Jan 07 2022
Security

4 Ways to Strengthen Printer Security

Addressing printer-based security threats is a must for higher education institutions.
by

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

Printers aren’t just printers anymore. They are scanners, copiers, fax machines, print servers and more. They may not have the processing power and storage of servers or even a modern smartphone, but their invisible nature and privileged position in networks makes them an ideal entry point and hiding place for malware and hackers. Here are four tips to reduce the risk of compromise.

Click the banner below to unlock premium content exploring higher ed security.

higher ed security insider sign-up higher ed security insider sign-up

1. Consider a Separate Virtual LAN

Printers have complex software, but they don’t have the same level of support, bug fixes and security testing that we expect in desktop, server and smartphone operating systems. Start by acknowledging that printers can never be fully secured, and so network-based access controls are a critical tool for isolation and protection. If you can, place printers on a separate virtual LAN, with all access controlled by a firewall. If your buildings and printers are too dynamic to identify which ports the printers are attached to, you can use tools such as 802.1X authentication based on the media.

2. Modify Configurations to Reduce Attack Surface

Out of the box, printers can have as many as 20 printing protocols and services enabled. This makes the devices user-friendly and allows users to plug and play, but it also creates a huge attack surface. By whittling the configuration down to the absolute minimum needed for operation in your network, you can reduce the risk of someone taking control of a printer or gaining access to stored print jobs. Don’t forget other basics: Change the default password or, better yet, use a campuswide directory for authentication. Disable unencrypted management traffic, and only enable SNMPv3 (if you are using SNMP at all). If you haven’t rolled out IPv6 yet, don’t enable it on printers either.

FIND OUT: What one university learned after a ransomware attack.

3. Explore a Centralized Printing as a Service Model

The temptation to litter inexpensive printers all over the network can be strong, especially in distributed, budget-constrained environments like higher education. Having dozens of printer types from different vendors to manage and secure turns a hard job into an impossible one. If a centralized Printing as a Service model works for your campus, this is your best choice to deliver the highest level of security and reliability overall, as devices are provided, managed, secured and controlled by a third-party partner. For campuses that need a more distributed approach, use security as the lens to view basic standards for all printers connected to your network. This ensures that you only restrict choice when there is a clear and compelling reason.

4. Isolate Devices to Reduce Security Risks

Configure the printer to only communicate with the print server, eliminating the possibility of someone communicating directly with the device. This strategy is especially important if you find that you cannot put printers on their own firewalled network segment. Print servers provide a level of separation between the end user and the printer that will reduce (but not eliminate) the likelihood of security problems.

DIVE DEEPER: Colleges leverage pandemic’s hard lessons to advance cybersecurity strategy.

Illustration by Dan Page/Theispot

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now