S 4.301 Restrictions on access to printers, copiers, and all-in-one devices

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

To make attacking printers, copiers, and all-in-one devices more difficult, access to these devices must be restricted. In the following, some aspects you should consider for the secure operation of printers and copiers are described:

• Restriction of access rights to only those needed
  
  If possible, only as few administrators as necessary should be granted complete access. To do this, only grant those the access rights necessary to perform the required tasks (see S 2.8 Granting of access authorisations).
• Secure administration access:
  
  Only authorized persons should be allowed to access administrative areas and the configuration. Access should only be possible after prior authentication, for example by entering a password or a PIN. If printers, copiers, or all-in-one devices will be administered over a network, then it must be ensured that the administrators also need to be authenticated in this case as well. If the system does not support authentication, then suitable alternative safeguards must be implemented.
• Secure remote access to the administration:
  
  Administration access should only be possible over an encrypted channel, if possible, so that no passwords or other information requiring protection can be eavesdropped on. For example, some types of devices can encrypt the transmission of the configuration data using HTTPS or SMNPv3. In this case, unencrypted communication should be prohibited by deactivating the HTTP interface for configuration, for example.
• Disabling unneeded functions:
  
  Even printers, copiers, and all-in-one devices generally offer more functions than are needed for normal operation. These functions can pose an unnecessary risk. For this reason, all unneeded functions should be deactivated or their use should be restricted as much as possible.
• Packet filters:
  
  Some printers have integrated packet filters for filtering the connections based on IP addresses or port numbers. All ports not required for printing operations or for configuring the printer are to be blocked, if possible. If the device supports encrypted communication, then unencrypted communication with the device should be prevented as much as possible, for example using the corresponding port numbers.
  
  If print servers are used, it must be ensured that only these servers are allowed to establish a connection to the printers. In this case, it is much more difficult for unauthorized IT systems to establish a connection to the printers. Exceptions to this are the systems used to configure the printers. These systems also need to access the printers, of course.
  
  The packet filters should generally be configured as restrictively as possible. This also applies to the establishment of connections from the network printers to other IT systems. For example, the packet filters should be configured so that network printers cannot connect to an IT system located outside of the LAN. This makes the unwanted exchange of data with external IT systems, for example with computers on the Internet, more difficult. Regardless of the local packet filter configuration, communication between the printers and external networks must be blocked by the central security gateway.
• Network segmentation:
  
  It is often recommended to collect all printers, copiers, and all-in-one devices in a single logical network. In many cases, this makes configuration and administration easier. When implemented thoroughly, communication between the printers and other network segments can be controlled specifically by the corresponding routers and gateways (for the IP packets received as well as those sent).

Review questions:

• Is the access to the configuration of printers, copiers, and all-in-one devices protected?
• Is the remote configuration of printers, copiers, and all-in-one devices protected by authentication and an encrypted connection?
• Have all unneeded functions of printers, copiers, and all-in-one devices been switched off?