Network Printer Security

Listed below are some recommendations for deploying network-attached printers to the campus network:

Recommended Configuration for ALL Networked Printers

  • ALWAYS change the printer default Admin password. Set a secure password for the Admin account. NOTE: If the printer is reset to factory defaults, the admin password may need to be restored.
  • Whenever possible, configure the printer to use private IP space (10.0.0.0 network). Alternatively, use IP Filtering (or local Firewall) to restrict access to/from the LAN.
  • Regularly (quarterly, or more frequently if possible) upgrade the printer firmware to mitigate vulnerabilities in the printer’s OS.
  • If you are going to use the Embedded Web Server (EWS) feature of the printer (especially to manage the printer), configure secure access to the printer’s web page (Disable HTTP and enable only HTTPS).
  • Disable unused protocols/services like IPv6, FTP, IPP, Telnet, IPX (though IPX isn’t likely routed on our networks anymore), AppleTalk, etc. This includes EWS unless you use it to administer your printers.
  • Educate users to never leave sensitive printouts sitting on the printer. Encourage them to use PIN Printing when printing sensitive information where available.
  • If printing from off-campus networks is needed, require the use of the Virtual Private Network (VPN) client to connect to the printer.
  • If it is a multi-function device, configure scan-to-email such that email service cannot be used as email relay (to send SPAM/PHISH). If supported/possible, configure multi-function scan-to-email to utilize encrypted PDF.
  • If the printer has a hard drive that is actually used for spooling print jobs, configure the printer so it periodically wipes that drive (daily is recommended).
  • Once hardening steps have been completed, nmap scan your printer to confirm only known, needed ports are open and available on the network (Feel free to ask [email protected] to request NMAP/VulnScan).
  • When the printer is slated to go to property disposition (or the company that leased the printer to you), make sure the hard drive in the printer is wiped or pull it and shred/destroy.

XEROX Specific Recommendations

  • There is a local Xerox XDM server on campus which is run by the ITS printing team. This XDM server allows Xerox to communicate with the printers on campus and vice-versa. The server in question iseuc-print-xs01.adsroot.itcs.umich.edu (141.211.5.20). Some 10 nets were able to talk to it without making any changes. Some had to have their firewall/routing rules tweaked.
  • Xerox Printer Proxy system ITS offering to non-ITS campus Units: 141.211.5.20 (SNMP traffic forwarder) so that Xerox leased printers can be put on non-routable network space (10.x.x.x VLANs).
  • When Xerox technicians plan to visit the printers on campus to service, departmental IT support staff should be notified.
  • Determine how Admin passwords to the printers are managed. They should not be deployed with the default password. Xerox multi-function printers may have the same non-standard password. Xerox Techs should know that non-standard password.
  • Determine if the printer needs to communicate with Xerox networks (both inbound AND outbound) for firmware updates.
  • When used as scanners, multi-function printers must be configured to use the approved U-M SMTP relay systems to email the resulting image files (smtp.mail.umich.edu: 141.211.12.86/141.211.125.12).

Additional Considerations for All Printers

For researchers working with sensitive data (e.g. ePHI, CUI or ITAR), you will want to ask if they print or scan elements of that data. If so, there are some specific questions to ask:

  • Do they pick up printouts right away?
  • Do they use secure printing options?
  • Do they scan to email?
    • If so, do they utilize authorized U-M mail relays?
  • Are they aware that IT staff must be on-site if printer vendor is called to service the printer?
  • Are there any visitors with access to the area?
    • Any visitors to an area where Export Controlled research is going on need to be accompanied, or perhaps not allowed at all. This includes where the printers are located physically.
  • If Export Control is involved, the associated Technology Control Plan should call out secure print options (e.g. are files deleted from the spool hard drive after printing?).

Safecomputing Link to Securing Network Printers

Guidelines for Registration and Use of ITS Mail Relay Service