Information Security Guideline



Title: Multifunction Device Guideline
Reference No: 03.12.01
Version No:
Status: Final
Creation Date: 1/27/2010
Revision Date:
Approval Date:
Approved by:
TAG
Key Words: Multifunction Devices, MFD





Statement of Policy

Washington University School of Medicine (WUSM) is committed to conducting business in compliance with all applicable laws, regulations and WU policies. WUSM has adopted this policy to outline the security measures required to protect electronic information systems and related equipment from unauthorized use.


Objective

This guide is to identify and mitigate the security risks that Multifunction Devices (MFD) introduce into the network environment. Most often these devices are left in their default state, installed by various vendors that lack guidance on how they should be securely configured. The guidance contained within this document will give administrators and vendors the necessary steps to securely place these devices on the network.


Affected Systems:

All MFP (Multi Functional Products) and/or services that are connected to the internal network (WUCON).


Guidelines

Over the past decade greater intelligence has been built in to much enterprise and consumer equipment. Where previously a printer or a fax machine may have been simple to configure via several toggle switches, it may now contain a fully functional operating system and a computer with processing power dwarfing that of an older desktop computer. A variety of these devices are in use for printing, faxing and copying information.

MFDs present a security risk since they have similar components and features to computers. Though the risk of protected information (PI) exposure due to network attacks (SNMP attacks, buffer overflows, etc.) is considered low, other capabilities present a higher risk (HTTP in clear text, File Transfer Protocol (FTP), FAX/Scan to Email stored PI, e-mail address books, fax numbers, copy and scan logs, etc.). Most if not all devices have an internal web page used for configuration and setup. Unprotected access to these pages can allow modification of network information in addition to manipulation of internal address book information controlling scan destinations and inbound routing of fax data.

These devices, if configured properly, can prevent the loss/exposure of information from the above vulnerabilities. As a preventative step it is recommended that you follow the recommendations below.



1) Registration

All MFDs should be registered with their respective IT departments. At a minimum, the following information is useful and should be maintained to provide accurate identification:

- Primary point of contact(s), and the physical location
- Vendor supporting the MFD, Administrator name
- Hardware make, model, and manufacturer
- Main functions and any associated applications
- All associated IP Addresses and IP names
- All associated wired and wireless MAC addresses



2) Periodic Assessment

Periodic assessments of the MFD and related components will be performed to ensure the MFD meets the guidelines within this best practice. Also some MFDs suffer from a mismatch between the service state articulated in the management console and the true state of the service. Given this, it is recommended that the MFD undergo a port scan to ensure only expected network services are available. The Information Security Office will perform these assessments through the use of a vulnerability assessment tool. Any discrepancies between the MFD and this guideline will be reported to the Department or MFD custodian. INFOSEC will work with all parties involved in the remediation effort. It is recommended that a separate administrative account be created called “fsscan” for this.
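
The port-scan check recommended above can be automated by comparing scan output with each device's registration record. The following is an added example, not part of the original guideline: it parses nmap grepable (-oG) output and reports open ports outside the registered baseline, baseline services that did not answer, and hosts with no registration record. The addresses, host names, baseline and the mapping of ports to guideline items are assumptions constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output; hosts and addresses are made up.
SAMPLE_SCAN = (
    "Host: 10.20.30.41 (mfd-radiology)\tPorts: 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 9100/open/tcp//jetdirect///\n"
    "Host: 10.20.30.42 (mfd-billing)\tPorts: 21/closed/tcp//ftp///, 515/open/tcp//printer///\n"
    "Host: 10.20.30.77 ()\tPorts: 80/open/tcp//http///, 161/open/udp//snmp///\n"
)

# Hypothetical registration records: the services each MFD is configured to offer.
EXPECTED = {
    "10.20.30.41": {(443, "tcp"), (9100, "tcp")},
    "10.20.30.42": {(515, "tcp"), (9100, "tcp")},
}

# Assumed mapping from well-known ports to the guideline item that covers them.
GUIDELINE = {
    (21, "tcp"): "Disable Telnet and FTP Access",
    (23, "tcp"): "Disable Telnet and FTP Access",
    (25, "tcp"): "Disable Unused SMTP Services",
    (80, "tcp"): "Disable Unused HTTP Services",
    (161, "udp"): "Use Secured Communications (SNMP)",
    (515, "tcp"): "Restrict Print Services Ports",
    (631, "tcp"): "Restrict Print Services Ports",
    (9100, "tcp"): "Restrict Print Services Ports",
}

def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} for every port reported open."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        open_ports = found.setdefault(m.group(1), set())
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
    return found

def assess(scan_text, expected):
    """Compare observed open ports with each device's registered baseline."""
    observed, report = parse_grepable(scan_text), {}
    for ip in sorted(set(observed) | set(expected)):
        baseline, seen = expected.get(ip, set()), observed.get(ip, set())
        report[ip] = {
            "registered": ip in expected,
            "unexpected": sorted((port, proto, GUIDELINE.get((port, proto), "no guideline item"))
                                 for port, proto in seen - baseline),
            "missing": sorted(baseline - seen),
        }
    return report
```

A "missing" entry is the reverse case of the console/service mismatch: a service the registration record lists as offered that did not answer the scan. Calling assess(SAMPLE_SCAN, EXPECTED) returns one report entry per host.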


3) Network Protocols

Set a Static IP Address

Giving MFDs static IP addresses or DHCP reservations makes it easier to monitor them and apply access lists on hardware-based firewalls. It is recommended that a static IP address be assigned to the MFD.

Set Static DNS Server Addresses

It is recommended that DNS server IP addresses be statically configured in the MFD.

Disable Bootstrap Protocols

Bootstrap Protocols, including BOOTP, PXE, and DHCP, are network protocols used by a network client to obtain its network configuration (IP, subnet, DNS servers, gateway, etc.) automatically. It is recommended that bootstrap protocols be disabled.

Disable Unused Protocols

Many MFDs can participate in networks that operate over a variety of protocols, including IP, IPX/SPX, and AppleTalk. As a defense in depth measure, it is recommended that all unused network-layer protocols supported by the MFD be disabled.

Disable Unused Wi-Fi Interfaces

MFDs often come equipped with Wi-Fi cards that allow these devices to participate on wireless LANs. As a defense in depth measure, it is recommended that unused Wi-Fi interfaces be disabled. If the Wi-Fi interface is used it should meet the INFOSEC Wireless Standards and Guidelines.


Use Secured Communications

Where technically feasible, all unencrypted protocols should be replaced by encrypted protocols (for example scan to email and file sharing) to improve overall security if Protected Information is being used. This is especially true and required if the protected information will traverse a public network such as WUSTL and/or the Internet.

- If the MFD supports it, use HTTPS for web-based management rather than HTTP. If web-based management occurs only within WUCON this is not required but recommended.

- If you use SNMP to manage your MFD, and your MFD supports it, choose SNMPv3 for its authentication and encryption features. If not, configure SNMP per some of the suggestions below. SNMP is a network management protocol used for centralized monitoring and configuration of network-based devices. SNMP "traps" are sent to a management console whenever an event occurs that warrants it (e.g. an "out-of-paper" or "paper jam" condition).

- The most basic form of SNMP security is the community string, which functions similarly to a password. Many devices come with preconfigured SNMP community strings which pose a security risk if left at the widely known, default settings - "public" for read-only access and "private" for read-write access. If SNMP is NOT used for device management in your environment, then disable it. If SNMP is used to monitor and/or manage the device, the following recommendations provide increasing levels of protection to better secure SNMP:

  o If supported by the device and management platform, use SNMPv3
  o If only monitoring is necessary, disable SNMP read-write access
  o Change the default SNMP community strings
  o Configure an ACL (on the device and/or network) to limit SNMP queries to only necessary monitoring systems

- Encryption of Protected Information that is output to a printer connected to a public network should be provided through the use of secure printing applications (e.g., JetDirect) or protocols (e.g., IPP over SSL, TLS, or VPN) to prevent unauthorized network interception.

- If sensitive information is to be sent to printers across unprotected campus networks, consult the INFOSEC office for a risk assessment and alternative ways of protecting the information.


Disable Telnet and FTP Access

Legacy MFDs provide administrative access over Telnet. It is recommended that this access mechanism be disabled. Access for network-based administration should be limited to authenticated and encrypted methods, and to the fewest individuals and methods necessary for managing the device. FTP is also a common vector to gain access to a system. This should also be disabled.

Disable Unused SMTP Services

Some MFDs accept inbound SMTP requests in support of SMTP-to-fax services. It is recommended that this access mechanism be disabled if unused.

Disable Unused HTTP Services

Hyper Text Transfer Protocol (HTTP) is the primary protocol over which web based communications occurs. Often, MFDs utilize this protocol to expose rich administrative interfaces. Most MFDs include an embedded web server, and HTTP or HTTPS will likely be the primary management protocol for the device. If the MFP does not require remote management, this interface can be disabled. Use HTTPS if supported and disable HTTP.


4) Print/Copy/Scan/FAX Services

PIN for Confidential Job Retrieval

Many MFDs can be configured to require a pin or RFID interaction to retrieve print jobs. It is recommended that a PIN, or other authorization mechanism, be used to access print jobs if the MFD is in a public area and is used to process protected information.

Accept Jobs from Only Authorized Spoolers and Users

It is recommended that print jobs be restricted to only those jobs that originate from authorized spoolers or users.

Restrict Print Services Ports

Print services are commonly bound to port 9100/TCP or 515/TCP. It is recommended that the MFD be configured to utilize these ports or a port standardized on by the implementing department.

- Port 9100 (a.k.a. HP JetDirect, socket): Most printing services use this protocol, especially drivers from HP, so you may not be able to disable it.
- LPD: LPD is used for printing by many Unix and Linux systems. However, many can now also use CUPS (the Common UNIX Printing System), which allows for printing via a number of protocols. If you do not need LPD, disable it.
- IPP: If the Internet Printing Protocol is not used in your environment, then disable it.
- FTP: Some printers give you the ability to FTP upload documents to print. This feature is not used in most environments and should be disabled.
- SMB: SMB (Windows) printing is often not required, as it is taken care of by other protocols, such as JetDirect. It is also not encrypted. If possible, disable SMB printing.
- SMTP: This is often used for scanning and faxing, and can often be disabled.

Delete Completed Scan Jobs

MFDs often have functionality that allows a user to scan an image to the MFD’s local hard drive. It is recommended that the MFD be configured to delete job artifacts once retrieved by the user.

Protect Hard Disk Information

If hard disk functionality is enabled, configure the MFD to remove spooled files, images, and other temporary data using a secure overwrite (or other disk clearing capability) between jobs if the MFD is processing protected information. Typically, the system administrator can manually invoke this feature using the On Demand Image Overwrite (ODIO) function. It is recommended that this facility be used prior to returning, recycling, or otherwise disposing of the device.

Data Storage

Ensure that the MFD provides secure storage for Protected Information.


5) Management

Establish Firmware Currency

To take advantage of improvements in security technology, MFDs should have the most current, supportable version of the firmware, operating system, and application installed that will meet the needs of the user community. Upgrade to patched firmware expediently, in a manner consistent with change control processes. All firmware, operating system, service, and application security software updates should be applied as soon as possible after they become available.

Verify Configuration State after Power Loss

A defective Multi-Function Device may not retain its configuration state after power loss. It is recommended that the configuration state of the MFD be verified after power loss. If a full reset is performed, ensure that a process is in place to reconfigure the MFD back to its production state.

Require PIN for Administrative Control Panel

MFDs can commonly be configured to require an authorization code before granting access to the device’s control panel. It is recommended that authentication and authorization mechanisms be enabled for administrative control panel access.

Change Default Passwords

Multi-Function Devices are typically configured with default user accounts that are common to all devices of the same make/model. It is recommended that default passwords be changed. Passwords and passphrases must meet the complexity requirements and change frequency as defined by the User Account and Password Guidelines for all accounts and services on the device.

Restrict Administrative Access to Specific IP Addresses

Many MFDs can be configured to limit administrative access to only those connections that originate from a designated IP subnet. It is recommended that access to network accessible administrative interfaces be limited to designated subnets.


6) Logging

MFDs typically contain functionality to log all submitted requests. It is recommended that these facilities be enabled on the device, logging levels be set to ensure adequate details are preserved, and logs be reviewed. In particular, ensure that the following are enabled if the MFD supports it:

- Enable Print Spooler Access Logging
- Enable Print Job Logging
- Enable Print to Fax Logging
- Enable Print to Email Logging
- Enable Print to Share Logging



7) Physical Security

The classification of information that the MFDs process should dictate how/where they are physically. If the classification level is Protected then the following should be observed.

- Physically secure the MFD in areas with restricted access.
- If capabilities permit, lock and prevent access to the hard disk.
- Ensure that only printer administrators can modify the global configuration from the console by requiring a password.
- When a vendor is working on the MFD, the vendor's work is monitored to ensure that security measures are not removed during the course of troubleshooting. If they are removed, they should be put back in place.


Related References

03.02.03 Wireless Guidelines
http://secpriv.wusm.wustl.edu/infosec/Information%20Security%20Policies/Forms/AllItems.aspx?RootFolder=%2finfosec%2fInformation%20Security%20Policies%2f2%20User%20Policy%20and%20Procedures&FolderCTID=&View=%7bBF3E879F%2d52C0%2d4DBD%2dB9A2%2d64806DB760A3%7d

02.01.01 User Account and Password Guidelines
http://secpriv.wusm.wustl.edu/infosec/Information%20Security%20Policies/Forms/AllItems.aspx?RootFolder=%2finfosec%2fInformation%20Security%20Policies%2f2%20User%20Policy%20and%20Procedures&FolderCTID=&View=%7bBF3E879F%2d52C0%2d4DBD%2dB9A2%2d64806DB760A3%7d

SANS Reading Room, “Auditing and Securing Multifunction Devices”
http://www.sans.org/reading_room/whitepapers/networkdevs/auditing_and_securing_multifunction_devices_1921?show=1921.php&cat=networkdevs

Center for Internet Security, “CIS_Multi-Function_Device_Benchmark_v1.0.0”, www.cisecurity.org.



Information Security Contact Information

INFOSEC@wusm.wustl.edu






Appendix A


MFD Security Checklist

This checklist contains multifunction device (MFD) hardening/configuration requirements. Management interfaces for MFDs will vary, even within the same product line; this checklist provides general best practices. In order to implement the items on this checklist, consult your MFD’s documentation or the vendor.

Registration

Point of Contact:
Administrators Name/Supporting Vendor:
Physical Location:
Hardware Make/Model/Manufacturer:
Device Purpose:
IP Address/DNS Names:
MAC Address:

| To Do | CIS ref. | Protected Confidential Min. Std. | Ref. Para. | Ck. |
|---|---|---|---|---|
| Periodic Assessments | | | | |
| Separate account called “fsscan” created. | | | 2 | |
| Network Protocols | | | | |
| Static IP Address Assigned | 2.1.1 | Required | 3 | |
| DNS Server statically assigned | 2.1.2 | Required | 3 | |
| Bootstrap Protocols Disabled | 2.1.4 | Recommended | 3 | |
| Unused Protocols Disabled | 2.1.5, 2.1.7 | Recommended | 3 | |
| Unused Wi-Fi Interfaces Disabled or Configured per Wireless Guidelines | 2.2.2 | Recommended | 3 | |
| Secure Protocols Used such as HTTPS, SNMP v3, etc. if PI is involved and traverses a public network | 2.3 | Required | 3 | |
| Telnet and FTP Access Disabled | 2.3.2, 2.3.3 | Required | 3 | |
| Unused SMTP (Mail) Protocol Disabled | 2.3.5 | Required | 3 | |
| HTTP Disabled | 2.3.6 | Required | 3 | |
| Print/Copy/Fax Services | | | | |
| Pin for Protected Job Retrieval Created | 3.1.1 | Recommended | 4 | |
| Print Jobs Limited to only Known Spoolers or Users Configured | 3.1.2 | Recommended | 4 | |
| Restrict Printer Ports | 2.1.9 | Recommended | 4 | |
| MFD Configured to Delete Completed Scan Jobs | 1.2.3 | Required | 4 | |
| MFD Configured to Protect Stored Images or Temp. Files on the Harddisk | 1.2.4 | Required | 4 | |
| If MFD has Data Storage Capability Information is Secured | 1.2.1 | Required | 4 | |
| Management | | | | |
| Firmware is Up to Date | 1.3.1 | Recommended | 5 | |
| PIN for Administrative Access is Enabled | 1.1.4 | Required | 5 | |
| Default Passwords Changed | 5.1.1 | Required | 5 | |
| Default Admin or Other Accounts Changed | 5.1.2 | Required | 5 | |
| Remote Administrative Access Restricted | 2.1.3, 2.1.8 | Recommended | 5 | |

If any item in the Checklist above cannot be configured because of the MFD capabilities please place in the check column an NP (Not Possible).

| To Do | CIS ref. | Protected Confidential Min. Std. | Ref. Para. | Ck. |
|---|---|---|---|---|
| Logging | | | | |
| Logging is Enabled for all Functions | 6.1 | Required | 6 | |
| Physical Security | | | | |
| MFD physically Secured with Restricted Access | 1.1.1 | Required | 7 | |
| MFD Harddisk locked or Physically Secured | 1.2.2 | Recommended | 7 | |