Topics Map > Services > Security
Security Standards for Printers
Many printer, copiers and multi-function devices (printer, copier, scanner, and fax machines combined into one unit) are devices with embedded operating systems such as Windows that interact with the network and the user. These systems often provide services for confidential information and must be secured and in compliance with all NDSU policies and procedures.
A networked printer or multi-function device (MFD) can be a significant entry point for those interested in sensitive and confidential data. Often they are connected to the network and forgotten until it is time to replace them. Because they are machines that have operating systems, can interact with the Internet, and are used to transfer documents on and off campus via email, these devices need to be as secured and be current and up-to-date with operating system and software patches. If a networked printer or MFD is not secure, all information that is being printed, scanned and faxed is susceptible to compromise. With the built-in network capabilities there are many ways that information can be taken and misused.
- All networked printers and MFDs must have a static IP address. To obtain a static IP address, please submit a request to Networking and Enterprise Operations. Printers connected to desktops and used by one individual are not required to have a static IP address.
- If an MFD will be used for copying, faxing, emailing, and/or printing confidential data, it must be located in an area of the office or department that is not accessible to the public.
- Limit access to the printer/MFD only to those faculty and staff who have a definite need to use it.
- Disable unneeded or unused services on the machine, e.g., "Document Server"
- Do not save and/or store documents that contain classified or sensitive information on the machine.
- Change default logins and passwords. Turn off Web connections unless a need can be justified for them.The need must be formally documented.
- Vendor support of the machine must provide configuration information and log in and password information to NDSU personnel.
- If device support is administered remotely or via the Web, the administrator login and password must be encrypted in transfer and storage. If encryption can not be used, then remote and Web administration is not allowable and only the local console can be used.
- The administrator login and password, as well as any other administrator type of account, must be changed from the default and is within standards established by NDSU policy 158 and NDUS policies and procedures.
- The vendor must provide security patches and updates in a timely manner. Any vulnerability left unpatched for more than thirty days would require the device to be shut down until the patch is available from the vendor and installed and activated on the printer/MFD.
- Printers and MFDs must be restricted from offsite Internet access. Users can not remote into the system to print documents from off campus.
- Email sent and received from the printer/MFD must be within the @ndsu.edu domain.
- SSL certificates must be those approved for use by NDSU. Please visit with the IT Security Office on how to obtain an SSL certificate.
- The systems must support 801.1x network authentication.
- Printers/MFDs must support IPv6.
- All services must be configurable and must be allowed to be completely disabled (i.e., SMTP, NTP, FTP, HTTP, NFS, etc.)
- Disable: the the Telnet daemon. If a remote shell is needed, it is recommended to use SSH or OpenSSH;
- Disable: Anonymous FTP access;
- Support for the HTTP Trace method;
- NetBIOS Null sessions;
- The SNMP community name string must be changed from the public default name string. Please click here to find more information on how to disable the SNMP community name string.
- The printer/MFD will be scanned for the latest vulnerabilities at least quarterly using SANS Top 20 Critical Security Controls as a guide. If the scanning caused performance issues for the printer/MFD, it should be powered off until the vendor can fix or replace it.
- Disable LLMNR if possible