S 2.397 Planning the use of printers, copiers, and all-in-one devices
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
A basic requirement for the secure use of printers, copiers, and all-in-one devices is appropriate planning in advance. The use of printers can be planned in several steps according to the top-down design principle: based on a basic concept for the overall system, concrete plans are specified for subcomponents in detailed subconcepts. Not only do the aspects classically associated with the term "security" need to be planned, but also normal operating aspects that can lead to requirements in the area of security.
In the basic concept, focus should be placed on handling the following aspects, for example:
- First, it must be generally specified where printers and copiers are to be installed and who has access to these rooms and/or to these devices (see S 1.32 Suitable locations for printers and copiers).
- Next, access to the network printers must be controlled, i.e. it must be specified who has which access authorizations to what printers for which tasks.
- The printers and copiers must be protected against attacks.
- Physical manipulations are to be prevented by implementing appropriate safeguards. For example, when locks or seals are placed on maintenance access points such as access panels, unauthorised changes are more difficult to make or can at least be detected.
- Furthermore, attacks over the network should be impeded. These attacks include, for example, unauthorized accesses to remote administration interfaces over the LAN (see safeguard S 4.301 Restrictions on access to printers, copiers, and all-in-one devices).
- In addition, electronic information must also be protected during transmission to the printer and when the information is processed. For example, consideration should be given to encrypting all documents to be stored (possibly only temporarily) on the hard disks of the printers and copiers.
The following aspects of a concept should be considered when planning the use of printers, copiers, and similar devices:
General aspects:
- Purchase or lease: In some cases, it may make sense to lease the required printers or copiers instead of buying them. If the devices are leased, then it must be ensured that any documents stored in the printer or copier storage devices are securely deleted so they cannot be reconstructed by the next customer who leases the device. In this case, it must be checked beforehand if the storage areas can be reliably erased without physically destroying them.
- Local or network-enabled printers: It must be decided whether to use local printers available only to individual IT systems or network-enabled printers that can be used by several users. A compromise solution often provides additional benefits: users who often need to print out sensitive information are provided with a local printer for these printouts, while higher-performance central printers are provided for the printouts of the other users and for printouts of information with a low protection requirement.
- Print servers: Network printers can be controlled directly from the workstation computers or via one (or more) print servers. A print server takes on the print jobs from the IT systems and forwards them to the desired printers. In addition to central administration and logging capabilities, the printers are also more efficiently protected against attack when only the print servers are granted access to the network printers. A suitable solution must be selected.
- Guidelines for use: To enable secure and effective use of printers, copiers, scanners, and all-in-one devices in government agencies or companies, it is necessary to create security policies which are based on the existing security objectives and which take into account the requirements from the planned operational scenarios. These specific security policies must be in agreement with the organisation's overall security concept. Based on the security policies, rules must be created for the secure use of these devices, and security policies need to be worked out for this purpose (see S 2.398 User guidelines for handling printers, copiers, and all-in-one devices). It must be ensured that printers, all-in-one devices, and other such devices are included in security audits and that the implementation of the security policies is also checked regularly for these devices.
- Distribution of privileges: It must be decided whether or not certain functions of a printer should be restricted to selected users. Examples of such functions include the more expensive functions such as colour printing or the printing of paper documents on special paper formats like A3. Setting these user rights can make administering and troubleshooting the printers more difficult.
- Refilling consumables: Consumables such as toner and paper need to be refilled regularly in printers and copiers. Rules must be established to specify who is responsible for refilling and which procedures need to be followed for refilling (see S 2.52 Supply and monitoring of consumables and S 2.2 Resource management).
Rules for document access: Safeguards must be implemented that make it more difficult to access other users' documents:
- Information critical to security: If information critical to security is printed often on network printers, then it must be ensured that only authorised persons have access to the printouts. To accomplish this, network printers and copiers can be used on which the users need to provide authentication information directly on the device to obtain a printout, for example (see S 4.299 Authentication for printers, copiers, and all-in-one devices). Alternatively, access to the printers could also be restricted to a few trustworthy people who then distribute the printouts among the corresponding recipients.
- Additional restrictions: It must be clarified if, and if so, which restrictions should apply to printer accesses. For example, it normally does not make sense to permit employees who dial in to the network from outside to print on remote printers since they cannot immediately pick up their printouts. Corresponding restrictions can also be implemented that apply to those times of the day when documents are not normally printed.
Protection of network printers: Access to the network printers should be restricted (see S 4.301 Restrictions on access to printers, copiers, and all-in-one devices):
- Administration: Safeguards to protect the network printers against changes to the printer settings by unauthorised persons must be implemented accordingly.
- Physical protection: Consideration should be given to implementing safeguards that prevent manipulation directly on the device.
- Network-specific protection: When using network-enabled components, mechanisms to protect the components against attacks from the network must be set up. When IEEE 802.1X or similar technical methods for controlling access to the network are supported by the network printers and the network structure, then these should also be used. They serve to protect against IT systems connecting to the network without authorisation. Furthermore, print servers should not establish any connections to other IT systems except for the predefined printers.
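The print server rules above (only print servers may reach the network printers, and print servers connect to nothing but the predefined printers) can be checked against recorded connection data. The following is an added example, not part of the safeguard text; the addresses, flow records, and rule names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "rule src dst port")

# Constructed inventory and flow records (documentation address ranges).
PRINT_SERVERS = {"192.0.2.10"}
PRINTERS = {"192.0.2.50", "192.0.2.51"}
SAMPLE_FLOWS = [  # (source, destination, destination port)
    ("192.0.2.10", "192.0.2.50", 9100),   # print server -> printer
    ("192.0.2.77", "192.0.2.10", 631),    # workstation -> print server
    ("192.0.2.77", "192.0.2.50", 9100),   # workstation bypasses the print server
    ("192.0.2.77", "192.0.2.51", 443),    # workstation reaches a printer's web interface
    ("192.0.2.10", "198.51.100.5", 445),  # print server -> unrelated system
    ("192.0.2.300", "192.0.2.50", 9100),  # malformed source address
]


def _norm(addr):
    """Return the canonical text form of an IP address, or None if invalid."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None


def check_flows(flows, print_servers, printers):
    """Flag flows that violate the print-server-only access model."""
    servers = {_norm(a) for a in print_servers}
    devices = {_norm(a) for a in printers}
    findings = []
    for src, dst, port in flows:
        s, d = _norm(src), _norm(dst)
        if s is None or d is None:
            # Unparseable records are reported, not silently dropped.
            findings.append(Finding("malformed-record", src, dst, port))
        elif d in devices and s not in servers:
            findings.append(Finding("direct-printer-access", s, d, port))
        elif s in servers and d not in devices:
            findings.append(Finding("print-server-unexpected-destination", s, d, port))
    return findings


if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS, PRINT_SERVERS, PRINTERS):
        print(f.rule, f.src, "->", f.dst, "port", f.port)
```

Findings from such a check show where the planned restriction is not enforced in the network, for example by a missing filter rule between the client and printer segments.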
Availability: Precautions must be taken in case of the failure of the print servers or individual devices. Appropriate maintenance contracts, for example, can reduce the downtime resulting from technical defects (see S 6.105 Contingency planning for printers, copiers, and all-in-one devices).
Encryption: In safeguard S 4.300 Information security for printers, copiers, and all-in-one devices, the following questions, which play an important role in planning, are examined, among others:
- Hard disk encryption: Many printers and digital copiers are equipped with built-in storage media for storing information. If the device supports encryption for the storage media, then encryption should be used.
- Encryption of communications: Encrypting the communication link between the workstation computers and the print servers as well as between the print servers and the printers should be considered.
All decisions made in the planning phase must be documented so that they can be understood at a later point in time. When documenting, make sure the information is appropriately organized and easy to understand.
Review questions:
- Has the secure use of printers, copiers, and all-in-one devices been planned?
- Are the locations specified where printers, copiers, and all-in-one devices are allowed to be placed?
- Has the access to the printers, copiers, and all-in-one devices been specified?
- Were arrangements made to protect printers, copiers, and all-in-one devices against attacks?