I recently introduced a Ricoh IM 6500 printer on the office network, and it reminded me that we need to treat printers like computers. These devices should be given the same amount of security resources, controls, processes and isolation as need for any other computer in your network.
Focus on these eight areas to keep you printers from being a point of entry for attackers:
1. Limit access privileges to printers
Like any other technology, limit printer access to only those who need it. Define the network IP addresses of the devices with permission to access each printer.
2. Disable unused protocols
Disable unused protocols that are active on each device. Only set up those protocols that are needed. Ensure that you review this process regularly as the needs for your network changes.
Many printers have default security settings that preconfigure printer connections and protocols based on standards set by government agencies. FIPS 140 is a standard level of security protocols that is often used and can be preconfigured. It will automatically disable TLS1.0 and SSL3.0 as well as set the encryption to be AES 128 bit/256 bit. It also automatically disables Diprint, LPR, RSH/RCP, Bonjour, SSDP, SMB, NetBIOS and RHPP. It also automatically sets the Kerberos authentication and encryption algorithm to be AES256-CTS-HMAC-SHA1-96/AES128-CTS-HMAC-SHA1-96/DES3-CBC-SHA1.
3. Review printer firmware level
Review all equipment for their firmware level. Limit who can upgrade the device and how the device obtains its patching processes. Review as well the IP addresses that the printer will need to report its status if you opt for that process.
4. Beware of automatic reports of printer activity
Most leased printers require a status report of the pages processed. If it is not appropriate for your devices to automatically report these amounts, have a process to collect and report such information. If you opt for automatic data collection, determine from your vendor the IP address that your devices will be using to connect and report this information. Notify your firewall management administration of this expected traffic.
5. Know what information your printers process
Review the information that each device processes and the level of protection needed. If it will be used for faxing and will need secure processes, enable IPsec and review which personnel in your firm should have rights to review the folder to scan to. Also review if you want the document server feature set up and who should have rights to that function.
6. Properly manage printer log files
Review the log file functions and ensure that logs are stored in a preferred log storage process whether that is to a cloud log server or a local Splunk server. Review what time zone you want the printer to be set to and if it should be set to a clock synchronization process.
7. Confirm security controls
When deploying printers into sensitive areas, review and confirm their security controls. Often systems are vetted under Common Criteria for approved devices. These Common Criteria include:
Security audit: The device generates audit records of user and administrator actions. It stores audit records both locally and on a remote syslog server.
Cryptographic support: The device includes a cryptographic module for the cryptographic operations that it performs. The relevant Cryptographic Algorithm Validation Program (CAVP) certificate numbers are noted in the security target.
Access control: The device enforces access control policy to restrict access to user data. The device ensures that documents, document processing job information, and security-relevant data are accessible only to authenticated users who have the appropriate access permissions.
Storage data encryption: The device encrypts data on the hard drive and in memory to protect documents and confidential system information if those devices are removed from the network.
Identification and authentication: Except for a defined minimal set of actions that can be performed by an unauthenticated user, the device ensures that all users must be authenticated before accessing its functions and data.
Administrative roles: The device provides the capability for managing its functions and data. Role-based access controls ensure that the ability to configure the security settings of the device is available only to the authorized administrators. Authenticated users can perform copy, printer, scanner, document server and fax operations based on the user role and the assigned permissions.
Trusted operations: The device performs power-on self-tests to ensure the integrity of the TSF components. It provides a mechanism for performing trusted update that verifies the integrity and authenticity of the upgrade software before applying the updates. It uses an NTP server for accurate time.
Device access: Interactive user sessions at the local and remote user interfaces are automatically terminated by the device after a configured period of inactivity.
Trusted communications: The device protects communications from its remote users using TLS/HTTPS, and communications with the LDAP, FTP, NTP, syslog, and SMTP servers using IPsec.
PSTN fax-network separation: The device restricts information received from or transmitted to the telephone network to only fax data and fax protocols. It ensures that the fax modem cannot be used to bridge the LAN.
Image overwrite: The device overwrites residual image data stored on the hard drive after a document processing job has been completed or cancelled.
8. Review latest guidance for smart card authentication
In July 2021, Microsoft made changes for CVE-2021-33764 to harden printing processes that rely on smart card authentication. As of the August updates, Microsoft will no longer put in place this temporary mitigation. If you use smart card authentication for printers, review KB5005408 for more advice in dealing with potential issues when the August security updates are installed on your domain controllers.
Copyright © 2022 IDG Communications, Inc.
