Use OS to lock down Printer Port 9100 to specific IPs
Hello Experts!
I have a router with port forwarding turned on for access to a networked printer (port 9100) from external devices. I want to lock down access to this port to only come from various IP addresses (to avoid spammers from printing to this device). My router does not seem to have the capability to lock down access to this port from IP addresses, so I'm looking for a way for the Windows OS to only allow certain IPs to access the port. Is there a way to do this?
Thanks,
-Joe
I have a router with port forwarding turned on for access to a networked printer (port 9100) from external devices. I want to lock down access to this port to only come from various IP addresses (to avoid spammers from printing to this device). My router does not seem to have the capability to lock down access to this port from IP addresses, so I'm looking for a way for the Windows OS to only allow certain IPs to access the port. Is there a way to do this?
Thanks,
-Joe
ASKER
It's both actually. It is a standalone printer (Konica BizHub) on a Windows (server 2016 essentials) network shared via the server.
In this situation, and this is purely my opinion -- you will get others -- I'd take the printer off the server and put the printer on a router that can handle a USB printer and can also firewall by incoming IP addresses. Alternatively, you could use the printer's network port behind a DD-WRT (or equivalent) router on a "mini-LAN" and port forward to the printer, again with firewalling by IP address.
ASKER
Well, If I were to do that, I would simply replace the router with one were I can lock down port access via IP address. I'm trying to avoid doing that and have a solution with the current equipment. Isn't there a way to lock down port or sharing on Windows? I know I've seen that in the past but can't find it now.
Thanks for the quick replies!
-Joe
Thanks for the quick replies!
-Joe
I'm pretty sure you should be able to do that from Windows Firewall advanced settings on your Server sharing the printer.
Have you checked that?
This seems similar but for RDP: https://security.stackexchange.com/questions/34709/enable-rdp-for-internal-network-only
Note that printing ports are different when used through Windows OS sharing. Refer to this for the ports: https://support.eapps.com/index.php?/Knowledgebase/Article/View/526/48/windows-server-2012---opening-file-sharing-ports
Let me know if this works for you.
Have you checked that?
This seems similar but for RDP: https://security.stackexchange.com/questions/34709/enable-rdp-for-internal-network-only
Note that printing ports are different when used through Windows OS sharing. Refer to this for the ports: https://support.eapps.com/index.php?/Knowledgebase/Article/View/526/48/windows-server-2012---opening-file-sharing-ports
Let me know if this works for you.
Port 9100 is on the printer itself, so there is nothing you can do from Windows to block that. You are allowing printing the the outside/internet? Without filtering IP traffic, I don't see a secure way to do that without VPN. Can you configure to print through Windows? You can then use Windows firewall, but I don't like the idea of putting any Windows service directly on Internet, especially not any time a protocol is used that isn't designed for resisting attacks.
ASKER
Hey Kevin, yes, you are correct. I thought I could lock down the port via windows but it seems I'm going to be stuck here without a way to do this without a secure port forwarding router. :(
Hi Joe, the only way to lock that port through Windows is if you set the Windows box as the Router. You will need an extra dedicated ethernet port for that and enable the Routing and Remote access role. That means that you turn your Windows box into a router but this isn't as simple as it sounds.
I believe it's time to upgrade the router you have there .
I believe it's time to upgrade the router you have there .
ASKER
Yep. now the question becomes, "which is the right router to get?" :)
That depends on your needs.
Have a look at DrayTek :)
Have a look at DrayTek :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
That will be found out also.
Check https://www.shodan.io with your IP address and a few days after the changes.
Check https://www.shodan.io with your IP address and a few days after the changes.
a) A standalone printer with its own Ethernet / WiFi interface and IP address
b) A printer attached to a Windows system that is available to the LAN as a shared printer
The solution would be different in each case.