NDSU Networked Printers, Copiers and Multi-function Systems Security Standards and Guidelines
Many printers, copiers and multi-function devices (printer, copier, scanner, and fax machine combined into one unit) are devices with embedded operating systems such as Windows that interact with the network and the user. These systems often handle confidential information and must be secured and kept in compliance with all NDSU policies and procedures.
A networked printer or multi-function device (MFD) can be a significant entry point for those interested in sensitive and confidential data. Often they are connected to the network and forgotten until it is time to replace them. Because they are machines that have operating systems, can interact with the Internet, and are used to transfer documents on and off campus via email, these devices need to be secured and kept current with operating system and software patches. If a networked printer or MFD is not secure, all information that is being printed, scanned, and faxed is susceptible to compromise. With the built-in network capabilities there are many ways that information can be taken and misused.
The checklist below is a good starting point to determine how and what needs to be done to secure your networked printer or MFD.
- All networked printers and MFDs must have a static IP address. To obtain a static IP address, please submit a request to Networking and Enterprise Operations. Printers connected to desktops and used by one individual are not required to have a static IP address.
- If an MFD will be used for copying, faxing, emailing, and/or printing confidential data, it must be located in an area of the office or department that is not accessible to the public.
- Limit access to the printer/MFD only to those faculty and staff who have a definite need to use it.
- Disable unneeded or unused services on the machine, e.g., "Document Server".
- Do not save and/or store documents that contain classified or sensitive information on the machine.
- Change default logins and passwords.
- Turn off Web connections unless a need can be justified for them. The need must be formally documented.
- Vendor support of the machine must provide configuration information and login and password information to NDSU personnel.
- If device support is administered remotely or via the Web, the administrator login and password must be encrypted in transfer and storage. If encryption cannot be used, then remote and Web administration is not allowable and only the local console can be used.
- The administrator login and password must be changed from the default and must be one that is within the standards established by NDSU policy 158 and NDUS policy and procedure 1901.2.
- The vendor must provide security patches and updates in a timely manner. Any vulnerability left unpatched for more than thirty days would require the device to be shut down until the patch is available from the vendor and installed and activated on the printer/MFD.
- Printers and MFDs must be restricted from offsite Internet access. Users cannot remote into the system to print documents from off campus.
- Email sent and received from the printer/MFD must be within the @ndsu.edu domain.
- SSL certificates must be those approved for use by NDSU. Please visit with the IT Security Office on how to obtain an SSL certificate.
- The systems must support 802.1X network authentication.
- Printers/MFDs must support IPv6.
- All services must be configurable and must allow complete disabling (i.e., SMTP, NTP, FTP, HTTP, NFS, IPX, AppleTalk, etc.). In particular, the following must be disabled:
  - The Telnet daemon. If a remote shell is needed, it is recommended to use SSH or OpenSSH;
  - Anonymous FTP access;
  - Support for the HTTP TRACE method;
  - NetBIOS null sessions.
- The SNMP community name string must be changed from the default ("public") community name string.
- The printer/MFD will be scanned for the latest vulnerabilities at least quarterly, using the SANS Top 20 Critical Security Controls as a guide. If scanning causes performance issues for the printer/MFD, it should be powered off until the vendor can fix or replace it.
For more information on how to disable services or to change the SNMP community name string, please contact your respective IT technician, IT liaison or the IT Security Office.
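The checklist above can be turned into a repeatable audit. The following is an added example (not NDSU's own tooling, nor part of this standard): it evaluates a printer/MFD configuration record against the checklist and returns the findings. The record format, its field names (`ip_assignment`, `services`, `snmp_community`, `oldest_unpatched_advisory`, and so on) and the two sample devices are assumed and constructed for illustration; a real deployment would populate the record from the vendor's configuration export.

```python
"""Policy-as-code audit of a printer/MFD configuration against the NDSU checklist.

Added example, not NDSU's own code. The configuration record format, its field
names and the sample devices below are assumptions constructed for illustration.
"""
from datetime import date
from typing import Dict, List

# Services the checklist names as must-be-disabled (plus the "Document Server"
# example from the checklist). Any of these found enabled is a finding.
DISALLOWED_SERVICES = {"telnet", "ftp_anonymous", "http_trace", "netbios_null", "document_server"}
MAX_UNPATCHED_DAYS = 30          # checklist: unpatched > 30 days => power down
ALLOWED_MAIL_DOMAIN = "ndsu.edu"  # checklist: email must stay within @ndsu.edu
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}  # common vendor defaults


def _within_domain(address: str, domain: str) -> bool:
    """True if the address's mail domain is `domain` or a subdomain of it."""
    if "@" not in address:
        return False
    host = address.rsplit("@", 1)[1].lower()
    return host == domain or host.endswith("." + domain)


def check_device(cfg: Dict, today: date) -> List[str]:
    """Return a list of human-readable non-compliance findings (empty = compliant)."""
    findings: List[str] = []
    if cfg.get("ip_assignment") != "static":
        findings.append("IP address must be static")
    for name, enabled in sorted(cfg.get("services", {}).items()):
        if enabled and name in DISALLOWED_SERVICES:
            findings.append(f"disallowed service enabled: {name}")
    if cfg.get("snmp_community", "").lower() in DEFAULT_SNMP_COMMUNITIES:
        findings.append("SNMP community string is a vendor default")
    if not cfg.get("admin_password_changed", False):
        findings.append("administrator password still at vendor default")
    remote = cfg.get("remote_admin", {})
    if remote.get("enabled") and not remote.get("encrypted"):
        findings.append("remote/web administration enabled without encryption")
    if cfg.get("offsite_internet_access", False):
        findings.append("device reachable from off-campus Internet")
    for addr in cfg.get("email_addresses", []):
        if not _within_domain(addr, ALLOWED_MAIL_DOMAIN):
            findings.append(f"email address outside @{ALLOWED_MAIL_DOMAIN}: {addr}")
    if not cfg.get("dot1x_supported", False):
        findings.append("802.1X network authentication not supported")
    if not cfg.get("ipv6_supported", False):
        findings.append("IPv6 not supported")
    oldest = cfg.get("oldest_unpatched_advisory")  # ISO date of oldest open advisory
    if oldest:
        age = (today - date.fromisoformat(oldest)).days
        if age > MAX_UNPATCHED_DAYS:
            findings.append(
                f"vulnerability unpatched for {age} days (limit {MAX_UNPATCHED_DAYS}); "
                "power down until patched"
            )
    return findings


# Constructed sample records (not real devices).
AUDIT_DATE = date(2015, 7, 28)
NONCOMPLIANT_MFD = {
    "ip_assignment": "dhcp",
    "services": {"http": True, "telnet": True, "ftp_anonymous": True, "smtp": True},
    "snmp_community": "public",
    "admin_password_changed": False,
    "remote_admin": {"enabled": True, "encrypted": False},
    "offsite_internet_access": False,
    "email_addresses": ["copier3@ndsu.edu", "archive@example.com"],
    "dot1x_supported": True,
    "ipv6_supported": True,
    "oldest_unpatched_advisory": "2015-06-01",
}
COMPLIANT_MFD = {
    "ip_assignment": "static",
    "services": {"http": True, "telnet": False, "ftp_anonymous": False, "smtp": True},
    "snmp_community": "constructed-nondefault-string",
    "admin_password_changed": True,
    "remote_admin": {"enabled": True, "encrypted": True},
    "offsite_internet_access": False,
    "email_addresses": ["copier3@ndsu.edu", "scans@cs.ndsu.edu"],
    "dot1x_supported": True,
    "ipv6_supported": True,
    "oldest_unpatched_advisory": "2015-07-15",
}

if __name__ == "__main__":
    for label, cfg in (("non-compliant", NONCOMPLIANT_MFD), ("compliant", COMPLIANT_MFD)):
        print(f"{label}: {check_device(cfg, AUDIT_DATE) or ['no findings']}")
```

The 30-day rule is computed from the date of the oldest still-open vendor advisory, so the same record re-run a month later will start producing the "power down" finding on its own; the mail-domain check accepts `ndsu.edu` and its subdomains but not look-alikes such as `ndsu.edu.example.com`.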
Anonymous FTP: Anonymous FTP (File Transfer Protocol) is a method for giving users access to files so that they don't need to identify themselves to the server. Anonymous FTP is a common way to get access to a server in order to view or download files that are publicly available.
Appletalk: A proprietary set of networking protocols developed by Apple, Inc.
HTTP TRACE method: HTTP is the Hypertext Transfer Protocol. The TRACE method causes the HTTP server to send the request it received from the client back to the client. The TRACE capability could be used by vulnerable or malicious applications to trick a web browser into issuing a TRACE request against an arbitrary site and then send the response to the TRACE to a third party using web browser features.
IPX: Internetwork Packet Exchange. A NetWare communications protocol used to route messages from one node to another.
NetBIOS Null Session: Network Basic Input Output System is a network session layer protocol used in IBM and Microsoft software products to provide the means for client programs to communicate with server processes. A null session connection allows you to connect to a remote machine without using a user name or password. Instead, you are given anonymous/guest access.
NFS: Network File System. A protocol developed by Sun Microsystems and used on Unix systems that allows a computer system to access files on other computer systems on a network as if they were local files stored on the original system.
NTP: Network Time Protocol. A network protocol for clock synchronization between computer systems over packet-switched variable-latency data networks.
SMTP: Simple Mail Transfer Protocol. The underlying peer-to-peer transmission mechanism for many of the electronic mail applications on the Internet.
SNMP Community Name String: Simple Network Management Protocol (SNMP) is used in network management systems in order to manage network devices. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications. The community name string is the credential that grants that access.
Telnet: The TCP/IP protocol for terminal emulation to a remote computer.
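The HTTP TRACE entry above describes the reflection behaviour that makes the method a disclosure risk: the server echoes the whole request, including any cookie the browser attached. The following added example (not from this page or from NDSU) shows what that echo looks like and how an administrator verifying a device's configuration can tell a live TRACE from a disabled one. It works entirely on constructed byte strings; the host name, the cookie value and the two sample responses are assumptions made up for illustration, and nothing is sent over a network.

```python
"""Recognise an echoed HTTP TRACE response versus a disabled method.

Added example, not from the page or NDSU. All messages below are constructed;
the host name and cookie value are placeholders.
"""
from typing import Dict, Optional, Set, Tuple


def build_trace_request(host: str, path: str = "/", extra_headers: Optional[Dict[str, str]] = None) -> bytes:
    """Serialise a minimal HTTP/1.1 TRACE request (request line, headers, blank line)."""
    lines = [f"TRACE {path} HTTP/1.1", f"Host: {host}"]
    for key, value in (extra_headers or {}).items():
        lines.append(f"{key}: {value}")
    lines.append("")  # empty line terminates the header block
    return ("\r\n".join(lines) + "\r\n").encode("iso-8859-1")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_enabled(raw_response: bytes, sent_request: bytes) -> bool:
    """True when the server answered 200 with the request echoed back (message/http)."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    request_line = sent_request.split(b"\r\n", 1)[0]
    return headers.get("content-type", "").startswith("message/http") and body.startswith(request_line)


def echoed_header_names(raw_response: bytes) -> Set[str]:
    """Names of the request headers the server reflected (e.g. 'cookie' is the disclosure)."""
    status, _, body = parse_response(raw_response)
    if status != 200 or not body.startswith(b"TRACE "):
        return set()
    _, _, rest = body.partition(b"\r\n")            # drop the echoed request line
    echoed_head = rest.partition(b"\r\n\r\n")[0]     # echoed headers up to the blank line
    return {line.split(b":", 1)[0].strip().lower().decode("iso-8859-1")
            for line in echoed_head.split(b"\r\n") if line}


# Constructed sample exchange: a placeholder host and a made-up cookie value.
HOST = "printer.example.invalid"
REQUEST = build_trace_request(HOST, "/", {"Cookie": "session=constructed-value"})
# Response from a device with TRACE still on: it reflects the request verbatim.
ECHO_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
    + b"Content-Length: " + str(len(REQUEST)).encode() + b"\r\n\r\n" + REQUEST
)
# Response from a device with TRACE disabled: the method is refused outright.
DISABLED_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("echoing device", ECHO_RESPONSE), ("hardened device", DISABLED_RESPONSE)):
        print(f"{label}: TRACE enabled={trace_enabled(resp, REQUEST)}, "
              f"reflected headers={sorted(echoed_header_names(resp))}")
```

The reflected header set on the echoing device contains `cookie`, which is exactly what a page on another origin could read back if it could coax the browser into issuing the TRACE; a 405 (or any non-200 status) with no echoed request line is what the checklist's "support for the HTTP TRACE method" item expects to see.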
Jul 28, 2015
1.4 million cars recalled for vulnerable remote control. Fiat, Chrysler, Jeep, and Dodge vehicles can possibly be controlled remotely over the Sprint network. Researchers have shown that while sitting at their desks they can take over many functions of a vehicle on the road through the onboard Infotainment system tied to the Sprint cellular network.
Feb 17, 2015
Over-sharing on a first date could lead to no second date, but over-sharing on a social media site could lead to data theft, real property theft, or physical danger to yourself or your family. There are lots of automated scripts already running on the Internet looking for keywords that are posted to social media, these scripts do everything from changing the word "meet" to "meat" and posting the results to twitter, to alerting potential thieves that a family is now on vacation and away from their house. Be safe on social media
Feb 6, 2015
New Slim Spray Diet ... Want a Cruise ... Fight Hair Loss Now ... SPAM SPAM SPAM ... It seems to get into every e-mail inbox before the account is even set up. But there are some ways to fight this menace.
- Don't reply to it
- Don't tell vendors your e-mail account
- If your service has the option, report it or mark it as spam
There are more ways to fight in the link below.
Feb 4, 2015
It's Tax Refund Season, time for a new phone or tablet. But what about the old one? Do you have information on that device that could be used against you? How can you make sure that your old phones and devices don't come back to haunt you when you are done with them? Many people buy old equipment off eBay just to see what kind of data is left on those devices. Follow this guide to make sure that your device is wiped clean before you dispose of it.
Feb 3, 2015
When you download an app on social media or your mobile device, you may be allowing it to collect personal information like your contacts list or location. If possible, look at an app's permissions before downloading and make sure you are comfortable with the information it collects. If the app does not tell you what information it collects, err on the side of caution and assume that it may be collecting information.
Feb 2, 2015
There is a security and privacy threat almost everywhere you go. Most don't even think about it. Free WiFi: if it's free, how can that be bad? In fact most free WiFi could be quite safe, but a few access points could have an active sniffer on the line watching every single nibble of data that goes across its interface, looking for passwords, usernames, or e-mail addresses. Click below for more information on safely using WiFi when traveling.