...
Step - The step number in the procedure. If there is a UT Note for this step, the note # corresponds to the step #.
Check - This is for administrators to check off when they complete this portion.
To Do - Basic instructions on what to do to harden the respective system.
MFD - Reference number in the Defense Information Systems Agency document entitled Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the *!*).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
...
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1
If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected. Performing as much of the configuration as possible while the MFD is not plugged into the network is another alternative.

Some printers support non-IP based protocols for compatibility with legacy systems. These might include AppleTalk and IPX/SPX. These protocols are more difficult to monitor and secure, and should be disabled if they are not being used.

Giving MFDs static IP addresses or DHCP reservations makes it easier to monitor them and apply access lists on hardware-based firewalls. Consider placing sensitive MFDs on their own VLAN, which may make them easier to identify and secure. It is also strongly advised to give MFDs campus-routed RFC 1918 addresses, so that they are not accessible from the Internet. It is rare that an MFD needs to be accessed from off-campus, and a VPN can be used in those instances.

Examples of ways to provide secure communications:

Examples of management protocols that can possibly be disabled:

MFD upgrades are often manual processes. Patch update notifications might include e-mails from the manufacturer or leasing company.

Examples of possible protocols:

Some MFDs may include the ability to securely erase job-related files in between jobs. Others might require an optional security kit from the manufacturer.

Some ways to provide secure storage on MFDs:

The level of confidentiality required dictates how MFDs are physically placed. Examples might include:

If the MFD has a removable hard drive option, then ensure that the drive is locked into the device.
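
A check for the addressing note above, as an added example that is not part of the original checklist: it audits a device inventory for addresses outside RFC 1918 space and for devices without a static address or DHCP reservation. The inventory format, device names and addresses are constructed for illustration.

```python
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical names; 198.51.100.23 is a
# documentation address standing in for a publicly routed one).
INVENTORY = [
    {"name": "mfd-lib-01", "ip": "10.20.30.41", "assignment": "static"},
    {"name": "mfd-hr-02", "ip": "172.20.5.9", "assignment": "dhcp-reservation"},
    {"name": "mfd-lab-03", "ip": "192.168.7.15", "assignment": "dhcp-dynamic"},
    {"name": "mfd-adm-04", "ip": "198.51.100.23", "assignment": "static"},
    {"name": "mfd-eng-05", "ip": "169.254.12.7", "assignment": "dhcp-dynamic"},
    {"name": "mfd-old-06", "ip": "not-set", "assignment": "static"},
]

# Assignment types that keep a device at a predictable address.
STABLE = {"static", "dhcp-reservation"}


def is_rfc1918(ip_text):
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16.

    Stricter than ipaddress.is_private, which also accepts link-local,
    loopback and documentation ranges.
    """
    addr = ipaddress.ip_address(ip_text)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def audit(inventory):
    """Return {device name: [findings]} for devices that miss the advice."""
    findings = {}
    for dev in inventory:
        problems = []
        try:
            if not is_rfc1918(dev["ip"]):
                problems.append("address is outside RFC 1918 space")
        except ValueError:
            problems.append("address does not parse")
        if dev["assignment"] not in STABLE:
            problems.append("no static address or DHCP reservation")
        if problems:
            findings[dev["name"]] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(problems)}")
```
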
References
- DISA Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1, Release 1
- DISA Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1, Release 1.2
- HP LaserJet 4345 MFP Security Checklist
- HP Secure Imaging and Printing
- Canon imageRUNNER Security Kit
- UT Austin Minimum Security Standards for Systems
- UT Austin Minimum Security Standards for Data Stewardship
- UT Austin Data Encryption Guidelines
- UT Austin ISO Consensus Papers
- SANS Institute Gold Paper: Auditing and Securing Multifunction Devices