Multifunction Device Hardening Checklist
This checklist contains multifunction device (MFD) hardening requirements. An MFD is sometimes called a multifunction printer (MFP) or all-in-one (AIO) device, and typically incorporates printing, copying, scanning, and faxing capabilities. Because management interfaces for MFDs vary, even within the same product line, this checklist provides general best practices. In order to implement the items on this checklist, consult your MFD's documentation or the vendor. The Information Security Office derived this list from government and industry documents, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.
How to use the checklist
Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.
How to read the checklist
Step - The step number in the procedure. If there is a UT Note for this step, the note # corresponds to the step #.
Check - This is for administrators to check off when she/he completes this portion.
To Do - Basic instructions on what to do to harden the respective system
MFD - Reference number in the Defense Information Systems Agency document entitled Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network.
UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Server Information
MAC Address |
|
IP Address |
|
Machine Name |
|
Asset Tag |
|
Administrator Name |
|
Date |
|
Step | ? | To Do | MFD | UT Note | Cat I | Cat II/III | Min Std |
|
| Preparation and Installation |
|
|
|
|
|
|---|---|---|---|---|---|---|---|
1 |
| If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened. |
| ! |
| ||
|
| Network Protocols |
|
|
|
|
|
2 |
| Disable all protocols other than IP if they are not being utilized. | 01.001 | ! |
| ||
3 |
| Assign the MFP a static IP address. | 01.002 | ! |
|
| |
4 |
| Restrict printing/copying/faxing/scanning to the minimum number of subnets practical for the device to function for its group of users. | 01.003 |
| ! |
| |
5 |
| Use secure communications. |
| ! |
| ||
|
| Management Services |
|
|
|
|
|
6 |
| Change default passwords and SNMP community strings. | 02.001 |
| ! | ! | |
7 |
| Ensure the MFD maintains its configuration state after power-down or reboot. If a full reset is performed, ensure that a process is in place to reconfigure the MFD back to its production state. | 02.002 |
| ! |
|
|
8 |
| Disable unneeded management protocols. | 02.003 | ! |
| ||
9 |
| Upgrade to patched firmware expediently, in a manner consistent with change control processes. | 02.004 |
| ! | ! | |
10 |
| Utilize automated patching notification, if available. |
| ! | ! | ||
11 |
| Only allow specific, trusted subnets or hosts to manage the MFD. | 02.005 |
| ! |
| |
|
| Print/Copy/Scan/Fax Services |
|
|
|
|
|
12 |
| Limit print/copy/fax/scan services to required protocols. | 03.001 | ! |
| ||
13 |
| If hard disk functionality is enabled, configure the MFD to remove spooled files, images, and other temporary data using a secure overwrite between jobs. | 07.001 | ! |
|
| |
14 |
| Ensure that the MFD provides secure storage for Cat-I data. |
| ! |
| ||
|
| Logging |
|
|
|
|
|
15 |
| Ensure that logging is enabled on MFDs. | 06.001 |
| ! |
| |
16 |
| Logs are reviewed on a regular basis. | 06.006 |
| ! |
| |
17 |
| Logs follow data retention policies. |
|
| ! |
| |
|
| Physical Security |
|
|
|
|
|
18 |
| Physically secure the MFD in areas with restricted access. |
| ! |
| ||
19 |
| Lock and prevent access to the hard disk. | 08.001 | ! |
| ||
20 |
| Ensure that only printer administrators can modify the global configuration from the console by requiring a password. | 08.002 |
| ! |
| |
21 |
| Ensure that sensitive data is disposed of at device end-of-life. |
| ! |
|
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.