Joe Thompson

Use OS to lock down Printer Port 9100 to specific IPs

Hello Experts!

I have a router with port forwarding turned on for access to a networked printer (port 9100) from external devices.  I want to lock down access to this port to only come from various IP addresses (to avoid spammers from printing to this device).  My router does not seem to have the capability to lock down access to this port from IP addresses, so I'm looking for a way for the Windows OS to only allow certain IPs to access the port.  Is there a way to do this?

Thanks,

-Joe
Dr. Klahn

By "networked printer" do you mean -

a) A standalone printer with its own Ethernet / WiFi interface and IP address
b) A printer attached to a Windows system that is available to the LAN as a shared printer

The solution would be different in each case.

ASKER

It's both actually.  It is a standalone printer (Konica BizHub) on a Windows (Server 2016 Essentials) network shared via the server.

In this situation, and this is purely my opinion -- you will get others -- I'd take the printer off the server and put the printer on a router that can handle a USB printer and can also firewall by incoming IP addresses.  Alternatively, you could use the printer's network port behind a DD-WRT (or equivalent) router on a "mini-LAN" and port forward to the printer, again with firewalling by IP address.

Well, if I were to do that, I would simply replace the router with one where I can lock down port access via IP address.  I'm trying to avoid doing that and have a solution with the current equipment.  Isn't there a way to lock down port or sharing on Windows?  I know I've seen that in the past but can't find it now.

Thanks for the quick replies!

-Joe

I'm pretty sure you should be able to do that from Windows Firewall advanced settings on your Server sharing the printer.
Have you checked that?
This seems similar but for RDP: https://security.stackexchange.com/questions/34709/enable-rdp-for-internal-network-only

Note that printing ports are different when used through Windows OS sharing. Refer to this for the ports: https://support.eapps.com/index.php?/Knowledgebase/Article/View/526/48/windows-server-2012---opening-file-sharing-ports

Let me know if this works for you.

Port 9100 is on the printer itself, so there is nothing you can do from Windows to block that. You are allowing printing to the outside/internet? Without filtering IP traffic, I don't see a secure way to do that without VPN. Can you configure to print through Windows? You can then use Windows firewall, but I don't like the idea of putting any Windows service directly on Internet, especially not any time a protocol is used that isn't designed for resisting attacks.

Hey Kevin, yes, you are correct. I thought I could lock down the port via Windows but it seems I'm going to be stuck here without a way to do this without a secure port forwarding router.  :(

Hi Joe, the only way to lock that port through Windows is if you set the Windows box as the Router. You will need an extra dedicated ethernet port for that and enable the Routing and Remote access role. That means that you turn your Windows box into a router but this isn't as simple as it sounds.
I believe it's time to upgrade the router you have there.

Yep. Now the question becomes, "which is the right router to get?" :)

That depends on your needs.
Have a look at DrayTek :)
ASKER CERTIFIED SOLUTION
Joe Thompson
That will be found out also.
Check https://www.shodan.io with your IP address and a few days after the changes.
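
Added example, not part of the original thread: one way to express the "port forward with firewalling by IP address" idea on a DD-WRT-class router that exposes iptables. The script only prints the rules for review; the WAN interface name (`vlan2`), the printer address and the allowed sources are constructed placeholders, and `gen_rules` / `valid_src` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: print iptables commands that limit a forwarded printer port
# (TCP 9100) to an allowlist of source addresses. All values are constructed.

# Accept only dotted-quad IPv4 with an optional /0-32 prefix.
valid_src() {
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($octet\.){3}$octet(/(3[0-2]|[12]?[0-9]))?\$"
}

# gen_rules WAN_IF PRINTER_IP SRC [SRC...]
gen_rules() {
    wan_if=$1; printer=$2; shift 2
    case $wan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    valid_src "$printer" || { echo "bad printer address: $printer" >&2; return 1; }
    # An empty allowlist would leave only the DROP rule; refuse rather than guess.
    [ "$#" -gt 0 ] || { echo "refusing: empty allowlist" >&2; return 1; }
    for src in "$@"; do
        valid_src "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    # The port forward (DNAT) is applied before the FORWARD chain, so the rules
    # match the printer's LAN address, not the router's public address.
    # -I inserts at the top of the chain: emit DROP first so that the ACCEPT
    # rules inserted afterwards end up above it.
    echo "iptables -I FORWARD -i $wan_if -p tcp -d $printer --dport 9100 -j DROP"
    for src in "$@"; do
        echo "iptables -I FORWARD -i $wan_if -p tcp -s $src -d $printer --dport 9100 -j ACCEPT"
    done
}

# Constructed sample: printer at 192.168.1.50, two permitted remote sources.
gen_rules vlan2 192.168.1.50 203.0.113.10 198.51.100.0/24
```

Limiting the match to the WAN interface leaves printing from the internal LAN unaffected.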