SYS.4.1 Printers, Copiers, and Multifunction Devices

Description

Introduction

Modern printers, copiers, and multifunction devices are complex devices that, in addition to mechanical components, contain their own operating systems and provide server services and functions. Because the devices often process confidential information, they — or the entire printing and scanning infrastructure — must be protected.

Multifunction devices are devices that offer several paper-processing functions, such as printing, copying, scanning, and also sending and receiving fax documents.

For many business processes and specialized tasks, paper is still used today as an information medium. Printers, copiers, or multifunction devices are therefore important components in the IT infrastructure. If the devices fail or if falsified documents are printed, this can in some cases affect critical processes and lead to significant economic damage.

Objective

This building block describes how printers, copiers, and multifunction devices can be operated securely so that neither information can flow out through these devices nor the security of the remaining internal IT infrastructure is impaired by them.

Scope and Modeling

The building block SYS.4.1 Printers, Copiers, and Multifunction Devices must be applied to every printer, copier, or multifunction device in the information domain.

The building block addresses the security of printers, copiers, and multifunction devices. Networked or locally connected document scanners are not explicitly taken into account. The risks and requirements can however be derived from those for multifunction devices. Similarly, networked fax machines are not considered separately. The risks and requirements listed in this building block for the fax function therefore also apply to this type of device. The requirements of the building block NET.4.3 Fax Machines and Fax Servers are to be additionally taken into account.

Printers, copiers, and multifunction devices are often connected to data networks. In addition to wired connections, some devices can also be directly connected to a WLAN. Recommendations for this can be found in the building blocks of the NET Networks and Communication sublayer, such as in the building block NET.2.2 WLAN Usage.

Confidential information is often stored on printers, copiers, and multifunction devices and remains on the devices after decommissioning. Leased devices are frequently replaced, depending on the contract, after a predefined usage period or frequency. They are returned at the latest after the lease contract expires. Paper and other supplies can also contain confidential information. Before these devices and supplies are decommissioned, exchanged, repaired, or returned, all sensitive information must be deleted from them. Recommendations for this are not the subject of this building block but can be found in the building block CON.6 Deletion and Destruction.

Print servers are IT systems with print queues, print job management, and possible additional functions, e.g., driver distribution or secure printing. For each print server, the general and operating system-specific security requirements for servers must be met. These are not described in this building block but in the building blocks SYS.1.1 General Server and the respective operating system-specific server building blocks.

An essential focus in securing printers, copiers, and multifunction devices is regularly updating the software installed on the devices, thereby closing software vulnerabilities. This building block does not address this aspect. Requirements for this can be found in the building block OPS.1.1.3 Patch and Change Management.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information domains, typical scenarios are used to represent the threat landscape. The following specific threats and vulnerabilities are of particular importance for the building block SYS.4.1 Printers, Copiers, and Multifunction Devices.

Unauthorized Viewing of Printed Documents

Printed documents often remain for an extended period in the output tray of central printers and multifunction devices because, for example, several files are printed first and then collected all together later. It can also happen that the wrong printer was selected at the client and documents are not found at the expected location. Since departmental or floor printers are used by many users, unauthorized persons can also view or take sensitive information.

Documents left in the output trays of decentralized workstation printers located nearby in office rooms also pose a risk, because persons who have access to these rooms could equally view or remove the printouts.

A further risk is posed by fax documents and printed transmission reports in the output tray, which, in addition to the fax number, date, time, and page count, sometimes show a reduced image of the first page. Since such reports are only output after a fax has been sent or a transmission error has occurred, they may remain in the device for an extended period or not be collected at all. As a result, confidential information may be left unattended in the output tray and in the worst case could be stolen.

Additionally, uncollected documents are eventually disposed of. This often happens by carelessly throwing the printouts into nearby waste paper bins instead of securely destroying printouts containing sensitive information. The information can thereby enter public waste disposal and thus reach the hands of third parties.

Many teleworking locations are also equipped with their own printers or multifunction devices. This can equally result in sensitive information being disclosed.

Visibility of Metadata

Along with a print job, metadata is sent that typically contains the user identifier, date, time, and the name of the print job. This data is displayed on the control panel and in the web server of many printers and multifunction devices. The name of the print job is often derived from the name of the digital document. If the printer has an integrated web server, a browser can often be used to view confidential transactions. Similarly, the metadata on print servers is visible in plain text if it is not anonymized. This allows third parties to obtain confidential information. Many devices also allow print jobs to be saved for later printing after authentication via a PIN. In this case too, the name of all existing documents is displayed on the control panel of an output device.

Certain printers and copiers print so-called “Yellow Dots” (also “Machine Identification Code”, “Tracking Dots”, “Secret Dots”) on the paper. These often undocumented watermarks can contain the date and time as well as the serial number of the printer and are barely visible to the naked eye. In this way, a printout can be directly assigned to an institution or a specific person and can thus be traced back to the person who composed the text. In addition to data protection implications, this could inadvertently cause information to leave the institution.

Fax logs can also be printed without access protection on many multifunction devices. Even if only the phone number, date, time, and page count are listed, conclusions about personal data or business transactions can already be drawn.

Insufficient Protection of Stored Information

Printers, copiers, and multifunction devices are often equipped with non-volatile storage on which information is stored temporarily or even for longer periods. For example, address books, documents, fax files, and print jobs are stored there. If this information is insufficiently protected, third parties can access and read it. Under certain circumstances, even already deleted information can be reconstructed if insecure deletion methods were applied.

Data can be stored in the device and read from it via network protocols. If the storage media of printers and multifunction devices are not secured, the devices can often be misused as unauthorized file servers. In this way, information can be stored decentrally without control and is not taken into account in the data backup concept.

Unencrypted Communication

Print and scan data are often transmitted unencrypted over the network. This allows the sent documents to be read. Similarly, print files temporarily stored on print servers can be read. This also applies to central scanning and document processing systems.

Further sources of risk are unencrypted communication interfaces for administering the devices. If devices are accessed via HTTP, SNMPv2, or Telnet, the information is transported unprotected. This puts the access information including device passwords at risk.

Unauthorized Transmission of Information

Many multifunction devices can send digitized paper documents by e-mail and fax. Without special protective measures, information can thereby deliberately or accidentally reach unauthorized recipients. Users could, for example, enter addresses or phone numbers incorrectly. As a result, sensitive data may unintentionally be sent to wrong recipients. Additionally, confidential documents can quickly reach the outside using the e-mail or fax function.

Many networked printers can be configured to receive print jobs from the Internet via e-mail and to send scanned documents as e-mail attachments. The free entry of the sender address can be misused to send e-mails under someone else’s name to internal and external persons.

Uncontrolled Data Exchange via Storage Interfaces of Printers, Copiers, and Multifunction Devices

Documents on paper can be quickly copied using multifunction devices. Via the available USB or SD card interfaces, it is also possible to quickly digitize even large quantities of paper documents directly and without any control, and to save them to USB sticks or SD cards. Documents stored on storage media can also be printed directly via these storage interfaces.

If printers, copiers, and multifunction devices are connected to a data network or directly to clients, IT systems can often directly access the storage media connected to these devices. Even when mounting storage media on the institution’s IT systems is technically prevented, this detour allows information to be copied without control via the storage interfaces of the devices.

In this way, (malicious) software can enter the clients connected to the multifunction devices or the institution’s data network via storage interfaces. Conversely, confidential (paper) documents can be digitized unnoticed and stolen without trace.

Insufficiently Secured Network Access of Printers, Copiers, and Multifunction Devices

Firewalls between LAN and Internet are frequently configured to allow entire subnets to access the Internet. Furthermore, printers, copiers, and multifunction devices are often assigned to the same subnet as clients. As a result, network printers too can access information on the Internet. Even if the institution’s IT systems only access the Internet via a proxy, printers, copiers, and multifunction devices can use it too. If connections to and from printers from the Internet are not rejected by the firewall, sensitive information may undesirably leave the institution’s data network. Conversely, a network-capable device could undesirably receive data from the Internet and distribute it further. A network printer can thus become a gateway for attacks from the Internet.

Inadequate Access Protection for Device Administration

Networked printers, copiers, and multifunction devices can be managed via the control panel and the built-in web server. Upon delivery, devices generally have no or only a default password. If the password is not set or not changed, the devices can be accessed very easily.

In many institutions, uniform passwords are also used for all printers and multifunction devices, which are rarely changed. As a result, they are often known to many internal and external parties, and unauthorized third parties can easily access the devices.

Furthermore, printers and multifunction devices can be reset to factory state via boot menus. This also affects security settings. For example, the device password is often no longer present after the printer or multifunction device has been reset to factory settings. Unsecured boot menus facilitate administration but simultaneously reduce security.

Printers, copiers, and multifunction devices are equipped with numerous network protocols. Upon delivery, all protocols are usually activated. As a result, attackers could access device settings and modify them so that sensitive information flows out of the network.

Many devices can transmit their control panel display over the network to support personnel. This however also allows confidential user inputs on the device’s control panel to be read.

In larger institutions, there are usually very many printers, copiers, and multifunction devices. To be able to still manage and monitor these efficiently, device management software is often used. Many institutions however do not sufficiently protect this software against unauthorized access because it is perceived as a less critical system. As a result, individual or all devices can be unintentionally or deliberately modified.

Requirements

The following are the specific requirements of the building block SYS.4.1 Printers, Copiers, and Multifunction Devices. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is sensible and appropriate.

Responsibilities               Roles
Primarily responsible          IT Operations
Additional responsibilities    Information Security Officer (ISO)

Exactly one role should be Primarily responsible. Beyond that, there may be Additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many people should fill these roles.

Basic Requirements

The following requirements MUST be met with priority for this building block.

SYS.4.1.A1 Planning the Use of Printers, Copiers, and Multifunction Devices (B)

Before printers, copiers, and multifunction devices are procured, their secure use MUST be planned. The following criteria SHOULD be taken into account:

  • Support for secure protocols for data transmission and administration,
  • encryption of stored information,
  • authentication of users directly at the device,
  • use of physical protection mechanisms such as eyelets for theft protection or device locks,
  • existence of a reliable and high-performance automatic paper feeder for the scan unit,
  • support for appropriate data formats,
  • if required, support for patch codes and barcodes for document separation and transfer of meta information,
  • existence of a function for secure deletion of storage, and
  • availability of regular updates and maintenance contracts.

It MUST be determined where the devices may be set up. It MUST also be defined who may access the printers, copiers, and multifunction devices. The results SHOULD be documented in a baseline concept.

SYS.4.1.A2 Appropriate Placement and Access to Printers, Copiers, and Multifunction Devices (B)

IT Operations MUST position and secure printers, copiers, and multifunction devices so that only authorized persons can use the devices and access processed information. It MUST also be ensured that only authorized persons can administer, maintain, and repair the devices. Written confidentiality agreements MUST be concluded with service providers (e.g., for maintenance).

Printers, copiers, and multifunction devices MUST be provided with device passwords in order to lock access to the web server and control panel for administration. These MUST meet the specifications of the institution’s identity and authorization management.

SYS.4.1.A3 DISCONTINUED (B)

This requirement has been discontinued.

SYS.4.1.A12 DISCONTINUED (B)

This requirement has been discontinued.

SYS.4.1.A13 DISCONTINUED (B)

This requirement has been discontinued.

SYS.4.1.A22 Proper Disposal of Printed Documents (B)

Documents that are no longer needed but have been printed and contain confidential information MUST be destroyed in an appropriate manner. If home workplaces are equipped with printers, copiers, or multifunction devices, it SHOULD be ensured that the printed information can be destroyed appropriately on site if it is no longer needed.

Standard Requirements

Together with the basic requirements, the following requirements correspond to the state of the art for this building block. They SHOULD generally be met.

SYS.4.1.A4 Creation of a Security Policy for the Use of Printers, Copiers, and Multifunction Devices (S)

The institution SHOULD develop a security policy for printers, copiers, and multifunction devices. It SHOULD regulate what requirements and specifications are placed on the information security of the devices and how these are to be met. It SHOULD also be defined which functions may be administered or used by which users under which conditions.

SYS.4.1.A5 Creation of Usage Policies for Handling Printers, Copiers, and Multifunction Devices (S) [Information Security Officer (ISO)]

The ISO SHOULD create a usage policy for the institution that summarizes all security requirements for handling the devices in a clear and understandable manner. The usage policy SHOULD be known to all users.

SYS.4.1.A6 DISCONTINUED (S)

This requirement has been discontinued.

SYS.4.1.A7 Restriction of Administrative Remote Access to Printers, Copiers, and Multifunction Devices (S)

IT Operations SHOULD ensure that administrative remote access to printers, copiers, and multifunction devices is only made possible to a clearly defined group of administration and service personnel. This SHOULD also be ensured when the institution uses central device management software.

It SHOULD be determined whether the display of the control panel may be viewed via a data network. If this is desired, it SHOULD only be possible to transmit the display to IT Operations. This SHOULD also be coordinated with the affected users.

SYS.4.1.A8 DISCONTINUED (S)

This requirement has been discontinued.

SYS.4.1.A9 DISCONTINUED (S)

This requirement has been discontinued.

SYS.4.1.A10 DISCONTINUED (S)

This requirement has been discontinued.

SYS.4.1.A11 Restriction of the Connection of Printers, Copiers, and Multifunction Devices (S)

IT Operations SHOULD ensure that network-capable printers, copiers, and multifunction devices are not reachable from external networks. If multifunction devices are connected to the telephone network, it SHOULD be ensured that no uncontrolled data connections between the institution’s data network and the telephone network can be established. Network printers and multifunction devices SHOULD be operated in a separate network segment that is separated from the institution’s clients and servers.
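The segmentation demanded above, and the weak situation described in the threat landscape (a firewall that lets whole internal subnets reach the Internet), can be checked mechanically against a firewall policy. The following is an added example and not part of the IT-Grundschutz building block: it models a constructed first-match rule set with the Python standard library and tests the expectations a practitioner would hold for a dedicated printer segment. The address plan (10.20.30.0/24 for printers, 10.10.0.0/16 for clients, a print server and a management host) and the rule representation are assumptions; real firewalls use their own syntax, but the expectations carry over.

```python
"""Segmentation check for a dedicated printer network segment (SYS.4.1.A11).

Added example, not from the IT-Grundschutz text. The address plan and the
simplified first-match rule set are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not from the building block).
PRINTER_SEGMENT = ip_network("10.20.30.0/24")
CLIENT_SEGMENT = ip_network("10.10.0.0/16")
PRINT_SERVER = ip_address("10.0.1.25")
MGMT_HOST = ip_address("10.0.9.10")
INTERNET_HOST = ip_address("203.0.113.7")   # documentation address (TEST-NET-3)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


def evaluate(rules: List[Rule], src, dst, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


# Weak policy as described in the threat landscape: every internal subnet,
# printers included, may talk to anywhere, and clients print directly.
WEAK_RULES = [
    Rule("allow", ip_network("10.0.0.0/8"), ANY),
]

# Hardened policy: only the print server and the management host reach the
# printer segment, and the segment itself may not initiate connections.
HARDENED_RULES = [
    Rule("allow", ip_network(f"{PRINT_SERVER}/32"), PRINTER_SEGMENT, 9100),  # raw print
    Rule("allow", ip_network(f"{PRINT_SERVER}/32"), PRINTER_SEGMENT, 631),   # IPP
    Rule("allow", ip_network(f"{MGMT_HOST}/32"), PRINTER_SEGMENT, 443),      # HTTPS admin
    Rule("deny", PRINTER_SEGMENT, ANY),        # printers never initiate outbound
    Rule("deny", ANY, PRINTER_SEGMENT),        # nobody else reaches printers
    Rule("allow", CLIENT_SEGMENT, ANY, 443),   # ordinary client traffic elsewhere
]


def segmentation_findings(rules: List[Rule]) -> List[str]:
    """Return the names of the expectations that the given policy violates."""
    printer = PRINTER_SEGMENT[10]   # an arbitrary device in the segment
    client = CLIENT_SEGMENT[50]     # an arbitrary client
    expectations: List[Tuple[str, str, str]] = [
        ("printer may not reach the Internet",
         evaluate(rules, printer, INTERNET_HOST, 443), "deny"),
        ("Internet may not reach the printer web server",
         evaluate(rules, INTERNET_HOST, printer, 443), "deny"),
        ("clients may not print directly, only via the print server",
         evaluate(rules, client, printer, 9100), "deny"),
        ("print server may submit jobs",
         evaluate(rules, PRINT_SERVER, printer, 9100), "allow"),
        ("management host may reach HTTPS administration",
         evaluate(rules, MGMT_HOST, printer, 443), "allow"),
        ("printer may not reach the client segment",
         evaluate(rules, printer, client, 445), "deny"),
    ]
    return [name for name, got, want in expectations if got != want]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, "violations:", segmentation_findings(rules) or "none")
```

The weak policy violates three expectations (printers reach the Internet and the client segment, and clients bypass the print server), while the hardened policy violates none; the same expectation list can be run against an exported production rule set once a parser for the real syntax is added.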

SYS.4.1.A15 Encryption of Information in Printers, Copiers, and Multifunction Devices (S)

Where possible, all information stored on device-internal, non-volatile storage media SHOULD be encrypted. Print jobs SHOULD also be transmitted in encrypted form where possible.

SYS.4.1.A17 Protection of Payload and Metadata (S)

Payload and metadata such as print jobs and scan files SHOULD be stored on the devices for as short a time as possible. The data SHOULD be automatically deleted after a predefined time. File servers in the devices and functions such as “scan to device memory” SHOULD be disabled by IT Operations. The protocols and functions required for this SHOULD be blocked as far as possible.

In general, IT Operations SHOULD ensure that no metadata is visible to unauthorized persons. The institution SHOULD regulate how printouts containing metadata are passed on to third parties.

SYS.4.1.A18 Configuration of Printers, Copiers, and Multifunction Devices (S)

All printers and multifunction devices SHOULD only be configurable by IT Operations. Device functions not needed SHOULD be switched off. In particular, all data and network interfaces of printers, copiers, and multifunction devices that are not required SHOULD be deactivated.

The devices SHOULD be managed exclusively via encrypted protocols such as HTTPS and SNMPv3. All protocols via which printers and multifunction devices can be accessed unencrypted SHOULD be replaced by encrypted ones or switched off by IT Operations. This SHOULD be implemented in particular for protocols that allow device configuration to be changed, e.g., SNMP, Telnet, and PJL.

SYS.4.1.A19 DISCONTINUED (S)

This requirement has been discontinued.

Requirements for High Protection Needs

The following are exemplary proposals for requirements for this building block that go beyond the level of protection corresponding to the state of the art. The proposals SHOULD be considered when there is a higher need for protection. The concrete definition is made in the context of an individual risk analysis.

SYS.4.1.A14 Authentication and Authorization at Printers, Copiers, and Multifunction Devices (H)

Only authorized persons SHOULD be able to access the printed or copied documents. As far as possible, only central printers, copiers, and multifunction devices SHOULD be used where users must authenticate themselves at the device before the print job starts (“secure print”). After users have authenticated, only their own print jobs SHOULD be visible. Only the functions necessary for the respective users SHOULD be enabled.

SYS.4.1.A16 Reduction of Downtime for Printers, Copiers, and Multifunction Devices (H)

To keep the downtime of printers, copiers, and multifunction devices as short as possible, among other things:

  • replacement devices SHOULD be available,
  • maintenance contracts SHOULD be checked for appropriate response times,
  • a list of specialist dealers SHOULD be maintained to be able to quickly procure replacement devices or parts, and
  • if required, frequently needed spare parts SHOULD be kept in stock.

SYS.4.1.A20 Extended Protection of Information in Printers, Copiers, and Multifunction Devices (H)

On the print server, the names of print jobs SHOULD only be displayed anonymized. All interfaces for external storage media SHOULD be blocked. Furthermore, device-internal address books SHOULD be deactivated and users SHOULD be offered alternative addressing methods (e.g., address lookup via LDAP).

For printers and multifunction devices with e-mail functionality, it SHOULD be ensured that e-mails can only be sent with the e-mail addresses of the authenticated users. Documents SHOULD also only be able to be sent to internal e-mail addresses.

Incoming fax documents and transmission reports SHOULD only be accessible to authorized persons.

SYS.4.1.A21 Extended Security of Printers, Copiers, and Multifunction Devices (H)

IT Operations SHOULD regularly check the security settings of printers, copiers, and multifunction devices and correct them if necessary. If an automated control and correction system is available, it SHOULD be used.

Furthermore, restrictions SHOULD be imposed on resetting devices to factory settings via the boot menu. It SHOULD be ensured that no firmware or additional software can be installed on printers and multifunction devices that has not been verified and approved by the respective manufacturer.
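The configuration requirements of SYS.4.1.A18 (cleartext protocols off, HTTPS/SNMPv3 on, unneeded interfaces disabled) and the regular, ideally automated, check and correction demanded by SYS.4.1.A21 can be expressed as an audit over a device's exported settings. The following is an added example, not from the IT-Grundschutz Compendium or any manufacturer: it uses a constructed, vendor-neutral dictionary of settings (real devices expose different keys via their web interface, SNMP MIBs or management software), checks them against the requirements A2, A15, A17, A18, A20 and A21, and returns a corrected copy. The 24-hour retention limit and the list of default passwords are assumptions; a device password cannot be corrected automatically and is therefore only reported.

```python
"""Automated check and correction of device security settings (SYS.4.1.A18, A21).

Added example, not from the IT-Grundschutz text. Setting names, the sample
configuration, the default-password list and the retention limit are
constructed assumptions.
"""
import copy
from typing import Dict, List, Tuple

# Protocols that carry credentials or configuration in the clear (A18).
CLEARTEXT_PROTOCOLS = {"http", "telnet", "ftp", "snmpv1", "snmpv2c", "pjl"}
DEFAULT_PASSWORDS = {"", "admin", "1234", "password"}   # constructed examples
MAX_RETENTION_HOURS = 24   # assumed institution-specific limit for A17

# Constructed export of a freshly installed multifunction device.
SAMPLE_CONFIG: Dict = {
    "hostname": "mfp-floor3",
    "admin_password": "admin",
    "protocols": {"http": True, "https": True, "telnet": True, "snmpv2c": True,
                  "snmpv3": False, "pjl": True, "ipps": True},
    "storage_encryption": False,
    "job_retention_hours": 720,
    "device_file_server": True,
    "scan_to_device_memory": True,
    "usb_host_port": True,
    "email_sender_fixed_to_user": False,
    "boot_menu_reset_locked": False,
    "signed_firmware_only": False,
}


def audit(cfg: Dict) -> List[Tuple[str, str]]:
    """Return (requirement, message) pairs for every setting that violates SYS.4.1."""
    findings: List[Tuple[str, str]] = []
    protocols = cfg.get("protocols", {})
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:                 # A2
        findings.append(("SYS.4.1.A2", "device password missing or vendor default"))
    for proto in sorted(protocols):                                        # A18
        if proto in CLEARTEXT_PROTOCOLS and protocols[proto]:
            findings.append(("SYS.4.1.A18", f"cleartext protocol enabled: {proto}"))
    if not protocols.get("https") or not protocols.get("snmpv3"):
        findings.append(("SYS.4.1.A18", "encrypted administration (HTTPS/SNMPv3) not fully enabled"))
    if not cfg.get("storage_encryption"):                                  # A15
        findings.append(("SYS.4.1.A15", "device-internal storage not encrypted"))
    if cfg.get("job_retention_hours", 0) > MAX_RETENTION_HOURS:            # A17
        findings.append(("SYS.4.1.A17", "job data retained longer than the defined limit"))
    for key in ("device_file_server", "scan_to_device_memory"):
        if cfg.get(key):
            findings.append(("SYS.4.1.A17", f"{key} enabled"))
    if cfg.get("usb_host_port"):                                           # A20
        findings.append(("SYS.4.1.A20", "external storage interface enabled"))
    if not cfg.get("email_sender_fixed_to_user"):
        findings.append(("SYS.4.1.A20", "e-mail sender address freely editable"))
    if not cfg.get("boot_menu_reset_locked"):                              # A21
        findings.append(("SYS.4.1.A21", "factory reset via boot menu not restricted"))
    if not cfg.get("signed_firmware_only"):
        findings.append(("SYS.4.1.A21", "installation of unsigned firmware allowed"))
    return findings


def harden(cfg: Dict) -> Dict:
    """Return a corrected copy; the password is left for IT Operations to set."""
    fixed = copy.deepcopy(cfg)
    protocols = fixed.setdefault("protocols", {})
    for proto in protocols:
        if proto in CLEARTEXT_PROTOCOLS:
            protocols[proto] = False
    protocols["https"] = True
    protocols["snmpv3"] = True
    fixed["storage_encryption"] = True
    fixed["job_retention_hours"] = min(fixed.get("job_retention_hours", 0), MAX_RETENTION_HOURS)
    fixed["device_file_server"] = False
    fixed["scan_to_device_memory"] = False
    fixed["usb_host_port"] = False
    fixed["email_sender_fixed_to_user"] = True
    fixed["boot_menu_reset_locked"] = True
    fixed["signed_firmware_only"] = True
    return fixed


if __name__ == "__main__":
    for req, msg in audit(SAMPLE_CONFIG):
        print(f"{req}: {msg}")
    print("remaining after automatic correction:", audit(harden(SAMPLE_CONFIG)))
```

Run periodically against the exported configuration of every device, the audit gives the regular check required by A21, and `harden` produces the settings to push back through the management software; the one finding that survives automatic correction, the default password, is exactly the item that needs a human.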

Additional Information

Good to Know

The Alliance for Cybersecurity (ACS) provides guidance on the topics mentioned in the BSI recommendations “Printers and Multifunction Devices in the Network BSI-CS 015” and “Secure Passwords in Embedded Devices (BSI-CS 069)”. In-depth information on printers, copiers, and multifunction devices can also be found in the white paper “Data Protection and IT Security in Print Infrastructures” by ACS partner company mc² management consulting GmbH.

The National Institute of Standards and Technology (NIST) describes requirements for output devices such as printers, copiers, and multifunction devices in its Special Publication 800-53 “Security and Privacy Controls for Federal Information Systems and Organizations”, particularly in the chapter “PE-5 Access control for output devices”.

The “IEEE Standard Protection Profile for Multifunction Devices in IEEE Std 2600™-2008 Operational Environment B” (IEEE Std 2600.2™-2009) was developed by the IEEE Computer Society Information Assurance (C/IA) Committee as a basis for creating security specifications for the certification of an IT product, the Target of Evaluation (TOE).