Link to home
Create AccountLog in
Avatar of hypercube
hypercubeFlag for United States of America

asked on

Disabling SNMP on printers takes them out of service - how to address?

Our printers were found to have SNMP enabled and the default "public" community string.  This was reported in IT audit as a security risk - although I have my doubts re: importance of it.
Our response was to Disable SNMPv1v2 in each of the offending (HP) printers.
NOT a good idea it seems as the printers stopped working.
Since it's too time-consuming to go "touch" each of the computers, we simply Re-Enabled SNMPv1v2 and left the community string alone for now.

My question is to confirm or guide "what's next?".

We could use our current (private) SNMP community string but then it would be visible in the printers.  
And, since we don't knowingly use SNMP for the printers, there'd be no purpose.

We could use a new "fake" community string in the printers that we don't intend to use.
That would fix the IT audit finging.
But, would the printers stop working once again?

Or, we might do something else that I've not figured out.

As a matter of practice, I try to make sure that printers set up on computers use TCP/IP ports and don't fall into using WSD connection.
So far, I haven't found a connection between SNMP and WSD but I suspect it.
We had a number of computers that had fallen into WSD setups that were involved in the recent failure
I prefer to keep things simple and don't include WSD in that context.

What would you do to satisfy the IT audit finding AND avoid a lot of individual computer work?
Avatar of McKnife
McKnife
Flag of Germany image

Could it be that you mistakenly disabled SMB1/2 instead of SNMP?
Avatar of hypercube

ASKER

McKnife:  No.  And there were many printers involved.  It was HARD to find SNMP so I was paying a lot of attention to that.  The one I "hit" was accompanied nearby by SNMPv3 and AFAIK there is no SMB3.  The HP printers are barely similar from one model to another.  Different menus, different nomenclature, etc.  But eventually one can find the SNMP settings.
The one I "hit" was accompanied nearby by SNMPv3.  
Avatar of Dr. Klahn
Dr. Klahn

Buy some cheap network printer servers with USB ports.  Bring up the printers as TCP printer ports.

Be sure to get a written opinion from whoever decided that SNMP is a danger, so that you can hang them with that later on when you have a bit of free time to prove them wrong.  If they're not willing to back up that opinion by puting it in writing with their name on it, clearly stating the nature of the danger, then it's not a danger and you should tell your manager that.


ASKER CERTIFIED SOLUTION
Avatar of Hello There
Hello There

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Just so we're on the same page: there is no print server.  So, I'm not sure where the "print server settings" reside....
?
Oh ... I found it.
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
So, since I have an M402dn here in my office, I did some experiments with two computers.
I'm really sorry that I ventured there because it was an exercise in frustration and inconsistent results.
Eventually I got my own printing capability back but not without resetting the printer to defaults and rebooting everything, etc. etc.
I took the HP advice for security settings in the printer as best I could.  That's what caused the need for a reset to defaults.  It simply would not print any longer and I couldn't find a formula other than the obvious.
It's unusual for me but my conclusion here is that this stuff should not be messed with unless one has a lot of time on their hands - as in "in the printer business".  My way of avoiding hair pulling.  
I sure agree with the documentation aspect.  
Dr. Klahn:  Great idea!  Also, why add the little USB thingys for printers that are network capable in the first place?  I'd think they're good for USB-only printers.  Maybe as an "isolator" of sorts?

Hello There said: "When you set up a Windows computer to print to a network print device via a standard IP printer port, Windows turns on a setting on the IP printer port in its print server settings that queries the printer via SNMP to determine whether it is online or offline.  So, when you disabled SNMP on the printers, if you didn't turn of the SNMP status checking for the IP printer port on the company computers, then those printers will show up offline."

I sort of got the first part.  But it suggests that Windows then sets up a different mechanism (including being happily ignorant).  So I wonder what that might be?

Correct, SNMP polling is how the Windows system determines when the printer is offline.

Often securing vulnerabilities deals with a report and then you assess the significance, impact.

Depending on printers, using SNMP you could pull info including things such as remaining toner.....
The SNMP on printers is commonly read-only so there is little risk....
arnold:  It seems that the HP printer default is for SNMP Read/Write - and there *is* a Read Only setting.

OK folks, I ventured into another experiment.  As David Johnson, hbhondt and Hello There suggested (and perhaps others) I did this:
1) Disabled the printer port SNMP Status Enabled setting on ALL the computers - how could it be less??
2) Disabled SNMP on the printer. ... IN THAT ORDER.
3) Confirmed printing works
4) Powered down the computer and the printer.
5) Powered on the printer.
6) Powered on the computers
7) Tested printing again.  It still works.

So, this appears to be part of a solution.
But, what happens when we introduce a new computer, install this printer and forget to turn off SNMP Status Enabled in the printer port settings?
Does that break the whole thing or....?  I hope not!  I guess not really, eh?

Is the crux of this that the computer, via the port SNMP setting, checks to see if the printer is alive.  If the printer isn't reporting via SNMP then the computer says it's off line.  
Then what?
If the port SNMP setting is disabled thereafter, does the computer revive or does it take a reboot or something even worse (like removing and reinstalling the printer?).

Yes. the printer will be seen as always online.
Usually the spool test uses public community which should be read only.
The point of a report of possible insecurity/vulnerability is to allow you, the admin, to assess whether the risk if any is a concern.
The risk of having an internal printer that has an SNMP port open and uses public even in read-write mode exposed to internal resources only to be compromised or be an entry .....

I would leave SNMP port open, makes sure public is read-only, if you need to have the ability to manage some printer settings via SNMP, configure the read-write community using a unique, version enforcement.



But, what happens when we introduce a new computer, install this printer and forget to turn off SNMP Status Enabled in the printer port settings?
You will see that something is wrong. It will behave the same way you described in the original post. But since we are discussing it, I hope you will remember this and you won't forget. Now seriously. Make a note about this and make it as part of the setup procedure.
I have recommended an option with a unique Community Name for read only.
This seems to work when the computer is set up:
1) SNMP turned off
2) SNMP turned on and the unique Community Name provided.

Hello There:  Yes.  I'm pretty good at documenting things.  Getting people to remember and to read is a different matter!

arnold: The IT Audit included an Internal Vulnerability scan and penetration attempts (from inside of course).  So, what might we expect?  I have also recommended an option to argue this one away and, to ask "what is the apparent risk with this?".
It is hard to comment without seeing the actual statement of the SNMP audit report, but commonly, the statement is uniform in applicability to any SNMP where you can pull data using public community.
The printer SNMP data pull even using public community is reflecting no risk.
Even using SNMP version 1
Consider the report as one given to open doors in an offic

Office 325 is eating area
Has a list of contacts
The report says
325 door unsecured access to information exists.

Network scan is informational to alert the reader to see whether there is a risk in one versus another.
Printers should be exempt from this.

Note, SNMP can be used to poll the printer for info on utilization, tunner level if you want to be proactive.
Yes, *we* know but one must convince those who don't that's there's an argument to be made - and then help them to make an argument that they can reasonably understand.  
So, arnold, that's a good analogy!
Thanks all!