Network printers and related multifunction devices are insecure by default. These devices provide a large out-of-the-box feature set with little to no default security. Most printers will allow a remote intruder full administrative access unless the printer administrator appropriately configures the device. An unsecured printer can be used for the following:
- Disclosure of user data (e.g., intruders obtain copies of your documents)
- Attack other systems (e.g., printers are commonly used as part of Denial of Service attacks to route large numbers of messages to the attack target)
- Print spam messages
This page is for local IT support teams setting up printers for others as well as for individuals setting up their own printers. Follow these required and recommended steps to secure printers and related devices on the UW network.
Recommended: Let UW Managed Print Services do it
For UW faculty, staff and administrative units, UW Managed Print Services can place and support printers for use in your unit, with special attention being paid to security.
If you are managing your printer yourself
Anyone at the UW (including students in residence halls) who has a printer should either simply not connect the printer to the network at all or follow the required steps below for connecting it to the UW networks.
Option one: Not connect to the UW networks
If you are the only person that uses your printer then consider turning off the printer’s network adapter and connecting your printer directly to your computer with a USB cable. The manufacturer’s website or printer user guide should help with turning off the network adapter.
Option two: Secure your network connection
If your printer has a network adapter — and you must connect it to the UW network — then you need to contact your local IT support organization and request assistance with configuration of that printer to ensure a secure setup.
The steps here are general and apply to a wide range of devices. To take action you will need to refer to documentation or vendor support for your particular equipment.
- Review the manufacturer’s recommendations for securely configuring your printer. Apply any manufacturer firmware updates required to secure the device and make any necessary configuration changes.
- Disable any unused remote access services (e.g., telnet, SNMP, FTP, web) and protocols (e.g., Appletalk).
- Set a strong password for any enabled remote access services.
- If the printer is capable of IPv6, disable it. IPv6 may “autoconfigure” itself with a publicly accessible address, which provides another way to reach the machine.
- Use a private IP address so your printer is not available to the public internet. For systems currently using a public IP address you can request a UW private IP address by sending a message to email@example.com with the text similar to that in the following example:
The following steps are highly recommended:
- If your printer provides access control or a firewall: Configure Access Control Lists (ACLs), which restrict use of the printer to a defined set of client computers (e.g., your LAN or subnet).
- If you plan on administering or printing via http: Enable Secure Sockets Layer (SSL) for encrypted network transport using https.
- If your printer supports remote logging (syslog): Consider configuring the system to syslog to a departmental monitoring server. If possible, have it set to only send logs related to authentication and use of any open remote control services, such as FTP.