
Queen's University
 

G1. Multifunction Device (MFD) Security Hardening Guidelines

These guidelines document the security requirements for the following networked devices:

  • Printers
  • Scanners
  • Copiers
  • Faxes
  • MFDs*

* An MFD is sometimes called a multifunction printer (MFP) or all-in-one (AIO) device, and typically incorporates printing, copying, scanning, and faxing capabilities. For the purposes of these guidelines, we will refer to all of the devices listed above as MFDs.

It is assumed that networked campus MFDs are likely to handle some amount of personal, confidential, and/or operationally-sensitive University information. These guidelines are required to protect that information.

The Information Systems Security Office derived this list from government and industry documents, with a particular focus on configuration issues that are unique to the computing environment at Queen's University.

Because management interfaces for MFDs vary, even within the same product line, these guidelines provide general best practices. In order to implement them, consult your MFD’s documentation or the vendor.

Installation/Configuration Guidelines

  1. Change the factory default password that controls device configuration. (See the Creating Strong Passwords page for additional information.)
  2. Assign an IP address. (Contact your ITAdmin Rep for assistance, and be sure to specify it is for a network printer, copier or MFD.)
  3. If hard disk functionality is enabled, configure the device to remove spooled files, images, and other temporary data using a secure overwrite between jobs.
  4. Use secure communications (such as HTTPS) to access web-based device configuration pages.
  5. Disable all protocols other than IP printing, if they are not being utilized.
  6. Upgrade to patched firmware when it becomes available from the vendor.
Note: Both Seaway Solutions (Xerox) and the OT Group (Canon) will follow the above-mentioned configuration guidelines.
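
One way to check guidelines 4 and 5 on devices you administer is to review the open ports reported in Nmap grepable output (nmap -oG). The script below is an added example, not part of the original guidelines; the port allow-lists and the sample scan lines are assumptions constructed for illustration.

```python
import re

# Assumptions, not from the guidelines: which TCP ports count as "IP printing"
# and as secure management. Adjust to what your devices actually use.
PRINT_PORTS = {515: "LPD", 631: "IPP", 9100: "raw"}
SECURE_MGMT_PORTS = {443: "HTTPS"}

# One grepable-output port entry: port/state/protocol/owner/service/...
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")

def parse_gnmap(text):
    """Map each host to its open ports as (port, protocol, service) tuples."""
    hosts = {}
    for line in text.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            host = line.split()[1]
            entries = PORT_RE.findall(line.split("Ports:", 1)[1])
            hosts[host] = [(int(p), proto, svc) for p, proto, svc in entries]
    return hosts

def audit(hosts):
    """Return (host, port, finding) for each port that needs review."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, proto, svc in ports:
            if proto == "tcp" and (port in PRINT_PORTS or port in SECURE_MGMT_PORTS):
                continue
            if proto == "tcp" and port == 80:
                why = "guideline 4: web configuration reachable over plain HTTP"
            else:
                why = f"guideline 5: {svc or 'unknown'}/{proto} open, disable if unused"
            findings.append((host, port, why))
    return findings

# Constructed sample (documentation addresses), not output from a real device.
SAMPLE = "\n".join([
    "Host: 192.0.2.10 ()\tStatus: Up",
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 9100/open/tcp//jetdirect///",
    "Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 631/open/tcp//ipp///",
])

if __name__ == "__main__":
    for host, port, why in audit(parse_gnmap(SAMPLE)):
        print(f"{host}:{port} {why}")
```

A device whose port 80 only redirects to HTTPS is still flagged; confirm the redirect on the device before closing the finding.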
 

Decommissioning Guideline

All Multifunction Devices with hard drives must have their hard drives securely erased when removed from service and when storage components are replaced. A certificate of erasure must be supplied to Strategic Procurement Services (SPS).

  • Both Seaway Solutions (Xerox) and the OT Group (Canon) will follow the necessary erasure protocols and provide a certificate of erasure to SPS whenever they decommission a leased device. 
  • If you own a networked MFD with a hard drive that is not leased through one of the University's enterprise agreements, ITServices offers a Hard Drive Destruction and Disposal service which can assist in the proper disposal of hard drives.

Physical Location

If your device contains a hard drive, you should choose its location carefully:

  • Where possible, try to locate it in an area that has little or no public access during business hours, and is locked down during non-business hours.
  • If your device is in a public area (e.g. a library), it may be necessary to lock the device to prevent access to the hard drive inside it.

Additional Information

Please see the following pages for further information:

The EDUCAUSE & Internet2 Higher Education Information Security Council (HEISC) has gathered resources on this topic and developed a list of suggested steps to take when securing campus copiers, printers, or other multifunction devices:

https://wiki.internet2.edu/confluence/display/itsg2/Copier+and+MFD+Security

Questions?

Please contact the Information Systems Security Office.

 

 

Kingston, Ontario, Canada. K7L 3N6. 613.533.2000