Check: MFD03.001
Multifunction Device and Network Printers STIG:
MFD03.001
(in versions v2 r14 through v2 r9)
Title
Print services for a MFD or printer are not restricted to Port 9100 and/or LPD (Port 515). Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously. (Cat III impact)
Discussion
Printer services running on ports other than the known ports for printing cannot be monitored on the network and could lead to a denial of service if the invalid port is blocked by a network administrator responding to an alert from the IDS for traffic on an unauthorized port.
Check Content
The reviewer will, with the assistance of the SA, verify that the MFD or printer print services are restricted to LPD or port 9100. Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously.
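One way to support this check from scan evidence, as an added example that is not part of the STIG: the script below reads nmap grepable (`-oG`) output and reports open print services on any port other than 515 or 9100. The sample scan is constructed, and the set of nmap service names treated as print services is an assumption to adjust per site.

```python
import re

ALLOWED_PRINT_PORTS = {515, 9100}  # LPD and port 9100, per the check
# Assumption: nmap service names that count as print services; extend per site.
PRINT_SERVICE_NAMES = {"printer", "ipp", "jetdirect"}

# Constructed sample in nmap grepable (-oG) layout; addresses are documentation ranges.
SAMPLE_SCAN = """\
Host: 192.0.2.10 (mfd-a.example)\tPorts: 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///
Host: 192.0.2.11 (mfd-b.example)\tPorts: 515/open/tcp//printer///, 631/open/tcp//ipp///, 9101/open/tcp//jetdirect///
Host: 192.0.2.12 (mfd-c.example)\tPorts: 631/closed/tcp//ipp///, 9100/open/tcp//jetdirect///
"""

def parse_grepable(text):
    """Yield (host, port, state, proto, service) for every port entry."""
    for line in text.splitlines():
        m = re.match(r"Host:\s+(\S+).*?\bPorts:\s+(.*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports = m.groups()
        ports = ports.split("\t")[0]  # drop trailing tab-separated fields
        for entry in ports.split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            yield host, int(fields[0]), fields[1], fields[2], fields[4]

def mfd03_001_findings(text):
    """Return {host: [ports]} where an open print service uses an unauthorized port."""
    findings = {}
    for host, port, state, proto, service in parse_grepable(text):
        if state != "open" or proto != "tcp":
            continue
        if service in PRINT_SERVICE_NAMES and port not in ALLOWED_PRINT_PORTS:
            findings.setdefault(host, []).append(port)
    return findings

if __name__ == "__main__":
    for host, ports in sorted(mfd03_001_findings(SAMPLE_SCAN).items()):
        print(f"{host}: print service on unauthorized port(s) {ports}")
```

Service names in scan output are inferred from port numbers unless version detection was used, so a flagged port still needs confirmation against the device configuration with the SA.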
Fix Text
Develop a plan to coordinate the reconfiguration of the printer servers and clients so that print services run only on authorized ports. Obtain CM approval of the plan and implement the plan.
Additional Identifiers
Rule ID: SV-7015r1_rule
Vulnerability ID: V-6790
Group Title: Print Services Restricted to Port 9100 and/or LPD
CCIs
Number | Definition |
---|---|
CCI-001449 | The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. |
CCI-002415 | The organization employs boundary protection mechanisms to separate organization-defined information system components supporting organization-defined missions and/or business functions. |