Best Practices for Securing Printers
By default, any device connected to our wired network (including printers) is placed on an Internet-accessible IP space. This can expose the printer to a number of problems, the most common of which is printing spam or gibberish, which wastes a large amount of paper and prevents legitimate use. The frequency of these attacks has been increasing since 2015 and continues to be a concern. In March 2016 we blocked the most common printing port at our campus border, and we will soon add additional common printing ports to the border block. Protect your printers from these and other attacks by following these best practices for securing your printer.
Limit Internet Connectivity / Configure Access Control Lists
- Review your printer's documentation on how to create access control lists that limit access to the printer, ideally to only your department's subnets. If you need to print from on campus but outside your department, you can limit access to the campus IP space (10.0.0.0/8, 188.8.131.52/16, 184.108.40.206/16, 220.127.116.11/19). This will also allow you to use the VPN to print from off campus.
- If your printer cannot create an access control list, the Division of IT's Network Operations group can create a network ACL at our campus border for your printer to restrict access to campus only. Please open a ticket with the Service Desk by emailing your request to email@example.com or calling x51500.
Disable Unnecessary Services
Most printers support a number of different services, many of which are legacy and rarely used. Many of these services can weaken the overall security of the printer, as they can be identified and exploited by attackers. Disable any services that you do not use. This can often be done through the management web interface enabled on the printer or through the physical printer menu.
- Disable Telnet and FTP - These are older protocols that were used to manage print jobs in the past; they are often no longer used but are still turned on by default. We have seen a large amount of print spam sent via open FTP servers on printers, so we strongly recommend you disable FTP.
- Disable Embedded Web Server - Many printers allow configuration and administration through a built-in web interface. Configure the web server to only allow traffic over a secure connection (HTTPS), and disable access over HTTP. If you do not use the embedded web server to manage your printer, disable it if possible. (Do this after you have disabled all other unneeded services.)
- Disable Other Services - Review and disable other rarely used services such as IPP, AppleTalk, and IPv6 where appropriate.
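To confirm the result from a workstation, the following Python script (an added example, not part of the original guidance) attempts a TCP connection to the standard ports for FTP, Telnet, HTTP and IPP on printers you administer and lists any that still answer. The function names are illustrative, and the port numbers are the protocols' standard assignments, which this page does not list.

```python
import socket
import sys

# Services this page recommends disabling, mapped to their standard TCP ports.
# (Assumption: the printer uses the default ports; adjust if yours differs.)
SHOULD_BE_CLOSED = {"ftp": 21, "telnet": 23, "http": 80, "ipp": 631}


def port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timed out) or unreachable: treat as not exposed.
        return False


def audit_printer(host, services=SHOULD_BE_CLOSED, timeout=2.0):
    """Return the sorted names of services that still accept connections."""
    return sorted(
        name for name, port in services.items()
        if port_open(host, port, timeout)
    )


if __name__ == "__main__":
    # Usage: python audit_printer.py <printer-address> [<printer-address> ...]
    exit_code = 0
    for host in sys.argv[1:]:
        findings = audit_printer(host)
        if findings:
            exit_code = 1
            print(f"{host}: still enabled: {', '.join(findings)}")
        else:
            print(f"{host}: no listed services reachable")
    sys.exit(exit_code)
```

Run it once from inside your department's subnet to check the service settings, and once from a network outside the printer's access control list, where every port should be unreachable if the ACL is working.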
To ensure consistency and completeness in securing your printers, download a copy of the file Printer Security Checklist by clicking the file in the Attachments section below.