
Use OS to lock down Printer Port 9100 to specific IPs

Hello Experts!

I have a router with port forwarding turned on for access to a networked printer (port 9100) from external devices.  I want to lock down access to this port to only come from various IP addresses (to avoid spammers from printing to this device).  My router does not seem to have the capability to lock down access to this port from IP addresses, so I'm looking for a way for the Windows OS to only allow certain IPs to access the port.  Is there a way to do this?

Thanks,

-Joe

Dr. Klahn, Principal Software Engineer

Commented:
By "networked printer" do you mean -

a) A standalone printer with its own Ethernet / WiFi interface and IP address
b) A printer attached to a Windows system that is available to the LAN as a shared printer

The solution would be different in each case.
Joe Thompson, Principal Manager

Author

Commented:
It's both actually.  It is a standalone printer (Konica BizHub) on a Windows (server 2016 essentials) network shared via the server.
Dr. Klahn, Principal Software Engineer

Commented:
In this situation, and this is purely my opinion -- you will get others -- I'd take the printer off the server and put the printer on a router that can handle a USB printer and can also firewall by incoming IP addresses.  Alternatively, you could use the printer's network port behind a DD-WRT (or equivalent) router on a "mini-LAN" and port forward to the printer, again with firewalling by IP address.
Joe Thompson, Principal Manager

Author

Commented:
Well, if I were to do that, I would simply replace the router with one where I can lock down port access via IP address.  I'm trying to avoid doing that and have a solution with the current equipment.  Isn't there a way to lock down port or sharing on Windows?  I know I've seen that in the past but can't find it now.

Thanks for the quick replies!

-Joe
Edmond Hawila, Chief Operating Officer

Commented:
I'm pretty sure you should be able to do that from Windows Firewall advanced settings on your Server sharing the printer.
Have you checked that?
This seems similar but for RDP: https://security.stackexchange.com/questions/34709/enable-rdp-for-internal-network-only

Note that printing ports are different when used through Windows OS sharing. Refer to this for the ports: https://support.eapps.com/index.php?/Knowledgebase/Article/View/526/48/windows-server-2012---opening-file-sharing-ports

Let me know if this works for you.
kevinhsieh, Network Engineer

Commented:
Port 9100 is on the printer itself, so there is nothing you can do from Windows to block that. You are allowing printing to the outside/internet? Without filtering IP traffic, I don't see a secure way to do that without VPN. Can you configure to print through Windows? You can then use Windows firewall, but I don't like the idea of putting any Windows service directly on Internet, especially not any time a protocol is used that isn't designed for resisting attacks.
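
The Windows Firewall scoping discussed in the comments above, as an added example that is not part of the original thread. It only affects traffic that terminates on the Windows print server (the shared queue), not port 9100 on the printer itself; the addresses are constructed placeholders and the rule group name assumes an English-language Windows install.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Windows server that shares the printer.

# Constructed placeholder sources (documentation ranges plus an assumed LAN);
# replace with the real addresses that are allowed to print.
$AllowedSources = @('192.0.2.10', '198.51.100.0/24', '192.168.1.0/24')

# 1. An allow-list only restricts anything if unmatched inbound traffic is
#    blocked, so confirm the firewall is on and the default action is Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 2. Collect the enabled inbound rules that expose Windows printer sharing.
#    'File and Printer Sharing' is the built-in group name on English Windows.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

# 3. Narrow each rule's remote scope from "Any" to the allowed sources.
$rules | Set-NetFirewallRule -RemoteAddress $AllowedSources

# 4. Review the result: every enabled rule should now list only those sources.
$rules | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
    }
} | Format-Table -AutoSize
```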
Joe Thompson, Principal Manager

Author

Commented:
Hey Kevin, yes, you are correct. I thought I could lock down the port via Windows but it seems I'm going to be stuck here without a way to do this without a secure port forwarding router.  :(
Edmond Hawila, Chief Operating Officer

Commented:
Hi Joe, the only way to lock that port through Windows is if you set the Windows box as the Router. You will need an extra dedicated ethernet port for that and enable the Routing and Remote access role. That means that you turn your Windows box into a router but this isn't as simple as it sounds.
I believe it's time to upgrade the router you have there.
Joe Thompson, Principal Manager

Author

Commented:
Yep. Now the question becomes, "which is the right router to get?" :)
Edmond Hawila, Chief Operating Officer

Commented:
That depends on your needs.
Have a look at DrayTek :)
Principal Manager
Commented:
Thanks all.  I needed this as spammers are sending random print jobs to my printers due to them being on the Internet on port 9100.  What I'm going to do for now is change the print port on the router so 9100 is no longer listening.  I'll use a different external port and translate it to 9100 on the router when going to the IP of the printer.  Appreciate all your responses and help!  I'll eventually swap the router for one that supports secure port forwarding.

Cheers,

-Joe
noci, Software Engineer
Distinguished Expert 2019

Commented:
That will be found out also.
Check https://www.shodan.io with your IP address and a few days after the changes.