h1

Securing the Copier \ MFD \ MFP

February 4, 2009

I recently have had the pleasure to meet with a number of Security officers to discuss their companies “copiers”. When I spoke to one of them about a copier being “hacked into” he was incredulous, he couldn’t believe his ears. There have been a number of articles on the subject and yet people still think of these networked systems as “copiers”. Something that their “Purchasing Dept” should deal with.

http://www.networkworld.com/news/2005/110905-hacking-copiers.html
http://www.bizjournals.com/triad/stories/2007/08/13/focus1.html
http://www.engadget.com/2007/03/17/your-office-photocopier-could-help-steal-your-identity/

These are not your father’s copiers. These MFDs (Multi-functional Devices) are true Network Nodes, with their own Operating System (OS), hard drive, Ram Memory, and NIC. It is more like a modern day PC than an old style copier. The new crop of smart MFDs even run applications, usually java or web based. Imagine that, copiers running their own applications, just like PCs. Don’t you think that they warrant some attention from both the network admin and security teams?

Here is the good news, most MFDs use a stripped down OS, not a standard PC version. So many standard viruses or hacks that are written for a PC would not run or run the same on your Office MFD. Does that mean you are out of the woods? or you can put your head back in the sand on this issue? not hardly!

Security is a balancing act (see the article on Security with Convenience on this Blog). If we REALLY want total security on the MFD then go ahead and unplug it from the network and return it to copier only status. But you should also disconnect all the PCs from the same dangerous network, and we know that’s not going to happen.

But don’t despair there is more good news for those of us who care about security. There are a few basic things that you can do to better secure your copier MFD MFP. Start with these simple things that can easily be done on most MFDs.

1. Set an Admin password on the MFDs (that is NOT the default password).
For practical purposes you will want to have the same one on all of your MFDs. Resist the temptation to make it different on every MFD in every department. It will make servicing and supporting the equipment a logistical nightmare. Your Service Techs, and Systems  Engineers (SEs) from your servicing dealer will also need access to this password. Don’t panic, remember that your “Copier Dealer” is their to keep your MFD running, it is not likely that they will hack your system.

2.Have your Servicing dealer shut off any ports that you do not need or use. For instance if you are not using the FTP service then turn off port 21 on your MFD. This will stop attacks or hacks that depend on this port. Your dealers Systems Engineer will be able to give you a list of what ports are open and how to shut them off. If not, get another servicing dealer.

3. If everyone is printing through a Print Server than you can easily set up an IP or MAC filter on your MFD, so that the MFD will only communicate with your print server. Any other network device trying to access or communicate with the MFD will be rejected.

There are a number of other steps that you could take to secure the copier. But keep in mind that part of security is Access and Access control. Authorized, legitimate users still need to be able to actually use the MFD to Print, Scan, Fax, and oh yeah Copy.
You could make it soooo secure that no one uses it, then what have you gained…. a hostile end user community, and no one wants that.

If you do nothing but the above three steps your MFD will be more secure than it ever was before. They are not hard to do, nor are they hard to maintain. They will cause a minimal amount of inconvenience to your end user community. To take it to the next level read https://theconnectedcopier.wordpress.com/2008/12/18/security-with-convenience-the-next-killer-app/

That’s my $0.02
Vince McHugh
vince.mchugh@necs.biz

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: