Steven Yarmush
asked on
SNMP vulnerability scan
SNMP writable communities shows up on my vulnerability scan.
I am being told to disable it.
How will disabling it affect printing?
When is it needed?
Does it matter if the printer has a hard drive?
You should be OK disabling it. No relations whatsoever.
ASKER
https://community.spiceworks.com/topic/483706-disable-snmp-on-printers-causes-headache-with-windows-7-ugh
Please look at the above link.
I tried doing this to the company copier scanner and I had to reinstall all the users who have access to the copier scanner.
I have 10 printers with this vulnerability at the moment.
Any suggestions how I can make this painless?
Certainly the printer disk will not be affected.
Make sure you disable SNMP Status for the printer under Printer Properties > Ports > Configure Port. If using a server, this must be done on the server. If SNMP is enabled, the driver will try to check printer status, and will fail when SNMP is disabled.
Note that disabling SNMP will also prevent print management software from checking printer status. You may not use any, but if something like WebJetAdmin stops working, this is why.
Can't you just change the community string?
Make sure to change it on the printer and "print management" and you should be good.
An SNMP string being "Public" or "Private" is indeed asking for problems.
ASKER
We have copier/printers that a 3rd party sends us toner for when needed. If I change this, I assume by the comments above this will be broken?
No, it won't.
The printer will use the driver on the printserver. This is used by some software to query the toner level.
How the driver and printer communicate and with what SNMP community name doesn't matter. Just make sure you change it on both ends. (Printer and printserver)
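An added example, not part of the original thread: a PowerShell script, run elevated on the print server, that lists the SNMP status setting of every Standard TCP/IP port and then either switches SNMP status off or sets the new community name on the ports, covering the Configure Port step and the "change it on both ends" advice above without any user action. The `-Community` parameter is an assumption of this example, and the community still has to be changed on the printer itself.

```powershell
# Added example: audit and change the "SNMP Status Enabled" setting on every
# Standard TCP/IP port of a print server. Save as a .ps1 file and run it
# elevated on the print server. Use -WhatIf first to preview the changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption of this example: the new read-only community already set on
    # the printers. Leave empty to switch SNMP status polling off instead.
    [string]$Community
)

# Win32_TCPIPPrinterPort exposes the values shown in
# Printer Properties > Ports > Configure Port.
$ports = Get-CimInstance -ClassName Win32_TCPIPPrinterPort

# Report the current state before touching anything.
$ports |
    Select-Object Name, HostAddress, SNMPEnabled, SNMPCommunity |
    Format-Table -AutoSize

foreach ($port in $ports) {
    # Ports without SNMP status are not affected by changes on the printer.
    if (-not $port.SNMPEnabled) { continue }

    if ($Community) {
        # Community names are case-sensitive, so compare with -ceq.
        if ($port.SNMPCommunity -ceq $Community) { continue }
        $change = @{ SNMPCommunity = $Community }
        $action = 'Set new SNMP community name'
    }
    else {
        $change = @{ SNMPEnabled = $false }
        $action = 'Disable SNMP status'
    }

    if ($PSCmdlet.ShouldProcess($port.Name, $action)) {
        Set-CimInstance -InputObject $port -Property $change
    }
}

# Show the result so the change can be confirmed per port.
Get-CimInstance -ClassName Win32_TCPIPPrinterPort |
    Select-Object Name, HostAddress, SNMPEnabled, SNMPCommunity |
    Format-Table -AutoSize
```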
ASKER
From what I am reading, to make this easy I should set up all the printers on a print server so that I only have to make the changes one time.
I am unsure if the copier company will balk if they cannot get toner reports.
You're not comparing apples with apples :)
This is completely separated.
Worst case scenario you'll have to adjust the SNMP string in the company's software too.
"we have copier\ printers that a 3rd party sends us toner when needed"
Some printers are able to send an email requesting attention. In that case SNMP is not involved. If the 3rd party has print management software installed then, yes it will be affected. Check with them to see how they do it.
Re installing on a server. For a large organisation a server is always the easier method. For a small company, I prefer to have each user connect directly to the printer. In your case, if you are not using a server then every user needs to make sure SNMP is not ticked. But in your case, moving to a server will not make life easier. With the direct connection users will have to change a driver setting; with a server, users will have to install a new printer.
Start by checking whether SNMP Status is currently enabled. If it isn't, then you only have to worry about the toner supplier.
ASKER
I cannot depend on users changing settings - it will not happen. If I load the printers on a print server I can control that.
Any other suggestions without involving users doing something?
The SNMP config on printers is the means by which, when configured, the printer status is determined, i.e. if the poll of the SNMP response is received, the printer is seen as online; if it is not, the printer is marked offline.
Public is a read-only community.
If the printer prints sensitive information, the default scheme should be to use an encrypted hard drive.
It is a tool that gets installed on a system that monitors the printer status using SNMP to poll the toner reference.
The scan scans what you tell, identifying the impact/vulnerability of the report.
I.e. you ask someone who identifies windows (structure) to review your office space for vulnerabilities, and the report comes back with a list of external windows as well as a few electrical room door windows, custodian office door window included, as a possible vulnerability.
...
ASKER
I have 10 printers with this vulnerability
SNMP writable communities
what would be the easiest way to fix
I am not going to worry about toner reporting back for the copiers
I cannot ask users to check boxes- it will have to be done by me
https://community.spiceworks.com/topic/483706-disable-snmp-on-printers-causes-headache-with-windows-7-ugh
if you read the article above you can see how this could break the print jobs
ASKER CERTIFIED SOLUTION
ASKER
It's not that easy.
If you read the article I posted above you will see what could happen.
I made these changes for one printer and it broke the printer for all users who had it installed on their PC.
I had to reinstall after the changes were made.
This is why I said it's better to install printers on a print server. You can make the change one time.
I cannot count on users to make the change on their PC.
I said disable the writeable community, not disable SNMP completely.
What does the scan say? Which writeable community in SNMP does it report?
Depending on your environment, i.e. AD centrally managed, you should have a server/servers set as print servers who have the printer installed locally and shared/pushed to the clients using GPOs/GPPs.
I've not seen printers that come with SNMP writeable community enabled.
Since you mentioned that your Printer provider includes the option to automatically order supply, have a talk with them on whether or why they have a writeable community defined for SNMP.
Look through your printer's SNMP settings and make sure what you have, public is set to read-only.
ASKER
thank you