STIGQter: STIG Summary:

Multifunction Device and Network Printers STIG

Version: 2

Release: 14

Benchmark Date: 25 Oct 2019

SV-6999r2_rule: The MFD or Network Printer must not enable network protocols other than TCP/IP.
SV-7001r2_rule: A firewall or router rule must block all ingress and egress traffic from the enclave perimeter to the MFD or Network Printer.
SV-7002r2_rule: The MFD or Network Printer must employ the most current firmware available.
SV-7003r2_rule: The default passwords and SNMP community strings of all management services have not been replaced with complex passwords.
SV-7004r2_rule: The MFD or Network Printer must maintain configuration state (e.g., passwords, service settings) after a power down or restart.
SV-7005r2_rule: Management protocols, with the exception of HTTPS and SNMPv3, must be disabled at all times except when necessary.
SV-7009r1_rule: There is no restriction on where a MFD or a printer can be remotely managed.
SV-7015r1_rule: Print services for a MFD or printer are not restricted to Port 9100 and/or LPD (Port 515). Where both Windows and non-Windows clients need services from the same device, both Port 9100 and LPD can be enabled simultaneously.
SV-7019r3_rule: A MFD or printer is not configured to restrict jobs to those from print spoolers.
SV-7021r1_rule: Print spoolers are not configured to restrict access to authorized users and restrict users to managing their own individual jobs.
SV-7022r1_rule: The devices and their spoolers do not have auditing enabled.
SV-7023r3_rule: Implementation of an MFD and printer security policy for the protection of classified information.
SV-7024r2_rule: The level of audit has not been established or the audit logs being collected for the devices and print spoolers are not being reviewed.
SV-7025r2_rule: MFDs with print, copy, scan, or fax capabilities must be prohibited on classified networks without the approval of the DAA.
SV-7026r1_rule: A MFD device, with scan to hard disk functionality used, is not configured to clear the hard disk between jobs.
SV-7027r1_rule: Scan to a file share is enabled but the file shares do not have the appropriate discretionary access control list in place.
SV-7028r2_rule: Auditing of user access and fax logs must be enabled when fax from the network is enabled.
SV-7029r2_rule: MFDs must not allow scan to SMTP (email).
SV-7030r1_rule: A MFD device does not have a mechanism to lock and prevent access to the hard drive.
SV-7031r1_rule: The device is not configured to prevent non-printer administrators from altering the global configuration of the device.
SV-106815r1_rule: The MFD must be configured to prohibit the use of all unnecessary and/or nonsecure functions, physical and logical ports, protocols, and/or services.