Re: Printers, printers, printers

["Jones, Dan" <Dan.Jones () UMASSMED EDU>]

Of particular interest here at the moment is a function (scan to folder)
with Ricoh multi-function devices. 

 

When 'scan to folder' is enabled, the users must enter their domain
credentials into the printer so that the printer can place the scanned
documents on a network share. I have yet to dig into how well the
printers are secured... however a few of them have been replaced which
means the user's credentials went out the door with the old printer. 

 

I came upon this 'feature' as users started to take seriously the
reasons for periodic password changes (which 'breaks' the scan to folder
functionality until the user enters their new domain password into the
printer). 

 

In the solutions column... I'm trying to change this model, and have the
printers configured with a machine account so that they can send scanned
documents to people's email. Also, working with the purchasing
department to help steer the types of devices that can be placed on the
network is an avenue. Service contracts should stipulate that the
internal drive's contents be wiped before the printer leaves our
premises. Educating users that password caching is against policy is
another... 

 

I imagine that we're all wrestling with this in one way or another. 

Dan Jones
IT Security Manager
University of Massachusetts Medical School 

________________________________

From: Martin Manjak [mailto:mm376 () ALBANY EDU] 
Sent: Tuesday, December 11, 2007 4:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Printers, printers, printers

 

I'm curious as to what other schools are doing with respect managing
printers. Some of the issues and challenges include:

1. They're cheap. Staff can purchase them directly through departmental
credit cards so they aren't subject to purchasing guidelines, or
centralized management of their configurations.

2. They're desirable as status symbols. People would rather have a
personal printer on their desk than walk down the hall to use a
departmental machine.

3. They're loaded. Rarely is a printer just a printer. It's a document
imaging system with its own hard drive. It's a web server, often times
with a web based management interface complete with a blank admin
password. Other services may be running in default mode such as telnet,
or ssh, or tftp.

4. They often have public IP addresses assigned to them.

The combination of all of the above has caused a proliferation of data
leakage points. In essence, what we have are unmanaged servers
containing electronic copies of institutional documents that are visible
to the world. Secondarily, we have a lot of machines on our networks
that can be poked, probed, and mismanaged via publicly facing services
with blank or searchable default admin passwords. 

I'm very interested in what types of controls people may have in place
to address any of the above?





-- 
Martin Manjak
Information Security Officer
University at Albany
CISSP, GIAC GSEC-G, GCIH, GCWN