Disabling SNMP on printers takes them out of service - how to address?

Last Modified: 2020-05-06
Our printers were found to have SNMP enabled and the default "public" community string.  This was reported in IT audit as a security risk - although I have my doubts re: importance of it.
Our response was to Disable SNMPv1v2 in each of the offending (HP) printers.
NOT a good idea it seems as the printers stopped working.
Since it's too time-consuming to go "touch" each of the computers, we simply Re-Enabled SNMPv1v2 and left the community string alone for now.

My question is to confirm or guide "what's next?".

We could use our current (private) SNMP community string but then it would be visible in the printers.  
And, since we don't knowingly use SNMP for the printers, there'd be no purpose.

We could use a new "fake" community string in the printers that we don't intend to use.
That would fix the IT audit finding.
But, would the printers stop working once again?

Or, we might do something else that I've not figured out.

As a matter of practice, I try to make sure that printers set up on computers use TCP/IP ports and don't fall into using WSD connection.
So far, I haven't found a connection between SNMP and WSD but I suspect it.
We had a number of computers that had fallen into WSD setups that were involved in the recent failure.
I prefer to keep things simple and don't include WSD in that context.

What would you do to satisfy the IT audit finding AND avoid a lot of individual computer work?

McKnife
Commented:
Could it be that you mistakenly disabled SMB1/2 instead of SNMP?
Fred Marshall, Principal
Author
Commented:
McKnife:  No.  And there were many printers involved.  It was HARD to find SNMP so I was paying a lot of attention to that.  The one I "hit" was accompanied nearby by SNMPv3 and AFAIK there is no SMB3.  The HP printers are barely similar from one model to another.  Different menus, different nomenclature, etc.  But eventually one can find the SNMP settings.
Dr. Klahn, Principal Software Engineer

Commented:
Buy some cheap network printer servers with USB ports.  Bring up the printers as TCP printer ports.

Be sure to get a written opinion from whoever decided that SNMP is a danger, so that you can hang them with that later on when you have a bit of free time to prove them wrong.  If they're not willing to back up that opinion by putting it in writing with their name on it, clearly stating the nature of the danger, then it's not a danger and you should tell your manager that.


Hello There, System Administrator
Commented:
[comment not included in this copy of the page]
Fred Marshall, Principal
Author
Commented:
Just so we're on the same page: there is no print server.  So, I'm not sure where the "print server settings" reside....
?
Oh ... I found it.
Commented:
[comment not included in this copy of the page]
David Johnson, CD, Simple Geek from the '70s
Commented:
[comment not included in this copy of the page]
Fred Marshall, Principal
Author
Commented:
So, since I have an M402dn here in my office, I did some experiments with two computers.
I'm really sorry that I ventured there because it was an exercise in frustration and inconsistent results.
Eventually I got my own printing capability back but not without resetting the printer to defaults and rebooting everything, etc. etc.
I took the HP advice for security settings in the printer as best I could.  That's what caused the need for a reset to defaults.  It simply would not print any longer and I couldn't find a formula other than the obvious.
It's unusual for me but my conclusion here is that this stuff should not be messed with unless one has a lot of time on their hands - as in "in the printer business".  My way of avoiding hair pulling.  
I sure agree with the documentation aspect.  
Fred Marshall, Principal
Author
Commented:
Dr. Klahn:  Great idea!  Also, why add the little USB thingys for printers that are network capable in the first place?  I'd think they're good for USB-only printers.  Maybe as an "isolator" of sorts?

Hello There said: "When you set up a Windows computer to print to a network print device via a standard IP printer port, Windows turns on a setting on the IP printer port in its print server settings that queries the printer via SNMP to determine whether it is online or offline.  So, when you disabled SNMP on the printers, if you didn't turn off the SNMP status checking for the IP printer port on the company computers, then those printers will show up offline."

I sort of got the first part.  But it suggests that Windows then sets up a different mechanism (including being happily ignorant).  So I wonder what that might be?

arnold
Commented:
Correct, SNMP polling is how the Windows system determines when the printer is offline.

Often, securing against vulnerabilities starts with a report; then you assess the significance and impact.

Depending on the printer, using SNMP you could pull info such as remaining toner.
SNMP on printers is commonly read-only, so there is little risk.
Fred Marshall, Principal
Author
Commented:
arnold:  It seems that the HP printer default is for SNMP Read/Write - and there *is* a Read Only setting.

OK folks, I ventured into another experiment.  As David Johnson, hbhondt and Hello There suggested (and perhaps others) I did this:
1) Disabled the printer port SNMP Status Enabled setting on ALL the computers - how could it be less??
2) Disabled SNMP on the printer. ... IN THAT ORDER.
3) Confirmed printing works
4) Powered down the computer and the printer.
5) Powered on the printer.
6) Powered on the computers
7) Tested printing again.  It still works.

So, this appears to be part of a solution.
But, what happens when we introduce a new computer, install this printer and forget to turn off SNMP Status Enabled in the printer port settings?
Does that break the whole thing or....?  I hope not!  I guess not really, eh?

Is the crux of this that the computer, via the port SNMP setting, checks to see if the printer is alive.  If the printer isn't reporting via SNMP then the computer says it's off line.  
Then what?
If the port SNMP setting is disabled thereafter, does the computer revive or does it take a reboot or something even worse (like removing and reinstalling the printer?).

arnold
Commented:
Yes, the printer will be seen as always online.
Usually the spool test uses the public community, which should be read-only.
The point of a report of possible insecurity/vulnerability is to allow you, the admin, to assess whether the risk if any is a concern.
The risk of having an internal printer that has an SNMP port open and uses public even in read-write mode exposed to internal resources only to be compromised or be an entry .....

I would leave the SNMP port open and make sure public is read-only; if you need to have the ability to manage some printer settings via SNMP, configure the read-write community using a unique name and version enforcement.
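arnold's recommendation above, and Fred's earlier observation that the HP default is SNMP Read/Write, both turn on one question: does the community string the auditor found actually grant write access? The block below is an added example, not code from the thread, from HP or from Microsoft. It is a minimal SNMPv1 client in PowerShell (hand-built BER over System.Net.Sockets.UdpClient, no extra module, PowerShell 5.1 or later) that reads sysContact.0 with the community under test and then writes the identical value back, so nothing on the printer changes but a SET that returns error-status 0 proves the community is read-write. The target address and the community names in the usage lines are placeholders. One caveat built into the result strings: SNMPv1 agents silently drop requests with a rejected community, so "no response" is also what you get when SNMP is disabled on the printer or port 161 is filtered.

```powershell
# Added example for this thread (not code from HP, Microsoft or the posters).
# Minimal SNMPv1 over UDP: just enough BER to GET and SET one OCTET STRING varbind.

function New-Tlv([byte]$Tag, [byte[]]$Body) {
    # Tag, definite length (short form, or 1/2-byte long form), content.
    $out = [System.Collections.Generic.List[byte]]::new()
    $out.Add($Tag)
    $n = $Body.Length
    if ($n -lt 128)     { $out.Add([byte]$n) }
    elseif ($n -lt 256) { $out.Add(0x81); $out.Add([byte]$n) }
    else                { $out.Add(0x82); $out.Add([byte]($n -shr 8)); $out.Add([byte]($n -band 0xFF)) }
    if ($n -gt 0) { $out.AddRange($Body) }
    return ,$out.ToArray()
}

function New-Int([int]$Value) {
    # INTEGER: big-endian, leading 0x00 bytes dropped while the sign bit stays clear.
    $b = [System.BitConverter]::GetBytes($Value); [array]::Reverse($b)
    $i = 0
    while ($i -lt 3 -and $b[$i] -eq 0 -and $b[$i + 1] -lt 0x80) { $i++ }
    return ,(New-Tlv 0x02 ([byte[]]$b[$i..3]))
}

function New-Oid([string]$Oid) {
    # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits.
    $arcs = @($Oid.Trim('.').Split('.') | ForEach-Object { [uint32]$_ })
    $out = [System.Collections.Generic.List[byte]]::new()
    $out.Add([byte](40 * $arcs[0] + $arcs[1]))
    foreach ($arc in $arcs[2..($arcs.Count - 1)]) {
        $chunk = @([byte]($arc -band 0x7F))
        while (($arc = $arc -shr 7) -gt 0) { $chunk = @([byte](($arc -band 0x7F) -bor 0x80)) + $chunk }
        $out.AddRange([byte[]]$chunk)
    }
    return ,(New-Tlv 0x06 $out.ToArray())
}

function New-SnmpV1Message([byte]$PduTag, [string]$Community, [string]$Oid, [byte[]]$ValueTlv, [int]$RequestId) {
    # Message = SEQUENCE { version 0, community, PDU }; PDU = [tag] { request-id, error-status, error-index, varbinds }
    $varbind   = New-Tlv 0x30 ((New-Oid $Oid) + $ValueTlv)
    $pdu       = New-Tlv $PduTag ((New-Int $RequestId) + (New-Int 0) + (New-Int 0) + (New-Tlv 0x30 $varbind))
    $community = New-Tlv 0x04 ([System.Text.Encoding]::ASCII.GetBytes($Community))
    return ,(New-Tlv 0x30 ((New-Int 0) + $community + $pdu))
}

function Read-Tlv([byte[]]$Buf, [int]$Pos) {
    # Decode the tag and length at $Pos; report where the content starts and ends.
    $len = [int]$Buf[$Pos + 1]; $p = $Pos + 2
    if ($len -band 0x80) {
        $n = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Buf[$p]; $p++ }
    }
    [pscustomobject]@{ Tag = $Buf[$Pos]; Start = $p; End = $p + $len }
}

function Invoke-SnmpV1 {
    param([string]$Target, [string]$Community, [string]$Oid, [byte[]]$ValueTlv, [switch]$Set, [int]$TimeoutMs = 2000)
    $tag    = if ($Set) { 0xA3 } else { 0xA0 }              # SetRequest-PDU / GetRequest-PDU
    $packet = New-SnmpV1Message $tag $Community $Oid $ValueTlv (Get-Random -Minimum 1 -Maximum 0x7FFFFFFF)
    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Target, 161)
        [void]$udp.Send($packet, $packet.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp   = $udp.Receive([ref]$remote)
    } catch [System.Net.Sockets.SocketException] {
        return $null                                          # timeout: agent off, filtered, or community rejected
    } finally { $udp.Dispose() }

    # Walk the response: SEQUENCE > version, community, GetResponse > request-id, error-status, error-index, varbinds
    $ver = Read-Tlv $resp (Read-Tlv $resp 0).Start
    $pdu = Read-Tlv $resp (Read-Tlv $resp $ver.End).End
    $err = Read-Tlv $resp (Read-Tlv $resp $pdu.Start).End
    $idx = Read-Tlv $resp $err.End
    $vb  = Read-Tlv $resp (Read-Tlv $resp $idx.End).Start   # first varbind inside the list
    $val = Read-Tlv $resp (Read-Tlv $resp $vb.Start).End    # value follows the OID
    $status = 0
    for ($i = $err.Start; $i -lt $err.End; $i++) { $status = ($status -shl 8) -bor $resp[$i] }
    $value = if ($val.End -gt $val.Start) { [byte[]]$resp[$val.Start..($val.End - 1)] } else { [byte[]]@() }
    [pscustomobject]@{ ErrorStatus = $status; Value = $value }
}

function Test-SnmpCommunityAccess {
    param([Parameter(Mandatory)][string]$Target, [string]$Community = 'public')
    $sysContact = '1.3.6.1.2.1.1.4.0'                        # MIB-II sysContact: writable by design, harmless
    $get = Invoke-SnmpV1 -Target $Target -Community $Community -Oid $sysContact -ValueTlv (New-Tlv 0x05 @())
    if (-not $get) { return 'no response: SNMP off, filtered, or community rejected' }
    if ($get.ErrorStatus -ne 0) { return "GET refused, error-status $($get.ErrorStatus)" }
    # Write the value just read straight back: proves write access without changing anything.
    $set = Invoke-SnmpV1 -Target $Target -Community $Community -Oid $sysContact -ValueTlv (New-Tlv 0x04 $get.Value) -Set
    if (-not $set) { return 'read-only: agent dropped the SET' }
    switch ($set.ErrorStatus) {
        0       { 'READ-WRITE: SET accepted with this community (the audit finding stands)' }
        2       { 'read-only: noSuchName on SET' }
        4       { 'read-only: readOnly on SET' }
        default { "SET refused, error-status $_" }
    }
}

# Test-SnmpCommunityAccess -Target '10.0.0.50'                       # placeholder printer address
# Test-SnmpCommunityAccess -Target '10.0.0.50' -Community 'private'
```

Run it once with the default "public" and once with whatever read-write name you configure; the first should come back read-only (or no response if you disabled SNMP), the second READ-WRITE only from the hosts you intend. That pair of results, saved with the date, is the evidence the auditor is actually asking for.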



Hello There, System Administrator

Commented:
"But, what happens when we introduce a new computer, install this printer and forget to turn off SNMP Status Enabled in the printer port settings?"
You will see that something is wrong. It will behave the same way you described in the original post. But since we are discussing it, I hope you will remember this and you won't forget. Now seriously. Make a note about this and make it as part of the setup procedure.
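The procedure Fred worked through by hand (turn off "SNMP Status Enabled" on every port, then disable SNMP on the printer) and Hello There's point about making it part of the setup so a new machine cannot reintroduce the problem can both be scripted. The block below is an added example, not code from the thread, from HP or from Microsoft. It reads the per-port values the Standard TCP/IP Port monitor keeps under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports (the registry home of the Configure Port dialog; "SNMP Enabled" is the checkbox, "SNMP Community" the string beside it), clears the flag and restarts the spooler, and adds a new port with polling off from the start via Add-PrinterPort (PrintManagement module, Windows 8 / Server 2012 and later). Port names and addresses are placeholders; run it elevated. The assumption that Add-PrinterPort leaves SNMP off when -SNMP is not given is checked rather than trusted: the function echoes the new port's settings.

```powershell
# Added example for this thread (not code from HP, Microsoft or the posters).
# Run in an elevated PowerShell on each client, or push it through GPO/RMM.
# Documented location of the Standard TCP/IP Port monitor's per-port values.
$PortsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports'

function Get-TcpIpPortSnmpSettings {
    # One object per Standard TCP/IP port: what the "Configure Port" dialog shows,
    # read straight from the registry so it also works where PrintManagement is absent.
    Get-ChildItem -Path $PortsKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Port        = $_.PSChildName
            HostName    = $p.HostName
            IPAddress   = $p.IPAddress
            SnmpEnabled = [bool]$p.'SNMP Enabled'      # the "SNMP Status Enabled" checkbox
            Community   = $p.'SNMP Community'
        }
    }
}

function Disable-TcpIpPortSnmpStatus {
    # Step 1 of the procedure: clear the flag on every polling port (or only -PortName)
    # BEFORE SNMP is turned off on the printer, then restart the spooler so the port
    # monitor re-reads its settings. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$PortName)

    $targets = @(Get-TcpIpPortSnmpSettings | Where-Object { $_.SnmpEnabled })
    if ($PortName) { $targets = @($targets | Where-Object { $PortName -contains $_.Port }) }

    foreach ($t in $targets) {
        $key = Join-Path -Path $PortsKey -ChildPath $t.Port
        if ($PSCmdlet.ShouldProcess($t.Port, 'Set "SNMP Enabled" = 0')) {
            Set-ItemProperty -Path $key -Name 'SNMP Enabled' -Value 0 -Type DWord
        }
    }
    if ($targets.Count -gt 0 -and $PSCmdlet.ShouldProcess('Spooler', 'Restart-Service')) {
        Restart-Service -Name Spooler      # brief interruption of queued jobs
    }
    return $targets.Count                  # how many ports were (or would be) changed
}

function Add-TcpIpPortWithoutSnmp {
    # For new machines: create the port with status polling off instead of relying on
    # someone remembering the checkbox. Without -SNMP/-SNMPCommunity, Add-PrinterPort is
    # expected to leave polling disabled; the settings are echoed so you can confirm it.
    # If the printers keep SNMP on with a unique read-only community, pass
    # -SNMP 1 -SNMPCommunity '<that name>' to Add-PrinterPort instead.
    param(
        [Parameter(Mandatory)][string]$Name,                # e.g. 'IP_10.0.0.50' (placeholder)
        [Parameter(Mandatory)][string]$PrinterHostAddress,  # printer IP or DNS name
        [int]$PortNumber = 9100                              # raw / JetDirect port
    )
    Add-PrinterPort -Name $Name -PrinterHostAddress $PrinterHostAddress -PortNumber $PortNumber
    Get-TcpIpPortSnmpSettings | Where-Object { $_.Port -eq $Name }
}

# Usage (placeholder names):
# Get-TcpIpPortSnmpSettings | Format-Table          # audit: which ports still poll, with which community
# Disable-TcpIpPortSnmpStatus -WhatIf               # preview
# Disable-TcpIpPortSnmpStatus                       # apply, then disable SNMP on the printer
# Add-TcpIpPortWithoutSnmp -Name 'IP_10.0.0.50' -PrinterHostAddress '10.0.0.50'
```

The audit function doubles as the check for the "forgot the checkbox on a new computer" case: a port listed with SnmpEnabled True against a printer whose SNMP is off is exactly the one that will show Offline.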
Fred Marshall, Principal
Author
Commented:
I have recommended an option with a unique Community Name for read only.
This seems to work when the computer is set up:
1) SNMP turned off
2) SNMP turned on and the unique Community Name provided.

Hello There:  Yes.  I'm pretty good at documenting things.  Getting people to remember and to read is a different matter!

arnold: The IT Audit included an Internal Vulnerability scan and penetration attempts (from inside of course).  So, what might we expect?  I have also recommended an option to argue this one away and, to ask "what is the apparent risk with this?".
arnold
Commented:
It is hard to comment without seeing the actual statement of the SNMP audit report, but commonly the statement is uniform in applicability to any SNMP where you can pull data using the public community.
The printer SNMP data pull, even using the public community, reflects no risk.
Even using SNMP version 1.
arnold
Commented:
Consider the report as one given to open doors in an office.

Office 325 is an eating area.
It has a list of contacts.
The report says:
325: door unsecured, access to information exists.

A network scan is informational, to alert the reader to see whether there is a risk in one versus another.
Printers should be exempt from this.

Note, SNMP can be used to poll the printer for info on utilization and toner level if you want to be proactive.
Fred Marshall, Principal
Author
Commented:
Yes, *we* know, but one must convince those who don't that there's an argument to be made, and then help them to make an argument that they can reasonably understand.
So, arnold, that's a good analogy!
Fred Marshall, Principal
Author
Commented:
Thanks all!