Network security for printers

Last updated: August 16, 2022

Network printers and related multifunction devices are insecure by default. These devices provide a large out-of-the-box feature set with little to no default security. Most printers will allow a remote intruder full administrative access unless the printer administrator appropriately configures the device. An unsecured printer can be used for the following:

  • Disclosure of user data (e.g., intruders obtain copies of your documents)
  • Attack other systems (e.g., printers are commonly used as part of Denial of Service attacks to route large numbers of messages to the attack target)
  • Print spam messages

This page is for local IT support teams setting up printers for others as well as for individuals setting up their own printers. Follow these required and recommended steps to secure printers and related devices on the UW network.

Recommended: Let UW Managed Print Services do it

For UW faculty, staff and administrative units, UW Managed Print Services can place and support printers for use in your unit, with special attention being paid to security.

If you are managing your printer yourself

Anyone at the UW (including students in residence halls) who has a printer should either simply not connect the printer to the network at all or follow the required steps below for connecting it to the UW networks.

Option one: Not connect to the UW networks

printer USB cableIf you are the only person that uses your printer then consider turning off the printer’s network adapter and connecting your printer directly to your computer with a USB cable. The manufacturer’s website or printer user guide should help with turning off the network adapter.

Option two: Secure your network connection

If your printer has a network adapter — and you must connect it to the UW network — then you need to contact your local IT support organization and request assistance with configuration of that printer to ensure a secure setup.

Required steps

The steps here are general and apply to a wide range of devices. To take action you will need to refer to documentation or vendor support for your particular equipment.

  1. Review the manufacturer’s recommendations for securely configuring your printer. Apply any manufacturer firmware updates required to secure the device and make any necessary configuration changes.
  2. Disable any unused remote access services (e.g., telnet, SNMP, FTP, web) and protocols (e.g., Appletalk).
  3. Set a strong password for any enabled remote access services.
  4. If the printer is capable of IPv6, disable it. IPv6 may “autoconfigure” itself with a publicly accessible address, which provides another way to reach the machine.
  5. Use a private IP address so your printer is not available to the public internet. For systems currently using a public IP address you can request a UW private IP address by sending a message to help@uw.edu with the text similar to that in the following example:

    From: Jane Smith <jsmith@u.washington.edu>

    Subject: Assign private IP address to a networked printer(s)

    Hello, I’m Jane Smith,

    I would like to request a private IP address for networked printer

    Make:
    Model:
    Current IP address: = 128.xxx.xxx.xxx
    host name (if known) = hostname.domainname.washington.edu
    Jane Smith

 

Recommended steps

The following steps are highly recommended:

  1. If your printer provides access control or a firewall: Configure Access Control Lists (ACLs), which restrict use of the printer to a defined set of client computers (e.g., your LAN or subnet).
  2. If you plan on administering or printing via http: Enable Secure Sockets Layer (SSL) for encrypted network transport using https.
  3. If your printer supports remote logging (syslog): Consider configuring the system to syslog to a departmental monitoring server. If possible, have it set to only send logs related to authentication and use of any open remote control services, such as FTP.