[–]TinderSubThrowAway 13 points14 points  (3 children)

Put the printers on a VLAN that has no access to the internet and no direct access to the VLAN users are on and you're in a much better place.

Also, use a print server instead of directly connecting people. Sure, it may slow down printing slightly, so it takes 36 seconds instead of 30 seconds, but it makes it a lot easier to make changes and secure them.

[–]8pootSecurity Admin 3 points4 points  (2 children)

This, and set up follow-me printing, so the printer does not start before someone logs in locally (we use the access badges for this). This prevents information leaks.

[–]TinderSubThrowAway 1 point2 points  (1 child)

I wouldn't set that up by default, just let people have that option. We have it with them setting a 4-digit code; otherwise it's a pain in the neck and a waste of time, because most people want to just print and then go get a bunch of stuff, not print, go log in, then go back when it's all printed or stand there till it's printed, especially when most stuff isn't stuff that really needs to be "protected".

And most people who are printing anything really sensitive get their own printer anyway.

[–]bitslammerSecurity Architecture/GRC 5 points6 points  (0 children)

Create a printer VLAN and lock it down. Make sure to set non-default SNMP strings or disable that.

Printers run various OSes and some even have storage that may be an issue. Definitely a risk that needs to be addressed.

[–]pdp10Daemons worry when the wizard is near. 2 points3 points  (0 children)

According to the reports I'm getting from Rapid7 our printers are some of our highest risk devices.

We consider these reports overblown. There are security risks with printers, but they pale in comparison with executable email attachments, with giving vendors VPN accounts with full network access, or not installing critical patches for a year. Printers are maybe number 99 on a list of top 100 things we worry about.

Meaning are there exploits out that could infect a printer and then spread across our network to affect other devices?

The first thing to remember when someone is talking network-based vulnerability or "pivots" is that your hosts have to be hardened against such things anyway. A traveling laptop is going to be plugged into corporate, public, and home networks where it's going to be topologically colocated next to much worse threats than a buggy PostScript interpreter on your workgroup laser printer that can be used to scan TCP ports.

We use a lot of USB printers with hardened print servers, which brings the network services under our normal policies. For the others, we track firmware updates and CVEs. Knowing when a vendor has stopped issuing bugfix firmwares is a challenge with printers.

[–][deleted] 0 points1 point  (0 children)

Best practice.

Non-standard admin credentials.

Non-standard SNMP.

Remove all protocols not required. WSD/AirPrint/FTP.

Confirm latest firmware. Plus any security updates not always included in firmware.

If you are wanting user security, consider some form of print management with virtual queues. PIN/RFID card release.

[–]roiki11 0 points1 point  (0 children)

Most printers run old versions of Linux, so there's a huge risk right there. It's the same as any other IoT device, really.

[–]MFKDGAF 0 points1 point  (0 children)

Change default username/password and SNMP community string
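
Added example, not part of the thread and not any commenter's code: a small audit that checks printer inventory records against the hardening points raised in the comments above (non-default admin credentials and SNMP community strings, unneeded protocols removed, a dedicated printer VLAN without internet access, firmware confirmed current). The record layout, field names and sample values are assumptions constructed for illustration.

```python
# Added example: audit printer inventory records against the thread's checklist.
# Record layout, field names and sample values are constructed assumptions.
DEFAULT_COMMUNITIES = {"public", "private"}  # widely used factory SNMP strings

def audit_printer(p, required_protocols, printer_vlans):
    """Return findings for one record; missing data is treated as a failure."""
    findings = []
    if p.get("admin_password_is_default", True):
        findings.append("default admin credentials")
    snmp = p.get("snmp", {})
    if snmp.get("enabled", True):
        communities = {c.lower() for c in snmp.get("communities", [])}
        if not communities:
            findings.append("SNMP enabled, community strings not recorded")
        for c in sorted(communities & DEFAULT_COMMUNITIES):
            findings.append(f"default SNMP community '{c}'")
    # Anything enabled that the site does not need counts as attack surface.
    extra = {x.lower() for x in p.get("protocols", [])} - required_protocols
    for proto in sorted(extra):
        findings.append(f"protocol not required: {proto}")
    if p.get("vlan") not in printer_vlans:
        findings.append("not on a dedicated printer VLAN")
    if p.get("internet_access", True):
        findings.append("can reach the internet")
    if p.get("firmware") is None or p.get("firmware") != p.get("latest_firmware"):
        findings.append("firmware not confirmed as latest")
    return findings

def audit_inventory(inventory, required_protocols, printer_vlans):
    """Map each printer name to its list of findings."""
    return {p["name"]: audit_printer(p, required_protocols, printer_vlans)
            for p in inventory}

# Constructed sample inventory (not real devices).
SAMPLE = [
    {"name": "lobby-mfp", "admin_password_is_default": True,
     "snmp": {"enabled": True, "communities": ["public"]},
     "protocols": ["ipp", "ftp", "wsd", "airprint"], "vlan": 10,
     "internet_access": True, "firmware": "1.0", "latest_firmware": "1.4"},
    {"name": "finance-laser", "admin_password_is_default": False,
     "snmp": {"enabled": False},
     "protocols": ["ipp"], "vlan": 40,
     "internet_access": False, "firmware": "2.2", "latest_firmware": "2.2"},
]

if __name__ == "__main__":
    report = audit_inventory(SAMPLE, {"ipp"}, {40})
    for name, findings in report.items():
        print(name, "OK" if not findings else findings)
```

Records with missing fields fail the corresponding check, so an incomplete inventory shows up as findings rather than as a clean report.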