Multifunction Printer Security and Compliance & Multifunctional Device (MFD) hardening standards
Effectively managing multifunction products is an information security issue. A growing list of federal and state regulations makes this an essential area for complying with the Health Insurance Portability and Accountability Act (HIPAA) and other laws. By selecting and implementing appropriate security technologies designed to control access and provide data tracking and accountability risk of unauthorized access and potential breach of protected & confidential information can be mitigated.
These devices are subject to all IT policies and procedures. Before any device is recycled to another user and/or before it is taken out of service at the University (redeployment, donation, selling, or recycling), it must be handled as per the University Media Control policy. Never allow the device to be returned to the vendor (or any non-Yale entity) unless it is documented that there was no Yale data in memory or storage.
A Multifunctional Device (MFD) is an office machine which incorporates the functionality of multiple devices in one. A typical MFD may act as a combination of some of the following devices: printer/photocopier/fax/scanner. Yale does not recommend a specific MFD manufacturer or model; so some of the hardening steps below might not be applicable to your model. Please consult with the device's manufacturer on the specifics on how to implement the controls. These steps to secure a MFD scanning sensitive data (potentially 3 lock) are to eliminate the exposure from:
- Information leakage from logs (e.g. fax logs showing credit card numbers, long distance telephone codes -TAN, and filenames),
- SNMP attacks,
- Poorly configured network services,
- Buffer overflows, and
- Potential for data recovery from an MFD's internal hard drive.
Try to secure the MFD before you have it plugged into the network.
|Harden Step||Reason Why|
|Disable all protocols in the MFD except TCP/IP. Some printers support non-IP based protocols for compatibility with legacy systems. These might include AppleTalk and IPX/SPX.||Other protocols are more difficult to monitor and secure, and should be disabled if they are not being used.|
|Disable all management protocols, except HTTPS and SNMPv3 (this includes BOOTP).
- HTTPS will likely be the primary management protocol for your device. If the MFD does not require remote management, this interface can be disabled.At the very least ensure you use HTTPS for web-based management.
- If you use SNMP to manage your MFD, and your MFD supports it, choose SNMPv3 for its authentication and encryption features.
- Encryption of 3 lock data that is output to a printer connected to a network shall be provided through the use of secure printing applications (e.g., JetDirect port 9100) or protocols (e.g., IPP over SSL or TLS) to prevent unauthorized network interception.
- If the Internet Printing Protocol (IPP) is not used then disable it.
- If the environment is not using DHCP for IP addressing then it should also be disabled.
- Any other protocols necessary to upgrade firmware or configure the device, can be open upon request.
|Unneeded protocols expose the device and the network to unnecessary vulnerabilities.|
|Ensure the print/copy/fax/scan services are restricted to required protocols.Examples of possible protocols:
- Port 9100 (a.k.a. HP JetDirect, socket): Most printing services use this protocol, especially drivers from HP, so you may not be able to disable it.
- LPD is used for printing by many Unix and Linux systems. However, many can now also use CUPS (the Common UNIX Printing System), which allows for printing via a number of protocols. If you do not need LPD, disable it.
- SMB (Windows) printing is often not required, as it is taken care of by other protocols, such as JetDirect. It is also not encrypted. If possible, disable SMB printing.
- Telnet: Some MFDs provide telnet management interfaces (older management tools). If possible, disable this insecure protocol.
|The greater the number of protocols allowed active on the network the more vulnerabilities available to be exploited.Unneeded protocols expose the device and the network to unnecessary vulnerabilities.|
|Assign the MFD a static private campus IP address (not accessible from the Internet).If you can't do a static IP address then at least provide a DHCP reservation or in their own VLAN.
It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances.Restrict printing/copying/faxing/scanning to the minimum number of campus subnets practical for the device to function for its group of users. The suggestions above makes it easier to monitor the MFDs and apply access lists on hardware-based firewalls.
|Without static IP addresses, if the DNS cache is poisoned (corrupted) print files containing sensitive data could be redirected, leading to the compromise of sensitive data.|
|Have a firewall or router rule to block all ingress and egress traffic from the campus perimeter to the MFD.||Access to the MFD from outside the campus network could lead to a denial of service caused by a large number of large print files being sent to the device. Ability for the MFD to access addresses outside the campus network could lead to a compromise of sensitive data caused by forwarding a print file to a location outside of the Yale network.|
|Change default passwords and SNMP community strings with complex passwords.||There are many known vulnerabilities in the SNMP protocol and if the default community strings and passwords are not modified an unauthorized individual could gain control of the MFD. This could lead to a denial of service or the compromise of sensitive data.|
|Disable FTP.Some MFDs give you the ability to FTP upload documents to print. If you can't disable FTP printing then protect FTP printing with username/password credentials.|
|Reconfigure the MFD so that print services will only run on authorized ports (port 9100 and/or LPD).Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously.||Printer services running on ports other than the known ports for printing cannot be monitored on the network and could lead to a denial of service it the invalid port is blocked by a network administrator responding to an alert from the IDS for traffic on an unauthorized port.|
|Restrict access to the MFD's management function to a specific set of IP addresses or trusted subnets. If the device lacks this functionality use an ACL in a router, firewall or switch to restrict the access.||Restricting the MFD management interface to specific IP addresses decreases the exposure of the system to malicious actions. If the MFD is compromised it could lead to a denial of service or a compromise of sensitive data.|
|MFD Configuration State After Power Down or Reboot
Ensure the MFD maintains its configuration state (passwords, service settings etc) after power-down or reboot. If a full reset is performed, ensure that a process is in place to reconfigure the MFD back to its production state.
|If the MFD does not maintain it state over a power down or reboot, it will expose the network to all of the vulnerabilities that were solved by previous modifications changes.|
|Maintain the MFD patches on a consistent basis.Ensure devices are flash upgradeable and are configured to use the most current firmware available Ensure whoever is supporting the MFD receives any patch update notifications e-mails from the manufacturer or leasing company.||MFD devices or printers utilizing old firmware can expose the network to known vulnerabilities leading to a denial of service or a compromise of sensitive data.|
|If hard disk functionality is enabled, configure the MFD to remove spooled files, images, and other temporary data using a secure overwrite between jobs.Some MFD processes may include the ability to wipe job-related files in between jobs. Others might require an additional security kit from the manufacturer.||If the MFD is compromised the un-cleared, previously used, space on the hard disk drive can be read which can lead to a compromise of sensitive data|
|If the MFD has a removable hard drive option, then ensure that the drive is locked into the device to prevent access to the hard disk.If the vendor does not supply a lock, acquire an aftermarket lock that will secure the drive so that it cannot be accessed. Even a drive that cannot be removed but the connectors can be removed is vulnerable.||If the hard disk drive of a MFD can be removed from the MFD the data on the drive can be recovered and read. This can lead to a compromise of sensitive data.|
|Ensure that only MFD administrators can modify the global configuration from the console by requiring a password.||If unauthorized users can alter the global configuration of the MFD they can remove all security. This can lead to the compromise of sensitive data or the compromise of the network the MFD is attached to.|
|Physically secure the MFD in areas with restricted access.The level of confidentiality required dictates how MFDs are physically located. Examples might include:
- Kept in a data center with restricted access.
- Kept in an office that is attended during business hours and locked after hours.
|Can lead to untraceable and possibly undetectable compromise of sensitive data.|
|When a vendor is working on the MFD, the vendor's work must be monitored to ensure that security measures are not removed during the course of troubleshooting. If they are removed, they must be put back in place.||Unauthorized individuals may read the scanned data. This can lead to a compromise of sensitive data.|
|Each department must ensure that there are procedures in place for scrubbing or disposing of hard disks when MFDs are sent out for repair or disposal.These should include maintenance, disposal, and purging of classified devices to include their non-volatile memory and storage devices.||Unauthorized individuals may read the scanned data. This can lead to a compromise of sensitive data.|
|Create the appropriate discretionary access control list for file shares if scan to a file share is enabled.Some ways to provide secure storage on MFDs:
- User "mailboxes" (which usually contain faxes and scans) must require authentication and authorization. Some MFDs support encrypted storage, either natively or with the addition of a security kit. Depending on the data being scanned this should be considered.
|Without appropriate discretionary access controls unauthorized individuals may read the scanned data. This can lead to a compromise of sensitive data.|
|Ensure MFDs are configured to restrict jobs to only print spoolers, not directly from users.The configuration is accomplished by restricting access, by IP, to those of the print spooler and adminstrators. If supported, IP restriction is accomplished on the device, or if not supported, by placing the device behind a firewall, switch or router with an appropriate discretionary access control list.||If MFDs are not restricted to only accepting print jobs from print spoolers that authenticate the user and log the job, a denial of service can be created by the MFD accepting one or more large print jobs from an unauthorized user.|
|Ensure devices and their spoolers have auditing fully enabled.Auditing will include user, key operator and admin codes and passwords, enabled features and services. Any deviation from the baseline should be treated as a potential security incident. Ensure operational security controls are in place to ensure servicing of devices by authorized personnel is in accordance with change and configuration management processes.||If inadequate information is captured in the audit, the identification and prosecution of malicious user is difficult if not impossible. If the audits are not regularly reviewed suspicious activity may go undetected for a long time.|
|Ensure auditing of user access and fax log is enabled if faxing from the network is enabled.If not then disable the fax functionality and disconnect the phone line from the MFD.||Without auditing the originator and destination of a fax cannot be determined. Prosecuting of an individual who maliciously compromises sensitive data via a fax will be hindered without audits.Try to see if the fax log can be prevented from listing out any TAN or credit card information.|
Adapted from Multifunction Printer Hardening Checklist, with permission from ITS, The University of Texas at Austin, Austin, Texas 78712-1110.