Printing: How to secure your network printer

Unsecured network-attached printers are vulnerable to a range of attacks. These range from unauthorized access to the printer and the documents stored on it, to damage to the printer through partial firmware updates, to use of the printer as a vector for compromising not only the printer itself but also the entire network.

With so many manufacturers and models of printers on the market, pre-written security instructions for each are not practical. Below are some basic best practices for securing a printer.

Securing your printer on the network

  1. Change the default Administrator and/or Web Configuration passwords to strong, complex passwords, which, if possible, should be changed regularly.
  2. Note that if the passwords are forgotten, there is a strong possibility they cannot be reset or retrieved without replacing the hardware.
  3. Some printers may have separate FTP, Telnet, or other protocol passwords.
  4. Disable unneeded management protocols
    • Most printers will have all protocols enabled by default.
    • TCP/IP will be needed for the printer to communicate on the network.
    • SNMP is needed mainly for device management, monitoring, and communications.
    • Examples of unneeded protocols that should be disabled are SMB, Bonjour, FTP, IPP, EtherTalk, IPX/SPX, and NetWare.
  5. Set up Access Control List/IP filtering
    • If possible, restrict access to the printer via a specific range of IP Addresses.
    • Restrict to subnet, individual address, or use the print server address to require printing through it.
  6. Update firmware
    • To protect the network printer from known security vulnerabilities and operability issues, the firmware should be kept up to date.
    • Procedures to update vary between manufacturers and models, but it is a good idea to map out or back up the printer configuration and settings before updating the firmware.
        • Most firmware updates require the printer to be in a 'READY' state and on the network or attached to the host machine.
        • Some updates only require accessing the web interface and a 'print' file.
        • Some updates require a file to be run from a host computer.
    • Never navigate away from the webpage or run any other applications while the updates are in progress.
    • Never unplug the printer or disrupt the update once it has begun.

Securing your printer and data

  1. Physical Security
    • Secure your printer's control panel through the printer's web interface.
        • This prevents changes in the printer security configuration.
        • Using passwords or passcodes prevents unauthorized access to stored files.
    • Secure your printer's hard drive.
        • When possible, place the printer where it can be supervised to prevent unauthorized physical access to the hard drive.
        • Remove and destroy hard drives when retiring machines.
  2. Data Security
    • When possible, enable encryption on the hard drive.
    • Do not store jobs on the printer any longer than necessary. Set the hard drive to erase print jobs, scans, and faxes once complete.
        • If necessary, some printers can be set to save all jobs and to store them until they can be retrieved.
    • Secure Printing
      • Some printers can require a PIN code to release jobs to help prevent document theft or snooping.
    • Retrieve print jobs immediately after printing.
  3. Logging
    • Enable logging to capture job activity, user access, fax logging, configuration changes, etc.
    • Logs should be reviewed for irregular activity that can indicate a security incident.
        • For example, transmission of large amounts of data after regular business hours, or many failed logon attempts in a short amount of time, can be an indication of a compromised printer.
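
The log review described above can be automated. The following is an added example, not part of the original guidance or any vendor's tooling: it flags the two irregularities named in the last bullet. The log format, the thresholds, and the `review` function name are assumptions; adapt them to whatever your printer or print server actually exports.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO time, event, source IP, bytes).
SAMPLE_LOG = """\
2024-03-04T10:15:02,JOB_SENT,10.0.5.21,48211
2024-03-04T14:02:40,LOGIN_FAIL,10.0.5.33,0
2024-03-04T23:41:10,SCAN_TO_NETWORK,10.0.5.77,73400320
2024-03-05T02:10:01,LOGIN_FAIL,10.0.9.14,0
2024-03-05T02:10:09,LOGIN_FAIL,10.0.9.14,0
2024-03-05T02:10:15,LOGIN_FAIL,10.0.9.14,0
2024-03-05T02:10:22,LOGIN_FAIL,10.0.9.14,0
2024-03-05T02:10:30,LOGIN_FAIL,10.0.9.14,0
2024-03-05T09:05:00,JOB_SENT,10.0.5.21,1048576
"""

# Assumed thresholds; tune them to the site's normal usage.
BUSINESS_HOURS = range(8, 18)            # 08:00-17:59 local time
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # 50 MiB in a single job
MAX_FAILS, FAIL_WINDOW = 5, timedelta(minutes=5)

def review(log_text):
    """Return (alert_type, source, timestamp) tuples for irregular activity."""
    alerts = []
    fails = defaultdict(deque)  # source -> timestamps of recent failed logons
    for line in log_text.strip().splitlines():
        try:
            ts_raw, event, source, size = line.split(",")
            ts, size = datetime.fromisoformat(ts_raw), int(size)
        except ValueError:
            alerts.append(("UNPARSEABLE_LINE", line, None))  # never skip silently
            continue
        if size >= LARGE_TRANSFER_BYTES and ts.hour not in BUSINESS_HOURS:
            alerts.append(("LARGE_AFTER_HOURS_TRANSFER", source, ts))
        if event == "LOGIN_FAIL":
            window = fails[source]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:  # drop entries outside the window
                window.popleft()
            if len(window) == MAX_FAILS:  # alert when the count reaches the threshold
                alerts.append(("FAILED_LOGON_BURST", source, ts))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Lines that fail to parse are reported rather than dropped, since a malformed or truncated log entry is itself worth a look during review.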