Educause Security Discussion mailing list archives
Re: Printer Security
From: Frank Barton <bartonf () HUSSON EDU>
Date: Mon, 4 Nov 2019 17:01:58 -0500
Since I've gotten a couple of requests, here's the slide deck that I used for my presentation "Printers Are Evil".

Frank

On Mon, Nov 4, 2019 at 3:37 PM Frank Barton <bartonf () husson edu> wrote:

Robert, you've hit the nail, mostly, on the head. (And if you're interested, I'll send you my slide deck entitled "Printers Are Evil" for a presentation I did for the local INFOSEC group.)

- Change all passwords (admin or otherwise)
- Set 'sane' SNMP community strings
- Update firmware (I would remove the "if allowed" - it *will* be kept current)
- Add all printers to management/monitoring
- Do not allow access to printers on the 'production' network; they should be COMPLETELY isolated (and public internet would be a huge "nope" from me)
- LDAP, if needed for directory listing
- Passcodes, or other secure release mechanism (we use PaperCut & Find-me printing)
- Shut down any protocol you aren't using (this includes USB, WiFi, etc.)
- Contact the Office of Technology when disposing of a printer (do not throw in trash or recycle without support).
- All IP information must be assigned by the Office of Technology
- Encrypt the printer's hard disk (if an option)
- Configure logging to a remote server if supported
- Configure NTP

A couple of your notes I questioned. We created a dedicated network exclusively for printers. The only people that can talk directly to printers are IT folks when working through the servers. Printers are notoriously 'soft' targets, and I don't want them on the production network, but in order for them to be useful, and be monitored, you need them on a network. Any communication to the printers has to go through the print servers. Our MFPs also reach out to $VENDOR directly, which has to go through a proxy server as the printer network doesn't have internet access.

Don't trust the printers' built-in white-listing abilities. Set up ACLs on the network so that you know nothing except explicitly authorized servers/services can talk to the printers.

If you want some 'fun', tell Nessus to scan your local network overnight, and see how many people complain about the reams of paper that print out when typical printers get hit with a vulnerability scanner.

The other thing I would add would be: standardize! Have your "big" MFPs that are vendor managed and supported, and pick one or two models of 'desktop' type devices that you will 'permit'.

Let me know if you have questions.

On Mon, Nov 4, 2019 at 3:20 PM Barton, Robert W. <bartonrt () lewisu edu> wrote:

Afternoon,

We are in the process of reviewing our policy for printers/MFPs and changing our vendor. If anyone can share what they have done for printer security, I would appreciate it (please email off list if sensitive in any way). Below is our current/future security listing (sans details); any comments are welcome:

- Change administrator and all other default accounts to non-default passwords.
- Update SNMP community strings.
  o Beware – the default driver install MAY use SNMP.
  o Use a community string that identifies the machine and can be replicated to other areas on campus.
- Update all firmware (if allowed).
- Do not network the printer unless necessary
- Add all MFPs to management applications
- Do not allow access to printers via the public Internet (unless necessary)
- Set up LDAP on all MFPs
- Use passcodes to secure output
- Set up 'white list' for access
- Follow manufacturer best practices on security
- Shut down unnecessary services and protocols
- Contact the Office of Technology when disposing of a printer (do not throw in trash or recycle without support).
- All IP information must be assigned by the Office of Technology
- Encrypt the printer's hard disk (if an option)
- Shut off
  o USB printer (if not used)
  o Wireless printing
- Configure printer to purge memory or disk
- Configure any FAX option to only allow 'image data' (if possible)

Robert W. Barton
Executive Director of Information Security and Policy
Lewis University
One University Parkway
Romeoville, IL 60446-2200
815-836-5663

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
Attachment: Printers Are Evil.pdf
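As an added illustration of the two points Frank makes above (network ACLs so that only the print servers and the proxy may talk to printers, and monitoring the printer network), here is a small audit over firewall flow logs; it is not code from the thread, and the log format, addresses, port list and scan threshold are constructed for the example.

```python
"""Flag flows that break the 'printers are isolated, only print servers and
the proxy may talk to them' rule.  Constructed example: log format, subnets
and host addresses below are made up, not taken from the thread."""
import ipaddress
import re
from collections import defaultdict
# Constructed policy values for the example.
PRINTER_NET = ipaddress.ip_network("10.50.0.0/24")   # dedicated printer VLAN
PRINT_SERVERS = {"10.10.1.5", "10.10.1.6"}           # only these may submit jobs
ALLOWED_EGRESS = {"10.10.2.10", "10.10.3.1"}         # vendor proxy, syslog/NTP host
PRINTER_PORTS = {9100: "raw", 515: "lpd", 631: "ipp", 161: "snmp", 80: "http", 443: "https"}
SCAN_THRESHOLD = 3   # one source hitting >=3 printers on raw 9100 looks like a scanner
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def in_printer_net(ip):
    return ipaddress.ip_address(ip) in PRINTER_NET

def audit(lines):
    """Return (kind, src, dst, port) findings for the given flow-log lines."""
    findings = []
    raw_targets = defaultdict(set)   # src -> printers it touched on 9100
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                 # not a flow record; ignore
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        # Anything other than a print server reaching a printer service port.
        if in_printer_net(dst) and port in PRINTER_PORTS and src not in PRINT_SERVERS:
            findings.append(("unauthorized_inbound", src, dst, port))
            if port == 9100:
                raw_targets[src].add(dst)
        # A printer calling out anywhere except the proxy / syslog / NTP hosts.
        if in_printer_net(src) and not in_printer_net(dst) and dst not in ALLOWED_EGRESS:
            findings.append(("printer_egress", src, dst, port))
    for src, printers in raw_targets.items():
        if len(printers) >= SCAN_THRESHOLD:   # the "reams of paper" scenario
            findings.append(("scanner_like", src, "*", 9100))
    return findings

# Constructed sample firewall log lines.
SAMPLE_LOG = [
    "Nov 04 21:00:01 fw: src=10.10.1.5 dst=10.50.0.21 dport=9100",   # print server: fine
    "Nov 04 21:00:02 fw: src=10.20.7.44 dst=10.50.0.21 dport=9100",  # workstation: violation
    "Nov 04 21:00:03 fw: src=10.20.7.44 dst=10.50.0.22 dport=9100",
    "Nov 04 21:00:04 fw: src=10.20.7.44 dst=10.50.0.23 dport=9100",  # third printer: scanner
    "Nov 04 21:00:05 fw: src=10.50.0.21 dst=10.10.2.10 dport=443",   # printer -> proxy: fine
    "Nov 04 21:00:06 fw: src=10.50.0.22 dst=203.0.113.9 dport=443",  # printer -> internet direct
    "Nov 04 21:00:07 fw: src=10.20.7.44 dst=10.50.0.21 dport=161",   # SNMP from a workstation
]
if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(*f)
```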