Use OS to lock down Printer Port 9100 to specific IPs

Hello Experts!

I have a router with port forwarding turned on for access to a networked printer (port 9100) from external devices.  I want to lock down access to this port to only come from various IP addresses (to avoid spammers from printing to this device).  My router does not seem to have the capability to lock down access to this port from IP addresses, so I'm looking for a way for the Windows OS to only allow certain IPs to access the port.  Is there a way to do this?


Joe Thompson, Principal Manager, Asked:
Dr. Klahn, Principal Software Engineer, Commented:
By "networked printer" do you mean -

a) A standalone printer with its own Ethernet / WiFi interface and IP address
b) A printer attached to a Windows system that is available to the LAN as a shared printer

The solution would be different in each case.
Joe Thompson, Principal Manager, Author Commented:
It's both actually.  It is a standalone printer (Konica BizHub) on a Windows (Server 2016 Essentials) network shared via the server.
Dr. Klahn, Principal Software Engineer, Commented:
In this situation, and this is purely my opinion -- you will get others -- I'd take the printer off the server and put the printer on a router that can handle a USB printer and can also firewall by incoming IP addresses.  Alternatively, you could use the printer's network port behind a DD-WRT (or equivalent) router on a "mini-LAN" and port forward to the printer, again with firewalling by IP address.
Joe Thompson, Principal Manager, Author Commented:
Well, if I were to do that, I would simply replace the router with one where I can lock down port access via IP address.  I'm trying to avoid doing that and have a solution with the current equipment.  Isn't there a way to lock down port or sharing on Windows?  I know I've seen that in the past but can't find it now.

Thanks for the quick replies!

Edmond Hawila, Chief Operating Officer, Commented:
I'm pretty sure you should be able to do that from Windows Firewall advanced settings on your Server sharing the printer.
Have you checked that?
This seems similar but for RDP:

Note that printing ports are different when used through Windows OS sharing. Refer to this for the ports:

Let me know if this works for you.
kevinhsieh, Network Engineer, Commented:
Port 9100 is on the printer itself, so there is nothing you can do from Windows to block that. You are allowing printing to the outside/internet? Without filtering IP traffic, I don't see a secure way to do that without VPN. Can you configure to print through Windows? You can then use Windows firewall, but I don't like the idea of putting any Windows service directly on Internet, especially not any time a protocol is used that isn't designed for resisting attacks.
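Added example (not part of any participant's reply): one way to scope Windows Firewall by source IP when clients print through the Windows server's shared queue rather than straight to the printer's port 9100. It audits the built-in "File and Printer Sharing" inbound allow rules and limits their remote scope. The addresses are constructed placeholders from documentation ranges, and the script assumes an elevated PowerShell session on the print server.

```powershell
# Added example: scope printer-sharing rules on the print server by source IP.
# Constructed placeholder addresses; 'LocalSubnet' keeps LAN clients working.
$AllowedSources = @('LocalSubnet', '203.0.113.10', '198.51.100.0/24')

# Scoping allow rules only helps if unmatched inbound traffic is dropped,
# so show each profile's default inbound action first.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

function Get-PrintShareRuleScope {
    # Enabled inbound Allow rules of the built-in group, with port and scope.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            $_.Action -eq 'Allow' -and
            $_.Enabled -eq 'True'
        } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name          = $_.Name
                DisplayName   = $_.DisplayName
                Protocol      = $port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
}

# 1. Audit: which rules currently accept traffic from any address?
$before = Get-PrintShareRuleScope
$before | Format-Table -AutoSize

# 2. Tighten: replace the remote scope of each rule with the allow list.
#    (An extra Block rule is not needed and would override the Allow rules.)
foreach ($rule in $before) {
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedSources
}

# 3. Verify: report any rule in the group that is still open to 'Any'.
$stillOpen = Get-PrintShareRuleScope | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($stillOpen) {
    Write-Warning 'These rules still accept any source address:'
    $stillOpen | Format-Table -AutoSize
} else {
    Write-Output 'All enabled printer-sharing allow rules are scoped.'
}
```

This filters only traffic that terminates on the Windows host; a router port forward straight to the printer's own address on 9100 never passes through this firewall.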
Joe Thompson, Principal Manager, Author Commented:
Hey Kevin, yes, you are correct. I thought I could lock down the port via Windows but it seems I'm going to be stuck here without a way to do this without a secure port forwarding router.  :(
Edmond Hawila, Chief Operating Officer, Commented:
Hi Joe, the only way to lock that port through Windows is if you set the Windows box as the Router. You will need an extra dedicated Ethernet port for that and enable the Routing and Remote access role. That means that you turn your Windows box into a router but this isn't as simple as it sounds.
I believe it's time to upgrade the router you have there.
Joe Thompson, Principal Manager, Author Commented:
Yep. Now the question becomes, "which is the right router to get?" :)
Edmond Hawila, Chief Operating Officer, Commented:
That depends on your needs.
Have a look at DrayTek :)
Joe Thompson, Principal Manager, Author Commented:
Thanks all.  I needed this as spammers are sending random print jobs to my printers due to them being on the Internet on port 9100.  What I'm going to do for now is change the print port on the router so 9100 is no longer listening.  I'll use a different external port and translate it to 9100 on the router when going to the IP of the printer.  Appreciate all your responses and help!  I'll eventually swap the router for one that supports secure port forwarding.
noci, Software Engineer, Commented:
That will be found out also.
Check with your IP address   and a few days after the changes.