II - Mission Support Classified
Rules and Groups employed by this XCCDF Profile
-
MFD/Printer Firewall/Router Rule Perimeter
Group -
A firewall or router rule must block all ingress and egress traffic from the enclave perimeter to the MFD or Network Printer.
Access to the MFD or printer from outside the enclave network could lead to a denial of service caused by a large number of large print files being sent to the device. Ability for the MFD or printe...Rule Medium Severity -
MFD Firmware
Group -
The MFD or Network Printer must employ the most current firmware available.
MFD devices or printers utilizing old firmware can expose the network to known vulnerabilities leading to a denial of service or a compromise of sensitive data. While the MFD must use the most curr...Rule Medium Severity -
MFD SNMP Community Strings
Group -
The default passwords and SNMP community strings of all management services have not been replaced with complex passwords.
There are many known vulnerabilities in the SNMP protocol and if the default community strings and passwords are not modified an unauthorized individual could gain control of the MFD or printer. T...Rule High Severity -
MFD Configuration State After Power Down or Reboot
Group -
The MFD or Network Printer must maintain configuration state (e.g., passwords, service settings) after a power down or restart.
If the MFD does not maintain it state over a power down or restart, it will expose the network to all of the vulnerabilities that where mitigated by the modifications made to its configuration stat...Rule High Severity -
MFD Management Protocols
Group -
Management protocols, with the exception of HTTPS and SNMPv3, must be disabled at all times except when necessary.
Unneeded protocols expose the device and the network to unnecessary vulnerabilities.Rule Medium Severity -
MFD or a printer can be managed from any IP
Group -
There is no restriction on where a MFD or a printer can be remotely managed.
Since unrestricted access to the MFD or printer for management is not required the restricting the management interface to specific IP addresses decreases the exposure of the system to malicious ac...Rule High Severity -
Print Services Restricted to Port 9100 and/or LPD
Group -
Print services for a MFD or printer are not restricted to Port 9100 and/or LPD (Port 515). Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously.
Printer services running on ports other than the known ports for printing cannot be monitored on the network and could lead to a denial of service it the invalid port is blocked by a network admini...Rule Low Severity -
MFD/Printer Restrict Jobs Only From Print Spooler
Group -
A MFD or printer is not configured to restrict jobs to those from print spoolers.
If MFDs or printers are not restricted to accept print jobs only from print spoolers that authenticate the user and log the job, a denial of service can be created by the MFD or printer accepting o...Rule Medium Severity -
MFD Authorized Users Restrictions
Group -
Print spoolers are not configured to restrict access to authorized users and restrict users to managing their own individual jobs.
If unauthorized users are allowed access to the print spooler they can queue large print file creating a denial of service for other users. If users are not restricted to manipulating only files t...Rule Medium Severity -
MFD and Spooler Auditing
Group -
The devices and their spoolers do not have auditing enabled.
Without auditing the identification and prosecution of an individual that performs malicious actions is difficult if not impossible.Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.