Skip to content

Multifunction Device and Network Printers STIG

Rules, Groups, and Values defined within the XCCDF Benchmark

  • MFD/Printer Firewall/Router Rule Perimeter

    <GroupDescription></GroupDescription>
    Group
  • A firewall or router rule must block all ingress and egress traffic from the enclave perimeter to the MFD or Network Printer.

    &lt;VulnDiscussion&gt;Access to the MFD or printer from outside the enclave network could lead to a denial of service caused by a large number of l...
    Rule Medium Severity
  • MFD Firmware

    <GroupDescription></GroupDescription>
    Group
  • The MFD or Network Printer must employ the most current firmware available.

    &lt;VulnDiscussion&gt;MFD devices or printers utilizing old firmware can expose the network to known vulnerabilities leading to a denial of service...
    Rule Medium Severity
  • MFD SNMP Community Strings

    <GroupDescription></GroupDescription>
    Group
  • The default passwords and SNMP community strings of all management services have not been replaced with complex passwords.

    &lt;VulnDiscussion&gt;There are many known vulnerabilities in the SNMP protocol and if the default community strings and passwords are not modified...
    Rule High Severity
  • MFD Configuration State After Power Down or Reboot

    <GroupDescription></GroupDescription>
    Group
  • The MFD or Network Printer must maintain configuration state (e.g., passwords, service settings) after a power down or restart.

    &lt;VulnDiscussion&gt;If the MFD does not maintain it state over a power down or restart, it will expose the network to all of the vulnerabilities ...
    Rule High Severity
  • MFD Management Protocols

    <GroupDescription></GroupDescription>
    Group
  • Management protocols, with the exception of HTTPS and SNMPv3, must be disabled at all times except when necessary.

    &lt;VulnDiscussion&gt;Unneeded protocols expose the device and the network to unnecessary vulnerabilities.&lt;/VulnDiscussion&gt;&lt;FalsePositives...
    Rule Medium Severity
  • MFD or a printer can be managed from any IP

    <GroupDescription></GroupDescription>
    Group
  • There is no restriction on where a MFD or a printer can be remotely managed.

    &lt;VulnDiscussion&gt;Since unrestricted access to the MFD or printer for management is not required the restricting the management interface to sp...
    Rule High Severity
  • Print Services Restricted to Port 9100 and/or LPD

    <GroupDescription></GroupDescription>
    Group
  • Print services for a MFD or printer are not restricted to Port 9100 and/or LPD (Port 515). Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously.

    &lt;VulnDiscussion&gt;Printer services running on ports other than the known ports for printing cannot be monitored on the network and could lead t...
    Rule Low Severity
  • MFD/Printer Restrict Jobs Only From Print Spooler

    <GroupDescription></GroupDescription>
    Group
  • A MFD or printer is not configured to restrict jobs to those from print spoolers.

    &lt;VulnDiscussion&gt;If MFDs or printers are not restricted to accept print jobs only from print spoolers that authenticate the user and log the j...
    Rule Medium Severity
  • MFD Authorized Users Restrictions

    <GroupDescription></GroupDescription>
    Group
  • Print spoolers are not configured to restrict access to authorized users and restrict users to managing their own individual jobs.

    &lt;VulnDiscussion&gt;If unauthorized users are allowed access to the print spooler they can queue large print file creating a denial of service fo...
    Rule Medium Severity
  • MFD and Spooler Auditing

    <GroupDescription></GroupDescription>
    Group
  • The devices and their spoolers do not have auditing enabled.

    &lt;VulnDiscussion&gt;Without auditing the identification and prosecution of an individual that performs malicious actions is difficult if not impo...
    Rule Medium Severity
  • MFD/Printer Security Policy

    <GroupDescription></GroupDescription>
    Group
  • Implementation of an MFD and printer security policy for the protection of classified information.

    &lt;VulnDiscussion&gt;Department of Defense Manual 5200.01, "Protection of Classified Information" provides policy, assigns responsibilities, and p...
    Rule Low Severity
  • MFD Level of Audit and Reviewing

    <GroupDescription></GroupDescription>
    Group
  • The level of audit has not been established or the audit logs being collected for the devices and print spoolers are not being reviewed.

    &lt;VulnDiscussion&gt;If inadequate information is captured in the audit, the identification and prosecution of malicious user will be very difficu...
    Rule Low Severity
  • MFD Classified Network

    <GroupDescription></GroupDescription>
    Group
  • MFDs with print, copy, scan, or fax capabilities must be prohibited on classified networks without the approval of the DAA.

    &lt;VulnDiscussion&gt;MFDs with print, copy, scan, or fax capabilities, if compromised, could lead to the compromise of classified data or the comp...
    Rule High Severity
  • MFD Clearing Disk Space Scan to Disk

    <GroupDescription></GroupDescription>
    Group
  • A MFD device, with scan to hard disk functionality used, is not configured to clear the hard disk between jobs.

    &lt;VulnDiscussion&gt;If the MFD is compromised the un-cleared, previously used, space on the hard disk drive can be read which can lead to a compr...
    Rule Medium Severity
  • MFD Scan Discretionary Access Control

    <GroupDescription></GroupDescription>
    Group
  • Scan to a file share is enabled but the file shares do not have the appropriate discretionary access control list in place.

    &lt;VulnDiscussion&gt;Without appropriate discretionary access controls unauthorized individuals may read the scanned data. This can lead to a com...
    Rule Low Severity
  • MFD fax from network auditing

    <GroupDescription></GroupDescription>
    Group
  • Auditing of user access and fax logs must be enabled when fax from the network is enabled.

    &lt;VulnDiscussion&gt;Without auditing the originator and destination of a fax cannot be determined. Prosecuting of an individual who maliciously c...
    Rule Low Severity
  • MFD scan to SMTP (email)

    <GroupDescription></GroupDescription>
    Group
  • MFDs must not allow scan to SMTP (email).

    &lt;VulnDiscussion&gt;The SMTP engines found on the MFDs reviewed when writing the MFD STIG did not have robust enough security features supporting...
    Rule Medium Severity
  • MFD Hard Drive Lock

    <GroupDescription></GroupDescription>
    Group
  • A MFD device does not have a mechanism to lock and prevent access to the hard drive.

    &lt;VulnDiscussion&gt;If the hard disk drive of a MFD can be removed from the MFD the data on the drive can be recovered and read. This can lead t...
    Rule Medium Severity
  • MFD/Printer Global Configuration Settings

    <GroupDescription></GroupDescription>
    Group
  • The device is not configured to prevent non-printer administrators from altering the global configuration of the device.

    &lt;VulnDiscussion&gt;If unauthorized users can alter the global configuration of the MFD they can remove all security. This can lead to the compr...
    Rule High Severity
  • MFD03.002

    <GroupDescription></GroupDescription>
    Group
  • The MFD must be configured to prohibit the use of all unnecessary and/or nonsecure functions, physical and logical ports, protocols, and/or services.

    &lt;VulnDiscussion&gt;In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e....
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules