Copier and MFD Security

Eight Steps to Secure Your Copier or Multi-Function Device (MFD)

Note: The resources below have been gathered to specifically address concerns related to the security of sensitive information that may be stored on the hard drives of copiers, printers, or multi-function devices. However, it is good practice to develop a general minimum security standard for ALL networked devices. Issues related to media disposal, confidential data handling, patching, encryption, third-party contracts, etc. are not unique to the devices mentioned here.

  1. Configure copiers, printers, and other multi-function devices securely.
    • Configure the device with a static IP address, using RFC1918 (non-routable) addressing if possible.
    • Limit network access to the device, by configuring IP restrictions (firewall or ACL) for the device to only those needed.
    • Change default admin password to a strong value, and change community string names.
    • Disable all unneeded services, protocols, and features. Often just TCPIP is needed, and ports 9100 (HP Jet Direct) and/or 515 (LPD).
    • Employ a method to erase or overwrite the hard disk between jobs, such as setting a job timeout value.
    • Refer to the following university resources below: Brown, Indiana University, Northwestern, UC Davis, UC Irvine, UT Austin, and Yale.
  2. Develop appropriate policies and procedures that address disposal procedures for equipment, protecting sensitive data, etc.
    • Always employ appropriate disposal procedures for equipment. When in doubt, consult the manufacturer for proper sanitization procedures.
      • Destroy/shred/erase internal hard drives before decommissioning
      • Negotiate contract terms that include secure wiping/disposal for leased equipment
    • Refer to the following university resources below: Indiana, University at Buffalo, and University of Florida.
    • This HEISC resource includes a survey of higher education disposal policies and practices: Guidelines for Information Media Sanitization.
  3. Work with vendors to make sure devices meet industry security standards and certifications.
    • Be sure to review current contracts. If security concerns arise, work with vendors to close the gaps and modify/update contracts as needed.
    • Develop a template for contact/service agreements with vendors that have devices with more native security features. Many vendors also offer optional data security kits.
    • Refer to the following university resources below: Brown, Indiana, UC Davis, and UC Irvine.
  4. Educate IT staff, business offices, and other users on campus.
    • For IT support, make them aware of university policy and practices, especially regarding proper disposal of electronic equipment, and any contracts or special fees that are required for equipment.
    • For faculty/staff/students, alert them to the risk of making copies off-site coupled with information about the institution's policy and practices. It's also a good opportunity to tie in a more general reminder about PII and the reasons to protect it.
    • Refer to the following university resources below: Brown and University of Florida.
  5. Remember to perform firmware updates on a regular basis. Upgrades are often a manual process.
    • Some vendors offer security updates via RSS Feed (e.g., Xerox).
    • Refer to the following university resources below: UC Irvine, UT Austin, and Yale.
  6. Consider managing all copiers/multi-function network devices through one office, and utilize print spool servers.
    • With a central print spool/queue service, you can limit direct printer access to only that server.
    • Refer to the following university resources below: Boston University, Broward College, and University of Akron.
  7. Consider requiring drive encryption.
    • Refer to the following university resources below: UC Irvine.
  8. Consider physical security of hard drives for devices with open access.
    • Remind faculty/staff/students to avoid copying documents with sensitive information using public-access devices.
    • Post flyers or label machines in public places as a reminder that any data copied there may be stored in the memory.
    • Move printers or copiers to more secure (and less open) spaces whenever possible. Consider housing them in an area that is staffed, and locked after hours.

Additional Resources for Copier & Multifunction Device (MFD) Security

Higher Education Resources

Industry & Other Resources

Questions or comments? Contact us.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).