Modern Canon Multifunction Devices (MFDs) provide print, copy, scan, send and fax functionality.
MFDs are computer servers in their own right, providing a number of networked services along
with significant hard drive storage.
When an organisation introduces these devices into their infrastructure, there are a number
of areas that should be addressed as part of the wider security strategy, which should look to
protect the confidentiality, integrity and availability of your networked systems.
Clearly, deployments will differ and organisations will have their own specific security
requirements. While we work together to ensure that Canon devices are shipped with appropriate
initial security settings, we aim to further support this by providing a number of configuration
settings to enable you to more closely align the device to the requirements of your specific
situation.
This document is designed to provide sufficient information to enable you to discuss with Canon
or a Canon partner the most appropriate settings for your environment. It should be noted that not
all device hardware has the same level of capability and different system software may provide
different functionality. Once decided, the final configuration can be applied to your device or fleet.
Please feel free to contact Canon or a Canon partner for further information and support.
Canon imageRUNNER ADVANCE Hardening Guide
Who is this document meant for?
This document is aimed at anybody who is
concerned with the design, implementation and
securing of office multifunction devices (MFDs)
within a network infrastructure. This might
include IT and network specialists, IT security
professionals, and service personnel.
Scope and coverage
The guide explains and advises on the
configuration settings for two typical network
environments, so that organisations can
securely implement an MFD solution based
on best practice. It also explains (from system
software platform version 3.8) how Syslog
functionality can provide real-time feedback
from the MFD. These settings have been tested
and validated by Canon’s Security team.
We make no assumptions about specific
industry sector regulatory requirements, which
may impose other security considerations and
are out of scope of this document.
This guide was created based upon the typical
feature set of the imageRUNNER ADVANCE
platform, and while the information here
applies to all models and series within the
imageRUNNER ADVANCE range, some features
may differ between models.
Implementing appropriate MFD security for
your environment
To explore the security implications of
implementing a multifunction device as part of
your network, we have considered two typical
scenarios:
• A typical small office environment
• An enterprise office environment
SMALL OFFICE ENVIRONMENT
Typically, this will be a small business environment with an un-segmented network topology.
It uses one or two MFDs for its internal use and these devices are not accessible on the Internet.
While mobile printing is available, additional solution components will be required. For those users
requiring printer services outside of a LAN environment, a secure connection is required, but this
will not be covered in this guide. However, attention should be paid to the security of the data in
transit between the remote device and the print infrastructure.
Figure 1 Small Office Network (diagram: Internet and Canon e-Maintenance / Canon Remote Services
behind a firewall; client PC, file server, fax over PSTN, wireless access point and the multifunctional
device on the LAN; mobile devices for an external user, an internal user and a user connected directly
to the device over WiFi Direct)
The latest generation of imageRUNNER ADVANCE models provide wireless network
connectivity allowing the device to connect to a WiFi network. It can also be used to establish
a point-to-point WiFi Direct connection with a mobile device without the need for a network
connection.
Bluetooth and NFC options are available on several device models; they are used only to establish
the WiFi Direct connection, Bluetooth for iOS devices and NFC for Android devices respectively.
CONFIGURATION CONSIDERATIONS
Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below, it is
regarded as being sufficient in the default settings for this business and network environment.
Table 1 Small Office Environment Configuration Considerations

Feature | Purpose | Recommendation
SNMP | Network monitoring integration | Disable version 1 and enable version 3 only. … and maximum length password
… | … non-standard device settings | Password protect with a non-default, non-trivial and maximum length password
… | … network shares | System administrators should, by policy, disallow any users from creating local accounts on their client machine for use in sharing documents with the imageRUNNER ADVANCE over SMB
… | … | … should enable HTTPS for the remote UI and disable HTTP access. Enable the use of PIN authentication unique to each device
Send to e-mail and/or IFAX | Send emails from the device with attachments | Enable SSL. Do not use the POP3 authentication before SMTP send. Use SMTP authentication
POP3 | Automatically fetch and print documents from mailbox | Enable SSL. Enable POP3 authentication
Address book / LDAP | Use directory service to look up home number or email addresses to send scans to | Enable SSL. Do not use domain credentials to authenticate against the LDAP server; use LDAP specific credentials
FTP Print | Upload & download documents to and from the embedded FTP server | Turn on FTP authentication. Be aware that FTP traffic will always travel in clear text over the network
WebDAV Send | Scan and Store documents on a remote location | Enable authentication for WebDAV shares
Encrypted PDF | Encrypt documents | By policy sensitive documents should only be encrypted using PDF version 1.6 (AES-128)
Secure Print | Print job is sent to the device but locked in the print queue until the corresponding PIN number is entered | Enable PIN protected print jobs
Syslog event notification | System Logging Protocol is a standard industry protocol used to send system log or event messages to a specific server called a Syslog server | Consider pointing the imageRUNNER Syslog data to your existing network syslog analysis tool or enterprise Security Event Management System (SIEM) platform
Verify System at start-up | Provides assurance that the system software components have not been compromised. It will have a minimal impact upon system boot time | Enable function
Embedded web browser | Browser access to Internet | Enforce through administration, the use of a content filtering web proxy to avoid malicious or viral content being accessed. Disable the creation of favourites
Bluetooth and NFC (available from Generation 3 models) | Used to establish a WiFi Direct connection | Enable WiFi Direct to allow direct connection to a mobile device. WiFi Direct may not be used when WiFi is used to connect to a network
Wireless LAN | Provides Wireless access | Use WPA-PSK/WPA2-PSK with strong passwords
IPP | Connect and send printing jobs over IP | Disable IPP
AN ENTERPRISE OFFICE ENVIRONMENT
This is typically a multi-site, multi-office environment with segmented network architecture. It has
multiple MFDs deployed on a separate VLAN accessible for internal use via print server(s). These
MFDs are not accessible from the Internet.
This environment will usually have a permanent team to support its networking and back office
requirements along with general computer issues, but it is assumed they will not have specific
MFD training.
Figure 2 Enterprise Office Network (diagram: general network infrastructure with client PC, Syslog/SIEM
server, wireless access point and print server; a dedicated print VLAN holding the devices and iW MC; a
second network infrastructure with its own wireless access point and client PC; firewalls to the Internet,
Canon e-Maintenance / Canon Remote Services, fax over PSTN, and mobile devices for internal and external
users. Connections highlighted in red will be available from Generation 3 models)
CONFIGURATION CONSIDERATIONS
Please note that unless a feature of the imageRUNNER ADVANCE is mentioned below, it is
regarded as being sufficient in the default settings for this business and network environment.
Feature | Purpose | Recommendation
… | … | … and maximum length password
… | … non-standard device settings | Password protect with a non-default, non-trivial and maximum length password
… | … network shares | System administrators should, by policy, disallow any users from creating local accounts on their machine for use in sharing documents with the imageRUNNER ADVANCE over SMB
… | … | … Remote UI completely by disabling HTTP and HTTPS
… | … | Enable certificate verification at the SMTP server; if that is not viable, only use this feature in an environment where a Network Intruder Detection System collector is present. Do not use the POP3 authentication before SMTP send. Use SMTP authentication. Enable SSL
… | … mailbox | Enable certificate verification at the POP3 server; if that is not viable, only use this feature in an environment where a Network Intruder Detection System collector is present. Enable POP3 authentication. Enable SSL
… | … email addresses to send scans to | Enable certificate verification at the LDAP server; if that is not viable, only use this feature in an environment where a Network Intruder Detection System collector is present. Do not use domain credentials to authenticate against the LDAP server; use LDAP specific credentials. Enable SSL
… | … | Enforce the printer to only allow files ending with the “file printing extensions” to be uploaded
Encrypted PDF | Encrypt documents | By policy sensitive documents should only be encrypted using PDF version 1.6 (AES-128)
Encrypted Secure Print | Enhance the protection of Secure Print by encrypting the file and the password during transmission | Configure the username in the Printer tab on the client printer configuration to a different username than the LDAP/domain credentials of that user. Ensure “Restrict printer jobs” is turned off
Certificate Auto Enrolment | The auto enrolment process improves the efficiency of digital certification retrieval and deployment | Requires a network certificate solution to leverage
Syslog event notification | System Logging Protocol is a standard industry protocol used to send system log or event messages to a specific server called a Syslog server | Consider pointing the imageRUNNER ADVANCE Syslog data to your existing network syslog analysis tool or enterprise Security Event Management System (SIEM) platform
Verify System at start-up | Provides assurance that the system software components have not been compromised. It will have a minimal impact upon system boot time | Enable function
Wireless LAN | Provides Wireless access | Use WPA-PSK/WPA2-PSK with strong passwords
WiFi Direct | Used to establish a WiFi Direct connection | Disable WiFi Direct
Embedded web browser (available from Generation 3 2nd edition models) | Browser access to Internet | Apply appropriate restrictions or disable ability to download files acquired via the browser
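As an added example (not Canon's code or part of the guide), the following script checks whether a device's reachable TCP services match the small-office and enterprise tables above: HTTP off with HTTPS kept for the Remote UI (or both off in the enterprise profile), IPP off, and FTP Print flagged because its traffic is clear text. Port numbers are the IANA defaults and are an assumption, since the guide names services rather than ports.

```python
"""Audit the TCP services an imageRUNNER ADVANCE exposes against the two
configuration tables (added example, not Canon's code). Port numbers are
IANA defaults and an assumption: the guide names services, not ports."""
import socket
import sys
from typing import Dict, List, Set

PORTS: Dict[str, int] = {"ftp": 21, "http": 80, "https": 443, "ipp": 631}

# Expected state per service, read off the tables:
#   small office: HTTP off but HTTPS kept for the Remote UI, IPP off,
#                 FTP Print only with authentication (its traffic is clear text).
#   enterprise:   as above, but the Remote UI may be switched off entirely
#                 (HTTP and HTTPS both disabled), so HTTPS is "any".
POLICY: Dict[str, Dict[str, str]] = {
    "small_office": {"http": "closed", "https": "open", "ipp": "closed", "ftp": "warn"},
    "enterprise":   {"http": "closed", "https": "any",  "ipp": "closed", "ftp": "warn"},
}

def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def scan(host: str) -> Set[str]:
    """Names of the services in PORTS that accept a connection on host."""
    return {name for name, port in PORTS.items() if tcp_open(host, port)}

def evaluate(open_services: Set[str], profile: str) -> List[str]:
    """Compare observed open services with the profile and list deviations."""
    findings: List[str] = []
    for svc, expected in POLICY[profile].items():
        is_open = svc in open_services
        if expected == "closed" and is_open:
            findings.append(f"FAIL {svc}/{PORTS[svc]}: open, but {profile} requires it disabled")
        elif expected == "open" and not is_open:
            findings.append(f"FAIL {svc}/{PORTS[svc]}: closed, but {profile} requires it enabled")
        elif expected == "warn" and is_open:
            findings.append(f"WARN {svc}/{PORTS[svc]}: FTP Print reachable; traffic is clear "
                            "text, so confirm FTP authentication is enabled")
    return findings

if __name__ == "__main__":  # usage: python audit.py <device-ip> [small_office|enterprise]
    target, chosen = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "small_office")
    results = evaluate(scan(target), chosen)
    print("\n".join(results) or f"{target}: compliant with the {chosen} profile")
```

Run it from the same VLAN as the device after applying the settings; a SNMP check is deliberately left out because SNMP is UDP and needs a community or v3 credential to probe.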
The latest generation of imageRUNNER ADVANCE models provide wireless network
connectivity, allowing the device to connect to a WiFi network whilst simultaneously connected
to a wired network. This scenario can be useful where the customer needs to share a device
across two networks. A school environment is a typical example where there are separate staff
and pupil networks.