Network Security for Printers


 

Introduction

Networked printers provide a large out-of-the-box feature set with little to no default security. Most printers will allow a remote intruder full administrative access unless the printer administrator reconfigures the device. Insecure printers that are connected to the campus network or to your home network risk misuse and disclosure of user data, and provide an opportunity for intruders to use the device as a platform to attack other systems. For example, unsecured printers can allow an intruder to obtain copies of your documents or be used to interrupt user access to the network, which is known as a denial of service (DoS) attack.

This document describes some straightforward steps for securing your printer while it is connected to any network. Please note that other related topics, such as physical access and proper disposal of proprietary information, are not covered here.

Administrative Actions

Required Steps

Printer configuration varies widely across manufacturers and models, so only general guidance and minimum requirements can be provided here. For instructions on performing any configuration specific to your particular device, please contact your vendor or consult your vendor's documentation.

Before you put a printer or any network device onto the University's network, the following basic standards should be followed to avoid putting the network and its users at risk. IT Security may remove your device from the network when these guidelines are not followed. To secure your printer or network device, you should do the following:

  1. Review the manufacturer's recommendations for securely configuring your printer. Apply any required manufacturer firmware updates to secure the device and make any necessary configuration changes. Links to some common manufacturers are provided below.
  2. Use a campus-only Internet Protocol (IP) address that starts with 10.135.x.y so your printer is not available on the public internet. For systems currently using a public internet address in one of these ranges, 128.135.x.y or 205.208.x.y, you can re-register the device. Re-registering will allow you to keep the same hostname but change the IP address. Re-register using the DHCP Manual Network Registration form. If the printer's users access the printer using its hostname, this should be a transparent change. If users access the printer using the printer's IP address, then the printer app will need to be reconfigured as well. Please note that if there is a clear business need for a public IP address that outweighs the risk, then the printer may remain on the public internet. However, the system must:
    1. follow all the steps described in this document
    2. have a knowledgeable system administrator who registers the device with IT Security
    3. have someone who will be responsible for installing the system updates
  3. Disable any unused remote access services (e.g., telnet, SNMP, FTP, web) and protocols (e.g., Appletalk).
  4. Set a strong password for any enabled remote access services.
  5. Change any of the printer's default credentials such as account name, username, and password. If possible, the account name should be changed so that it is no longer a default such as "admin" or "administrator." The password has to be changed to a strong password that is in line with the guidelines for CNetID passwords. See the Password Management section of the CNetID Account Management Practices website for guidance.
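
As an added example (not part of the original guidance or any vendor tool), the Python sketch below checks one of your own printers against required steps 2, 3 and 5. Reading "x.y" as a /16 network, the service names and port numbers, and the sample record are assumptions made for illustration.

```python
import ipaddress
import socket

# Address ranges named on this page; reading "x.y" as a /16 is an assumption.
CAMPUS_ONLY = ipaddress.ip_network("10.135.0.0/16")
PUBLIC = [ipaddress.ip_network(n) for n in ("128.135.0.0/16", "205.208.0.0/16")]
# TCP services from required step 3. SNMP (UDP 161) and AppleTalk are not probed.
TCP_SERVICES = {"ftp": 21, "telnet": 23, "web": 80, "https": 443}
DEFAULT_ACCOUNTS = {"admin", "administrator"}


def classify_address(addr):
    """Return 'campus-only', 'public' or 'other' for a printer address."""
    ip = ipaddress.ip_address(addr)
    if ip in CAMPUS_ONLY:
        return "campus-only"
    if any(ip in net for net in PUBLIC):
        return "public"
    return "other"


def listening_services(host, services=TCP_SERVICES, timeout=1.0):
    """Names of services on your own printer that accept a TCP connection."""
    found = []
    for name, port in services.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(name)
        except OSError:
            pass  # closed, filtered or unreachable
    return sorted(found)


def audit(addr, listening, needed, account):
    """Compare one printer's observed state with required steps 2, 3 and 5."""
    findings = []
    if classify_address(addr) != "campus-only":
        findings.append(f"{addr}: not in 10.135.x.y (step 2)")
    for svc in sorted(set(listening) - set(needed)):
        findings.append(f"{addr}: unused service '{svc}' is enabled (step 3)")
    if account.lower() in DEFAULT_ACCOUNTS:
        findings.append(f"{addr}: default account name '{account}' (step 5)")
    return findings


if __name__ == "__main__":
    # Constructed inventory record; replace with listening_services(host) output.
    for line in audit("128.135.10.20", ["ftp", "telnet", "https"], ["https"], "admin"):
        print(line)
```

A printer that legitimately keeps a public address under the business-need exception will still be reported for step 2; treat that finding as a prompt to confirm the registration with IT Security.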

Recommended Steps

The following steps are highly recommended:

  1. If your printer provides access control or a firewall, configure Access Control Lists (ACLs), which restrict the printer's use to a defined set of client computers (e.g., your local area network (LAN) or subnet).
  2. If you plan on administering or printing via HTTP: enable Secure Sockets Layer (SSL) for encrypted network transport using HTTPS.
  3. If your printer supports remote logging (Syslog): consider configuring the system to send Syslog messages to a departmental monitoring server or to Network Security's Syslog server (syslog-n0.uchicago.edu, 514/udp). If possible, have it set to only send logs relating to authentication and use of any open remote control services, such as FTP.
  4. Once you have taken steps to secure the device, send a request to IT Security at security@uchicago.edu to have the configuration reviewed. Please include the printer's IP or hostname in your email.
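
For recommended step 3, when a printer cannot restrict what it sends, a departmental monitoring server can apply the same filter on receipt. The Python sketch below is an added example (not part of the original guidance): it decodes the syslog PRI field and keeps only the auth, authpriv and ftp facilities. The sample messages are constructed, and whether a given printer tags its messages with these facilities is an assumption to verify against your device.

```python
import re

# Facility codes from the syslog PRI field (RFC 3164 / RFC 5424).
KEEP_FACILITIES = {4: "auth", 10: "authpriv", 11: "ftp"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(message):
    """Split a syslog line into (facility, severity, rest); None if malformed."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    return pri // 8, pri % 8, m.group(2)


def keep_auth_and_remote(messages):
    """Keep only messages about authentication and remote-access services."""
    kept = []
    for msg in messages:
        decoded = decode_pri(msg)
        if decoded is None:
            continue  # no usable PRI field, so the facility is unknown
        facility, severity, rest = decoded
        if facility in KEEP_FACILITIES:
            kept.append((KEEP_FACILITIES[facility], SEVERITIES[severity], rest))
    return kept


# Constructed sample messages, not captured from a real printer.
SAMPLE = [
    "<38>Oct 11 22:14:15 printer01 httpd: admin login failed from 10.135.4.20",
    "<51>Oct 11 22:15:02 printer01 engine: paper jam in tray 2",
    "<94>Oct 11 22:16:40 printer01 ftpd: connection from 10.135.4.31",
    "<86>Oct 11 22:17:05 printer01 telnetd: session opened for user printops",
    "Oct 11 22:18:00 printer01 line with no PRI field",
    "<999>Oct 11 22:19:00 printer01 out-of-range PRI",
]

if __name__ == "__main__":
    for facility, severity, text in keep_auth_and_remote(SAMPLE):
        print(f"{facility}.{severity}: {text}")
```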

Resources

Security-Related Configuration and Upgrades from Common Manufacturers

Links to vendor information are below. This list is a starting point and is not meant to be a comprehensive list.

Note: For instructions on performing any configuration specific to your particular device, please contact your vendor or consult your vendor's documentation.

HP

Xerox

Lexmark

Finding Known Issues

You can search for known vulnerabilities for your device, for example by searching a vulnerability database by vendor. Below are some quick links to the vulnerability database: