Multifunction Device and Network Printers STIG

Details

Version / Release: V2R5

Published: 2015-04-02

Updated At: 2018-09-23 05:02:28

Compare/View Releases

Select any two versions of this STIG to compare the individual requirements

Select any old version/release of this STIG to view the previous requirements

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-6999r1_rule MFD01.001 MEDIUM A network protocol other than TCP/IP is enabled on a MFD or printer. The greater the number of protocols allowed active on the network the more vulnerabilities there will be available to be exploited. The SA will ensure the only network protocol used is TCP/IP all others are disabled.System AdministratorDCPP-1
    SV-7000r1_rule MFD01.002 MEDIUM A MFD or a printer is not using a static IP address. Without static IP addresses, if the DNS cache is poisoned (corrupted) print files containing sensitive data could be redirected, leading to the compromise of sensitive data. The SA will ensure all MFDs and printers are assigned a static IP.System Administ
    SV-7001r1_rule MFD01.003 MEDIUM A firewall or router rule is not used to block all ingress and egress traffic from the enclave perimeter to the MFD or printer. Access to the MFD or printer from outside the enclave network could lead to a denial of service caused by a large number of large print files being sent to the device. Ability for the MFD or printer to access addresses outside the enclave network could l
    SV-7002r1_rule MFD02.004 MEDIUM A MFD or a printer device is not flash upgradeable or is not configured to use the most current firmware available. MFD devices or printers utilizing old firmware can expose the network to known vulnerabilities leading to a denial of service or a compromise of sensitive data. The SA will ensure devices are flash upgradeable and are configured to use the most current fi
    SV-7003r1_rule MFD02.001 HIGH The default passwords and SNMP community strings of all management services have not been replaced with complex passwords. There are many known vulnerabilities in the SNMP protocol and if the default community strings and passwords are not modified a unauthorized individual could gain control of the MFD or printer. This could lead to a denial of service or the compromise of
    SV-7004r1_rule MFD02.002 HIGH The MFD does not maintain its configuration state (passwords, service settings etc) after a power down or reboot. If the MFD does not maintain it state over a power down or reboot, it will expose the network to all of the vulnerabilities that where mitigated by the modifications made to its configuration state. The SA will ensure the MFD maintains its configuration s
    SV-7005r2_rule MFD02.003 MEDIUM Management protocols, with the exception of HTTPS and SNMPv3, must be disabled at all times except when necessary. Unneeded protocols expose the device and the network to unnecessary vulnerabilities.System AdministratorDCPP-1
    SV-7009r1_rule MFD02.005 HIGH There is no restriction on where a MFD or a printer can be remotely managed. Since unrestricted access to the MFD or printer for management is not required the restricting the management interface to specific IP addresses decreases the exposure of the system to malicious actions. If the MFD or printer is compromised it could lead
    SV-7015r1_rule MFD03.001 LOW Print services for a MFD or printer are not restricted to Port 9100 and/or LPD (Port 515). Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously. Printer services running on ports other than the known ports for printing cannot be monitored on the network and could lead to a denial of service it the invalid port is blocked by a network administrator responding to an alert from the IDS for traffic on
    SV-7019r1_rule MFD04.001 MEDIUM A MFD or a printer is not configured to restrict jobs to those from print spoolers. If MFDs or printers are not restricted to only accepting print jobs from print spoolers that authenticate the user and log the job, a denial of service can be created by the MFD or printer accepting one or more large print jobs from an unauthorized user.
    SV-7021r1_rule MFD05.001 MEDIUM Print spoolers are not configured to restrict access to authorized users and restrict users to managing their own individual jobs. If unauthorized users are allowed access to the print spooler they can queue large print file creating a denial of service for other users. If users are not restricted to manipulating only files they created, they could create ad denial of service by cha
    SV-7022r1_rule MFD06.001 MEDIUM The devices and their spoolers do not have auditing enabled. Without auditing the identification and prosecution of an individual that performs malicious actions is difficult if not impossible.System AdministratorECAR-1, ECAR-2, ECAR-3
    SV-7023r2_rule MFD06.002 LOW Implementation of an MFD and printer security policy for the protection of classified information. Department of Defense Manual 5200.01, "Protection of Classified Information" provides policy, assigns responsibilities, and provides procedures for the designation, marking, protection, and dissemination of controlled unclassified information (CUI) and cl
    SV-7024r2_rule MFD06.006 LOW The level of audit has not been established or the audit logs being collected for the devices and print spoolers are not being reviewed. If inadequate information is captured in the audit, the identification and prosecution of malicious user will be very difficult. If the audits are not regularly reviewed suspicious activity may go undetected for a long time. Therefore, the level of audit
    SV-7025r2_rule MFD07.001 HIGH MFDs with print, copy, scan, or fax capabilities must be prohibited on classified networks without the approval of the DAA. MFDs with print, copy, scan, or fax capabilities, if compromised, could lead to the compromise of classified data or the compromise of the network. The IAO will ensure MFDs with copy, scan, or fax capabilities are not allowed on classified networks unles
    SV-7026r1_rule MFD07.002 MEDIUM A MFD device, with scan to hard disk functionality used, is not configured to clear the hard disk between jobs. If the MFD is compromised the un-cleared, previously used, space on the hard disk drive can be read which can lead to a compromise of sensitive data. The SA will ensure the device is configured to clear the hard disk between jobs if scan to hard disk func
    SV-7027r1_rule MFD07.003 LOW Scan to a file share is enabled but the file shares do not have the appropriate discretionary access control list in place. Without appropriate discretionary access controls unauthorized individuals may read the scanned data. This can lead to a compromise of sensitive data. The SA will ensure file shares have the appropriate discretionary access control list in place if scan
    SV-7028r1_rule MFD07.004 LOW Fax from the network is enabled but auditing of user access and fax log is not enabled. Without auditing the originator and destination of a fax cannot be determined. Prosecuting of an individual who maliciously compromises sensitive data via a fax will be hindered without audits. The SA will ensure auditing of user access and fax log is en
    SV-7029r1_rule MFD07.005 MEDIUM Devices allow scan to SMTP (email). The SMTP engines found on the MFDs reviewed when writing the SPAN STIG did not have robust enough security features supporting scan to email. Because of the lack of robust security scan to email will be disabled on MFD devices. Failure to disable this f
    SV-7030r1_rule MFD08.001 MEDIUM A MFD device does not have a mechanism to lock and prevent access to the hard drive. If the hard disk drive of a MFD can be removed from the MFD the data on the drive can be recovered and read. This can lead to a compromise of sensitive data. The IAO will ensure the device has a mechanism to lock and prevent access to the hard disk.Info
    SV-7031r1_rule MFD08.002 HIGH The device is not configured to prevent non-printer administrators from altering the global configuration of the device. If unauthorized users can alter the global configuration of the MFD they can remove all security. This can lead to the compromise of sensitive data or the compromise of the network the MFD is attached to.System AdministratorECAN-1