the following:
• Created groups with unique settings
• Added devices to groups using an IP range
• Edited / removed devices
Note: We are not setting up Instant-On at this stage. The Instant-On feature is beneficial when groups
have been created, and certain policies can be added to each group. Setting up groups and adding
devices before setting up Instant-On maintains user control on assessments and remediation.
In this task we’ll be using the following three sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Adding and Tracking Devices Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c03602117
• HP device compatibility chart: (optional) http://h10032.www1.hp.com/ctg/Manual/c03601723

Supporting Videos
Adding devices:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN45e4d60c-6df3-473b-a9d4-b19018c4aff5
Grouping devices:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNa878d008-f0f8-4960-8fa0-03c42abdeaed

Adding devices (using IP range)


Steps to add devices using an IP range

1. Open the documents referenced in the preparation section.


2. Review the Add and edit device information section from Chapter 4 in the HP SM Installation and Setup
guide, and then review the Adding and Tracking Devices whitepaper.
3. The HP device compatibility chart shows which HP SM features work with the different HP printers. You
should be familiar with this document as you consider the printers in your fleet.
4. Follow the instructions to create a new group. Give the group an appropriate name for the devices it will
contain (e.g., Management, IT, or Public).
5. Using the IP range method, add at least one printer to the group you created.

Optional: If you have multiple groups, practice managing your devices by moving them from group to
group or adding and deleting new devices.

Task 5- Credentials
Preparation/ Objectives
Many of the HP SM support escalations are due to credential failures. This is one of the most common problems
you may face as you work with your customers. The Credential management whitepaper provides information
on how to resolve and troubleshoot these issues. It also explains how the credential store manages passwords
and applies them to devices.
To complete this task, you need to have a successfully installed instance of HP SM. You will need to be on the
Devices page and have at least one device added to HP SM. At the end of this task you should have completed
the following:
• Review the device authentication options with HP SM
• Set Admin Password.
In this task we’ll be using the following two sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Credential management whitepaper: http://h10032.www1.hp.com/ctg/Manual/c05172643

Supporting Videos
Resolving credential issues:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN8b6dd71f-9370-4406-9c38-44d219fe8310

Setting global credentials:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN10db84ac-39f1-4d2a-a8ab-45527c9a5110

Set Admin (EWS) Password


Steps to set an EWS admin password

1. Review the HP SM User Guide section titled “Set device credentials” in Chapter 4 and review the
Credential management whitepaper.
2. Select at least one printer and run a verification task.
3. On the Device page, select the devices/groups for credentials.
4. Select Set credentials, and select Other credentials.
5. Select Set admin (EWS) password.
6. Type in the password and type it again to confirm.
7. Click Configure to save.

Task 6 - Assess & Remediate Devices
Preparation/Objectives
The Assessment and Remediation features of HP SM are where the true power of the solution lies. Assessment
is the process of determining how well the devices in the fleet match the security policies you have set.
Remediation is bringing those devices into compliance with those policies.
To complete this task, you need to have a successfully installed instance of HP SM. You will also need to have
Instant-On enabled for the devices and the server. At the end of this task you should have completed the
following:
• Assign policies to devices
• Set up assess & remediate schedules
• Schedule automated reports on device assessments.
Note: Automatic remediation for devices can be set up in the Instant-On settings of SM.
In this task we’ll be using the following source:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719

Supporting Videos
Adding devices:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN45e4d60c-6df3-473b-a9d4-b19018c4aff5
Grouping devices:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNa878d008-f0f8-4960-8fa0-03c42abdeaed

Pull assessments
Steps to pull assessments

1. Review the User Guide, Chapter 4, Assess and remediate section.


2. Ensure all requirements for creating a new task, according to the User Guide, are met.
3. In HP SM, add a new task.
4. Select a group and name the task.
5. Select a policy and set the frequency schedule.
6. View assessments by either enabling email results, or by viewing the devices page or reports page.

Task 7- Instant-On Security
Preparation/Objectives
When a device is connected to the network in its default state, it is only partially secured. This can represent a
security threat to your network. The Instant-On Security feature in HP SM provides an automatic method to
keep your network safe and compliant.
To complete this task, you need to have a successfully installed instance of HP SM. You will need a shortcut to
the HP SM web interface or you will need the URL to the website where HP SM is installed. At the end of this
task you should have completed the following:
• Enable/Disable Instant-On Security on devices and servers
• Automatically add devices
In this task we’ll be using the following two sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Instant-On Security Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04222990

Supporting Videos
Instant-On Security architecture:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNf0423bb2-c93c-45ff-95aa-c62b0e2f8802
Selecting an Instant-On Policy:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDNd6cd8be8-a40d-4f6d-9689-539d6f663b09

Device Announcement Agent (DAA)


Steps to enable DAA

1. Read the section titled “Set up Instant On Security” in the User Guide and the Instant-On Security
whitepaper.
2. In the printer’s EWS, navigate to the Networking page and click the Announcement Agent link.
3. Ensure Enable Device Announcement Agent is checked. If desired, type the IP address of your HP
JetAdvantage Security Manager server in the Configuration Server IP Address field, and then click Apply.

Security Manager Configuration


Steps for configuration

1. Instant-On is not enabled on the server by default.


2. Go to the Settings page of Security Manager.
3. Select Accept Device Announcements.
4. Click OK to confirm the dialog box.
5. Check the Allow Automatic Remediate checkbox and select an Initial Assessment Policy from the
dropdown list.
6. You can test this feature by initiating one of the Instant-On requests.

Task 8 – Reports
Preparation/Objectives
The reports section of HP SM proves the value of the solution to your customers. While IT can see the value in
reducing the time needed to monitor their devices, you need to convince management that you are receiving a
return on your investment. The built-in reports describe how well your fleet meets the policy requirements they
have defined and identify which printers need to be addressed if they are out of compliance. Reports can be
exported as a PDF for sharing in your next meeting or in CSV format for further manipulation.
To complete this task, you need to have a successfully installed instance of HP SM. You will need to be on the
Reports page. At the end of this task you should have completed the following:
• Export the executive summary report as a PDF.
• Extract the data for analysis in MS Excel.
In this task we’ll be using the following two sources:
• User Guide: http://h10032.www1.hp.com/ctg/Manual/c03564719
• Reporting Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c05201811

Executive Summary Report


Steps to view the Executive Summary Report

1. Review the Reporting Whitepaper.


2. On the Reports page of HP SM, select Executive Summary from the drop-down menu.
3. Select Show Report.
4. Select the PDF icon to export this report as a PDF.

Extract Data
Steps to extract data

1. In the dropdown menu select Devices Assessed.


2. Click the Export as CSV button.
3. The data is now available for manipulation in MS Excel.

Task 9- Certificate Management
Preparation/Objectives
Certificate management is becoming one of the most important security needs in many organizations.
Certificates verify the identity of each network device and provide a way to secure communication. In the past,
certificate management on printers has been a difficult, manual process. HP SM helps automate this process to
keep your printers compliant with your company certificate policy requirements.
To complete this task, you need to have a successfully installed instance of HP SM. At the end of this task you
should have completed the following:
• Check and renew device certificates
In this task we’ll be using the following source:
• Certificate Management Whitepaper: http://h10032.www1.hp.com/ctg/Manual/c04677863

Suggested Videos
Creating a certificate management policy:
https://players.brightcove.net/1160438706001/rJ3BuzV1g_default/index.html?videoId=ref:REFIDWDN90259d22-7857-4fc9-95f8-726166813b4a

Managing Certificates
Steps for managing certificates

1. Review the Certificate Management Whitepaper.


2. In the HP SM Settings, select Certificate Management.
3. Select Identity Certificate.
4. Fill in the appropriate information.
5. Follow the instructions in the Policy Editor Settings whitepaper to set up CA certificates.

Enter certificate information (optional)


Steps to enter certificate information

1. Open the Policy page.


2. Create a new policy using the Blank Policy template.
3. Under the Authentication page, click the Certificate Management tab.
4. Click the Identity Certificate check box to select it.
5. Select HP Security Manager as the Certificate Signing Request Source.
6. Select MS Standalone from the Certificate Authority drop-down list.
7. Type trainingserver.lab.com in the Certificate Authority Server textbox.
8. Type trainingserver in the Certificate Authority Name text box.
9. Type HP in the Organization text box.
10. Type IT in the Organizational Unit text box.
11. Type Boise in the City text box.
12. Type ID in the State text box.
13. Select US from the Country drop-down list.
14. Click the slider to enable Include Subject Alternative Name.
15. Type lab.com for the Domain Name text box.
16. Select 1024 from the Key Length drop-down list.
17. Select SHA-256 from the Certificate Request Signature Algorithm drop-down list.
18. Type 15 in the Renewal Threshold text box.
19. Click the Save button to validate and save this policy.

Figure: Device Settings in Authentication tab
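
A minimal model of the assessment this policy implies, added here as an example and not HP SM's own logic: it compares constructed certificate records with the values typed in the steps above and flags that the training key length of 1024 falls below an assumed 2048-bit floor. The record fields, the finding names, and the reading of Renewal Threshold as days are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Values typed in the steps above. The page gives no unit for Renewal
# Threshold; days before expiry is assumed here.
POLICY = {"key_bits": 1024, "sig_alg": "SHA-256", "renew_days": 15,
          "issuer": "trainingserver", "san_domain": "lab.com"}
# Assumed organisational floor, not an HP SM setting: NIST SP 800-131A
# disallows RSA keys under 2048 bits for generating signatures.
MIN_RSA_BITS = 2048

def lint_policy(policy):
    """Flag policy values that fall below the assumed floor."""
    issues = []
    if policy["key_bits"] < MIN_RSA_BITS:
        issues.append(f"key length {policy['key_bits']} < {MIN_RSA_BITS}")
    if policy["sig_alg"].upper().replace("-", "") in {"MD5", "SHA1"}:
        issues.append(f"weak signature algorithm {policy['sig_alg']}")
    return issues

def assess(cert, policy, now):
    """Compare one device certificate record with the policy."""
    findings = []
    remaining = cert["not_after"] - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining <= timedelta(days=policy["renew_days"]):
        findings.append("renew")  # inside the renewal window
    if cert["key_bits"] < policy["key_bits"]:
        findings.append("key-too-short")
    if cert["sig_alg"] != policy["sig_alg"]:
        findings.append("signature-algorithm-mismatch")
    if cert["issuer"] != policy["issuer"]:
        findings.append("unexpected-issuer")  # e.g. factory self-signed
    domain = policy["san_domain"]
    if not any(n == domain or n.endswith("." + domain) for n in cert["san"]):
        findings.append("san-missing-domain")
    return findings

NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)  # fixed for repeatable output
def rec(host, bits, alg, issuer, san, days_left):
    return {"host": host, "key_bits": bits, "sig_alg": alg, "issuer": issuer,
            "san": san, "not_after": NOW + timedelta(days=days_left)}
FLEET = [  # constructed records, not real devices
    rec("mfp-01.lab.com", 1024, "SHA-256", "trainingserver", ["mfp-01.lab.com"], 200),
    rec("mfp-02.lab.com", 1024, "SHA-256", "trainingserver", ["mfp-02.lab.com"], 15),
    rec("mfp-03.lab.com", 1024, "SHA-1", "mfp-03", [], -3),
]

def report(fleet=FLEET, policy=POLICY, now=NOW):
    return {c["host"]: assess(c, policy, now) for c in fleet}
```

Raising `key_bits` in the policy to 2048 clears the `lint_policy` finding and makes every 1024-bit record report `key-too-short`.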

Appendix A – MFD checklist
This checklist, found in 2017, reveals the real-life hardening requirements for a university in the United States.

Appendix B – MFD checklist policy recommendations
These are the policy settings that can be set using HP JetAdvantage Security Manager to meet the MFD
hardening requirements from the document referenced in Appendix A. These may not be a perfect match, and
you should question how closely they apply to the situation shared. This is only intended to give you some ideas
on how it can be approached; it is not intended as a complete solution.
Checklist item 1: Disable unused network protocols other than TCP/IP (i.e. DHCP, SMTP)
This is an unclear direction because they do not state which protocols are unused. For this example, we can
quickly turn off the Bonjour protocol since we likely don’t want it enabled.
In Policy Editor, go to the Device Discovery page and click the General tab. Select the Bonjour check box. Click
the slider to disable Bonjour. You will be warned that AirPrint requires the Bonjour protocol and that clicking OK
to close the dialog box will disable AirPrint. Click OK to disable both Bonjour and AirPrint.
Checklist item 2: Disable unused network services
Work with the department to turn off any scan-to destinations that are not required. In the Policy Editor window,
view the Digital Services page and turn off any service not needed for this department.
Checklist item 3: Assign the MFD an internal static IP Address
This item cannot be configured by HP JetAdvantage Security Manager.
Checklist item 4: Restrict access to MFD services (print, fax, scan, and management) to the minimum number of
hosts that require these specific functions.
This can be done by editing the access control list and enabling authentication on the MFP control panel.
Checklist item 5: Use encrypted communication protocols (e.g. HTTPS / port 443) where available and disable
insecure protocols.
Navigate to the Network Services page and click to enable Require HTTPS Redirect for remediation and make
sure Require HTTPS Redirect is set to enabled.
Checklist item 6: Set a strong administrator password (change the default)
Navigate to the Authentication page and select the Credentials tab. Check the Admin (EWS) Password checkbox
to enable it for remediation, set the minimum password length to 8, type HPisGr8! for the password, and enable
Password Complexity and Account Lockout. Type 5 for Maximum attempts, 30 for Reset attempts after
(seconds), and 120 for Lockout duration (seconds).
Checklist item 7: Change the default SNMP community strings to strong passwords
Navigate to the Authentication page and select the Credentials tab. Check the SNMPv1/v2 checkbox to enable it
for remediation and type HPR3@dme! for the Read Community Name and HPWr1t3me! for the Write
Community name.

Checklist item 8 and 8a: Ensure logging is enabled on the MFD and ensure that logs are monitored on a regular
basis
The best way for an organization to track their logging is with a SIEM tool such as Splunk or HP ArcSight. HP
JetAdvantage Security Manager can make sure this policy item is set.
In Policy Editor, navigate to the Device Control page and the Logging tab. Click to enable System Logging for
remediation and type a Server Name (e.g. splunk.somedomain.com) and leave the rest of the values at their
default. More information about each of the values can be obtained by hovering over the label for each text box.
Checklist item 9: Restrict address books, mailboxes, and logs by password protecting them. Prohibit the
scanning of documents containing confidential or sensitive information for email transmission and / or storage
on the document server.
This can be partially accomplished by requiring authentication on the device before certain features are enabled.
On the Authentication page of Policy Editor, select the Authentication Manager tab. Click to enable the Print and
Copy authentication methods and select the items you want to lock out for this department.
Checklist item 10: Monitor Common Vulnerabilities and Exposures and vendor for security bulletins and
patches. You may also request a vulnerability scan from information security.
This cannot be done through HP JetAdvantage Security Manager.
Checklist item 11: Upgrade firmware in a timely manner. Document all changes.
Firmware cannot be upgraded through HP JetAdvantage Security Manager but there is a section to check
whether the firmware is the latest version. Enabling this will provide a report of those devices that require a
potential update.
Checklist item 12: Place the device in an area with physical security controls consistent with the sensitive data it
processes.
This cannot be done through HP JetAdvantage Security Manager.
Checklist item 13: Set an administrator password on the console
In Policy Editor, go to the Authentication page and select the Authentication Manager tab. Select the
Administrative Function Authentication checkbox to enable it and lock out any desired administrative functions.
Checklist item 14: Require that users authenticate to scan, fax or copy from the console.
On the Authentication page of the Policy Editor, select the Authentication Manager tab. Click to enable the Print
and Copy authentication methods and select the items you want to lock out for this department.
Checklist item 15: If the MFD has a removable hard drive, ensure it is locked into the device.
While we cannot provide physical security for this, the hard drives are encrypted so once they are removed from
the device the data is still safe.
Checklist item 16: If possible, implement measures to encrypt or secure-wipe print spool files.
Select the General tab on the Device Control page and check to enable remediation for Disk Encryption Status.
Make sure it is set to Active.

Checklist item 17: Ensure that any MFD drives that are decommissioned are sent back to the manufacturer or
leasing company are securely destroyed / sanitized and obtain a document of destruction.
On the Device Control page select the General tab. Check the Erase Data checkbox to enable it for remediation.
Enable the Erase Data slider. Once this policy is applied, the next time the MFP is cold reset it will securely wipe
the drive of data.
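
Checklist item 5 can be verified from the network once remediation has run. The following added example (not part of HP SM or the original guide) requests `/` over plain HTTP and classifies the device's answer; the host name and the verdict labels are assumptions.

```python
import http.client
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def check_https_redirect(host, port=80, timeout=5.0):
    """GET / over plain HTTP and classify the device's answer.

    Returns (verdict, detail); verdict is one of: compliant,
    redirect-not-https, http-served, no-http-listener.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location") or ""
    except (OSError, http.client.HTTPException) as exc:
        # Closed or filtered port: nothing is served in clear text.
        return "no-http-listener", str(exc)
    finally:
        conn.close()
    if status not in REDIRECTS:
        # The embedded web server answered the request over HTTP itself.
        return "http-served", f"status {status}"
    if urlsplit(location).scheme.lower() != "https":
        # Relative or http:// targets keep the session in clear text.
        return "redirect-not-https", location or "missing Location header"
    return "compliant", location

def audit(hosts, port=80):
    """Map each host to its verdict; hosts come from your own inventory."""
    return {h: check_https_redirect(h, port)[0] for h in hosts}

if __name__ == "__main__":
    # Hypothetical device name; replace with printers you manage.
    print(audit(["mfp-01.lab.com"]))
```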
