When it comes to multifunction printers (MFPs), security sometimes gets a low priority. Printers used to, well, just print. Now they can send a document to cloud storage, print by voice commands with Alexa, or let the manufacturer know when you’re low on ink. Truth be told, these can be handy features. The security concerns lie, however, in how a device stores your print jobs, sends your scan jobs, and communicates on a network.
If you’ve ever wondered if there’s anything you can do to make a multifunction printer more secure, there is. If we’re talking about that inkjet printer attached via USB, there probably isn’t much to worry about. On the other hand, when printing to that shared printer at the library or the one in the co-working space, there are a few things to be aware of. We will cover some best practices, tips, and basic settings which can be employed in a printing environment to keep your data from being used in an unintended way. Even a home printer on the Wi-Fi can be improved.
Print Job Security
We all know we shouldn’t be doing any banking on public Wi-Fi, right? But what about printing tax forms, bank statements, or that resume to the shared printer at the library? If you’re printing to a shared printer at a public place or co-working space, I would recommend using the direct queue. The direct queue bypasses the printer’s HDD, if any, and prevents the printer from storing any information from the printed document. Just about every printer will have a job log which stores who printed and what was printed for the last few jobs. When it comes to public MFPs or all in ones, you will have little control over their security, so best practices should be utilized. The direct print queue is one way to keep sensitive documents from leaving any data on a printer.
The simplest way to print from the direct queue is from a USB drive at the printer. I can’t think of any printers nowadays that don’t have a USB port for this purpose. Also, you will be right in front of the printer as the job prints. Make sure the file on the USB is in a print ready format (.PDF, .XPS, .JPG).
The next best way to utilize the direct queue is from the printer’s web interface. HP, Canon, Brother, Xerox, Lexmark, Konica Minolta, Kyocera, Toshiba, Ricoh, and the rest all have web interfaces which allow for direct printing. Type the printer’s IP address or host name into your web browser. Look for a tab with the words “print”, “job”, or “queue”. Submit your print ready file and the job bypasses the printer’s HDD.
The direct queue (or port 9101) can also be used by changing the port settings in your print driver. When it comes to a home printer or a trusted printer at work this level of security isn’t warranted.
Secure print, sometimes known as private print, is similar to the hold queue, only it requires a security PIN to release the print job. Not all print drivers support this feature. The job will not bypass the HDD, assuming the printer has one, nor does it use any encryption or secure connection. If it is available, it is a good way to prevent a job from sitting in the exit tray until you can get to it. This type of security is best for MFPs or all in ones in a trusted environment.
Scan Job Security
When it comes to scanning, there are typically several choices: scan to folder, scan to cloud, scan to email, scan to FTP, or scan to USB. If you ever have to scan a document with sensitive information from a public copier or multifunction printer, the most secure method, again, is with a USB drive. Scanning to a USB drive will bypass the HDD, if any, and does not use the network at all.
Scan to file can be the simplest to set up. Simply share a folder with everyone and point the all in one to the share. However, that is the least secure method. That setup shouldn’t be used with any public or co-working space multifunction printer. In my opinion, scan to folder is best when there is a file server on the network and domain user authentication.
Scan to email is also popular and fairly easy to set up. Most public or co-working space MFPs will probably have this setup. The drawback is that this method does utilize an HDD if the MFP has one. This setup is preferable to scan to folder with home or small office networks. If you use this setup at home or work, I would recommend changing the default admin password on the MFP or all in one.
Scan to FTP requires a bit more setup on the server side but provides good security if your MFP or all in one supports SFTP or FTPS. An external email server isn’t involved, file sharing doesn’t have to be enabled, and the only user authentication is with the FTP server.
As far as scanning and security, secure PDF is an after the fact type of security. It adds a password of your choosing to the scanned file. The password can be used to prevent the file from being copied or printed. It doesn’t secure the connection or data on the MFP.
About a dozen years ago, a certain manufacturer’s MFPs could accidentally host their web interface on the internet. A random search for something like “web image monitor”, for instance, would return results for any MFPs that had a gateway and DNS address entered. Basically, anybody on the internet could access the web interface of these MFPs. Any unfortunate company that hadn’t changed the default password of their copier was at risk.
Address books at this time were also stored in .csv files as plain text. A shared folder entry would have a user name and password. In plain text. Accessible on the internet. A bit of a security risk, but as far as I know this was fixed fairly quickly and nothing bad happened. Address books on MFPs or all in ones have been encrypted since then as well.
While there’s no longer a risk like that, many all in ones can communicate over the internet. While there is little risk with these communications, there are a few things to keep in mind when hooking up devices to your network.
For example, chatty protocols such as Bonjour or WSD can be turned off. They make all wireless devices and cloud apps work without much interaction, which is nice. On the other hand, you should consider whether everybody with a smartphone within 100 feet needs to know your printer is ready to print. Turning off the extra features on the all in one is something that should be considered on a case by case basis. In most cases, manual settings can be entered for cloud services and printing apps to still work.
Another way to keep your printer from communicating with the internet is leaving the gateway and DNS addresses empty. Of course, cloud services and apps won’t work with this method. Unless you’re running a bank from your home or office, this may be overdoing it a bit.
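To see which of the network services discussed above your own printer currently answers on, a short check like the following can be run from a computer on the same network. This is an added example, not part of the original post; the port numbers in the table are assumptions (common defaults, plus the port 9101 named earlier) and should be adjusted to match your printer’s settings page.

```python
import socket
import sys

# TCP ports for services the post discusses. The port numbers are this
# example's assumptions (common defaults, plus the 9101 the post names);
# adjust them to match your printer's settings page.
SERVICES = {
    21: ("FTP", "scan to FTP in clear text; use SFTP or FTPS if supported"),
    80: ("web interface (HTTP)", "change the default admin password"),
    443: ("web interface (HTTPS)", "change the default admin password"),
    9100: ("raw print", "disable if unused"),
    9101: ("direct queue", "port named in the post; disable if unused"),
}
# Bonjour (mDNS, UDP 5353) and WSD discovery (UDP 3702) are multicast UDP
# and cannot be seen with a TCP connect; check those in the printer's settings.


def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def audit(host, services=SERVICES, timeout=1.0):
    """Return (port, service, advice) for each listed service that answers."""
    findings = []
    for port in sorted(services):
        if is_open(host, port, timeout):
            name, advice = services[port]
            findings.append((port, name, advice))
    return findings


if __name__ == "__main__":
    # Usage: python printer_audit.py <printer IP or host name>
    if len(sys.argv) != 2:
        sys.exit("usage: printer_audit.py <printer IP or host name>")
    results = audit(sys.argv[1])
    for port, name, advice in results:
        print(f"{port:>5}/tcp open  {name}: {advice}")
    if not results:
        print("none of the listed services answered")
```

Run it again after changing a setting on the printer to confirm the service really stopped answering.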
In summary, use a USB drive as much as possible for printing and scanning. Disabling protocols if they aren’t being used is the best practice. Secure print and secure PDF are options with very nuanced uses. Firmware updates and changing the default admin password are also best practices.