Re: Printers, printers, printers

["Bristol, Gary L." <gbristol () OU EDU>]

Move the user subnets to private subnets behind firewalls and they either have the printers sitting in the same subnet 
with them (behind the firewall) or it is supported through the core print servers.



From: Martin Manjak [mailto:mm376 () ALBANY EDU]
Sent: Tuesday, December 11, 2007 3:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Printers, printers, printers

I'm curious as to what other schools are doing with respect managing printers. Some of the issues and challenges 
include:

1. They're cheap. Staff can purchase them directly through departmental credit cards so they aren't subject to 
purchasing guidelines, or centralized management of their configurations.

2. They're desirable as status symbols. People would rather have a personal printer on their desk than walk down the 
hall to use a departmental machine.

3. They're loaded. Rarely is a printer just a printer. It's a document imaging system with its own hard drive. It's a 
web server, often times with a web based management interface complete with a blank admin password. Other services may 
be running in default mode such as telnet, or ssh, or tftp.

4. They often have public IP addresses assigned to them.

The combination of all of the above has caused a proliferation of data leakage points. In essence, what we have are 
unmanaged servers containing electronic copies of institutional documents that are visible to the world. Secondarily, 
we have a lot of machines on our networks that can be poked, probed, and mismanaged via publicly facing services with 
blank or searchable default admin passwords.

I'm very interested in what types of controls people may have in place to address any of the above?




--

Martin Manjak

Information Security Officer

University at Albany

CISSP, GIAC GSEC-G, GCIH, GCWN