How-to Instructions

Printers, Copiers, and Multifunction Devices (Printer/Copier/Scanner/Fax)

Printers, copiers and other multifunction devices have features similar to computers. They can be connected to a network and contain hard drives for storage of information while processing your print/copy/scan/fax request. Many of these devices have services or features that need to be configured to have the proper security settings (e.g., encryption, secure data overwrite, requiring passwords for admin account, disabling ftp and telnet, etc). By default, vendors may not have enabled the settings to properly secure the device.

Departments are responsible for the proper handling and security of the devices from the point of delivery to the time of disposal/transfer. This includes continuously monitoring that the security features are enabled and overseeing the vendor’s handling of the hard drive.

WARNING: Periodically check your printer/multi-function device passwords to confirm that the passwords have not reset back to the default.  This sometimes occurs when serviced.

Departments

  • Verify that the copier, printer or multifunction device has been properly secured.  See section below for more detail.
  • Check with your vendor for instructions on how to enable the required security settings on their device. See the Resources section for some general guides to help get you started.
  • Keep a copy on file of the configuration report provided by the vendor after each service call.
  • Keep a copy on file of a  PDF icon Copier/Multifunction Device Hard Drive Destruction/Sanitization Certificate provided by the vendor.
  • Properly dispose of the hard drive using the University contracted service for secure disposal of hard drives, if the vendor chooses to leave the hard drive with the department for proper disposal.

The University has partnered with the State of Minnesota to contract with copier and multi-function device vendors who provide hard drive encryption and enable secure overwrite feature. See University Purchasing website.

More Information on Securing Printers, Copiers, and Multifunction Devices

  1. Only allow HTTPS (or SNMP v3) for remote management of the device.
  2. Turn off or disable all unneeded printing and network protocols including:
  • AppleTalk
  • Bonjour
  • ftp
  • http
  • snmp
  • telnet

If the service is needed, the local IT support staff should enable or turn on the specific service needed (e.g., snmp), set a strong administrative password for the service and restrict access to only those IP addresses with a business need (e.g., your subnet or University subnets).

  1. Set up a strong administrative password on all interfaces (i.e., web, telnet, ftp, snmp).  Change default or well-known credentials.
  • For SNMP, change your community string to non-default setting (i.e., private, public). Use SNMP Version 3 since it is the only one that supports encryption.
  • Disable anonymous FTP printing on the device. Require that a username/password must be used if FTP absolutely has to be utilized.
  1. Restrict access to the printer to only those IP addresses with a business need.  Options starting with the most preferred include:
  • Network Firewall - if you already have a firewall in place, write appropriate rules to limit access to the printer to only your department's network.
  • Built-in Access Control Lists (ACLs) - many network-attached devices have access-control mechanisms built in.  List the IP's that can be used to log into the management interface.  Consult the vendor's documentation for details on how to deny access by default and enumerate allowed access.
  • Move the printer to a private network (i.e., RFC-1918).  To request, see KB9915947 article.  This will allow access from within the University, while preventing access from everywhere else.  Note - changing the IP of the device may also require reconfiguring every client that uses the device; this makes using the built-in ACLs more appealing in most cases.
  • As a last-resort option, set the default gateway configuration for the printer to an invalid value (0.0.0.0, empty, or some addresses on the network).  This will limit access to the printer to only devices on the same subnet.  This should only be used if the device does NOT support ACLs and you do not have a private network allocation available.
  1. Encrypt the internal hard drive if feature is available.
  2. Print directly from memory.
  3. Enable detailed logging for auditing purposes. Check the logs frequently for unauthorized access.  Required if HIPAA, FERPA data is printed.
  4. Check the firmware version frequently for security updates on the vendor's support site.  Subscribe to the vendor's announcement list.
  5. Check the passwords periodically to confirm that the passwords have not reset back to the default.  This sometimes occurs when serviced.

Vendors

  • Install encrypted disks. Enable secure overwrite, if available.
  • Leave the configuration report with the department when servicing the copier, printer or multifunction device at the time of each service call.
  • Provide a PDF icon Copier/Multifunction Device Hard Drive Destruction/Sanitization Certificate  prior to the hard drive leaving the premises for off-site repairs or swapping out of equipment/hard drive. OR the vendor must remove the hard drive on site and leave it with the department for proper disposal.

See the University Information Security policy for additional steps to secure the device.

Contact Technology Help for assistance.

Resources & Links

University Policy

External Resources

  • Canon
  • HP has a "Secure Storage Erase" feature on some printers
  • Ricoh
  • For other vendors, look for hard drive wiping or secure erasing. Usually listed under the security options section.

Related Topics