Effective Practices for Printers

Networked printers often handle ASU Internal information, and sometimes even sensitive information. It is important to follow standard hardening procedures to ensure a secure printing environment. This includes ensuring that printers are maintained with current patches, secure configurations, and strong passwords. Here are some effective practices to secure any networked printers in your support area.
  • Keep the printer firmware updated. 
  • Secure the printer with a strong password. (Don't use the default password, and never leave it blank or unprotected.)
  • Passwords should always be encrypted in transit, so if the printer has a password-protected web page, obtain and configure a digital certificate, enable HTTPS, and disable the unencrypted HTTP interface.
  • Change the SNMP community strings. (These are the equivalent of printer "passwords"; the defaults, "public" and "private", are widely known.)
  • Disable any protocols that are no longer used. (For example, do you really need Novell IPX enabled?)
  • Newer printers have advanced features (e.g. print-via-email, upload and print files, web-enabled printing). Consider these features and if they are not used, disable or protect them with passwords.
  • Some printer manufacturers make utilities available to manage and update printers remotely. Please check with the printer manufacturer to see what options are available to manage your printers.
  • Certain printers come equipped with storage devices (internal hard disks) that contain frequently printed documents. Ensure that no sensitive data is stored on these devices, or, even better, disable the internal storage devices on the printers.
  • If possible, change the default TCP port from 9100 to another port number. (Specific exploits target the default port and may cause the printers to print blank pages. However, some printers may not be capable of changing this port number.)
  • If you have a firewall in front of your printers, only allow trusted IP addresses (e.g. the print server) to talk directly to the printer.
  • Disable printing via FTP, or assign a strong password to the FTP printing features if they cannot be disabled.
  • Configure every printer with a static internal "ten dot" IP address and a DNS hostname. Ideally, DNS hostnames should include your department's DNS subdomain, for example: printer-name.dept.asu.edu
  • When printing, photocopying or faxing, ensure that only authorized personnel will be able to see the output. Sensitive or Highly Sensitive information should not be transmitted to network-connected printing/scanning devices unless on a closed or securely encrypted network.
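
One way to check a printer inventory against several of the items above, as an added example that is not part of the original guidance. The record fields (hostname, ip, admin_password_set, snmp_communities, services, raw_port) and the sample inventory are assumptions constructed for illustration.

```python
import ipaddress

# Values taken from the checklist above.
DEFAULT_COMMUNITIES = {"public", "private"}
TEN_DOT = ipaddress.ip_network("10.0.0.0/8")
RISKY_SERVICES = {"http": "unencrypted HTTP interface enabled",
                  "ftp": "FTP printing enabled",
                  "ipx": "unused legacy protocol (IPX) enabled"}

def audit_printer(rec):
    """Return the checklist findings for one inventory record (a dict)."""
    findings = []
    try:
        if ipaddress.ip_address(rec.get("ip", "")) not in TEN_DOT:
            findings.append("IP is not an internal 10.x address")
    except ValueError:
        findings.append("IP address missing or malformed")
    # Expect printer-name.dept.asu.edu: four or more labels ending in asu.edu.
    labels = rec.get("hostname", "").lower().rstrip(".").split(".")
    if len(labels) < 4 or labels[-2:] != ["asu", "edu"]:
        findings.append("hostname lacks a department subdomain under asu.edu")
    if not rec.get("admin_password_set", False):
        findings.append("admin password is blank or default")
    for name in rec.get("snmp_communities", []):
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string: {name}")
    services = {s.lower() for s in rec.get("services", [])}
    findings += [msg for svc, msg in RISKY_SERVICES.items() if svc in services]
    if rec.get("raw_port") == 9100:
        findings.append("raw printing still on default TCP port 9100")
    return findings

# Constructed sample inventory; these are not real devices.
SAMPLE = [
    {"hostname": "lab-laser1.dept.asu.edu", "ip": "10.20.30.40",
     "admin_password_set": True, "snmp_communities": ["constructed-ro-string"],
     "services": ["https"], "raw_port": 9101},
    {"hostname": "frontdesk", "ip": "192.0.2.15",
     "admin_password_set": False, "snmp_communities": ["public"],
     "services": ["http", "ftp"], "raw_port": 9100},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        issues = audit_printer(rec)
        print(rec["hostname"], "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The port 9100 finding is advisory, since some printers cannot change that port.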