Security

Secure Printers with These 4 Tips

Minimizing security risks related to printer vulnerabilities is essential for federal agencies.

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

Printers aren’t just printers these days. They are scanners, copiers, fax machines, print servers and more. They may not have the processing power and storage capacity of a server or even a modern smartphone, but their invisible nature and privileged position in networks makes them an ideal entry point and hiding place for hackers and malware.

Here are four tips to reduce the risk of compromise.

1. Understand the Nature of the Technology

Printers have complex software, but they don’t get the same level of support, bug fixes and security testing that we expect for desktop, server and smartphone operating systems. Because printers can never be fully secured, network-based access controls are a critical tool for isolation and protection.

If you can, place printers on a separate virtual LAN, with all access controlled by a firewall. Your buildings and printers may be too dynamic to identify which ports the printers are attached to. In that case, you can use tools such as 802.1X authentication to automatically steer printers to the right network segment based on the Media Access Control address. You will still need to create a secure configuration, but firewalls add an additional layer of protection.

Click the banner below to learn about the latest emerging technology by becoming an Insider.

2. Simplify and Secure Configurations

Out of the box, printers can have as many as 20 printing protocols and services enabled. This makes these typically plug-and-play devices user-friendly, but it also creates a huge attack surface. By whittling the configuration down to the absolute minimum needed to operate in your network, you can reduce the risk of someone taking control of a printer or gaining access to stored print jobs.

Don’t forget other basics: Change the default password or, better yet, use an agency-wide directory for authentication; disable unencrypted management traffic; and if you are using SNMP, enable only SNMPv3. If you haven’t rolled out IPv6 yet, don’t enable it on your printers.

3. Pick the Right Products

The temptation to litter the network with inexpensive printers can be strong, especially in distributed, budget-constrained environments. Having dozens of printer types from different vendors to manage and secure can turn a hard job into an impossible one.

If a centralized Print as a Service model works for your agency, this is your best choice to deliver the highest level of security and reliability overall. In this model, devices are provided, managed, secured and controlled by a third-party partner. If your agency needs a more distributed approach, use security as the lens to view basic standards for all printers connected to your network. This ensures you restrict choice only when there is a clear and compelling reason.

4. Use Print Servers to Further Isolate Devices

Configure the printer to communicate only with the print server, eliminating the possibility of someone communicating directly with the device. This strategy is especially important if you find that you cannot put printers on their own firewalled network segment. Print servers provide a level of separation between the end user and the printer that will reduce (but not eliminate) security problems.

Veronika Oliinyk/Getty Images