Multi-functional printers (MFPs) are security risks. We don't always see them as the full-fledged networked computers they really are. But hackers do - and they are finding them an attractive target. These printers, in the corner of the office and quietly going about their business of copying, printing, faxing and scanning, might not seem to pose any real security risk. But like any networked device, if not properly managed, they can expose sensitive campus data to unauthorized access and misuse.
Networked printers provide a large out-of-the-box feature set with little to no default security. Most printers will allow a remote intruder full administrative access unless the printer administrator configures the device. Insecure printers on the internet or even just the campus network risk misuse and disclosure of user data (e.g. intruders obtain copies of your documents) and provide an opportunity for hackers to use the device as a platform to attack other systems (e.g. printers are commonly used as part of Denial of Service attacks). To secure your multi-function printers from unauthorized access, print configuration alterations, eavesdropping and device compromise, follow these printer security best practices:
REQUIRED STEPS FOR SETTING UP YOUR PRINTER
Printer configuration varies widely across manufacturers and models so we can provide only general guidance and minimum requirements. For instructions on performing any configuration specific to your particular device, please contact your vendor or consult your vendor's documentation.
Any networked device that does not meet the following basic standards poses a risk to the network (and the device users) and thus IT Security may remove it from the network for remediation.
- Review the manufacturer recommendations for securely configuring your printer. Apply any manufacturer firmware updates required to secure the device and make any necessary configuration changes. Links to some common manufacturers are provided below.
- Use a campus-only computer address so your printer is not available to the general internet. For systems that need a public internet computer address you need to register the device with Information Security. Please note that if there is a clear business need for a public IP that outweighs the risk, then the printer may remain on the public internet but the system must follow all steps described here, must have a knowledgeable system administrator who registers the device with Information Security, and who will be responsible for system updates.
- Disable any unused remote access services
- Most printers will have all protocols enabled by default.
- TCP/IP will be needed for the printer to communicate on the network.
- SNMP is needed mainly for device management monitoring, and communications.
- Examples of unneeded protocols that should be disabled are SMB, Bonjour, FTP, IPP, Ethertalk IPX/SPX and NetWare, ApplleTalk.
- Reset the default password. Use a strong password for any enabled remote access services. Note that if the passwords are forgotten, there is a strong possibility they cannot be reset or retrieved without replacing the hardware.
- Always use Secure Sockets Layer (SSL) for encrypted network transport using https when accessing your administrative interface.
- Use access control or a firewall: configure Access Control Lists (ACLs) which restrict use of the printer to defined set of client computers
- Restrict access to the printer via a specific range of IP Addresses.
- Restrict to subnet, individual address, or use the print server address to require printing through it
- Configure the syslog to a departmental monitoring server or if it is Level 1 work with Information Security to log centrally. We only need the authentication and use of any open remote control services, such as FTP.
- Secure your printer's hard drive by setting encryption on the hard drive
- Place the printer where it can be supervised to prevent unauthorized physical access to the hard drive.
- Upgrade and patch your printer. The CSUN standard is 30 days after a patch is released by the vendor.
Operating Your Printer
Do not store jobs on the printer any longer than necessary. Set the hard drive to erase print jobs, scans, and faxes once complete.
Use pull printing, swipe cards or departmental codes for any printer that prints Level 1 data.
Remove and destroy hard drives when retiring machines
SECURITY-RELATED CONFIGURATION AND UPGRADES FROM COMMON MANUFACTURERS
Links to vendor information below. This list is a starting point and not meant to be a comprehensive list. As stated above: for instructions on performing any configuration specific to your particular device, please contact your vendor or consult your vendor's documentation.