Networked Printers, Copiers, and Multi-function Devices

Networked printers, copiers, and multi-function devices are computers. As such, they are open to attack from the network and there are ways to compromise them. Because of this, it is important to secure any networked device before putting it on the campus network.

This document will refer to printers, copiers, multi-function devices and any other networkable devices producing print on paper as "printers".

Security Measures When Connecting a Printer to the Network

If a networked printer, copier, or multi-functional device is compromised, the device can be used for network scanning, spamming and denial of service attacks like any other computer. It is also possible to transfer copies of all documents printed or scanned to the attacker, a serious security risk.

Recommended Security Measures

Listed below are security measures that Iowa State IT recommends you take with any printer before connecting it to the network. Note: consult the printer's documentation and/or the manufacturer's website for detailed instructions.

Give the printer a private static IP address

Private IP addresses can only be contacted from machines on the Iowa State network, or off-campus machines using the Iowa State VPN service. This will greatly limit the opportunity for attacks.

Request a static IP address through the ASW page and choose "Private IP number (no connection to the Internet, campus only)". While you're getting an IP, give the printer a meaningful name that will help users find it without needing that IP number.

Disable IPv6

Newer printers can use IPv6 addresses, and will assign one to themselves if you don't set one. IPv6 addresses are inherently visible from the world, bypassing the firewall.

Set an administrator password

Many printers come with no administrator password, or with a default password known to the entire world. Set a secure password of sixteen characters or longer with at least two types of characters.

Update the printer's firmware to the manufacturer's latest version

This is especially important for older HP printers, which have known vulnerabilities. Like any software update, this is a continuing process and will need to be repeated as new updates are released. After you've applied updates, check the printer's settings carefully. Manufacturers have added features and protocols to printers as part of updates, and you may wish to disable some of them.

Disable all unneeded communications protocols

TCP/IP (IP) is the only protocol necessary for communicating with most computers. AppleTalk and IPX/SPX are rarely used and are not routed between buildings at Iowa State.

Disable all unused print protocols

Most computers can now print via JetDirect (port 9100) and/or LPD. If you have no Macintosh workstations, you can disable Bonjour (aka mDNS). IPP is uncommon, SMB (Windows) is not usually required, and FTP is insecure and should not be used.

Disable all unneeded management protocols

Most administrators control printers through a Web interface; make sure that access is by HTTPS, not HTTP. Disable the telnet protocol. Leave SNMP enabled; both Windows 7 and PaperCut use it for reading printer status.

Consider setting access control lists on the printer where possible

An access control list (ACL) allows you to specify the machines or subnets that can connect to the printer. This can increase security, but requires additional management.

Consider using PaperCut

With PaperCut, access to the printer can be restricted by Iowa State NetID with optional accounting while allowing printing from anywhere in the world. Besides printing normally from Windows and Mac OS X machines with the PaperCut software installed, Microsoft Office and Adobe Reader documents can be printed from almost any device through a Web interface.
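
To check a printer you administer against the addressing and protocol recommendations above, the following added example (not an Iowa State IT tool) compares its address and open TCP ports with that baseline. It assumes "private IP" means an RFC 1918 address and that each service listens on its standard port; only port 9100 is stated on this page, and the sample address and port set are constructed.

```python
import ipaddress
import socket

# TCP ports for the services named on this page. Only 9100 is given on the
# page; the rest are the standard well-known ports (an assumption here).
# SNMP and Bonjour/mDNS use UDP and are not covered by this TCP check.
POLICY = {
    21:   ("FTP", "disable"),        # insecure, should not be used
    23:   ("telnet", "disable"),     # disable the telnet protocol
    80:   ("HTTP", "disable"),       # management should be HTTPS only
    443:  ("HTTPS", "expected"),
    445:  ("SMB", "review"),         # not usually required
    515:  ("LPD", "expected"),
    631:  ("IPP", "review"),         # uncommon
    9100: ("JetDirect", "expected"),
}
# Assumption: a campus "private IP" is an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def probe_tcp(host, ports=tuple(POLICY), timeout=1.0):
    """Return the set of ports on host that accept a TCP connection."""
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:
            pass  # closed, filtered, or unreachable
    return open_ports

def audit(address, open_ports):
    """Compare a printer's address and open ports with the recommendations."""
    findings = []
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        findings.append(("disable", "IPv6 address in use"))
    elif not any(ip in net for net in RFC1918):
        findings.append(("review", "address is not RFC 1918 private"))
    for port in sorted(open_ports):
        name, action = POLICY.get(port, ("unknown service", "review"))
        if action != "expected":
            findings.append((action, f"{name} open on TCP {port}"))
    return findings

if __name__ == "__main__":
    # Constructed sample input. For a live check of your own printer, pass
    # audit() the result of probe_tcp(address) instead of a literal set.
    for action, detail in audit("10.10.20.31", {23, 80, 443, 631, 9100}):
        print(f"{action:8} {detail}")
```

An empty result means the address is private and only HTTPS, LPD and JetDirect answered; check SNMP and Bonjour separately, since they run over UDP.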

Additional Resources