Secure Printers and Scanners
Printers, scanners (e.g., copiers, fax machines), and multi-function devices (incorporate print, copy, scan, fax features) are similar to computers. These devices can connect to the network and store data on a hard drive for your print/copy/scan/fax request. When connected to the network, they can be used to launch attacks, store unauthorized data, retrieve scanned and printed documents, or print objectionable or unauthorized material.
Securing these devices is an important step in protecting University data and resources.
Coordinate Changes for University Compliance
Coordinate additions and changes to maintain University compliance.
- For use with payment card information (e.g., credit cards), contact University Accounts Receivable Service (firstname.lastname@example.org).
- For use in a Health Care Component or with health information, contact HST (email@example.com).
Configure and Verify Security Settings
Vendors may not enable the security settings by default, or they may reset to default insecure settings during a vendor service call.
To protect the data and the availability of the device, configure the security settings. Check with the vendor for instructions on how to enable security settings on the device. Many devices require a restart for the settings to take affect.
Periodically check the security settings, especially after a vendor service call.
Restrict Access to the Device
By IP Address(es)
Options starting with the most preferred include:
- Assign the device a campus-routed IP address (i.e., RFC-1918) to only allow access from within the University network. To request a campus-routed IP address, see KB9915947 article. Changing the IP of the device may also require re-configuring every client that uses or manages the device.
- Use a Network Firewall. Write firewall rules to limit access to only the University subnet(s) and network and service protocols that are need to use/manage the device.
- Use Built-in Access Control Lists (ACLs) on the device. List the IP addresses that can log into the management interface on the device. Consult the vendor's documentation for details on how to deny access by default and enumerate allowed access.
- Set the default gateway configuration on the device to an invalid value (0.0.0.0, empty, or some addresses on the network). This will limit access to only devices on the same subnet. Use this option only if the device does not support ACLs or device can not use a campus-routed IP address.
By Network Protocols
TCP/IP is generally the only network protocol needed. Some of the following are used for compatibility with legacy systems. Restrict access to the IP addresses that use the particular network protocol, otherwise disable the network protocol.
- Wireless broadcast
By Service Protocols
Use https (or snmp v3) for remote management of the device. Use snmp v3 (prior versions do not support encryption). Restrict access to the IP addresses that use the particular service protocol and set a strong password, otherwise disable the service protocol.
- http (use https)
- ftp (including anonymous ftp)
- snmp v1 and v2 (see reducing risk of snmp)
- smtp, tcp port 25 (not needed to send outgoing mail using the University mail relay)
Maintain Unique and Strong Passwords on Accounts and Service Protocols
- Default passwords or well-known credentials for the device (e.g., vendor service account), change to a unique strong password.
- snmp community string (e.g., private, public), change to non-default settings and set a strong password. Disable public community string, if not used.
- Web interface, set a strong password.
- ftp if used, require a username and strong password.
- telnet if used, set a strong password.
Check passwords after a vendor service call to ensure that the passwords are not reset to default passwords.
Protect the Data
Encrypt the Internal Hard Drive
Encryption is a feature available on newer devices. Enable secure overwrite feature.
The University has partnered with the State of Minnesota to contract with copier and multi-function device vendors who provide hard drive encryption and enable secure overwrite feature. See University Purchasing website.
Print Directly from Memory
Enable the print directly from memory feature on the device. The data is not written to the device's hard drive.
Enable Logging and Review Logs
- Enable detail logging for auditing and security purposes.
- Review logs for unauthorized access. This is required on devices with HIPAA, FERPA, or payment card (credit card) data.
Monitor the Device
Check for and Install Firmware Updates
- Check the vendor's support site and/or subscribe to the vendor's announcement mailings.
- Verify that the device is running the current firmware version.
- Install firmware updates.
Manage Vendor Service Calls
- Keep a copy of the configuration report that the vendor needs to provide after each service call. If not provided, verify and document that the security settings did not change.
- Complete a Copier/Multifunction Device Hard Drive Destruction/Sanitization Certificateprior to the hard drive leaving the premises for off-site repairs or swapping out of equipment/hard drive. OR the vendor must remove the hard drive on site and leave it with the unit for proper disposal.
- Check passwords after a vendor service call to ensure that the passwords are not reset to default passwords
- Verify security settings after a vendor service call to ensure that they are properly set,
Properly Dispose of the Hard Drive
- Determine the proper disposal of the hard drive while adhering to the Media Sanitization standard in the Information Security policy
- Complete a Copier/Multi-function Device Hard Drive Destruction/Sanitization Certificate. Keep a copy of this document.
- For hard drives left with the unit, use the University contracted service for secure disposal of hard drives.
- Depending on the value of the device, complete the University’s Equipment Disposal Form.
See the University Information Security policy for additional steps to secure the device to meet the data security classification and security level for the device.
Contact Technology Help for assistance.