Overview

• Security Policies
• Awareness & Education Topics
• Tools & Instructions

Incident Response

• What Is a Security Incident?
• Incident Response Protocol
• Data Breach Notification
• Copyright Complaint
• Harassment

Help & Support

• Technical Support
• Contact Information
• Technical Listservs
• Learning Opportunities

About Us

• Charter

Office of Information Technology (OIT) > Security Information for IT Professionals > Awareness and Education Topics > Printers, Copiers, and Multi-function Devices

Printers, Copiers, and Multi-function Devices (Printer/Copier/Scanner/Fax)

Printers, copiers and other multi-function devices have features similar to computers. They can be connected to a network and contain hard drives for storage of information while processing your print/copy/scan/fax request. Many of these devices have services or features that need to be configured to have the proper security settings (e.g., encryption, secure data overwrite, requiring passwords for admin account, disabling ftp and telnet, etc). By default, vendors may not have enabled the settings to properly secure the device.

Departments are responsible for the proper handling and security of the devices from the point of delivery to the time of disposal/transfer. This includes continuously monitoring that the security features are enabled and overseeing the vendor’s handling of the hard drive.

Vendors

• Install encrypted disks. Enable secure overwrite, if available.
• Leave the configuration report with the department when servicing the copier, printer or multi-function device at the time of each service call.
• Provide a Copier/Multi-function Device Hard Drive Destruction/Sanitation Certificate prior to the hard drive leaving the premises for off-site repairs or swapping out of equipment/hard drive. OR the vendor must remove the hard drive on site and leave it with the department for proper disposal.

Departments

• Verify that the copier, printer or multi-function device has been properly secured.  See section below for more detail.
• Check with your vendor for instructions on how to enable the required security settings on their device. See the Resources section for some general guides to help get you started.
• Keep a copy on file of the configuration report provided by the vendor after each service call.
• Keep a copy on file of a Copier/Multi-function Device Hard Drive Destruction/Sanitation Certificate provided by the vendor.
• Properly dispose of the hard drive using the University contracted service for secure disposal of hard drives, if the vendor chooses to leave the hard drive with the department for proper disposal.

The University has partnered with the State of Minnesota to contract with copier and multi-function device vendors who provide hard drive encryption and enable secure overwrite feature. See University Purchasing web site.

More Information on Securing Printers, Copiers, and Multi-function Devices

1.  Set up an administrative password on all interfaces (i.e., web, telnet, ftp, snmp).  Change default or well-known credentials.
2. Restrict access to the printer to only those IP addresses with a business need.  Options starting with the most preferred include:

• Network Firewall - if you already have a firewall in place, write appropriate rules to limit access to the printer to only your department's network.
• Built-in Access Control Lists (ACLs) - many network-attached devices have access-control mechanisms built in.  Consult the vendor's documentation for details on how to deny access by default and enumerate allowed access.
• Move the printer to a private network (i.e., RFC-1918) by contacting OIT Network.  This will allow access from within the University, while preventing access from everywhere else.  Note - changing the IP of the device may also require reconfiguring every client that uses the device; this makes using the built-in ACLs more appealing in most cases.
• As a last-resort option, set the default gateway configuration for the printer to an invalid value (0.0.0.0, empty, or some addresses on the network).  This will limit access to the printer to only devices on the same subnet.  This should only be used if the device does NOT support ACLs and you do not have a private network allocation available.

3. Disable all unneeded printing and network protocols (i.e., AppleTalk, telnet, ftp, http).
4. Disable SNMP.  If SNMP is needed, change your community string to non-default setting (i.e., private, public).  Use SNMP Version 3 since it is the only one that supports encryption.
5. Disable anonymous FTP printing on the device.  Require that a username/password must be used if FTP absolutely has to be utilized.
6. Only allow HTTPS (or SNMP v3) for remote management of the device.
7. Encrypt the internal hard drive if feature is available.
8. Print directly from memory.
9. Enable detailed logging for auditing purposes. Check the logs frequently for unauthorized access.  Required if HIPAA, FERPA data is printed.
10. Check the firmware version frequently for security updates on the vendor's support site.  Subscribe to the vendor's announcement list.

See the University policy Securing Private Data, Computers and Other Electronic Devices for additional steps to secure the device.

Resources & Links

University Policies:

• Securing Private Data, Computers and Other Electronic Devices

Other Links:

• Copier/Multi-function Device Hard Drive Destruction/Sanitation Certificate
• Equipment Disposal Form
• Secure Data Deletion
• Secure Disposal of Hard Drives

External:

Hewlett Packard (HP)

• HP Security for imaging and printing
• Practical Considerations for Imaging and Printing Security (PDF)
• Securing Print Servers on the Network

Other

• Securing Multifunction Printers (MFP)- printing, copying, scanning & faxing devices - SANS
• Multifunction Printer Hardening Checklist - University of Texas at Austin
• Securing HP Printers - University of California, Santa Cruz
• Securing HP Printer - University of New Mexico