13 Replies Latest reply on Sep 30, 2016 8:15 AM by Paul Klump

    Securing your print environment

    bheffernan@pharos.com Ranger

      Recent hacks in the news are directing attention toward printer-related security. Maybe you heard about the one that resulted in the mass printing of racist fliers at several U.S. universities. This is an often disregarded area of network security. As most of you probably know, many printers ship unsecured by default; they listen on all ports and support many protocols. This "plug and play" openness makes them easy to connect to your network but it also introduces potential security vulnerabilities. It's important that you lock down your network printers and make your print environment a key part of your organizational security policies and procedures.

       

      We thought we'd open this topic for discussion so that we can all share our experiences and methods related to this important topic. How does your organization incorporate print devices into your overall security policy, and what best practices and experiences can you share?

        • Re: Securing your print environment
          Timothy Grzeczka Pioneer

          This is a great discussion to start. While the main reason many organizations look into Print Management is cost savings, security is also an issue. Before Pharos, printing on our campus was a mess. We had multiple public locations where you could log in and print as much as you wished. Beyond the waste there were also concerns about personal data loss due to the print jobs releasing immediately. With Secure Release and Informed Print / Cost Acceptance, we were able to cut down on waste and educate our users on best practices for printing. I can share a few things I've done over the years to secure our environment:

           

          1. Be sure ALL devices (from high-end MFPs all the way to simple laser printers) have their admin password set and, if possible, their control panels locked. MFPs are easier to accomplish this with since they have built-in security. Some simple laser printers don't have a way to do this. Also, most MFPs allow you to restrict by account type in Pharos what they can and cannot do.

           

          2. Set up and use the built-in firewall / access restrictions on printers. Most printers have the ability to limit what IPs and protocols are allowed to talk to the printer. With a few clicks, you can set the printer to only accept jobs from your Pharos print servers. Even if a user gets the IP address, there's nothing they can do with it.

           

          3. Minimize or eliminate use of generic or anonymous guest accounts. It's hard to track down who did something when you have generic accounts. During my time here, I've worked to get all the generic accounts removed, and everyone (community members, guests, volunteers, vendors, etc.) has unique credentials that have restrictions and (if applicable) expiration dates. I know it's not directly related to Pharos and printing, but it can make securing a print environment much easier.

           

          Just my experiences. I'm sure others will have other suggestions.

          • Re: Securing your print environment
            John Siegel Guide

            Adding to what Tim mentioned:

             

            We shut off any protocol we don't support, i.e. EtherTalk, Netware, Port 9100, etc., limiting the various potential connections. We also change the HTTP setting for connecting to the device's embedded web server from the standard 80 or 8080 to a different port. We don't allow printing via USB, so we also shut off the USB ports and the ability to connect via parallel port on printers.

             

            ~John

            • Re: Securing your print environment
              Rick Heckbert Wayfarer

              Our checklist for new devices

              1. Set Access Control Lists (ACL) - control what source IPs can send data to the device (remember, masking for HP ACLs looks like subnet masks but is not).  123.45.67.89 with an HP mask of 255.255.255.0 will let anyone with an IP of 123.45.67.x send data to the device.  You need a mask of 255.255.255.255 to restrict the data to only come from a single machine.  Remember to include your machine as a back door!

              2. Shut off all unwanted protocols

              3. Shut off local ports (USB/Parallel/Serial)

              4. Set admin password

              5. Set embedded web server (EWS) password

              6. Set SNMP Community name (get away from default of public)

              7. Shut off telnet/FTP access

              8. Set display to NOT show IP address

               

              Some other things we do

              1. Lock the control panel down so as to not print config pages.  Config pages show IP addresses, and with a machine's IP, as long as no ACLs are set, I can set it up as a local TCP/IP printer on my machine and completely bypass Pharos.

              2. Make sure all paper sizes have a default cost.  When we first installed Pharos, some enterprising students found that if you selected A4 as the paper size at the print dialog box, the job would go through, but because we only set prices for North American sizes (8.5 x 11 and 8.5 x 14, aka letter and legal) the price for A4 defaulted to $0.00. The process worked the same except the total charge was pages x $0.00, or $0.00.  The HP printers were then kind enough to suggest "We don't have A4, print 8.5 x 11 instead?"  Hit OK or the check button and off it went, printing the job on the "substitute" 8.5 x 11 at no cost to the end user.

               

              I have seen the A4 trick being used by a lot of students until we caught it.  I've seen several students set up direct connections to the printer until we implemented ACLs and I have seen students bring cables with them and directly connect to the print device until we blocked local ports.  You may also want to turn off Air Printing if your device supports it.

               

              A new group I took over management of Pay-for-Print from recently was one of the schools hit by the racist printouts.  Needless to say I was configuring ACLs that night!

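The ACL mask pitfall in item 1 above, worked as a small model. This is an added example, not code from the thread, from Pharos, or from HP: it treats an HP-style ACL entry as an (address, mask) pair where a packet is accepted if `(source & mask) == (address & mask)`, which is the behaviour the post describes. The addresses are constructed documentation-range values, and the model only covers what the ACL itself sees; later posts in this thread note that some protocols slip past the ACL on some models, which no address math will fix.

```python
from __future__ import annotations
import ipaddress

def ip_to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def acl_allows(src_ip: str, acl: list[tuple[str, str]]) -> bool:
    """Model of an HP-style printer ACL (assumed semantics, see lead-in).

    Each entry is (address, mask). The device accepts a packet when, for any
    entry, (source & mask) == (address & mask). The mask is a bits-to-compare
    mask that merely looks like a subnet mask. An empty ACL is the factory
    state: everyone is allowed.
    """
    if not acl:
        return True
    src = ip_to_int(src_ip)
    for address, mask in acl:
        a, m = ip_to_int(address), ip_to_int(mask)
        if src & m == a & m:
            return True
    return False

# Constructed example addresses (not from the thread): the Pharos print
# server, the admin workstation kept as the "back door", a student machine
# on the same /24, and a host elsewhere on campus.
PRINT_SERVER = "192.0.2.10"
ADMIN_HOST = "192.0.2.20"
STUDENT_HOST = "192.0.2.200"
OUTSIDE_HOST = "198.51.100.7"

# The mistake from the post: a /24-looking mask admits the whole block,
# so the student on 192.0.2.200 can print straight to the device.
LOOSE_ACL = [(PRINT_SERVER, "255.255.255.0")]

# The intended lockdown: one host mask per allowed machine.
STRICT_ACL = [
    (PRINT_SERVER, "255.255.255.255"),
    (ADMIN_HOST, "255.255.255.255"),   # remember to include your own machine
]

def audit(acl: list[tuple[str, str]], hosts: list[str]) -> dict[str, bool]:
    """Return {host: allowed} so an admin can eyeball who gets through."""
    return {h: acl_allows(h, acl) for h in hosts}

if __name__ == "__main__":
    hosts = [PRINT_SERVER, ADMIN_HOST, STUDENT_HOST, OUTSIDE_HOST]
    for name, acl in (("loose", LOOSE_ACL), ("strict", STRICT_ACL)):
        print(name, audit(acl, hosts))
```

Running `audit` against every address range students can sit on, before pushing an ACL to a fleet, catches the /24 mistake on paper instead of after a semester of bypassed print charges.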
                • Re: Securing your print environment
                  Steven English Guide

                  Rick Heckbert,

                   

                  The paper size item you referenced with the A4 paper size can be easily addressed by taking the following 2 steps:

                  1. Add the Default Paper Size to the list in the Per Page Attribute Costs and enter the desired prices.
                  2. Under the Job Cost Method, set the Default Per Page Cost to something ridiculously high.  I typically use $500 or $1000

                   

                  This accomplishes two things.  First, the last several versions of Pharos allow for continued detection of attributes even when the paper size is either not determined or does not have pricing configured.  In your case, since A4 paper was not configured, Pharos would have fallen back to that Default Paper Size value and still attempted to detect the remaining attributes (mono, color, simplex, duplex, etc.) which would have resulted in the job still being priced correctly.  As you know, job costing in old versions of Pharos would fall out of the attributes table for paper sizes that were not configured and then charge the default per page cost, which is $0.00 to start.  Of course, if you allow for Ledger printing in addition to letter, it would certainly still make sense to configure the European equivalents (A3 & A4 IIRC) as the Default Paper Size functions as a catchall regardless of size.

                   

                  The second part is the fail-safe so that if a condition ever arises that causes the charging to exit the attributes table and fall back to the default price, the user will not be able to print because of the price.  It has the added benefit of being really memorable when the report comes in that the job was going to cost $2000, and we know exactly what is going on and what to start asking about.  It usually winds up with them resubmitting the job and we review the attributes in Pharos Admin to see the sore thumb attribute or to notice a missing paper size attribute.

                   

                  Regards,

                  Steven

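The costing fallback Steven describes, modelled in code. This is an added example and not Pharos' own costing engine: it assumes a per-page attribute table keyed by paper size and colour mode, a Default Paper Size that acts as a catch-all when the job's size is not in the table, and a Default Per Page Cost that is charged when costing falls out of the table entirely. The prices, paper sizes and the `Job`/`CostConfig` shapes are constructed for illustration. It shows the legacy configuration that priced the A4 trick at $0.00 next to the hardened one, where an unpriced attribute surfaces as a $2000 job rather than a free one.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class CostConfig:
    # per_page_attribute_costs[paper_size][color_mode] -> price per page
    per_page_attribute_costs: dict[str, dict[str, float]]
    default_paper_size: str | None = None   # catch-all size, if configured
    default_per_page_cost: float = 0.0       # charged when costing leaves the table

@dataclass
class Job:
    pages: int
    paper_size: str
    color_mode: str   # "mono" or "color"

@dataclass
class Costing:
    total: float
    path: str         # which rule priced the job, for the review step

def price_job(job: Job, cfg: CostConfig) -> Costing:
    """Price a job with the assumed fallback order (see lead-in):
    attribute table -> default paper size -> default per page cost."""
    table = cfg.per_page_attribute_costs
    size = job.paper_size
    path = "attribute table"
    if size not in table:
        if cfg.default_paper_size in table:
            size = cfg.default_paper_size
            path = f"attribute table via default paper size {size}"
        else:
            return Costing(job.pages * cfg.default_per_page_cost, "default per page cost")
    per_page = table[size].get(job.color_mode)
    if per_page is None:
        # attribute detected but never priced: fall out of the table
        return Costing(job.pages * cfg.default_per_page_cost, "default per page cost")
    return Costing(job.pages * per_page, path)

# Legacy setup from the post: only North American sizes priced,
# no default paper size, default per page cost left at $0.00.
LEGACY = CostConfig(
    per_page_attribute_costs={
        "Letter": {"mono": 0.10, "color": 0.50},
        "Legal":  {"mono": 0.12, "color": 0.55},
    },
)

# Hardened setup: A4 priced, Letter as the catch-all, and a deliberately
# absurd default so anything that escapes the table cannot be released.
HARDENED = CostConfig(
    per_page_attribute_costs={
        "Letter": {"mono": 0.10, "color": 0.50},
        "Legal":  {"mono": 0.12, "color": 0.55},
        "A4":     {"mono": 0.10, "color": 0.50},
    },
    default_paper_size="Letter",
    default_per_page_cost=500.0,
)

# Constructed jobs: the A4 trick, an unlisted size, and a job whose
# colour attribute was detected as something the table has no price for.
A4_JOB = Job(pages=10, paper_size="A4", color_mode="mono")
ODD_SIZE_JOB = Job(pages=4, paper_size="B5", color_mode="mono")
UNPRICED_ATTR_JOB = Job(pages=4, paper_size="Letter", color_mode="unknown")

if __name__ == "__main__":
    for job in (A4_JOB, ODD_SIZE_JOB, UNPRICED_ATTR_JOB):
        for name, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
            c = price_job(job, cfg)
            print(f"{name:8} {job.paper_size:6} {job.color_mode:7} -> ${c.total:8.2f} ({c.path})")
```

The `path` field is the operational half of the fail-safe: when a user reports a four-page job quoted at $2000, the costing record already says it went through "default per page cost", which points straight at a missing attribute price rather than at the user.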
                • Re: Securing your print environment
                  Paul LaFollette Guide

                  Rick Heckbert has an excellent list of steps to take.  I'd like to take this moment to heartily recommend all of us to review his list and consider each item for each environment.

                   

                  Having said that...

                  I had used the Access Control Lists for many years; however, certain protocols can "slip past" the ACLs on many of the newer printers, and on some newer printers using ACLs will cause printers to no longer "ping" and also stop the EWS from responding if you're not in an allowed subnet, even with accessing the EWS set to be allowed, while other models will continue in the same fashion as the older printer models. I recently learned (from HP) that HP has deprecated the Access Control Lists and it looks like no further development is taking place with the ACLs.  HP is still providing the ACL option on the printers, but HP highly recommends using the Firewall options provided on nearly all networkable HP printers. The problem is: setting up the Firewall settings is more complicated (but allows for flexibility ACLs could not), and HP's Web JetAdmin tool can apply Firewall settings as a Template to greatly ease deploying, but the different models are (not yet) consistent with their Firewall settings and Web JetAdmin doesn't yet manage to get the full Firewall settings some models require, which makes applying Firewall settings inconsistent and sometimes a real "pain in the ___" (IMHO).

                   

                  I know for a fact if you need to have IPP, WS-Discovery, or Web Services Print turned on, these protocols can "slip past" the ACLs on certain printer models but the Firewall settings can stop those protocols where needed.  (if you're tempted, DON'T try to use both ACLs and Firewall settings, it'll bite you)

                   

                  We had a multi-function printer that needed to be locked down and ACLs were not good enough, but if we didn't get the Firewall settings absolutely perfect, the scan to email and scan to folder functions totally failed while the printer would still print. Even though the Firewall was set to "allow all protocols" for the needed subnet, that wasn't enough to also allow the scan functions.

                   

                  ACLs and Firewall settings are an area where I believe the printer manufacturers could really use a bunch more development (and better tools).

                   

                  It is also unfortunate that a number of the protocols that are best turned off, are protocols used by many printer management tools.  Grrr.  (yeah, a little venting).

                   

                  - Paul L.

                    • Re: Securing your print environment
                      Joshua Fecich Newbie

                      We are working on securing our printing environment over the summer because we found students bypassing the Pharos queues by printing from apple products! When setting the firewall settings we added the pharos server in the exception list. We are able to login, but it never prints anything. Any ideas?

                       

                      Thanks,

                        • Re: Securing your print environment
                          Paul LaFollette Guide

                          Joshua Fecich

                          Are the "Bonjour" or "Airprint" protocols on your printers enabled?   Bonjour and Airprint (and also mDNS "Multicast Domain Name System") aid the Mac OS devices to 'discover' devices and identify them thus making it simple to setup for printers that are "nearby" as these protocols serve mostly just devices in the same IP subnet.   Disabling those protocols at the printer puts a stop to discovering printers by those means.

                           

                          Also, Bonjour, Airprint, and IPP/IPPS (Internet Printing Protocol) can bypass the access control lists (ACL) on many printers.  For this reason, HP encourages using the printer's Firewall settings if the printer has that ability.  However, setting up the Firewall correctly without "shooting yourself in the foot" can be tricky and isn't as easy/simple as setting access control lists.

                           

                          Thanks,

                          - Paul L.

                            • Re: Securing your print environment
                              Joshua Fecich Newbie

                              Yes, we are definitely having some issues with the firewall settings! For some reason, when it's enabled and we set the default rule to allow, the printer will not print released jobs from Pharos. We even tried adding rules that ALL IPv4 traffic was allowed (just to test) and jobs would still print when released from Pharos...

                               

                              We had to disable the firewall and go back to the ACL, unfortunately. I disabled all the protocols except LPD, which Pharos uses... I'm assuming (when it's turned off it no longer works).

                               

                              If anyone has any ideas on why Pharos stops working when we enable the firewall, I'm all ears!

                               

                              Thanks,

                              -Josh

                                • Re: Securing your print environment
                                  Scott Olswold Guide

                                  Josh,

                                  Most firewall solutions (I'm admittedly very unfamiliar with any firewall inside a printer, so please forgive me) will also block UDP outright. If you are using device state/status checking in Uniprint and your printer's firewall isn't allowing all UDP 161 (SNMP) traffic, that will affect the Uniprint server's ability to release, because the initial device state check fails. Just a thought.

                                   

                                  -Scott

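Scott's UDP 161 point, turned into a check you can run before enabling a printer firewall. This is an added example, not from the thread, from Pharos, or from any printer vendor: it models the firewall as an ordered list of first-match rules plus a default action, which is an assumption about how a given printer behaves, and uses constructed addresses with the standard ports for LPD (TCP 515), SNMP (UDP 161), IPP (TCP 631) and raw printing (TCP 9100). The method it demonstrates is the useful part: list the flows the release path needs, list the flows you want blocked, and confirm both against the rule set.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # source host as the printer sees it
    proto: str      # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str        # CIDR the rule matches
    proto: str      # "tcp", "udp" or "any"
    dport: int | None   # None = any port
    action: str     # "allow" or "drop"

def first_match(flow: Flow, rules: list[Rule], default: str) -> str:
    """Assumed first-match semantics: the first rule matching source,
    protocol and port decides; otherwise the default action applies."""
    src = ipaddress.ip_address(flow.src)
    for r in rules:
        if src not in ipaddress.ip_network(r.src, strict=False):
            continue
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return r.action
    return default

def dropped(rules: list[Rule], default: str, flows: list[Flow]) -> list[str]:
    """Names of the given flows that the rule set would not allow."""
    return [f.name for f in flows if first_match(f, rules, default) != "allow"]

# Constructed addresses (not from the thread).
PHAROS_SERVER = "192.0.2.10"
STUDENT_MAC = "192.0.2.200"

# Flows the Uniprint release path needs: the LPD job itself, plus the
# SNMP device-state query that runs before release (Scott's point).
REQUIRED = [
    Flow("LPD job from Pharos server", PHAROS_SERVER, "tcp", 515),
    Flow("SNMP status query from Pharos server", PHAROS_SERVER, "udp", 161),
]

# Flows that bypass the Pharos queue and must stay blocked.
BYPASS = [
    Flow("direct IPP from a student Mac", STUDENT_MAC, "tcp", 631),
    Flow("direct raw 9100 from a student", STUDENT_MAC, "tcp", 9100),
]

# Rule set 1: the server is on the exception list, but only the TCP
# printing port was thought about, so the UDP 161 query never matches.
TCP_ONLY = [Rule(f"{PHAROS_SERVER}/32", "tcp", 515, "allow")]

# Rule set 2: add the SNMP rule and keep the default at drop.
WITH_SNMP = TCP_ONLY + [Rule(f"{PHAROS_SERVER}/32", "udp", 161, "allow")]

if __name__ == "__main__":
    for name, rules, default in (("tcp-only/drop", TCP_ONLY, "drop"),
                                 ("tcp-only/allow", TCP_ONLY, "allow"),
                                 ("with-snmp/drop", WITH_SNMP, "drop")):
        print(name)
        print("  required flows dropped:", dropped(rules, default, REQUIRED))
        print("  bypass flows dropped:  ", dropped(rules, default, BYPASS))
```

Two things fall out of the run. With the TCP-only rule set and a default of drop, the SNMP query is the only required flow that fails, which is exactly the symptom of a release that authenticates but never prints. With a default of allow, the required flows pass but so do the student's IPP and port 9100 connections, so a default-allow firewall buys nothing over no firewall at all; the fix is the explicit UDP 161 rule, not a looser default.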
                          • Re: Securing your print environment
                            lpadgett Scout

                            Just a couple things to add.

                            • It's a good idea to turn off automatic upgrades due to the chance that malicious ps/firmware files have been known to wreck printers.
                              • The racist flier hack was a ps file but the first thing I thought was that it could have been much worse if he had different intentions such as stealing data or creating hidden spam servers. Older printers particularly have this problem, but I think my Docucolor press printers still have the file upgrade option.
                            • Turn off all device discovery protocols
                            • Keep printer firmware updated
                            • Run daily device overwrite policies to delete confidential data from the internal hard drive.

                             

                            I use Access Control on my smaller printers and IP filtering + SSL certs on the MFPs.

                            Changing ports for SFTP, if supported, isn't a bad idea either. With new technology like the Arduino Yun, any wireless technology is vulnerable too; just food for thought.

                             

                            -Loyd

                            • Re: Securing your print environment
                              Bill Kasper Guide

                              We were one of the universities that got hacked, and we've been fighting it since December.  As a University, we use Nexpose to check our security vulnerability, and it works nicely with the devices to figure out what's what.

                               

                              What we do varies by device maker.  Our basic list with Ricohs overlaps with others above.  We change the base login away from "admin/blank" after loading our Pharos software the first time.  We turn off telnet, FTP, SFTP, RSH/RCP, and SSDP.  We change our SNMP names away from "public" and "admin".  Our Pharos devices are limited by IP to our Pharos servers and our office IP address range (so we can get at them from our office); no one else is allowed to use them, and since Pharos channels all print streams through the servers, it's just fine.  In some instances we allow particular server queue IP addresses to pass through the NIC and print outside of Pharos (we charge that based on the difference between what was charged under Pharos and what else was done on the device).

                               

                              On non-Pharos devices (which our users use like regular IP printers) we turn everything off the same way, but limit the IPs to the campus class C subnet; we will specify our office address range, and specific other ranges if we want to use belt *and* suspenders.

                               

                              Once we set up our Ricoh devices this way, nothing but what we want gets through, and our Nexpose count is well below the Security Team's threshold. 

                               

                              Ricoh is pretty sane in their implementation, Canon less so.  We've found Canons that have IP ACLs locked down tight to the particular subnet are still subject to RAW printing from outside that subnet.  So, for our Canons (non Pharos devices) we turn it all off excepting LPR, and have class B subnet-based ACLs set up.  And we're slowly getting rid of the Canons.

                               

                              Bill

                              • Re: Securing your print environment
                                Paul Klump Wayfarer

                                One of the ways we've implemented security for our printers was to create separate networks for our computer lab printers (/28 or /29, depending on the number of printers on site and a guesstimate of future growth), and then work with our Telecommunications group to establish ACLs on the network side to limit which hosts/networks can connect to the printers.  The list of whitelisted hosts/networks on our printer networks is very small: our print servers, the subnet that my office uses, and the host that performs the checks for our Nagios monitoring system.  This way, students will not be able to directly connect to our printers, even if they discover the IP address of a printer, and it prevents any protocol leaking.

                                 

                                Once we moved the printers to heavily ACLed networks, our lab staff mentioned that they could no longer access a printer's web interface to check for paper tray levels, error messages, etc.  So we added checks via Nagios to regularly gather info on the printer display, page count, and toner and paper levels.  Then we gave each campus access to a Nagios view so they could have a dashboard view of the printers on their campus and the state of each check.

                                 

                                Paul