Printers, copiers and multifunction devices
Printers, copiers and multifunction devices are now part of the basic equipment of any office. Since these devices are also used to process personal and other sensitive data, care should be taken to ensure that printouts are not stolen or secretly copied. By manipulating the devices, printouts or scans can also be sent unnoticed to any recipient by email.
Furthermore, a printer contains a small embedded computer of its own, which can also be misused, for example to send spam emails as part of a botnet.
Therefore, a few things should be taken into account when setting up, configuring and operating these devices.
Purchase
Most devices have hard drives or SSDs on which data is stored before printing or after scanning. When purchasing, but especially when renting, it is important to check whether the devices can be returned without storage or whether the storage areas can be reliably deleted without physically destroying the hard drives.
Local or network-enabled printers
In addition to functionality, space and price, the kind of data to be printed also plays a role here. Sometimes it makes sense to provide people who frequently have to print personal documents with an additional local printer, so that such high security requirements do not have to be imposed on access to the network printer.
Location
To prevent printers, copiers or multifunction devices from being tampered with, or printouts from being copied or read by unauthorised persons, the devices should be placed so that only authorised employees have access to them or so that they are in clear view of your own staff.
Security-critical information
If security-critical information is frequently printed on network printers, it must be ensured that only authorised persons can access the printouts. One option is to use network printers and copiers on which users must authenticate themselves directly at the device before their job is printed.
Configuration
- Only authorised persons should be allowed to access administrative areas and the configuration. Access should only be possible after authentication, for example by means of a password or PIN. Standard passwords should be changed immediately upon commissioning.
- All administrative access should only take place via an encrypted channel if possible, so that passwords or other sensitive information cannot be intercepted. For example, on some device types, the transmission of configuration data can be encrypted via HTTPS or SNMPv3. In this case, unencrypted communication should be prevented, for example by deactivating the HTTP interface for configuration.
- Printers, copiers and multifunction devices often offer more functions than are needed in normal operation. This can result in unnecessary risks. Therefore, all unnecessary functions (e.g. fax) and transmission protocols should be deactivated or their use restricted as far as possible.
- WLAN should always be disabled. WLAN can be intercepted, and even WPA2-encrypted connections can be easily decrypted due to a bug, allowing documents to be secretly intercepted before they are printed. The printer's WLAN signal interferes with the eduroam signal, preventing eduroam from working properly. If LAN and WLAN are enabled at the same time, unauthorised persons can gain access to the campus network.
- Some printers have integrated packet filters that can be used to filter connections based on IP addresses or port numbers. All ports and IP ranges that are not required for printing and printer configuration should be blocked if possible. If print servers are used, make sure that only these servers are allowed to connect to the printers.
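The configuration points above can be checked against an inventory of what a device actually exposes. The following script is an added example and not part of the original page or any vendor's software: it takes a constructed service inventory of one printer (open ports, SNMP versions, WLAN state, the integrated packet filter's allowed source networks, firmware status) and reports every deviation from the checklist, including the edge case where the packet filter is so narrow that a print server would be blocked. The print-server addresses and the inventories are placeholders; in practice they would come from your asset list and from the device's configuration page.

```python
"""Audit a printer's exposed services against the configuration checklist.

Added example, not part of the original page. All addresses, port sets and
device names below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Well-known printer ports and what they carry.
SERVICE_PORTS = {
    21: "ftp",
    23: "telnet",
    80: "http-admin",
    161: "snmp",
    443: "https-admin",
    515: "lpd",
    631: "ipp",
    9100: "raw-print",
}
PRINT_PROTOCOLS = {"lpd", "ipp", "raw-print"}
# Acceptable administrative channels (SNMP only when limited to v3, checked below).
ADMIN_PROTOCOLS = {"https-admin", "snmp"}


@dataclass
class PrinterInventory:
    name: str
    open_ports: set            # TCP/UDP ports found open on the device
    snmp_versions: set         # e.g. {"v2c", "v3"}
    wlan_enabled: bool
    allowed_sources: list      # networks allowed by the integrated packet filter; [] = unrestricted
    firmware_current: bool


def audit(inv, print_servers):
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []
    names = {SERVICE_PORTS.get(p, f"unknown-{p}") for p in inv.open_ports}

    # Administrative access only over encrypted channels.
    if "http-admin" in names:
        findings.append("HTTP admin interface enabled: disable it and use HTTPS only")
    if "snmp" in names and (inv.snmp_versions - {"v3"}):
        findings.append("SNMP v1/v2c enabled: restrict management to SNMPv3")

    # Anything that is neither a print protocol nor an accepted admin channel is unneeded.
    for name in sorted(names - PRINT_PROTOCOLS - ADMIN_PROTOCOLS - {"http-admin"}):
        findings.append(f"unneeded service {name} enabled: disable it")

    if inv.wlan_enabled:
        findings.append("WLAN enabled: disable it")

    # Packet filter: only the print servers may reach the device, and all of them must.
    servers = [ip_address(s) for s in print_servers]
    if not inv.allowed_sources:
        findings.append("packet filter unrestricted: allow only the print servers")
    else:
        nets = [ip_network(n) for n in inv.allowed_sources]
        for net in nets:
            inside = sum(1 for s in servers if s in net)
            if net.num_addresses > inside:
                findings.append(f"packet filter allows {net}, which is wider than the print servers")
        for s in servers:
            if not any(s in net for net in nets):
                findings.append(f"print server {s} is blocked by the packet filter; printing would fail")

    if not inv.firmware_current:
        findings.append("firmware out of date: install the vendor update")
    return findings


# Constructed sample data (placeholders, not real hosts).
PRINT_SERVERS = ["10.10.0.5", "10.10.0.6"]

SAMPLE_PRINTER = PrinterInventory(
    name="mfp-floor2", open_ports={21, 80, 161, 443, 515, 9100},
    snmp_versions={"v2c", "v3"}, wlan_enabled=True,
    allowed_sources=["10.10.0.0/24"], firmware_current=True,
)

HARDENED_PRINTER = PrinterInventory(
    name="mfp-floor2", open_ports={161, 443, 9100},
    snmp_versions={"v3"}, wlan_enabled=False,
    allowed_sources=["10.10.0.5/32", "10.10.0.6/32"], firmware_current=True,
)

if __name__ == "__main__":
    for inv in (SAMPLE_PRINTER, HARDENED_PRINTER):
        print(inv.name, audit(inv, PRINT_SERVERS) or ["no findings"])
```

Running the script lists five findings for the sample device (plain HTTP, SNMP v2c, FTP, WLAN, an over-wide packet filter) and none for the hardened one; the packet-filter check deliberately flags both directions, because a filter that is too narrow breaks printing just as surely as one that is too wide exposes the device.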
Updates
The device software must be checked regularly to ensure that it is up to date. If this is not the case, any patches and updates must be installed immediately. If security vulnerabilities are identified, they must be remedied as quickly as possible or other security measures must be taken.
These are just a few important and basic rules that must be observed when operating printers, copiers and multifunction devices.
If you have any questions or are an organisation with increased security requirements, please contact security(at)b-tu.de.