Use physical security
Physically secure the printer, as if it were a computer server.
Enable access controls
Change the administrator password on the https (web) login. On any printer that supports it, install a CA certificate and use it instead of a password for administrative access. If available, use access lists to limit the users who can access the printer.
Disable Unnecessary Services, and Limit Network Ports and Protocols
Most printers support a number of different services, many of which are legacy and rarely used. Many services can also weaken the overall security of the printer, as they can be identified and exploited by attackers.
Disable any services that you do not use. This can often be done by a management web interface enabled on the printer.
Disable Telnet and FTP. These may have been used in the past to manage and send print jobs, but should now be avoided.
Review and disable services such as AppleTalk and IPv6 when appropriate.
Disable Embedded Web Server
Many printers allow configuration and administration through a built-in web interface. Configure the web server to only allow traffic over a secure connection (HTTPS), and disable access over HTTP.
If you do not use the embedded web server to manage your printer, disable it if possible.
Restrict Management Services
All networked printers should have a static IP address on the non-routable 172.16.x.x address space. If available on your printer, restrict access to authorized users in your department or unit.
SNMP and https (web) are protocols used to manage printers. SNMP is used for large organizations managing hundreds to thousands of devices, including printers. SNMP should be turned off. If there is a documented requirement for SNMP, the following guidelines should be followed to prevent exploitation of security vulnerabilities:
Turn off version 1 and 2 of SNMP, and change the default SNMP read and write community strings. Turn logging on, and review logs as appropriate to detect and/or investigate potential security breaches.
Please contact UVa Information Security with any questions.
Next Scheduled Review: February 2016
Revisions: February 2015
Effective: Original version was released 2001