Network Printing Best Practices

Printers placed on public IP space can experience a number of problems. The most common complaints are the device printing spam or gibberish on large amounts of paper. This prevents legitimate use and wastes resources. The frequency of these attacks has been increasing since late 2015 and continues to be a concern. Protect your printers from these and other attacks by following these printing best practices.

Limit Internet Connectivity

  • Printers and other devices that do not require Internet connectivity should be placed in private IP space. UMNet Administration provides guidance for Assigning Private IP Network Numbers.
  • Devices that require connectivity to the Internet should be configured to only allow connection to necessary services.

Configure Access Control Lists for Limited Access

  • Configure access so that only appropriate network subnets can reach the printer.
  • If printing from off-campus networks is needed, private IP address space can be accessed through the use of the U-M Virtual Private Network (VPN) client to connect to the printer. (See Use a Secure Internet Connection for information about VPNs at Michigan Medicine, and the Dearborn and Flint campuses.)

Set a Strong Administrative Password

  • Do not accept the default password. Many printers come with a standard admin password. In some cases, printers come with no password at all.
  • It is imperative that you set your own strong password for your printers.
  • Limit knowledge of the password to only those who need to manage the printer.
  • If the printer is reset to factory settings, it it likely the default password will be restored and will need to be changed.

Disable Unnecessary Services

Most printers support a number of different services, many of which are legacy and rarely used. Many services can weaken the overall security of the printer, as they can be identified and exploited by attackers.

  • Disable any services that you do not use. This can often be done by a management web interface enabled on the printer.
  • Disable Telnet and FTP. In the past, these may have been used to manage and send print jobs; this should be avoided.
  • Review and disable services such as IPP, AppleTalk, and IPv6 when appropriate.

Disable Embedded Web Server

Many printers allow configuration and administration through a built-in web interface.

  • Configure the web server to only allow traffic over a secure connection (HTTPS), and disable access over HTTP.
  • If you do not use the embedded web server to manage your printer, disable it if possible.

Configure Multifunction Printers and Printers with Hard Drives

  • If the printer is a multi-function device, configure scan-to-email such that email service cannot be used as email relay (commonly used to send spam).
  • If possible configure multi-function scan-to-email to utilize encrypted PDF.
  • When a printer with a hard drive is retired, ensure that the hard drive is wiped or destroyed. (See Data Retention and Removal on Copiers and Multifunction Devices.)