HP Web Jetadmin - Security and HP Web Jetadmin
OVERVIEW
Protecting IT environments against loss or harm is crucial in today’s data and system-driven world.
HP Web Jetadmin has tools and features that work in tandem with your device fleet to bring you
superior security management. HP Web Jetadmin has a robust set of features that allows:
• Protection against unauthorized use of the application
• Role-based administration using Microsoft® account management
• Feature enablement tied to account login
• Control over device-based security features for both individual devices and batches of devices
This document discusses security details for HP Web Jetadmin in two sections: application security
and device security. Please note that this document does not cover all device or application security
aspects that should be considered when managing devices or implementing software applications.
To meet the needs for higher levels of imaging and printing security, HP has implemented a storage
erase feature that meets the U.S. Department of Defense 5220-22.M requirements for clearing storage
media when the administrator selects certain options and uses supported devices.
APPLICATION SECURITY
HP Web Jetadmin has several features that make it easy to secure the application and its features:
• Single sign-on—Users do not have to provide password and user details in order to access the
application.
• .NET Remoting—The client displays through a local application that uses .NET Remoting as a
secure means of communicating with the server.
• Active Directory Integration—Domain accounts are used to identify who has access to the
application and its features. [1]
• Low privilege service—HP Web Jetadmin does not run as a system and has no direct access to
key OS components (the client application runs under user credentials). [2]
• Secure online downloads—HP Web Jetadmin installer and update files that can be obtained from
hp.com are digitally signed. This helps to ensure the integrity and authenticity of files as well as
underlying components as they are installed.
• Optional SSL/TLS—ClickOnce client deployment can apply added security with certificates.
Roles and users
HP Web Jetadmin is a single sign-on application, which means a username and password are not
always required if the user’s Windows® user account has been granted access to an HP Web
Jetadmin role. [3]
When the HP Web Jetadmin client application launches, the user is authenticated to the server using
Windows Integrated Authentication. Features that have been disabled as a result of assigned role
permissions are not viewable or accessible from the user’s account. To log into the HP Web Jetadmin
server using a different Windows account user name, users must launch Microsoft Internet Explorer
Administrator-created roles define feature access to the client and enable and disable
features for various user-levels.
[1] In order for HP Web Jetadmin to validate AD user accounts, the HP Web Jetadmin host system must be joined to the AD domain.
[2] The HP Web Jetadmin service runs under the NT AUTHORITY\Network Service, a local, built-in account on the server hosting the application.
By using this account, the HP Web Jetadmin service runs as a low privilege service. Changing the account that the HP Web Jetadmin service uses
is not supported by Hewlett-Packard and is also strongly discouraged. Users should be aware that NT AUTHORITY\Network Service should have
default access rights to its %USERPROFILE% (typically C:\Documents and Settings\Network Service\). During installation, HP Web Jetadmin also
sets Read, Execute, and List permissions on the HP Web Jetadmin directory (usually within ~Program Files\Hewlett-Packard) for the user NT
AUTHORITY\Network Service. Finally, the Microsoft SQL instance either created by the HP Web Jetadmin installer or by the end user should log
on as NT AUTHORITY\Network Service.
[3] For more information, including scenarios in which single sign-on is not the active log-in mechanism, see “User/role assignment” on page 3.
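
The following PowerShell audit is an added example, not part of the original document or HP's own tooling. It checks the state described in the low privilege service footnote (service and SQL instance logon account, Network Service permissions on the install directory) and the "Secure online downloads" bullet (digital signature on the installer). The parameter names, function names and the default install path are assumptions; supply the service names and installer path from your own installation.

```powershell
# Added example: parameter and function names are assumptions, not HP's.
param(
    [Parameter(Mandatory=$true)][string]$ServiceName,     # HP Web Jetadmin Windows service name
    [Parameter(Mandatory=$true)][string]$SqlServiceName,  # service name of its SQL instance
    [Parameter(Mandatory=$true)][string]$InstallerPath,   # downloaded installer or update file
    [string]$InstallDir = "$env:ProgramFiles\Hewlett-Packard"  # "usually", per the footnote
)

function New-Finding($Check, $Ok, $Detail) {
    [pscustomobject]@{ Check = $Check; Result = $(if ($Ok) { 'OK' } else { 'REVIEW' }); Detail = $Detail }
}

function Test-NetworkServiceLogon([string]$Name) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return New-Finding "Logon: $Name" $false 'service not found' }
    # The account is reported with or without a space, so normalise before comparing.
    $ok = ($svc.StartName -replace '\s', '') -ieq 'NTAUTHORITY\NetworkService'
    New-Finding "Logon: $Name" $ok $svc.StartName
}

function Test-NetworkServiceAcl([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return New-Finding "ACL: $Path" $false 'path not found' }
    # Resolve ACEs to SIDs; S-1-5-20 is the well-known SID of NT AUTHORITY\Network Service.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $mask = 0
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq 'S-1-5-20' -and $r.AccessControlType -eq 'Allow') {
            $mask = $mask -bor [int]$r.FileSystemRights
        }
    }
    # ReadAndExecute covers the Read, Execute and List permissions named in the footnote.
    $need = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    New-Finding "ACL: $Path" (($mask -band $need) -eq $need) ([string][System.Security.AccessControl.FileSystemRights]$mask)
}

function Test-InstallerSignature([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return New-Finding "Signature: $Path" $false 'file not found' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' = file hash matches and the chain is trusted; still confirm the signer subject by eye.
    New-Finding "Signature: $Path" ($sig.Status -eq 'Valid') "$($sig.Status): $($sig.SignerCertificate.Subject)"
}

@(
    Test-NetworkServiceLogon $ServiceName
    Test-NetworkServiceLogon $SqlServiceName
    Test-NetworkServiceAcl $InstallDir
    Test-InstallerSignature $InstallerPath
) | Format-Table -AutoSize -Wrap
```

The ACL check only considers entries that name Network Service directly (explicit or inherited); access granted through a group shows up as REVIEW and needs a manual look at the effective permissions.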