I recently introduced a Ricoh IM 6500 printer to the office network, and it reminded me that we should treat printers like computers. These devices should have the same amount of security resources, controls, processes, and isolation as any other computer on your network.
Focus on these eight areas to prevent your printers from being an entry point for attackers:
1. Limit Printer Access Privileges
Like any other technology, limit printer access to those who need it. Configure each printer with the network IP addresses of the devices allowed to access it.
2. Disable Unused Protocols
Disable unused protocols that are active on each device. Configure only the necessary protocols. Be sure to review this process regularly as your network needs change.
Many printers ship with security presets that configure connections and protocols according to standards set by government agencies. FIPS 140 is one commonly used preset level. Enabling it automatically disables TLS 1.0 and SSL 3.0 and sets encryption to AES 128-bit/256-bit. It also disables DIPRINT, LPR, RSH/RCP, Bonjour, SSDP, SMB, NetBIOS and RHPP, and it sets the Kerberos authentication and encryption algorithm to AES256-CTS-HMAC-SHA1-96/AES128-CTS-HMAC-SHA1-96/DES3-CBC-SHA1.
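The checks in items 1 and 2 can be run against an exported settings dump. The following is an added example, not code from the original article or from any printer vendor: the `key = value` dump format, its key names, and the `MAX_HOSTS` threshold are assumptions, while the protocol and TLS lists come from the paragraph above.

```python
import ipaddress

# Protocols the article says the FIPS 140 preset disables.
DISABLED_BY_PRESET = {"diprint", "lpr", "rsh/rcp", "bonjour", "ssdp",
                      "smb", "netbios", "rhpp"}
WEAK_TLS = {"ssl3.0", "tls1.0"}
MAX_HOSTS = 1024  # assumption: widest access range we accept (a /22)

# Constructed settings dump; the key names are hypothetical, not a vendor format.
SAMPLE = """\
protocol.lpr = on
protocol.smb = on
protocol.ipp = on
protocol.bonjour = off
tls.versions = tls1.0, tls1.2
access.range = 10.20.30.0/24
access.range = 0.0.0.0/0
"""

def parse(text):
    """Return (enabled protocols, TLS versions, access ranges)."""
    protocols, tls, ranges = set(), set(), []
    for line in text.splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key.startswith("protocol.") and value == "on":
            protocols.add(key[len("protocol."):])
        elif key == "tls.versions":
            tls.update(v.strip() for v in value.split(",") if v.strip())
        elif key == "access.range":
            ranges.append(ipaddress.ip_network(value, strict=False))
    return protocols, tls, ranges

def audit(text):
    """Return a sorted list of findings for one printer's settings."""
    protocols, tls, ranges = parse(text)
    findings = [f"disable protocol: {p}" for p in protocols & DISABLED_BY_PRESET]
    findings += [f"disable weak TLS version: {v}" for v in tls & WEAK_TLS]
    if not ranges:
        findings.append("no access range set: any host can reach the printer")
    findings += [f"access range too broad: {n}" for n in ranges
                 if n.num_addresses > MAX_HOSTS]
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```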
3. Check the Printer Firmware Level
Review the firmware level of every device. Limit who can upgrade the device, and control how the device receives its patches. If you choose to have the printer report its status, also review the IP addresses it will need to reach.
4. Beware of Automatic Printer Activity Reports
Most rented printers require a status report of processed pages. If it is not appropriate for your devices to report these counts automatically, have a process to collect and report this information. If you choose automatic data collection, determine with your provider the IP address that your devices will use to connect and report this information. Notify your firewall administrators of this expected traffic.
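Once the expected reporting destinations are agreed, firewall logs can be checked for printer traffic going anywhere else. This is an added example, not part of the original article: the log line format, the printer subnet, and every address in it are constructed for illustration.

```python
import ipaddress
import re

PRINTERS = ipaddress.ip_network("10.20.30.0/24")   # assumed printer VLAN
# Assumed approved destinations: (address, protocol, port) -> purpose.
ALLOWED = {
    ("203.0.113.10", "tcp", 443): "vendor meter reporting",
    ("10.20.1.5", "udp", 514): "syslog",
    ("10.20.1.6", "udp", 123): "NTP",
}

# Constructed firewall log lines (the format is hypothetical).
SAMPLE_LOG = """\
2022-03-01T08:00:01Z ALLOW src=10.20.30.15 dst=203.0.113.10 proto=tcp dport=443
2022-03-01T08:00:07Z ALLOW src=10.20.30.15 dst=10.20.1.5 proto=udp dport=514
2022-03-01T08:02:11Z ALLOW src=10.20.30.15 dst=198.51.100.77 proto=tcp dport=443
2022-03-01T08:03:40Z ALLOW src=10.20.40.9 dst=198.51.100.77 proto=tcp dport=443
2022-03-01T08:05:02Z DENY src=10.20.30.16 dst=10.20.1.6 proto=tcp dport=445
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                  r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")

def unexpected_printer_traffic(log_text):
    """Return (timestamp, action, src, dst, proto, port) for each flow that a
    printer started toward a destination missing from ALLOWED."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines in another format
        if ipaddress.ip_address(m["src"]) not in PRINTERS:
            continue  # not printer-originated
        key = (m["dst"], m["proto"].lower(), int(m["dport"]))
        if key not in ALLOWED:
            hits.append((m["ts"], m["action"], m["src"], *key))
    return hits

if __name__ == "__main__":
    for hit in unexpected_printer_traffic(SAMPLE_LOG):
        print(hit)
```

Denied flows are reported as well as allowed ones, since a printer repeatedly attempting an unapproved connection is worth investigating even when the firewall blocks it.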
5. Know What Information Your Printers Process
Review the information processed by each device and the level of protection it requires. If the device will be used for faxing and requires secure processes, enable IPsec and decide which personnel in your company should have permission to view the scan-to folder. Also decide whether you want the Document Server feature configured and who should have rights to it.
6. Properly Manage Printer Log Files
Review the logging functions and make sure the logs are sent to your preferred log storage, whether it’s a cloud log server or a local Splunk server. Decide which time zone the printer should be set to and whether it should use a clock synchronization process.
7. Confirm Security Checks
When deploying printers in sensitive areas, review and confirm their security controls. Often the systems are evaluated under Common Criteria for approved devices. These Common Criteria functions include:
Security audit: The device generates audit records of user and administrator actions. It stores audit records both locally and on a remote syslog server.
Cryptographic support: The device includes a cryptographic module for the cryptographic operations it performs. The relevant Cryptographic Algorithm Validation Program (CAVP) certificate numbers are noted in the security target.
Access control: The device applies an access control policy to restrict access to user data. The device ensures that documents, document processing job information and security-related data are only accessible to authenticated users with the appropriate access permissions.
Storage Data Encryption: The device encrypts data on the hard drive and in memory to protect documents and sensitive system information if these devices are removed from the network.
Identification and authentication: Except for a defined minimum set of actions that can be performed by an unauthenticated user, the device ensures that all users must be authenticated before accessing its functions and data.
Administrative roles: The device offers the possibility to manage its functions and data. Role-based access controls ensure that the ability to configure device security settings is only available to authorized administrators. Authenticated users can perform copy, print, scan, document server, and fax operations depending on the user’s role and assigned permissions.
Trusted operation: The device performs power-on self-tests to ensure the integrity of the TSF components. It provides a mechanism for performing a secure update that verifies the integrity and authenticity of the upgrade software before applying updates. It uses an NTP server for accurate time.
Access to the device: Interactive user sessions at local and remote user interfaces are automatically terminated by the device after a configured period of inactivity.
Trusted communications: The device protects its remote user communications using TLS/HTTPS and communications with LDAP, FTP, NTP, syslog, and SMTP servers using IPsec.
PSTN fax-network separation: The machine limits information received or transmitted over the telephone network to only fax data and fax protocols. It ensures that the fax modem cannot be used to bridge the local network.
Overwrite image: The machine overwrites residual image data stored on the hard disk after finishing or canceling a document processing job.
8. Review the Latest Guidelines for Smart Card Authentication
In July 2021, Microsoft made changes for CVE-2021-33764 to harden printing processes that rely on smart card authentication. Starting with the August updates, Microsoft will no longer implement this temporary mitigation. If you are using smart card authentication for printers, see KB5005408 for more tips on handling potential issues when installing August security updates on your domain controllers.
Copyright © 2022 IDG Communications, Inc.