Printers, Copiers, and Multi-function Devices (Printer/Copier/Scanner/Fax)

Printers, copiers and other multi-function devices have features similar to computers. They can be connected to a network and contain hard drives for storage of information while processing your print/copy/scan/fax request. Many of these devices have services or features that need to be configured to have the proper security settings (e.g., encryption, secure data overwrite, requiring passwords for admin account, disabling ftp and telnet, etc). By default, vendors may not have enabled the settings to properly secure the device.

Departments are responsible for the proper handling and security of the devices from the point of delivery to the time of disposal/transfer. This includes continuously monitoring that the security features are enabled and overseeing the vendor’s handling of the hard drive.

Vendors

Departments

The University has partnered with the State of Minnesota to contract with copier and multi-function device vendors who provide hard drive encryption and enable secure overwrite feature. See University Purchasing web site.

More Information on Securing Printers, Copiers, and Multi-function Devices

  1. Only allow HTTPS (or SNMP v3) for remote management of the device.
  2. Turn off or disable all unneeded printing and network protocols including:

If the service is needed, the local IT support staff should enable or turn on the specific service needed (e.g., snmp), set a strong administrative password for the service and restrict access to only those IP addresses with a business need (e.g., your subnet or University subnets).

  1. Set up a strong administrative password on all interfaces (i.e., web, telnet, ftp, snmp).  Change default or well-known credentials.
  1. Restrict access to the printer to only those IP addresses with a business need.  Options starting with the most preferred include:
  1. Encrypt the internal hard drive if feature is available.
  2. Print directly from memory.
  3. Enable detailed logging for auditing purposes. Check the logs frequently for unauthorized access.  Required if HIPAA, FERPA data is printed.
  4. Check the firmware version frequently for security updates on the vendor's support site.  Subscribe to the vendor's announcement list.

See the University policy Securing Private Data, Computers and Other Electronic Devices for additional steps to secure the device.