Securing Printer Usage in Windows Server 2003 (Part 2)

by [Published on 11 April 2007 / Last Updated on 11 April 2007]

Printer permissions and other security settings.

If you would like to read the other parts in this article series please go to:

In the first part of this article series, I showed you how to configure standalone printers so that their print queue is hosted on a server running Windows Server 2003. Now that the print queue has been moved to a Windows server, it’s time to move forward with securing your printers.

Let’s begin by taking a look at the printer’s properties sheet. You can access this properties sheet by navigating through the server’s Start menu to Control Panel | Printers and Faxes. When you select the Printers and Faxes menu, the print queues that are hosted by the server should be displayed on a submenu. Right click on the print queue that you want to secure and select the Properties command from the resulting shortcut menu.

When the printer’s properties sheet opens, the General tab will be selected by default. There really isn’t much that you can do in the way of security from the General tab, so go to the Sharing tab instead. As you can see in Figure A, the Sharing tab allows you to specify the printer’s share name. The share name is used as a part of the Universal Naming Convention (UNC). There are numerous commands that can be used to manually attach to the printer using the UNC. For example, if you wanted to manually map the LPT1 port to the printer in question, you could use the following command:

NET USE LPT1: \\servername\sharename

In the command above, servername represents a server that is hosting the shared printer, while sharename is the name that the printer is shared under.


Figure A: The Sharing tab allows you to set the printer’s share name

At first glance this tab looks a lot like the screen that you would use to share a folder on a file system. Generally speaking, sharing a printer works a lot like sharing a file folder, but with one major difference. When you share a file folder, you are given the opportunity to set both NTFS level and share level permissions. If you look at Figure A, you will notice that there is no mechanism for setting permissions on the Sharing tab. Instead, all of the permissions are set through the Security tab, which I will discuss later on.

There are a couple of things that you can do on the Sharing tab to help to increase the security of the printer. One option is to not list the printer in the Active Directory. Not listing the printer in the Active Directory won’t render the printer invisible, because users can still browse the network for the printer (using a NetBIOS style browse, not by browsing the Active Directory). It reduces the chances of users casually stumbling onto the printer.

If you look at Figure A, you will notice the Additional Drivers button. Windows is designed so that when users attach to the printer through a share, the necessary drivers will be automatically installed onto the user’s computer. If you happen to be in a situation in which you know that everybody with a legitimate need to print to the printer is running a specific operating system, then you can install drivers only for that operating system. Again, this isn’t a true security solution, because a user could always manually install a driver on their PC by downloading it from the Internet (assuming that they have permission to do so). Not automatically giving users a driver when they attach to the printer simply forces users to jump through additional hoops.

None of the settings on the Sharing tab are what I would consider to be “real” security settings, but they are simply things that can improve security to a minor degree in some situations, so I wanted to mention them.

The Advanced Tab

The Advanced tab doesn’t really contain a lot of security settings, but there is one setting that I wanted to show you. If you look at Figure B, you’ll see that the Advanced tab contains a setting that allows you to control when the printer is and is not available. If you know that no one in the company has any business printing to the printer after hours, then you can set the printer so that it is only available during business hours.


Figure B: The Advanced tab contains a setting that allows you to control when the printer is and is not available

The Security Tab

The Security tab, shown in Figure C, allows you to assign the actual permissions that apply to the print queue. As is the case when securing a file system, you can apply permissions to both users and to groups. It is usually considered a better practice to only apply security to groups.


Figure C: The Security tab allows you to assign permissions to users or to groups

If you look at the figure, you will see four different permissions that you can set for the printer. The screen is actually a little bit misleading because it implies that these are the only permissions available. If you’re serious about gaining the tightest possible security over the printer, then you need to forget all about this screen, and click the Advanced button instead.

Upon doing so, Windows will display the Advanced Security Settings properties sheet. This properties sheet contains its own Permissions tab that allows you to set permissions for users and groups in a manner similar to that of the screen shown in Figure C. The difference is that this screen gives you access to more permissions than the printer properties sheet’s Security tab does, as shown in Figure D.


Figure D: The Advanced Security Settings properties sheet allows you to assign a more comprehensive set of permissions than the basic Security tab found on the printer’s properties sheet does

At first, having access to additional permissions probably sounds like a bad thing if you’re trying to lock down the printer. Keep in mind that you can either allow or deny each permission. This is handy because permissions are cumulative. Suppose for instance that a user is a member of two different groups. The group’s permissions would be combined to form the effective permissions for the user. Normally in a situation like this, the least restrictive permissions apply. The exception is that if a user is given a specific denial, then the denial will take precedence over any permissions that have been applied. You can use this concept to gain truly granular control over printer permissions. Before I show you how, let’s take a quick look at what the various permissions do.

Print – If a user has been assigned to the print permission, then the user is allowed to print to the printer.

Manage Printers – The Manage Printers permission gives users the right to modify the printer’s properties and to change the permissions that apply to other users.

Manage Documents – The Manage Documents permission allows users to do things such as pause, restart, or delete print jobs.

Read Permissions – If a user has been assigned to read permissions, then the user will be able to see the permissions that have been assigned to each user.

Change Permissions – As the name implies, Change Permissions allows a user to modify the permissions that other users have to the printer.

Take Ownership – The Take Ownership permission allows a user to take ownership of the printer.

Earlier I mentioned that you could use the various permissions in conjunction with approvals and denials to create highly granular permission settings. For example, the Manage Printers permission allows a user to modify the printer’s properties and to change its permissions. Suppose that you did not want the printer manager to be able to modify the printer’s permissions. You could grant the user the Manage Printers permission, but set a specific denial on the Changed Permissions permission. In doing so, you would allow the user to manage printers, but would forbid them from changing any permissions.

Conclusion

As you can see, there are many settings that you can use to help secure printers in your company. In Part three of this article series, I will continue the discussion by showing you how to audit printer usage.

If you would like to read the other parts in this article series please go to:

Advertisement

Featured Links