Securing Network Printers and Multi-Function Devices
Network printers and Multi-Function Devices (MFDs) are common in offices because they provide the ability to copy, print, scan, and fax from one central machine that is shared by many. MFDs typically store information and are connected to the network, so security controls need to be enforced to protect the information being printed, copied, scanned, or faxed. UH policy EP 2.214, Security and Protection of Sensitive Information, defines security requirements when MFDs are used for protected data.
The following is a list of best practices that should be followed to harden network printers and MFDs. This checklist is a guideline, since the management interfaces for MFDs vary; refer to the MFD's documentation or the vendor to ensure you implement the security controls available for your model.
- Change default Administrator password - Change the default passwords and SNMP community strings to complex passwords. If possible, the passwords should be changed at least annually.
- Disable unneeded management protocols - Disable unused network protocols. TCP/IP is necessary for the network device, with restrictions. SMTP, SNMPv3 and HTTPS may be used for device management, updates, monitoring, and communications. Other protocols provide potential for unauthorized access or compromise, so they should be disabled if possible.
- Assign a Static or Fixed IP - Network printers and MFDs should have a static or fixed IP. This provides protection in the event that the DNS cache is poisoned: print files cannot be redirected.
- IP Filtering - If possible, restrict access to the MFD by allowing access only from a specific set or range of IP addresses.
- Updates - To protect the network printer or MFD from known security vulnerabilities, the firmware needs to be kept up to date. To ensure that updates are applied in a timely manner, the MFD Administrator should request automatic update notifications if the manufacturer offers them. The MFD Administrator should also check for patches available to mitigate the vulnerabilities. Common Vulnerabilities and Exposures (CVE): click on "Search CVE List" and enter your MFD or printer manufacturer/model.
- Physical Security - If there is a hard drive in the MFD, physical access to the device should be restricted / secured to prevent unauthorized access / removal of the hard drive.
- Data Security - If there is a hard drive in the MFD, enable encryption for data stored and data transmitted to and from the device. The recommended encryption algorithm is Advanced Encryption Standard (AES 128-bit). Also enable immediate and scheduled image overwrite to erase data from the hard drive and non-volatile storage. Check the manufacturer's technical specifications to ensure the hard drive can be encrypted.
- Authentication - Enable network authentication to restrict users' access to authorized services, and ensure users cannot access the MFD global configuration.
- Secure Printing - If available, enable the secure printing option that holds the print job until the owner enters a PIN to release the document.
- Logging - Enable logging to capture job activity, user access, fax logging, configuration changes, etc. The logs are necessary to identify malicious activity, and in the event of a security incident, logs can assist with prosecution. Logs should be reviewed for irregular activity that may be considered a security incident, for example transmitting large amounts of data after regular business hours or many failed logon attempts in a short amount of time.
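One way to automate the log review described in the Logging item, as an added example that is not part of the original checklist. It assumes the MFD log has been exported as CSV lines of timestamp, user, source IP, event, bytes (real export formats vary by vendor); the sample lines, business hours and thresholds are constructed assumptions to tune locally.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; real MFD export formats vary by vendor.
SAMPLE_LOG = """\
2024-03-04T10:15:00,alice,10.0.5.21,scan_to_email,2400000
2024-03-04T23:40:00,bob,10.0.5.44,scan_to_email,310000000
2024-03-05T02:10:00,carol,10.0.5.60,print,150000
2024-03-05T08:59:10,admin,10.0.9.7,login_failed,0
2024-03-05T08:59:25,admin,10.0.9.7,login_failed,0
2024-03-05T08:59:41,admin,10.0.9.7,login_failed,0
2024-03-05T09:00:02,admin,10.0.9.7,login_failed,0
2024-03-05T09:00:15,admin,10.0.9.7,login_failed,0
2024-03-05T14:00:00,dave,10.0.5.33,login_failed,0
"""

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 on weekdays (assumed)
LARGE_TRANSFER_BYTES = 100_000_000   # assumed threshold for "large" jobs
MAX_FAILURES = 5                     # assumed failed-logon threshold
FAILURE_WINDOW = timedelta(minutes=5)

def parse(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, event, size = line.split(",")
        yield datetime.fromisoformat(ts), user, src, event, int(size)

def review(text):
    """Return (timestamp, source, reason) findings for irregular activity."""
    findings = []
    failures = defaultdict(deque)  # source IP -> recent failed-logon times
    for ts, user, src, event, size in parse(text):
        after_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
        if after_hours and size >= LARGE_TRANSFER_BYTES:
            findings.append((ts, src, f"after-hours transfer of {size} bytes by {user}"))
        if event == "login_failed":
            recent = failures[src]
            recent.append(ts)
            while ts - recent[0] > FAILURE_WINDOW:  # drop failures outside the window
                recent.popleft()
            if len(recent) == MAX_FAILURES:  # report once when the threshold is reached
                findings.append((ts, src, f"{MAX_FAILURES} failed logons within {FAILURE_WINDOW}"))
    return findings

if __name__ == "__main__":
    for ts, src, reason in review(SAMPLE_LOG):
        print(ts.isoformat(), src, reason)
```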