Securing Printers and Multifunction Printing Devices
The security, setup, and maintenance of multifunction printing devices (MFDs) are becoming increasingly important due to a growing number of federal and state regulations. Risk to the data that resides on or passes through MFDs can be mitigated by limiting network and user access to the device. Restricted or internally controlled data is frequently printed, scanned, faxed, or stored on MFDs, often unintentionally. These security practices are intended to reduce exposure from information leakage from logs (e.g. fax logs with credit card numbers, filenames that may give away sensitive HR info); SNMP attacks; HTTP server vulnerabilities; and easy access to information about directory, mail, storage, or other network services.
- Disable all protocols except TCP/IP. If the device supports legacy protocols like IPX or AppleTalk, disable them. Legacy protocols are difficult to monitor and secure. It is a general best practice to turn off services and protocols that are not being used.
- Disable all management interfaces except for those used regularly. Unneeded protocols and services, especially those that do not support encryption, expose the network to potential vulnerabilities and pivot points.
  - HTTPS will likely be the primary management method. If the device will not be accessed remotely, this can be disabled as well.
  - If you use SNMP to manage devices, only enable SNMPv3 and enable both authentication and encryption.
  - Disable FTP and telnet since they rely on clear text for authentication.
  - Disable all other protocols or services that will not be directly used on a regular basis.
- Enable only the printing protocols that will be used. Unneeded protocols and services, especially those that do not support encryption, expose the network to potential vulnerabilities and pivot points. If you're not using any of the following, disable them:
  - Port 9100 (used by HP JetDirect and some other clients)
  - LPD on port 515 (used by many Unix and Linux systems)
  - IPP on port 631 (used by CUPS and some other clients)
  - SMB printing should only be used as a last resort and should generally be disabled.
- If the device has a document server, make sure users have to enter a password to access data. If it is not being used, disable it. Prevent unauthorized access to restricted, internally controlled, or other sensitive data.
- Change the default administrative password. If you are using SNMP, also change that password and default community string. Default passwords and community strings allow anyone to access or abuse the services on the device.
- Ingress and egress traffic to the device should be controlled with firewall rules. Access to device printing protocols and administrative interfaces should be limited to approved subnets or VLANs to prevent unauthorized use or malicious activity. Printing protocols such as LPD or IPP should be restricted such that only approved VLANs can send print jobs. Administrative interfaces such as HTTPS and SNMP should be restricted such that only approved sysadmin VLANs can access these features.
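
One way to confirm that the protocol settings in the checklist above took effect, added here as an example that is not part of the original guidance: the script checks which TCP ports a device answers on and flags anything that should be closed. The function names are hypothetical, and the ports for FTP, telnet, HTTPS and SMB are the well-known defaults rather than values stated on this page.

```python
import socket

# Services with cleartext authentication: the checklist says to disable them.
CLEARTEXT = {21: "FTP", 23: "telnet"}
# Services that may stay enabled only if the site actually uses them.
# 9100, 515 and 631 come from the checklist; 443, 139 and 445 are the
# well-known default ports for HTTPS and SMB (assumed, not stated there).
OPTIONAL = {443: "HTTPS management", 515: "LPD", 631: "IPP",
            9100: "raw port 9100 printing", 139: "SMB", 445: "SMB"}
CHECKED_PORTS = sorted({**CLEARTEXT, **OPTIONAL})
# SNMP runs over UDP 161 and is not visible to a TCP connect check.


def open_tcp_ports(host, ports=CHECKED_PORTS, timeout=1.0):
    """Return the set of ports on host that accept a TCP connection."""
    found = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.add(port)
        except OSError:  # refused, filtered or timed out: treat as closed
            pass
    return found


def audit(open_ports, in_use=frozenset()):
    """Return (port, service, action) findings for ports that should be closed."""
    findings = []
    for port in sorted(open_ports):
        if port in CLEARTEXT:
            findings.append((port, CLEARTEXT[port], "disable: cleartext authentication"))
        elif port not in OPTIONAL:
            findings.append((port, "unknown", "review: not covered by the checklist"))
        elif port not in in_use:
            findings.append((port, OPTIONAL[port], "disable: not declared in use"))
    return findings


if __name__ == "__main__":
    # Constructed scan result for a hypothetical device. Against a real
    # printer, use open_tcp_ports("<device address>") to collect it.
    observed = {23, 443, 515, 9100}
    for port, service, action in audit(observed, in_use={443, 9100}):
        print(f"{port}/tcp {service}: {action}")
```

Running the same check from a host outside the approved VLANs also exercises the firewall rules: from there, every port should appear closed.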