Security recommendations for printers
- BLOCK THE ACCESS TO THE PRINTER FROM THE INTERNET
Place the printers on a private network segment (e.g., 10.0.0.0/8 or 192.168.0.0/16). If this is not possible, use a firewall to restrict access to the printer. Then set up a dedicated machine as a print server with appropriate access authentication.
- CHANGE DEFAULT PASSWORDS
Change them both for accessing the printer (SSH) and for its web interface. If the printer's administrative interface is not configured correctly, attackers can potentially change the printer's network address and redirect print jobs, perform a Denial of Service attack to disable the device, or use the printer as a platform to attack other systems on the network.
- USE AN ENCRYPTED CONNECTION TO ACCESS PRINTER ADMINISTRATION
Use HTTPS (instead of HTTP) for the web interface and SSH (instead of Telnet) to access the system.
- UPDATE REGULARLY
Check the availability of firmware updates for all printers as part of your regular machine update schedule.
- USE STATIC IP ADDRESSES
If possible, use private static IP addresses and disable mDNS and SNMP protocols. If you need SNMP, use only the SNMPv3 version and change the default SNMP Community Name to a new, sufficiently strong password.
- USE ENCRYPTED PRINT PROTOCOLS SUCH AS IPPS OR WSD OVER HTTPS
Do not use print protocols (IPP, LPD, RAW, WSD, SMB) that do not encrypt printed documents. If the printer does not support secure protocols, use RAW (also known as port 9100, AppSocket, or HP JetDirect) or IPP. Disable LPD and SMB protocols on the printer.
- USE SSL/TLS OR IPSEC
Do so wherever possible, to prevent eavesdropping on communications.
- TURN OFF UNUSED SERVICES
Disable Telnet on all printers. If not explicitly required, disable mDNS (Bonjour), Multicast IPv4, SNMP, Emails, Fax, FTP, HTTP, SLP, IPX/SPX, and DLC/LLC, which are usually enabled by default on printers.
- USE SECURITY SETTINGS RECOMMENDED BY THE MANUFACTURER
Some printers have advanced security options (e.g., file system security). Study the advanced settings documentation for a specific device and apply the settings recommended by its manufacturer.