Multifunction Peripheral Guidelines
The University of Pacific Community has identified a need to utilize Multifunction Peripheral devices (MFP) throughout the campus as a way of reducing the need of multiple devices, realizing cost savings on toner, ease of use, less impact on the environment, and efficiencies of process. An MFP is sometimes called a multifunction network device (MFD) or all-in-one (AIO) device and typically incorporates printing, copying, scanning and faxing capabilities. Because management interfaces for MFPs vary, even within the same product line, this document defines security guidelines for any MFP used at the University.
Securing MFP devices is important for a number of reasons:
- Most are simply "plugged-in" to the network, deployed using the minimal settings required to make the device respond and operate.
- Once installed, they rarely receive recommended application and operating system updates and vendor patches.
- Networked devices can be administered via the network; physical access to the device may not be required.
Due to increased sophistication (built-in "intelligence") and ever-increasing storage capacity, they can be used to launch attacks, store unauthorized data, retrieve scanned and printed documents, and print objectionable or unauthorized material.
This security guideline applies to all MFP that are used at the University. MFPs that are managed through a "pay-per-click" type of service should also follow the hardening and decommissioning checklist.
All technical support personnel responsible for the installation, maintenance, support and decommissioning of MFP devices should following the MFP security standard. This includes but is not limited to; TSPs, CSC staff, and 3rd party organizations hired or contracted to support MFP devices.
- MFP should be physically connected to PacificNet where possible
- Where possible, static IP should be set, or a static DHCP reservation should be used
- The firmware in use on any MFP should never be more than two revisions old
- Secure protocols should be used for remote configuration and support (https, SSL, or SSH)
- All unused ports and services should be disabled
- FTP and Telnet services should be disabled
- The default MFP password must be changed to comply with Pacific's password security standards
- Where possible, the SNMP community string should be changed from the factory default and comply with Pacific's password security standard. Note: Some network-based printers require SNMP's default password. For those that do, the MFP make, model, and IP address should be documented and forwarded to Pacific's IT Security Office for a security review.
- If SNMP version 3 will not be used to manage MFP, it should be turned off
- Incoming SMTP traffic should be disabled by default. If it is to be used by a department, it should be reviewed and approved by Pacific's IT Security Office
- All SMTP traffic should use Pacific's SMTP mail gateways
- A PIN, password, or passphrase should be used to protect the configuration menu on the MFP
- Access controls to the MFP should be IP filtered, MAC filtered (where supported), or through the use of network print servers
- In areas that have access to sensitive or confidential University data, automatic overwrite of data should be included
- If data is to be stored, it should not be able to read by any other device, or encrypted in 3DES
- All MFP should maintain current patch levels for security standards and anti-virus for operating system used where possible
- For any MFP that will be moving between departments, the equipment should be erased, sanitized and setup at the new department starting from default factory settings
- For any MFP that will be permanently removed from the University network, the equipment should be handled as any system that stores confidential information. MFPs need to be erased and sanitized to University requirementsor the hard drive should be retained before being physically removed from the University. See Appendix I for the MFP Decommission Checklist.
Exceptions to this security guideline should be fully documented (paper or email) and sent to Pacific's IT Security Office (ITSO) for security review. All MFP devices that were installed and used at the University prior to the date this guideline was implemented should be reviewed by the TSP and the ITSO to assess risk to the University.Exception Process:
- Document each item not checked off with the specific reasoning as to why the task could not be completed.
- Complete as many sections of the hardening checklist as possible.
- Submit the completed checklist along with the exception document to firstname.lastname@example.org or mail it via campus mail to IT Security in the OIT department.
- If additional security controls are needed, each exception request will be managed on a case-by-case basis with suggested protections commensurate to the highest classification category of data that will be used on/with the MFP.
The ITSO will annually review exception requests and may request changes in security safeguards as technology changes.