Printers, Copiers, and Multi-function Devices (Printer/Copier/Scanner/Fax)
Printers, copiers and other multi-function devices have features similar to computers. They can be connected to a network and contain hard drives for storage of information while processing your print/copy/scan/fax request. Many of these devices have services or features that need to be configured to have the proper security settings (e.g., encryption, secure data overwrite, requiring passwords for the admin account, disabling FTP and Telnet, etc.). By default, vendors may not have enabled the settings to properly secure the device.
Departments are responsible for the proper handling and security of the devices from the point of delivery to the time of disposal/transfer. This includes continuously monitoring that the security features are enabled and overseeing the vendor’s handling of the hard drive.
- Install encrypted disks. Enable secure overwrite, if available.
- Leave the configuration report with the department when servicing the copier, printer or multi-function device at the time of each service call.
- Provide a Copier/Multi-function Device Hard Drive Destruction/Sanitation Certificate prior to the hard drive leaving the premises for off-site repairs or swapping out of equipment/hard drive. Alternatively, the vendor must remove the hard drive on site and leave it with the department for proper disposal.
- Verify that the copier, printer or multi-function device has been properly secured. See section below for more detail.
- Check with your vendor for instructions on how to enable the required security settings on their device. See the Resources section for some general guides to help get you started.
- Keep a copy on file of the configuration report provided by the vendor after each service call.
- Keep a copy on file of a Copier/Multi-function Device Hard Drive Destruction/Sanitation Certificate provided by the vendor.
- Properly dispose of the hard drive using the University contracted service for secure disposal of hard drives, if the vendor chooses to leave the hard drive with the department for proper disposal.
The University has partnered with the State of Minnesota to contract with copier and multi-function device vendors who provide hard drive encryption and enable the secure overwrite feature. See University Purchasing web site.
More Information on Securing Printers, Copiers, and Multi-function Devices
- Only allow HTTPS (or SNMP v3) for remote management of the device.
- Turn off or disable all unneeded printing and network protocols including:
If the service is needed, the local IT support staff should enable or turn on the specific service needed (e.g., snmp), set a strong administrative password for the service and restrict access to only those IP addresses with a business need (e.g., your subnet or University subnets).
- Set up a strong administrative password on all interfaces (i.e., web, telnet, ftp, snmp). Change default or well-known credentials.
- For SNMP, change your community strings from the default settings (i.e., private, public) to non-default values. Use SNMP Version 3 since it is the only one that supports encryption.
- Disable anonymous FTP printing on the device. Require a username/password if FTP absolutely has to be utilized.
- Restrict access to the printer to only those IP addresses with a business need. Options starting with the most preferred include:
  - Network Firewall - if you already have a firewall in place, write appropriate rules to limit access to the printer to only your department's network.
  - Built-in Access Control Lists (ACLs) - many network-attached devices have access-control mechanisms built in. Consult the vendor's documentation for details on how to deny access by default and enumerate allowed access.
  - Move the printer to a private network (i.e., RFC-1918). To request, see KB9915947 article. This will allow access from within the University, while preventing access from everywhere else. Note - changing the IP of the device may also require reconfiguring every client that uses the device; this makes using the built-in ACLs more appealing in most cases.
  - As a last-resort option, set the default gateway configuration for the printer to an invalid value (0.0.0.0, empty, or some addresses on the network). This will limit access to the printer to only devices on the same subnet. This should only be used if the device does NOT support ACLs and you do not have a private network allocation available.
- Encrypt the internal hard drive if the feature is available.
- Print directly from memory.
- Enable detailed logging for auditing purposes. Check the logs frequently for unauthorized access. Required if HIPAA or FERPA data is printed.
- Check the firmware version frequently for security updates on the vendor's support site. Subscribe to the vendor's announcement list.
See the University policy Securing Private Data, Computers and Other Electronic Devices for additional steps to secure the device.
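
The settings listed above can be re-checked each time the vendor leaves a configuration report. The following is an added example, not University or vendor code: the setting names, the sample report and the 10.20.0.0/16 department network are hypothetical, and a real vendor report would first have to be mapped to these keys.

```python
import ipaddress

# Constructed sample. The key names are hypothetical; real configuration
# reports are vendor-specific and must be mapped to these keys first.
SAMPLE_REPORT = {
    "http": "enabled", "https": "enabled", "telnet": "enabled",
    "ftp": "disabled", "ftp_anonymous": "disabled",
    "snmp": "enabled", "snmp_version": "2c", "snmp_community": "public",
    "default_admin_password": "no",  # "no" = the default credential was changed
    "acl_default": "deny", "acl_allowed": ["10.20.30.0/24", "0.0.0.0/0"],
    "disk_encryption": "enabled", "secure_overwrite": "disabled",
    "audit_logging": "enabled",
}

MUST_BE_OFF = ("http", "telnet", "ftp", "ftp_anonymous")
MUST_BE_ON = ("https", "disk_encryption", "secure_overwrite", "audit_logging")


def audit(report, business_nets):
    """Return (setting, advice) findings; a missing key counts as the unsafe value."""
    findings = []
    for key in MUST_BE_OFF:
        if report.get(key, "enabled") != "disabled":
            findings.append((key, "disable unless there is a documented need"))
    for key in MUST_BE_ON:
        if report.get(key, "disabled") != "enabled":
            findings.append((key, "enable if the device supports it"))
    if report.get("default_admin_password", "yes") != "no":
        findings.append(("default_admin_password", "set a strong admin password"))
    if report.get("snmp", "enabled") != "disabled":
        if str(report.get("snmp_version")) != "3":
            findings.append(("snmp_version", "use SNMP v3"))
        if report.get("snmp_community", "public").lower() in ("public", "private"):
            findings.append(("snmp_community", "change the default community string"))
    # Access control: deny by default, and every allowed range must sit inside
    # a network with a business need.
    if report.get("acl_default", "allow") != "deny":
        findings.append(("acl_default", "deny access by default"))
    needed = [ipaddress.ip_network(n) for n in business_nets]
    for entry in report.get("acl_allowed", []):
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.version == b.version and net.subnet_of(b) for b in needed):
            findings.append(("acl_allowed", f"{entry} is wider than the business need"))
    return findings


if __name__ == "__main__":
    for setting, advice in audit(SAMPLE_REPORT, ["10.20.0.0/16"]):
        print(f"{setting}: {advice}")
```

Keeping the output with the filed configuration report gives a record of which settings were still open after each service call.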