Security Standards for Printers
A networked printer or multi-function device (MFD) can be a significant entry point for those interested in sensitive data. Often they are connected to the network and forgotten until it is time to replace them. Because they run operating systems, are connected to the Internet, and are used to transfer documents, these devices need to be secured and kept current with operating system and software patches. If a networked printer or MFD is not secure, all information that is being printed, scanned and faxed is susceptible to compromise. With the built-in network capabilities, there are many ways that information can be taken and misused.
- Change default logins and passwords. Turn off Web connections unless a need can be justified for them. The need must be formally documented.
- All networked printers and MFDs must have a static IP address. To obtain a static IP address, please submit a request to Networking and Enterprise Operations. Printers connected to desktops and used by one individual are not required to have a static IP address.
- If an MFD will be used for copying, faxing, emailing, and/or printing confidential data, it must be located in an area of the office or department that is not accessible to the public.
- Limit access to the printer/MFD only to those faculty and staff who have a definite need to use it.
- Disable unneeded or unused services on the machine, e.g., "Document Server".
- Do not save and/or store documents that contain sensitive data on the machine.
- Vendor support of the machine must provide configuration information and login and password information to NDSU personnel.
- If device support is administered remotely or via the Web, the administrator login and password must be encrypted in transfer and storage. If encryption cannot be used, then remote and Web administration is not allowed and only the local console can be used.
- The administrator login and password, as well as those of any other administrator-type account, must be changed from the default and must be within the standards established by NDSU policy 158 and NDUS policies and procedures.
- The vendor must provide security patches and updates in a timely manner. Any vulnerability left unpatched for more than thirty days would require the device to be shut down until the patch is available from the vendor and installed and activated on the printer/MFD.
- Printers and MFDs must be restricted from offsite Internet access. Users cannot remote into the system to print documents from off campus.
- Email sent and received from the printer/MFD must be within the @ndsu.edu domain.
- SSL certificates must be those approved for use by NDSU. Please visit with the IT Security Office on how to obtain an SSL certificate.
- The systems must support 802.1X network authentication.
- Printers/MFDs must support IPv6.
- All services must be configurable and must be allowed to be completely disabled (e.g., SMTP, NTP, FTP, HTTP, NFS, etc.).
- Disable the Telnet daemon. If a remote shell is needed, it is recommended to use SSH or OpenSSH.
- Disable anonymous FTP access.
- Disable support for the HTTP TRACE method.
- Disable NetBIOS null sessions.
- The SNMP community name string must be changed from the public default name string.
- The printer/MFD will be scanned for the latest vulnerabilities at least quarterly using SANS Top 20 Critical Security Controls as a guide. If the scanning causes performance issues for the printer/MFD, it should be powered off until the vendor can fix or replace it.
- Disable LLMNR if possible.
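
The following is an added example, not part of the NDSU standard: one way to check a printer/MFD inventory record against several of the items above (services to disable, SNMP community string, encrypted remote administration, static IP, @ndsu.edu mail, the thirty-day patch limit). The record field names and the sample device are hypothetical and constructed for illustration.

```python
from datetime import date

# Values taken from the standard above; the record field names are hypothetical.
MAIL_DOMAIN = "ndsu.edu"
MAX_UNPATCHED_DAYS = 30
MUST_BE_DISABLED = {"telnet", "anonymous_ftp", "http_trace", "netbios_null_session"}

def mail_domain_ok(address):
    """True only when the domain part is exactly ndsu.edu (not a lookalike suffix)."""
    local, sep, domain = address.rpartition("@")
    return bool(local) and sep == "@" and domain.lower() == MAIL_DOMAIN

def audit(device, today):
    """Return a list of findings for one printer/MFD inventory record."""
    findings = []
    for svc in sorted(set(device["enabled_services"]) & MUST_BE_DISABLED):
        findings.append(f"disable service: {svc}")
    if device["admin_password_is_default"]:
        findings.append("change default administrator login and password")
    community = device["snmp_community"]          # None when SNMP is off
    if community is not None and community.lower() == "public":
        findings.append("change SNMP community string from 'public'")
    if device["remote_admin"] and not device["remote_admin_encrypted"]:
        findings.append("remote/Web administration without encryption: local console only")
    if not device["static_ip"]:
        findings.append("request a static IP address")
    for addr in device["mail_addresses"]:
        if not mail_domain_ok(addr):
            findings.append(f"mail address outside @{MAIL_DOMAIN}: {addr}")
    oldest = device["oldest_unpatched_vuln"]      # date reported, or None
    if oldest is not None and (today - oldest).days > MAX_UNPATCHED_DAYS:
        findings.append("vulnerability unpatched for more than 30 days: shut device down")
    return findings

# Constructed sample record, not a real device.
SAMPLE = {
    "name": "mfd-example-01",
    "enabled_services": ["http", "telnet", "http_trace", "snmp"],
    "admin_password_is_default": False,
    "snmp_community": "public",
    "remote_admin": True,
    "remote_admin_encrypted": False,
    "static_ip": True,
    "mail_addresses": ["scan@ndsu.edu", "scan@ndsu.edu.example.net"],
    "oldest_unpatched_vuln": date(2024, 1, 2),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, today=date(2024, 2, 15)):
        print(f"{SAMPLE['name']}: {finding}")
```

The mail check compares the whole domain part rather than testing for a substring, so an address such as scan@ndsu.edu.example.net is reported as outside the allowed domain.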