Embedded Web Server Settings Lab
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
2 hours 52 minutes
welcome back to print Security Intermediate Course. And this is a lab in which I'm going to show you how to use him by the Web server to do settings regarding security.
So let's not beat around the bush in Let's go directly to the
somebody do observer
and you accessing the Web server from the browser. And I have already opened this one on my,
um, color laser jet, uh, mfp that I have at home. So this is the only network printer that I have at home than the real one.
when you open the image of observer, this is what you get.
And, uh, this is very important here. This part here, you can see that I'm signed in. So let me just sign out. And you have seen that except information there is pretty much nothing I can access unless I sign in. So let me just sign in. You'll get the regular
sign in page. There are no user names here because this is meant to be accessed by administrator only, although you can create some other use names.
I'm signing in,
and now you can see that I can access the settings regarding everything on this device. And you, as you can see there quite a lot of them. And there there is
quite complex structure of these settings. But let's go to security tab and see what you can find their.
So there is general security. So basically, you have them
embedded Web server password, which has already been sent. If I want to change you, though, take the old password and new tight new passport twice. Then I can set the service access code,
which is needed to type in when you are,
um, doing something on the device in the service mode, which is exits prior to boot off the device upper devices operating system.
I have already said that, of course,
and, uh, also, if you're using some softer in this case digital sending softer. That is HB
selling. And together with all these devices, which allows you to
do something more than just canto folder or toe to send to email, this can file,
and then you would need to set the past four for that as well.
Then you can set the inventive obsession Time out, which is said here on the factory default 30 minutes. I suggest that you put it even shorter because if somebody's working in various ever better Web server and forgets to log out,
then this should log out anyway and prevent somebody else accessing the ambit of observer that somebody who doesn't have the
rights to do that.
And then we have very important thing regarding security. So we have bgl security. So by setting numerical piojo past Fordham or Pink Old, you are basically
setting, preventing some off the PDO file system commands, device attendance commands, S and MP pastoral commands and environment commands that the fact that default environment off the device, you prevent them from being executed unless the bgl password is provided
now. Because I'm using this device in my home and there is no danger that I got going to be sending malware infested the print file, I will not do that. But it's very simple to enter it here,
and also you can enable these commands there by default disabled, so I don't actually need this password.
Then I have also disabled for security reasons the
postscript privileged operators, Um, so
you have learned what the postscript can do to the wise. So by disabling this, I have done,
um, a little bit more in terms of security when it comes to print job security.
Also, what I have disabled on this device is P J L drive access and posted
postscript drive access, meaning that from both postscript file or P jail commands. You cannot access car drive on this device.
Um, I have enabled devices USB because I'm using it sometimes to scan some things on the scanner off this, uh, amfb
and I have enabled host, plug and play because this is a feature I need sometimes for specific reason. Now, as I mentioned again, this is a home printer. I mean printer used at home.
My home and I don't have many of the problems people, usually in companies have. So if you're in a company, you'd
be very, very smart to disabled thes things unless it's specifically requested by the business.
And you can see at the end the status off security settings. So I'm not going to go into details of this anymore.
But let me just jump to networking,
and the first thing you can see networking is you have TCP I P settings
and you have D c P I p version four, which I'm using at home. There is no absolutely no reason for me to use the six. It would cost too much for home network. But what I have done is that I have set
the i P configuration to be manual, meaning that when I set the this I p address for this device, it stays
the other possible, uh, ways for this device to get the I P address would be with good
B a, the H c p or photo I p
uh the ex cp means that it would be given by my
router at home
for my cable Internet. But I don't want that. I want this I i p address to be fixed so I can point the drivers using the i P address.
But so if you go to the network settings as well, you here can see that I can set the community name for us an MP version one and two
in some environments e
this thing s and MP setting the order community name is different than the fault. So it has to be different. It's usually public by default But if people are using S and MP and they want toe, make it more secure than there's an MP community name wouldn't be public,
or so if they're using S and MP version three, that means it has to have used name authentication, protocol and pass phrase. And if you remember, if you're using this, I would suggest that the past phrases 255 bytes long, not shorter. So use the maximum.
But these are the most important ones for the basic embedded Web server security settings,
uh, other settings and this device. And I'm going to uncheck a lot of these and explain why so 9100 printings of this port
is now going to be closed. The reason why we're closing it because it's a legacy, it's easily hackable. I'm not going to go into details how
LPD printing as well if you remember this is on them on a list of recommending best practices for printing,
then tell that conflict is going to be disabled.
Um, also bonjour and their prints are going to be disabled,
I PP printing is going to be disabled. FTP printing. He's going to be disabled,
and that's pretty much it here. So these things
I I I'm going to disable, um on and also so for I p p an i p p s full printing. So for secure pull printing, which I'm not using at home because it makes no sense.
Uhm I'm going to leave the verify certificate anyway, but I'm not using it, but it doesn't
make any doesn't do any harm to leave it like this.
if I click apply now here these things are going to be applied. And now they're going to
be set in according to best practices. So what else we can do regarding security? For example, in this device, we can go toe authorization on and we're having jet direct certificate. This is this here,
and I haven't intentionally set the certificate getting Internet Explorer, which is the best for
browsing this embedded. But server I'm not usually using it, so I'm not setting the certificate here.
Uh, but if you click on view, you can see the certificate for this device, which is there because we're connecting through https
This is very important thing regarding the
the security of device if you're using something like this in a small environment with the small number of devices, for example, this one allows for 20. You can define the ah I P V four addresses and masks on devices that are allowed to access this printer,
and you conexes this Web server access from only these I p addresses, and that's it.
So if you are, for example ah, accessing server from ah, remote desktop on and you know the I P address of the server, you can set it here on DA and on Lee. From that server, you can access the inventive observer. Know what the else Connexus This is very nice thing to do
if you're in a big company and you're afraid that somebody will
set access the embedded observing even if you had set the password and everything,
there is a way to break passwords or for somebody confined about your password, but they cannot access it from the outside. They have to log in to the server and then access this device. Otherwise they won't be a log.
um, there are many other things that you can do about setting security on a device using about the Observer. It really depends on your knees. I have shown you is just the most important ones.
Also, I have shown you what my device, which is HP laser jet can do. Other windows have different menu structure, have different settings, but almost all of them have. All of these or the most important things are said to be
ableto. They have it in a medical service so that you can set it and make follow the best practices for Prince security. And this is what's important. So you have seen how it's done.
I'm not making any special ways for you to do by yourself, because you need you need absolutely the same model of device or
HP device with the future smart forefinger regions installed in this device.
And so So, if you want to practice, if you have a net for access to network printer Andi, it's not protected that it doesn't have the password. You can go there and do the two things just to see how it's done.
uh, so just look at this. Go through this and you can understand
how you can do these things.