S 4.300 Information security for printers, copiers, and all-in-one devices
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User, Administrator
In order to be able to generate a printout, the necessary information must be transmitted from the workstation computer to the printer. On copiers, transmission generally only takes place internally between the scanning unit and storage device. An attacker could attempt to access the storage device or to read the information during its transmission to the printer.
In large devices, hard disks are often used as temporary storage space for the temporary file services provided for the information to be printed. Depending on the configuration, the information may not only be stored temporarily in the storage device, but also permanently. It should be guaranteed that the information is deleted from temporary storage after printing. Many copiers offer a delete function for this purpose. All users must be instructed to use this function every time a copy is made (see M 2.398 User guidelines for handling printers, copiers, and all-in-one devices).
If information requiring a higher level of protection is printed or copied often, then you should note that simple deletion is not enough to prevent the restoration of the deleted data. Some devices provide mechanisms for "secure deletion" for this purpose. In this case, the delete function also overwrites the data deleted. If such a function is provided, then it must be activated. Otherwise an adequate alternative solution must be found.
If possible, safeguards should be implemented to make physically accessing the storage device or removing the hard disks more difficult for an attacker. Devices should be sealed so that attempts to remove or manipulate the internal storage device can be detected. In general, printers and copiers should be set up so that no one can try to manipulate such devices unobserved.
As additional protection, it is recommended to store the information in the internal storage device in encrypted form. Numerous printers and copiers offer this function. If the device used supports encrypted storage, then this function should be activated.
Communication between the workstation computers, print servers, and network printers is usually performed over a data network, which means the same risks as for other data connections exist in this case as well. In order to prevent someone from eavesdropping on this communication, the print jobs should be transmitted in encrypted form, if possible.
Some print protocols such as the LPR/LPD protocol (Line Printer Remote / Line Printer Daemon), widely used on Unix systems in particular, do not support encryption. The situation is similar with SMB/CIFS (Server Message Block / Common Internet File system) when using Windows.
For this reason, a protocol such as IPP (Internet Printing Protocol) that supports encryption should be selected, e.g. TLS/SSL (Transport Layer Security / Secure Sockets Layer) in connection with IPP.
On Unix systems, the Common Unix Printing System (CUPS) should be used, for example; with newer versions, CUPS uses the IPP protocol in the default settings for communication between client and print server. TLS/SSL can be activated in this case by specifying the appropriate configuration.
Review questions:
- Do the network printers and/or copiers support encrypted storing of information, and has this been activated?
- Is the memory of printers, copiers, and all-in-one devices deleted automatically or by the user after printing?
- Are the print jobs protected during transmission?
- Were safeguards implemented that make removing the internal storage components from printers and copiers more difficult?