Information Security Guideline
Multifunction Devices, MFD
Statement of Policy
Washington University School of Medicine (WUSM) is committed to conducting business in compliance with all
applicable laws, regulations and WU policies. WUSM has adopted this policy to outline the security measures
required to protect electronic information
systems and related equipment from unauthorized use.
This guide is to
identify and mitigate the security risks that
Multifunction Devices (MFD)
Most often these devices are left in their default state, in
by various vendors that lack
on how they should be securely configured. The guidance contained within this document will give administrators
and vendors the necessary step
place these devices on the network.
MFP (Multi Functional Products) and/or services
that are connected to the internal network
Over the past decade greater intelligence has been built into much enterprise and consumer equipment. Where
previously a printer or a fax machine may have been simple to configure via several toggle switches, it may now
contain a fully functional operating system and a computer with the processing power dwarfing that of an older
devices are in use for printing, faxing and c
present a security risk
have similar components and features to
Though the risk of
low due to
network attacks (
P attacks, and buf
other capabilities present a high
HTTP in clear text,
File Transfer Protocol (FTP), FAX/Scan to Email
, fax numbers, copy and scan logs,
Most if not all devices have an internal
e used for configuration and setup of these devices. Unprotected access to these
ages can allow
of network information in addition to
manipulation of internal
address book information controlling
scan destinations and
inbound routing of fax
These devices, if configured properly, can prevent the loss/exposure of information from the above vulnerabilities.
As a preventative step it is recommended that you follow the recommendations below.
All MFDs s
be registered with their respective IT departments.
At a minimum,
be maintained to provide accurate identification:
Primary point of contact(s), and the physical location
Vendor supporting the MFD
, Administrator name
Hardware make, model, and manufacturer
Main functions and any associated applications
All associated IP Addresses and IP names
All associated wired and wireless MAC addresses
Periodic assessments of the MFD and related components will be performed to ensure the MFD meets the
guidelines within this best practice.
suffer from a mismatch between the service state
articulated in the management console and the true state of the service. Given this, it is recommended that the
undergo a port scan to ensure only expected network services are available.
The Information Security
Office will perform these assessments through the use of a vulnerability assessment tool. Any discrepancies
between the MFD and this guideline will be reported to the Department or MFD custodian. INFOSEC will
work with all parties involved in the remediation effort.
It is recommended that a separate administrative
account be created called “fsscan” for this.
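The mismatch check recommended above (service state shown in the management console versus services actually reachable on the network), as an added example that is not part of the original guideline. Function and variable names are illustrative; apart from 9100/TCP and 515/TCP, which the guideline gives, the port numbers are the standard assignments for the services it names, and the sample data is constructed.

```python
import socket

# TCP ports for services named in this guideline. 9100 and 515 are stated in
# the guideline; the others are the standard assignments (assumption).
# SNMP (161/UDP) is not covered: a TCP connect test cannot check it.
SERVICE_PORTS = {
    "ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "https": 443,
    "smb": 445, "lpd": 515, "ipp": 631, "jetdirect": 9100,
}

def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_mfd(host, console_state, probe=tcp_open):
    """Compare the console's declared service state with the observed state.

    console_state maps a service name to True (console shows it enabled) or
    False (disabled). Services missing from it are expected to be disabled.
    Returns a list of (port, service, problem) tuples, ordered by port.
    """
    findings = []
    for service, port in sorted(SERVICE_PORTS.items(), key=lambda kv: kv[1]):
        declared = console_state.get(service, False)
        observed = probe(host, port)
        if observed and not declared:
            findings.append((port, service, "open but console says disabled"))
        elif declared and not observed:
            findings.append((port, service, "console says enabled but not reachable"))
    return findings

if __name__ == "__main__":
    # Constructed sample: the console shows only HTTPS and JetDirect enabled,
    # while the simulated device still answers on FTP and telnet.
    simulated_open = {21, 23, 443, 9100}
    console = {"https": True, "jetdirect": True, "ftp": False, "telnet": False}

    def fake_probe(host, port):
        return port in simulated_open

    for port, service, problem in audit_mfd("mfd.example.invalid", console, fake_probe):
        print(f"{port}/tcp {service}: {problem}")
```

Run against a registered MFD by omitting the `probe` argument, so the default TCP connect test is used.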
Set a Static IP Address
Giving MFDs static IP addresses or DHCP reservations makes it easier to monitor them and apply access lists
It is recommended that a static IP address be assigned to the MFD.
Set Static DNS Server Addresses
It is recommended
that DNS server IP addresses be statically configured in the MFD.
Disable Bootstrap Protocols
Bootstrap protocols, including BOOTP, PXE, and DHCP, are network protocols used by a network client to
obtain its network configuration (IP, subnet, DNS servers, gateway, etc.) automatically. It is recommended that
bootstrap protocols be disabled.
Disable Unused Protocols
Many MFDs can participate in networks that operate over a variety of protocols, including IP, IPX/SPX, and
AppleTalk. As a defense in depth measure, it is recommended that all unused network layer protocols supported
by the MFD be disabled.
Disable Unused Wi-Fi Interfaces
MFDs often come equipped with Wi-Fi cards that allow these devices to participate on wireless LANs. As a
defense in depth measure, it is recommended that unused Wi-Fi interfaces be disabled.
FI interface is
used it should
meet the INFOSEC Wireless
Use Secured Communications
Where technically feasible, all unencrypted protocols should
ncrypted protocols (for example
scan to email and file sharing) to improve
overall security if Protected Information is being used.
especially true and
if the protected information will traverse a public network such as WUSTL
and/or the Internet.
If the MFD supports it, use HTTPS for web-based management rather than HTTP.
If web-based management occurs only within WUCON this is not required but recommended.
If you use SNMP to manage your MFD, and your MFD supports it, choose SNMPv3 for its
authentication and encryption features.
If not, configure SNMP per some of the suggestions below.
SNMP is a network management protocol used for centralized monitoring and configuration of
based devices. SNMP "traps" are sent to a
management console whenever an event occurs
that warrants it (e.g. an "out of paper" or "paper jam" condition).
The most basic form of SNMP security is the community string, which functions similarly to a
password. Many devices come with preconfigured SNMP community strings which pose a security
risk if left at the widely known, default settings of "public" for read-only access and "private" for
read-write access. If SNMP is NOT used for device management in your environment, then disable it. If
SNMP is used to monitor and/or manage the device, the following recommendations provide
increasing levels of protection to better secure SNMP:
If supported by the device and management platform, use SNMPv3
If only monitoring is necessary,
disable SNMP read
default SNMP community strings
Configure an ACL (on the device and/or network) to limit SNMP queries from only
necessary monitoring systems
Encryption of Protected Information that is output to a printer connected to a
be provided through the use of secure printing applications (e.g., JetDirect) or
protocols (e.g., IPP over
, or VPN
) to prevent unauthorized network interception.
If sensitive information is to be sent to printers across
tworks consult the
INFOSEC office for a risk assessment and alternative way
of protecting the information.
Legacy MFDs provide administrative access
It is recommended that this access mechanism be
Access for network
be limited to
and to the fewest individuals and methods necessary for managing the device.
FTP is also a common vector to
gain access to a system. This should also be di
Disable Unused SMTP Services
Some MFDs accept inbound SMTP requests in support of SMTP
fax services. It is recommended that this
access mechanism be disabled if unused.
Disable Unused HTTP Services
Hyper Text Transfer Protocol (HTTP) is the primary protocol over which web based communications occur.
Often, MFDs utilize this protocol to expose rich administrative interfaces.
Most MFDs include an embedded web server, and HTTP or HTTPS will likely be the primary management
protocol for the device. If the MFP does not require remote management,
this interface can be disabled. Use HTTPS if
PIN for Confidential Job Retrieval
Many MFDs can be configured to require a pin or RFID inte
to retrieve print jobs.
It is recommended that a PIN, or other authorization mechanism, be used to access print jobs
if the MFD is in a public area and is used to process protected information.
Accept Jobs from Only Authorized Spoolers and Users
recommended that print jobs be restricted to only those jobs that originate from authorized spoolers or
Restrict Print Services Ports
Print services are commonly bound to port 9100/TCP or 515/TCP. It is recommended that the MFD be
configured to utilize these ports or a port standardized on by the implementing department.
Port 9100 (a.k.a. HP JetDirect, socket): Most printing services use this protocol, especially drivers from
HP, so you may not be able to disable it.
LPD: LPD is used for printing
by many Unix and Linux systems. However, many can now also use CUPS
(the Common UNIX Printing System), which allows for printing via a number of protocols. If you do not
need LPD, disable it.
IPP: If the Internet Printing Protocol is not used in your environment, then disable it.
FTP: Some printers give you the ability to FTP upload documents to print. This feature is not used in most
environments and should be disabled.
SMB: SMB (Windows) printing is often not required, as it is taken care of by other protocols, such as
JetDirect. It is also not encrypted. If possible, disable SMB printing.
SMTP: This is often used for scanning and faxing, and can often be disabled.
Delete Completed Scan Jobs
MFDs often have functionality that allows a user to scan an image to the MFD’s local hard drive. It is
recommended that the MFD be configured to delete job artifacts once retrieved by the user.
Protect Hard Disk
If hard disk functionality is enabled, configure the MFD to remove spooled files, images, and
data using a secure overwrite
(or other disk clearing capability)
the MFD is processing protected
Typically, the system administrator can manually invoke this feature using the On Demand Image
It is recommended that this facility be used prior to returning, recycling, or
otherwise disposing of the device.
Ensure that the MFD provides secure storage for Protected Information.
Establish Firmware Currency
To take advantage of improvements in security technology, MFDs
the most current, supportable
version of the firmware, operating system, and application installed that will meet the needs of the user
Upgrade to patched firmware expediently, in a manner consistent with change control processes.
All firmware, operating system, service, and application security software
applied as soon as
possible after they become available.
Verify Configuration State after Power Loss
Function Device may not retain its configuration state after power loss. It is recommended
that the configuration state of the MFD be verified after power loss.
If a full reset is performed, ensure that a
process is in place to reconfigure
the MFD back to its production state.
Require PIN for Administrative Control Panel
MFDs can commonly be configured to require an authorization code before granting access to the device’s
control panel. It is recommended that authentication and authorization mechanisms be enabled for
administrative control panel access.
Change Default Passwords
Function Devices are typically configured with default user accounts that are common to all devices of
the same make/model. It is recommended that default passwords be changed.
Passwords and passphrases must
meet the complexity requirements and change frequency as defined by
Account and Password
for all accounts and services on the device.
Restrict Administrative Access to Specific IP Ad
Many MFDs can be configured to limit administrative access to only those connections that originate from a
designated IP subnet. It is recommended that access to network accessible administrative interfaces be limited
to designated subnets.
typically contain functionality to log all submitted requests. It is recommended that these facilities
on the device, logging levels be set to ensure adequate details are preserved, and logs be reviewed
particular ensure that the
following are enabled if the MFD supports it:
Spooler Access Logging
Enable Print Job Logging
Enable Print to Fax Logging
Enable Print to Email Logging
Print to Share Logging
The classification of information that the MFDs process should dictate how/where they are physically. If the
classification level is Protected then the following should be observed.
Physically secure the MFD in areas with restricted access.
If capabilities permit, lock and prevent access to the hard disk.
Ensure that only printer administrators can modify the global configuration from the console by
requiring a password.
When a vendor is working on the MFD, the vendor's work is monitored to ensure that security
measures are not removed during the course of troubleshooting. If they are removed, they should
be put back in place.
03.02.03 Wireless Guidelines
02.01.01 User Account and Password Guidelines
SANS Reading Room, “Auditing and Securing Multifunction Devices”
Center for Internet Security “CIS_Multi
MFD Security Checklist
This checklist contains multifunction device (MFD) hardening/configuration
vary, even within the same product line, this checklist
l best practices. In order to
implement the items
on this checklist, consult your
MFD’s documentation or the vendor.
Point of Contact
Hardware Make/ Model/Manufacturer
IP Address/DNS Names
Separate account called “fsscan” created.
Static IP Address Assigned
ver statically assigned
Bootstrap Protocols Disabled
Unused Protocols Disabled
Wi-Fi Interfaces Disabled or Configured per Wireless Guidelines
Protocols Used such as HTTPS, SNMP v3, etc.
if PI is involved
and traverses a public network
Access Disabled
Unused SMTP (Mail) Protocol Disabled
HTTP Disabled
Pin for Protected Job Retrieval Created
Print Jobs Limited to only Known Spoolers or Users Configured
Restrict Printer Ports
MFD Configured to Delete Completed Scan Jobs
MFD Configured to Protect Stored Images or Temp. Files on the Harddisk
If MFD has Data Storage Capability Information is Secured
Firmware is Up to Date
PIN for Administrative Access is Enabled
Default Passwords Changed
Default Admin or Other Accounts Changed
Remote Administrative Access Restricted
If any item in the Checklist above
cannot be co
the MFD capabilities please place in the check
column an NP (Not Possible).
Logging is Enabled for all Functions
MFD physically Secured with Restricted Access
MFD Harddisk locked or Physically Secured