TCU Networked Printer Policy & Guidelines
The purpose of this document is to describe the requirements for the installation of a networked printer. Printers today have traditional computer operating systems, hard drives and network protocols, and so are in reality another type of workstation or server. In addition, these printers are often used to copy/print/fax/scan documents containing sensitive or confidential information. In the past these devices have not received the attention or oversight that traditional computers have, and this has led to the potential for sensitive data breaches. This policy is intended to provide the standards and procedures to reduce this risk.
This document applies to any faculty or staff printer, copier or scanner that is attached to the TCU network using any means.
- Networked printers – Printers that connect to the TCU network. They are typically multifunctional printers that have hard drives or other storage media and may be able to print/copy/fax/scan/email.
Purchasing or Leasing
- All networked printers will be purchased or leased through either Information Technology or Printing Services and registered in the Information Technology inventory system.
- All external vendors responsible for the installation, maintenance or removal of networked printers will be chosen by Information Technology. These vendors will be contractually required to comply with the requirements of this policy.
- The number of networked printer models will be restricted to help standardize configurations and ease support times.
- All networked printers must be capable of being managed centrally.
Installation and Disposal
- Any new printer models not previously scanned for security vulnerabilities will be installed temporarily in the TR warehouse and scanned. The printers will not be turned over to users until the scans are completed successfully. If this is a replacement printer then the old printer should not be removed until the new printer is ready in order to limit customer frustration.
- Information Technology or their vendors will configure all settings according to the Data Security section below. Information Technology will verify these settings.
- Information Technology will configure the print queues and Pharos.
- Information Technology will set up an AD account for “scan to folder” and configure the credentials on printers.
- Information Technology will configure LDAP search credentials on printers.
- Information Technology will add an IP exception to XSMTP for printer access.
- Whenever the hard drive or storage device is replaced or the networked printer is retired then the hard drive will be turned over to Information Technology or certified by the vendor that it has been scrubbed of all data.
Data Security
- Require authentication and authorization for any administrative changes, although users will be allowed to make printing changes (e.g. Enlarge by 150%) without a password.
- Set the local admin password to one shared by all printers maintained by a given vendor, distinct from the passwords used by other vendors.
- Change the default SNMP read/write community strings.
- Disable all protocols except TCP/IP. This includes protocols such as AppleTalk and IPX/SPX.
- Disable all management protocols, except HTTPS and SNMPv3.
- Disable all services except those that are necessary, such as JetDirect (port 9100) and LPD (port 515). Always disable Telnet, FTP and HTTP.
- Enable immediate image overwrite and schedule regular off-hours overwrite (DoD 3-pass). Do not store documents locally.
- Enable encryption (minimum 128-bit AES).
- Use network encryption and secure protocols such as IPSec, SSL, SNMPv3.
- Ensure the networked printer maintains its configuration state (passwords, service settings, etc.) after power-down or reboot.
- Maintain the patches on a consistent basis. Ensure devices are flash upgradeable and are configured to use the most current firmware available.
- If the networked printer has a removable hard drive option, then ensure that the drive is locked into the device to prevent access to the hard disk. If a locking mechanism is not provided then it must be acquired before installation.
- Physically secure the networked printer in areas with restricted access such as an office or data center.
- Regularly review vendor security bulletins.
- Use LDAP (Secure LDAP when available) for searching for email accounts as well as the local email directory.
- Information Technology will scan and review all printers on a quarterly basis for compliance with this policy and any issues will be immediately addressed.
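As an added example (not TCU's or any vendor's tooling), the following Python encodes the Data Security rules above as a compliance check that can be run over an inventory of observed printer settings. The record fields, the normalised protocol and service names, the sample serial numbers and the sample community strings are all constructed for this example; in practice the records would be populated from the quarterly scan.

```python
"""Policy compliance check for networked printer inventory records (added example)."""
from dataclasses import dataclass

# Settings the Data Security section permits (normalised names are this example's own).
ALLOWED_NETWORK_PROTOCOLS = {"tcp/ip"}
ALLOWED_MANAGEMENT_PROTOCOLS = {"https", "snmpv3"}
ALLOWED_SERVICES = {"jetdirect", "lpd"}            # ports 9100 and 515
ALWAYS_DISABLED_SERVICES = {"telnet", "ftp", "http"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}   # common vendor defaults to reject
MIN_AES_BITS = 128


@dataclass(frozen=True)
class PrinterRecord:
    """Observed settings for one printer (field names are assumptions of this example)."""
    serial: str
    network_protocols: frozenset
    management_protocols: frozenset
    services: frozenset
    snmp_read_community: str
    snmp_write_community: str
    admin_auth_required: bool
    immediate_image_overwrite: bool
    scheduled_overwrite: bool
    storage_encryption_bits: int
    firmware_current: bool
    removable_drive: bool
    drive_locked: bool


def check_printer(rec: PrinterRecord) -> list[str]:
    """Return one finding per policy rule the record violates (empty list = compliant)."""
    findings = []
    extra = rec.network_protocols - ALLOWED_NETWORK_PROTOCOLS
    if extra:
        findings.append(f"network protocols enabled beyond TCP/IP: {sorted(extra)}")
    extra = rec.management_protocols - ALLOWED_MANAGEMENT_PROTOCOLS
    if extra:
        findings.append(f"management protocols other than HTTPS/SNMPv3: {sorted(extra)}")
    banned = rec.services & ALWAYS_DISABLED_SERVICES
    if banned:
        findings.append(f"always-disabled services running: {sorted(banned)}")
    unneeded = rec.services - ALLOWED_SERVICES - ALWAYS_DISABLED_SERVICES
    if unneeded:
        findings.append(f"unnecessary services running: {sorted(unneeded)}")
    for label, value in (("read", rec.snmp_read_community), ("write", rec.snmp_write_community)):
        if value.lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(f"SNMP {label} community string is a vendor default")
    if not rec.admin_auth_required:
        findings.append("administrative changes do not require authentication")
    if not rec.immediate_image_overwrite:
        findings.append("immediate image overwrite disabled")
    if not rec.scheduled_overwrite:
        findings.append("no scheduled off-hours overwrite")
    if rec.storage_encryption_bits < MIN_AES_BITS:
        findings.append(f"storage encryption below {MIN_AES_BITS}-bit AES")
    if not rec.firmware_current:
        findings.append("firmware not at the most current available version")
    if rec.removable_drive and not rec.drive_locked:
        findings.append("removable hard drive is not locked into the device")
    return findings


def quarterly_report(records) -> dict:
    """Map serial number -> findings for every printer with at least one violation."""
    return {r.serial: f for r in records if (f := check_printer(r))}


# Constructed sample inventory: one hardened printer, one still at vendor defaults.
SAMPLE_RECORDS = [
    PrinterRecord("SN-EXAMPLE-001", frozenset({"tcp/ip"}), frozenset({"https", "snmpv3"}),
                  frozenset({"jetdirect", "lpd"}), "c0mmunity-vendorA-ro", "c0mmunity-vendorA-rw",
                  True, True, True, 256, True, True, True),
    PrinterRecord("SN-EXAMPLE-002", frozenset({"tcp/ip", "appletalk"}), frozenset({"http", "snmpv1"}),
                  frozenset({"jetdirect", "lpd", "telnet", "ftp"}), "public", "private",
                  False, False, False, 0, False, True, False),
]

if __name__ == "__main__":
    for serial, findings in quarterly_report(SAMPLE_RECORDS).items():
        print(serial)
        for finding in findings:
            print("  -", finding)
```

Each finding maps back to one bullet of the Data Security section, so the report doubles as the list of items to address after a quarterly review; printers with an empty finding list are compliant and are omitted from the report.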
Create an IT Help Desk ticket with the following information
- service requested by (date)
- printer’s make/model
- serial number
- MAC address
- required feature – scan to email
- required feature – scan to network drive
- which network scan document share
- file format