While we don't generally think of them as such, networked printers, copiers, and multi-function devices are computers. As such, they are open to attack from the network, and there are ways to compromise them. Once compromised, a device can be used for network scanning, spamming, and denial-of-service attacks like any other computer. An attacker can also have copies of every document printed or scanned sent to them, a serious security risk. Because of this, it is important to secure any networked device before putting it on the campus network.
This document will refer to printers, copiers, multi-function devices and any other networkable devices producing print on paper as "printers". Listed below are security measures that ITS recommends you take with any printer before connecting it to the network. Consult the printer's documentation and/or the manufacturer's website for detailed instructions.
Give the printer a private static IP address.
Private IP addresses can only be contacted from machines on the ISU network or off-campus machines using the ISU VPN service. This will greatly limit the opportunity for attacks. Request a static IP address through the ASW page at https://asw.iastate.edu/cgi-bin/acropolis/request/dns and choose "Private IP number (no connection to the Internet, campus only)". While you're getting an IP, give the printer a meaningful name that will help users find it without needing that IP number.
Newer printers can use IPv6 addresses, and will assign one to themselves if you don't set one. IPv6 addresses are inherently visible from the world, bypassing the firewall.
Set an administrator password.
Many printers come with no administrator password, or with a default password known to the entire world. Set a secure password of sixteen characters or longer with at least two types of characters.
Update the printer's firmware to the manufacturer's latest version.
This is especially important for older HP printers, which have known vulnerabilities. Like any software update, this is a continuing process and will need to be repeated as new updates are released. After you've applied updates, check the printer's settings carefully. Manufacturers have added features and protocols to printers as part of an update, and you may wish to disable them.
Disable all unneeded communications protocols.
TCP/IP (IP) is the only protocol necessary for communicating with most computers. AppleTalk and IPX/SPX are rarely used and are not routed between buildings at ISU.
Disable all unused print protocols.
Most computers can now print via JetDirect (port 9100) and/or LPD. If you have no Macintosh workstations, you can disable Bonjour (also known as mDNS). IPP is uncommon, SMB (Windows) is not usually required, and FTP is insecure and should not be used.
Disable all unneeded management protocols.
Most administrators control printers through a Web interface; make sure that access is by HTTPS, not HTTP. Disable the telnet protocol. Leave SNMP enabled; both Windows 7 and Papercut use it for reading printer status.
Consider setting access control lists on the printer where possible.
An access control list (ACL) allows you to specify the machines or subnets that can connect to the printer. This can increase security, but requires additional management.
Consider using Papercut.
With Papercut, access to the printer can be restricted by ISU NetID with optional accounting while allowing printing from anywhere in the world. Besides printing normally from Windows and Mac OS X machines with the Papercut software installed, Microsoft Office and Adobe Reader (PDF) documents can be printed from almost any device through a Web interface. Add a printer to Papercut at https://asw.iastate.edu/cgi-bin/acropolis/request/print; see https://papercut.its.iastate.edu:9192/content/help/index.html for more information.
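An added example, not part of the original ITS document: a Python audit of a printer you administer against the address, print-protocol and management-protocol steps above. Only port 9100 comes from the page; the other port numbers are the standard assignments, and treating "private" as RFC 1918 and "global IPv6" as 2000::/3 are assumptions.

```python
import ipaddress
import socket

# Checklist verdicts by TCP port. Only 9100 is named on the page; the other
# numbers are the standard assignments. SNMP (UDP 161) stays enabled and is
# not covered by a TCP connect check.
POLICY = {
    21: ("FTP", "disable"), 23: ("telnet", "disable"), 80: ("HTTP", "disable"),
    443: ("HTTPS", "keep"), 445: ("SMB", "review"), 515: ("LPD", "keep"),
    631: ("IPP", "review"), 9100: ("JetDirect", "keep"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GLOBAL_V6 = ipaddress.ip_network("2000::/3")  # global unicast range


def open_tcp_ports(host, ports=tuple(POLICY), timeout=1.0):
    """TCP-connect to each checklist port on a printer you administer."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:  # refused, filtered or timed out
            pass
    return found


def address_findings(addresses):
    """Flag addresses that are not campus-only (assumption: private means RFC 1918)."""
    out = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 6 and ip in GLOBAL_V6:
            out.append(f"{ip}: global IPv6 address")
        elif ip.version == 4 and not any(ip in net for net in RFC1918):
            out.append(f"{ip}: not a private IPv4 address")
    return out


def port_findings(open_ports):
    """List open ports the checklist says to disable or review."""
    out = []
    for port in sorted(open_ports):
        service, verdict = POLICY.get(port, ("unlisted service", "review"))
        if verdict != "keep":
            out.append(f"{port}/tcp {service}: {verdict}")
    return out


if __name__ == "__main__":
    # Constructed sample: addresses and open ports of a hypothetical printer.
    for line in address_findings(["10.24.8.51", "2001:db8::51"]) + port_findings({23, 80, 443, 9100}):
        print(line)
```

On a real printer, pass the result of `open_tcp_ports()` to `port_findings()` and rerun the check after every firmware update, since updates can re-enable protocols.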
March 23, 2012