Most network printers and multi-function devices (MFDs) are insecure straight out of the box, with most options enabled by default. If left unsecured, the devices can be exploited by hackers to:

  • Retrieve sensitive files stored on the printer/MFD’s hard drive, or previous print jobs
  • Manipulate print jobs
  • Attack other systems as part of a Denial of Service (DoS) attack
  • Exploit vulnerabilities in printer firmware

General Best Practice

  • Determine which printing protocol is in use, either Line Printer Daemon (LPD), which runs on port tcp/515, or Raw printing, which runs on port tcp/9100, and disable the unused protocol.
  • If not using network sharing, consider disabling the option on the printer. If using network sharing, determine the protocol in use and disable the unused protocol (SMB 1.0 or SMB 2.0/3.0).
  • In an IPv4-only environment, disable IPv6.
  • Use SNMP v3.0 only, which is encrypted and more secure than version 2.0; if not using SNMP, disable it.
  • Change the default administrator password on the WebGUI.
  • Update the printer firmware.
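
To confirm that unused services really are off after working through the checklist, the following added example (not part of the original article) compares what one of your own printers listens on with the protocols your site declares in use. The function names, the sample address 192.0.2.10 and the use of tcp/445 for SMB are assumptions of this example.

```python
import socket

# tcp/515 (LPD) and tcp/9100 (Raw) are the ports named in the checklist;
# tcp/445 for SMB sharing is the standard port, added here as an assumption.
PRINT_SERVICES = {"lpd": 515, "raw": 9100, "smb": 445}


def probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit(host, in_use, services=PRINT_SERVICES, probe_fn=probe):
    """Compare what a printer listens on with what the site says it uses."""
    findings = []
    for name, port in sorted(services.items()):
        listening = probe_fn(host, port)
        if listening and name not in in_use:
            findings.append((name, port, "listening but unused: disable"))
        elif not listening and name in in_use:
            findings.append((name, port, "in use but not reachable: check ACL/config"))
    return findings


if __name__ == "__main__":
    # Constructed sample: a printer at a documentation address (192.0.2.10)
    # with every default service on, at a site that prints via Raw only.
    factory_default = {515, 9100, 445}
    for finding in audit("192.0.2.10", {"raw"},
                         probe_fn=lambda host, port: port in factory_default):
        print(finding)
```

SNMP runs over UDP, so it is not covered by this TCP check and should be verified in the printer's own configuration.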

Further advanced options to secure network printers include:

Network Access Control (NAC)

In an enterprise environment it’s common to deploy a NAC solution using 802.1x to authenticate all endpoints to the network, which prevents unknown/rogue devices from connecting to the network. Modern printers support 802.1x using different authentication methods, including certificates (EAP-TLS) or username/password (PEAP/MSCHAPv2).

Access Control Lists (ACL)

Ideally there should be no need for direct printing, as most organisations use a print server; Access Control Lists can therefore be used to reduce the attack surface and restrict communication to known resources. With the printers authenticated to the network, the NAC solution can dynamically apply Access Control Lists specific to printer communication, controlling ingress/egress traffic.

To find out more about Network Access Control, contact us.
