Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Security
Topics Map > University of Chicago > IT Services > Applications, Operating Systems, & Devices > Devices

Network Security for Printers

This article explains required and recommended steps to secure printers and related devices on the network. Network printers and related multifunction devices are insecure by default.

Introduction

Networked printers provide a large out-of-the-box feature set with little to no default security. Most printers will allow a remote intruder full administrative access unless the printer administrator reconfigures the device. Insecure printers on the internet or even just the campus network risk misuse and disclosure of user data (e.g. intruders obtain copies of your documents) and provide an opportunity for miscreants to use the device as a platform to attack other systems (e.g. printers are commonly used as part of Denial of Service attacks). This document describes some straightforward steps to securing your printer while it is connected to a network. Please note that we do not cover other important topics such as physical access and proper disposal.

Administrative Actions

Required Steps

Printer configuration varies widely across manufacturers and models so we can provide only general guidance and minimum requirements. For instructions on performing any configuration specific to your particular device, please contact your vendor or consult your vendor's documentation.

Any networked device that does not meet the following basic standards poses a risk to the network (and the device users) and thus IT Security may remove it from the network for remediation.

  1. Review the manufacturer recommendations for securely configuring your printer. Apply any manufacturer firmware updates required to secure the device and make any necessary configuration changes. Links to some common manufacturers are provided below.
  2. Use a campus-only computer address (IP address starting with 10.135.x.y) so your printer is not available to the general internet. For systems currently using a public internet computer address (IP 128.135.x.y or 205.208.x.y) you can re-register the device (keeping the same hostname but changing the IP) using the Network Engineering host registration process. If the printer users access the printer using its hostname, this should be a transparent change. If users access it using the printer IP, then the clients will need to be reconfigured as well. Please note that if there is a clear business need for a public IP that outweighs the risk, then the printer may remain on the public internet but the system must follow all steps described here, must have a knowledgeable system administrator who registers the device with Network Security, and who will be responsible for system updates.
  3. Disable any unused remote access services (e.g. telnet, SNMP, FTP, web) and protocols (e.g. Appletalk).
  4. Set a strong password for any enabled remote access services.

Recommended Steps

The following steps are highly recommended:

  1. If your printer provides access control or a firewall: configure Access Control Lists (ACLs) which restrict use of the printer to defined set of client computers (e.g. your LAN or subnet).
  2. If you plan on administering or printing via http: enable Secure Sockets Layer (SSL) for encrypted network transport using https.
  3. If your printer supports remote logging (syslog): consider configuring the system to syslog to a departmental monitoring server or to Network Security's syslog server (syslog-n0.uchicago.edu, 514/udp). If possible, have it set to only send logs relating to authentication and use of any open remote control services, such as FTP.
  4. Once you have taken steps to secure the device, request that IT Security review the configuration (email security@uchicago.edu with your printer's IP or hostname).

Resources

Security-Related Configuration and Upgrades from Common Manufacturers

Links to vendor information below. This list is a starting point and not meant to be a comprehensive list. As stated above: for instructions on performing any configuration specific to your particular device, please contact your vendor or consult your vendor's documentation.

HP

Xerox

Lexmark

Finding Known Issues

You can search for known vulnerabilities for your device. One possible way is to search for vulnerabilities by vendor. Some quick links into the vulnerability database:




Keywords:printing, MFP, Multi_Function_Product, Multi_Function_Printer, Multi_Function_Peripheral, multifunctional, all-in-one, AIO, Multifunction_Device, MFD   Doc ID:42399
Owner:James C.Group:University of Chicago
Created:2014-07-31 11:27 CDTUpdated:2017-03-10 09:25 CDT
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  0   0