[unisog] Printers, printers, printers

Martin Manjak MManjak at uamail.albany.edu
Tue Dec 11 21:13:31 GMT 2007


I'm curious as to what other schools are doing with respect to managing
printers. Some of the issues and challenges include:

1. They're cheap. Staff can purchase them directly through departmental
credit cards so they aren't subject to purchasing guidelines, or
centralized management of their configurations.

2. They're desirable as status symbols. People would rather have a
personal printer on their desk than walk down the hall to use a
departmental machine.

3. They're loaded. Rarely is a printer just a printer. It's a document
imaging system with its own hard drive. It's a web server, oftentimes
with a web-based management interface complete with a blank admin
password. Other services may be running in default mode such as telnet,
or ssh, or tftp.

4. They often have public IP addresses assigned to them.

The combination of all of the above has caused a proliferation of data
leakage points. In essence, what we have are unmanaged servers
containing electronic copies of institutional documents that are visible
to the world. Secondarily, we have a lot of machines on our networks
that can be poked, probed, and mismanaged via publicly facing services
with blank or searchable default admin passwords. 

I'm very interested in what types of controls people may have in place
to address any of the above.


Martin Manjak
CISSP, GIAC GSEC-G, GCIH, GCWN
Information Security Officer
University at Albany
MSC 209   437-3813 
"Information security controls should be considered at the systems and
projects requirements specification and design stage."
ISO/IEC 17799 Information Security Management Code of Practice



