HP LaserJet, HP PageWide - Secure by Default Initiative (white paper)

Overview
This document lists the security settings changes for the Secure by Default initiative beginning in Fall of 2017.
The initiative changes the default values of the following settings:
SNMP v1/v2 defaults
File System Access through PJL and Postscript
PJL Device Access Commands
Ciphersuites containing RC4 and Triple DES (CBC3, 3DES)
The following new security features are enabled by default:
Cross-Site Request Forgery (CSRF) prevention
HP Connection Inspector (Network Behavioral Anomaly Detection)
Changes to Device Security Settings Defaults
SNMP v1/v2 write access disabled
Simple Network Management Protocol (SNMP) version 1 and 2 (v1/v2) is a legacy configuration protocol introduced in 1988. SNMP
v1/v2 is not considered a secure configuration protocol for the following reasons:
SNMP v1/v2 communications are sent in the clear through the network. Encryption is not available for v1/v2
connections. SNMPv3 provides encryption capabilities.
SNMP v1/v2 is secured with a “community name” password string. The Set community name is also sent in the clear
due to lack of encryption.
SNMP supports configuration OIDs from the Management Information Base (MIB) structure. All
configuration settings available in the management MIB can be set or changed using SNMP SET commands. Even
when a SET community name is configured and required for write operations, it can be captured from the unencrypted
SNMP data streams.
New Default:
The Secure by Default initiative disables the SNMPv1/v2 write capabilities and enables the device setting “Enable
SNMPv1/v2 read-only access”. This disables SNMPv1/v2 Sets (writes) while allowing SNMPv1/v2 Gets (reads). The Get
Community Name is used if configured.
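
The cleartext exposure described above can be seen by decoding the outer layer of an SNMPv1/v2 datagram, and the same decoder lets a network monitor flag SNMPv1/v2 SetRequests that the new default is meant to refuse. This is an added example, not HP code; the function names, the packet bytes and the community strings are constructed for illustration.

```python
# Added example: decode the outer BER layer of an SNMP datagram.
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER element at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[off:off + length], off + length

def inspect_snmp(datagram):
    """Report version, community string and PDU type of one SNMP datagram."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (expected SEQUENCE)")
    _, ver, off = read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):         # SNMPv3 carries no community string
        return {"version": version, "community": None, "pdu": None,
                "write_attempt": False}
    _, community, off = read_tlv(body, off)  # readable as-is: no encryption in v1/v2
    pdu_tag, _, _ = read_tlv(body, off)
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "write_attempt": pdu_tag == 0xA3}

def tlv(tag, value):                         # builder for the constructed samples
    return bytes([tag, len(value)]) + value

def sample(pdu_tag, community):
    """Constructed SNMPv2c datagram for sysContact.0 (1.3.6.1.2.1.1.4.0)."""
    oid = bytes.fromhex("2b06010201010400")
    value = tlv(0x04, b"lab") if pdu_tag == 0xA3 else tlv(0x05, b"")
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + value))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + varbinds)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community) + pdu)

SAMPLE_SET = sample(0xA3, b"example-set")    # constructed write request
SAMPLE_GET = sample(0xA0, b"example-get")    # constructed read request
```

With the new default in place, a datagram for which `write_attempt` is true indicates a management tool or script that still expects SNMPv1/v2 writes to work.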