Brother MFC printers ship with FTP, telnet, and a raft of other services turned on by default. A scan of the client network revealed a half dozen of these printers with mostly default configs. Time to secure the printers!
Firmware Update
First, we need to update the firmware. Head to the Brother website for the firmware update tool:
The first instruction on this page is to print a test page. If the printer can’t print, the firmware update will fail.
Connect the printer via USB to the updating computer and launch the updater. The computer must have internet access for the updater to check for the latest firmware. A list of connected printers will appear. Select the printer, accept the terms, and click Next.
The most annoying part of this update is that the printer will begin beeping. It sounds like you’re setting the high score in Pac-Man. The Brother updater says that the update can take up to fifteen minutes, but mine took less than 5 minutes each.
Passwords
An administrator password had been set on the printers. I had a note with the password and it worked on half of the printers. I tried the default password on the others (admin:access), but no dice. The printer can be reset from the control panel, which will revert the password back to default.
Settings
The settings menu that we want to focus on is Network Configuration > Configure Protocol. Here’s what that menu looks like initially:
The goal here is to turn off the unneeded services, thereby reducing the attack surface of the printer. For this environment, most of the services are not required. Please note that the changes do not occur until the printer is restarted.
Here is the Configure Protocol menu after the changes:
- Web Based Management (Web Server) – Leave this setting on to allow the device to be managed via the web interface.
- SNMP – Click Advanced Settings next to SNMP. Set the SNMP mode to v3. Uncheck Enable in the BRAdmin section (unless you use BRAdmin). Finally, set the SNMP admin and privacy passwords.
- LPD (PC Fax Send) – This is the Line Printer Daemon service on TCP 515. Required for network printing.
- SNTP – Set the SNTP servers here.
All set! An Nmap scan of the printers now shows the unnecessary ports closed.