Printer Configuration Best Practices

Printers are a common intrusion point for access into an organizations network. It is a common misconception to think that printers are secure due to the nature of the simple tasks that they perform. However, printers are fully functional devices with exploitable services such as web servers, ftp services and hard drive device storage capabilities. It is therefore important that system administrators take appropriate steps to ensure that these devices are properly setup with adequate settings to secure them against compromise and malicious use.

Below are some recommended configuration best practices.

1. Change the administrative password on the device from the default settings.
   All printers are shipped with a default administrative password. This password provides access to the printer configuration interface and could also expose printer job information to a malicious user. Print jobs that contain confidential data such as tax forms and your research work are some documents that could be acquired from a compromised printer.If the set password for the device is lost or forgotten, performing a factory reset can restore access to the device. Physical access to the device is required for this process.
2. Disable the SMTP server service on the printer if you do not intend to mail out printer jobs from the printer.
   The SMTP service is an email processing application that when used as intended sends valuable email messages from the printer. For example, a scan to email print job or printer toner replacement notification message could be sent from the device. Likewise, this message service could be used to send out spam messages if the email service is not protected.
3. Disable the SNMP service or change the community string default password if the service is required.
   The SNMP service is an administrative configuration protocol. It is commonly used for large-scale configuration of devices using some form of automation. It is most probable that this service is not required in your environment. It is recommended that the service be disabled unless when enterprise management of your device is required.
4. Disable the following services:
   Printers include a myriad of additional services for different feature sets and deployment use cases. If these services are not required for your environment, it is best practice to disable these services on your device.
   • SLP (Service location protocol)
   • Telnet
   • MDNS
   • Multicast IPV4
   • Bonjour
   • IPX/SPX
5. Set file-system password (Review documentation)
   The storage device on your printer can be used to store malicious code or gain access to stored print orders. It is therefore crucial that the storage resource is properly secured. System administrators are encouraged to review advanced settings documentation for their devices and apply vendor recommended settings for file system protection.
6. Configure printing protocols
   Different printing protocols expand the printing capabilities of your printer. As an example, the IPP (Internet printing protocol) could be used to send printing jobs from the Internet. This access could allow the printing of marketing flyers from unsolicited sources. To prevent the abuse of your printer resource, limit available printing protocols on your printer to those required for your environment (i.e.,  lpr, lpd).
7. Set control panel password (PJL service)
   Most display screens on printers allows for some form of customization. Although the risk impact of malicious access to the display setting is minimal, a malicious party could disrupt printing services by altering the touch screen capable features on your device. However, applying a password on your display setting function can easily mitigate this exploit.
8. Set access list access and scope to NYU NYC IP ranges
   Your printer is an internal network service and as such should not be exposed to the Internet. Where possible, printers should be configured on a private network (RFC1918). Manufacturers are aware of the capabilities of these devices and have included new features that provide additional protections for publicly accessible printers. On access-list capable devices, configure your printer access rules. Scope the required access for your devices to the private and public NYU-NET IP ranges.FTP