Introduction and scope
There are a wide variety of threats to university information systems and computing environments. In order to reduce the risk of compromise, and minimize the impact in the event of a compromise, the university has developed policies, standards, and guidelines to assist in improving security.
Network printers, scanners, photocopiers, and multifunction devices that may also handle fax are all examples of networked peripheral devices. These devices are essentially computers, and are subject to the same threats as computers on the campus network. The purpose of this standards document is to assist those responsible for the installation and maintenance of peripheral devices at the University of Waterloo with maintaining the security of the network, the reliability of the devices, and the privacy of the information recorded and transmitted by these devices.
Change the administrator password
All networked peripheral devices have one or more ways of editing the configuration, be it using a web browser, a telnet client, and/or some other method. Setting the administrator password prevents unauthorized configuration changes.
Patch the device
These devices, like computers, are controlled by software. Security vulnerabilities are often discovered for such software, so it is advisable that the software is updated before the device is placed into service.
Disable unused functionality
Modern networked peripherals support a wide range of protocols, including enterprise authentication and email. If the functionality is used, it should be configured as appropriate, otherwise it should be disabled, where possible.
Configure access control on the device
Most devices support access control lists. Ideally, access controls should be set so that access is restricted to:
- Print servers
- Client computers that may print directly to the device
- Computers used to manage the device
Put the device on a 'private' network
The bulk of threats to networked peripheral devices are from outside of the campus network. Placing the devices on a network that is routed only on-campus significantly reduces the threat exposure. Putting multiple devices on the same isolated 'private' network allows the definition of access controls at the network router/firewall, which should simplify the management of network access controls.
The configuration settings of networked peripheral devices are often overlooked, because once configured, they 'just work' and only require replacement consumables. It is strongly recommended that the software level and configuration of these devices be reviewed at least once per year.
Some networked peripheral devices have fixed disk drives. These drives may contain images of some or all of the documents scanned/copied/transmitted by the device. Since there is a strong possibility that Confidential or Restricted information may be stored on these disk drives, they need to be disposed of securely. This applies to devices which are returned to the supplier as well as to devices which are re-purposed or disposed of using the standard university guidelines.