
Thread: Securing Printer Usage in Windows Server 2003

  
  1. #1
    نام حقيقي: 1234

    مدیر بازنشسته
    تاریخ عضویت
    Jul 2009
    محل سکونت
    5678
    نوشته
    5,634
    سپاسگزاری شده
    2513
    سپاسگزاری کرده
    272

    Securing Printer Usage in Windows Server 2003

    Code:
    http://www.windowsnetworking.com/articles_tutorials/Introduction-AppLocker-Part1.html

    PART-1
    Over the last few years, printers have become so inexpensive that it’s easy to not even give them a second thought. Even so, there are situations when it is probably best for you to know who has been printing to printers on your network. For example, your company’s accounts payable department may have a printer that they use to print checks. You probably have this type of printer configured so that not just anyone with a domain user account can print to it. Even so, it is usually important to know if an unauthorized user tried to print to it and to track the checks that legitimate users have printed.
    I have also seen companies restrict printers that use expensive supplies. For example, one of the companies that I used to work for had a photo printer that could print 36x24 inch photos. As you can imagine, poster sized photo paper isn’t cheap (or at least it wasn’t back then), and it took a lot of ink to print a photo that size. Consequently, only a couple of users were authorized to print to the printer. That being the case, the company decided to audit the use of this printer to ensure that expensive supplies were not being wasted on unnecessary print jobs.
    It really doesn’t matter why a printer is restricted. If your company sees fit to restrict the use of a printer, then it is probably a good idea to audit the printer to make sure that it is not being used for unauthorized purposes. In this article, I will show you how to implement printer auditing, and explain what your various auditing options are.
    It is easiest to restrict and audit printers when the print queue is hosted on a server that’s running Windows Server 2003. Keep in mind that this doesn’t mean that the printer has to be physically attached to the server. The server can simply host the print queue for a network printer. For example, in my own organization I have a printer that has its own network card. As such, it is possible to print to the printer without the printer having to be connected to a server. If users were allowed to print to such a printer directly, it would be impossible to track printer usage through conventional means.
    If you are interested in restricting or auditing such a printer, then you are better off creating a print queue on one of your servers and treating the network printer as if it were connected to the server (even though it isn’t).
    To see how this works, click the server’s Start button and select the Control Panel | Printers and Faxes | Add Printer options from the Start menu. When you do, Windows will launch the Add Printer wizard.
    Click Next to bypass the wizard’s Welcome screen. You will now see a screen similar to the one that’s shown in Figure A. As you can see in the figure, this screen asks you if you want to use a printer that is locally attached to the server, or if you would prefer to use a network printer. This screen is somewhat misleading because although we are creating a print queue for a network printer, Windows doesn’t see it that way. If you were to choose the Network Printer option, Windows would assume that you were connecting to either a printer that is being hosted over the Internet or to a printer that is already being hosted by another Windows machine. This means that you would have to connect to the printer by entering either a URL, a UNC based share name, or by performing an Active Directory query. For the purposes of this article, I am assuming that we are trying to audit a standalone printer, so none of these options apply. That being the case, go ahead and choose the Local Printer option, even though the printer isn’t actually local.

    Figure A: Windows gives you a choice of connecting to a local printer or a network printer
    You will now see a screen similar to the one that’s shown in Figure B. As you can see in the figure, Windows assumes that the printer is connected to the server through a parallel port (LPT1). You can’t use the LPT1 option since the printer is not connected directly to the server (most printers don’t even have a parallel port any more anyway). All of the other options on the Use the Following Port drop down list also refer to local ports. You will therefore have to select the Create a New Port option.

    Figure B: The Add Printer Wizard tries to connect to a locally attached printer by default
    The Create a New Port drop down list contains two options; Local Port and Standard TCP/IP port. Choose the Standard TCP/IP port option and click Next. When you do, Windows will launch the Add Standard TCP/IP Printer Port wizard. Click Next to bypass the wizard’s Welcome screen and you will see a screen similar to the one that’s shown in Figure C, asking you for a printer name or IP address and a port name.

    Figure C: You must enter the printer’s IP address and a port name
    The printer should already have an IP address assigned to it, so just enter that address into the space provided. You can enter anything that you want for the port name, but keep in mind that the port name must be unique. By default, Windows will create a port name of IP_ followed by the printer’s IP address. You can use this port name, or create your own.
    Click Next and you will see a summary screen displaying the options that you have entered, as shown in Figure D. Notice in the figure that the port that you are configuring is set to accept RAW print data over port 9100, and that Windows assumes that the printer uses an HP Jet Direct interface.

    Figure D: Windows displays a summary of the options that you have chosen
    Click Finish, and you will be returned to the Add Printer wizard. The next screen that you will see asks you what type of printer you are setting up. You can either select the correct printer type from the list, or use the Have Disk option to supply a print driver of your own.
    Click Next and you will be taken to a screen asking you for a printer name and whether or not you want Windows to use this as the default printer. The answers to these questions are totally up to you. After making your selections, click Next.
    You will now see a screen similar to the one shown in Figure E, asking you if you want to share the printer. Up to this point, Windows has assumed that you are only setting up the printer so that you can print to it from the server console. If your goal is to audit printer use, then you must share the printer.

    Figure E: You must share the printer
    Your goal is to direct all jobs that are destined for the printer through the server that you are currently configuring. By doing so, you will be able to restrict access to the printer (if necessary), and you will be able to audit the printer’s use.
    I should also mention that it is important that you only set up one server to share this printer. Otherwise, it will be possible for multiple servers to spool jobs to the printer simultaneously, and the printer can get confused.
    Click Next and you will be prompted to enter the printer’s location and an optional comment. This information is intended to help users to figure out which physical printer the print queue belongs to.
    Click Next and you will be given the opportunity to print a test page. After doing so, click Next one more time, followed by Finish. The server is now set up to manage print jobs for the printer. Remember that you must redirect your workstations so that they print to the server’s UNC share name (\\server name\share name) rather than printing to the printer directly.
    Conclusion

    In this article, I have shown you how to configure a server to manage a network printer. In Part 2 of this series, I will continue the discussion by showing you how to secure and audit the print queue.

  2. #2
    Posted by 1234 (retired administrator, member since Jul 2009)

    Code:
    http://www.windowsnetworking.com/articles_tutorials/Securing-Printer-Usage-Windows-Server-2003-Part2.html
    PART-2

    In the first part of this article series, I showed you how to configure standalone printers so that their print queue is hosted on a server running Windows Server 2003. Now that the print queue has been moved to a Windows server, it’s time to move forward with securing your printers.
    Let’s begin by taking a look at the printer’s properties sheet. You can access this properties sheet by navigating through the server’s Start menu to Control Panel | Printers and Faxes. When you select the Printers and Faxes menu, the print queues that are hosted by the server should be displayed on a submenu. Right click on the print queue that you want to secure and select the Properties command from the resulting shortcut menu.
    When the printer’s properties sheet opens, the General tab will be selected by default. There really isn’t much that you can do in the way of security from the General tab, so go to the Sharing tab instead. As you can see in Figure A, the Sharing tab allows you to specify the printer’s share name. The share name is used as a part of the Universal Naming Convention (UNC). There are numerous commands that can be used to manually attach to the printer using the UNC. For example, if you wanted to manually map the LPT1 port to the printer in question, you could use the following command:
    NET USE LPT1: \\servername\sharename
    In the command above, servername represents a server that is hosting the shared printer, while sharename is the name that the printer is shared under.

    Figure A: The Sharing tab allows you to set the printer’s share name
    At first glance this tab looks a lot like the screen that you would use to share a folder on a file system. Generally speaking, sharing a printer works a lot like sharing a file folder, but with one major difference. When you share a file folder, you are given the opportunity to set both NTFS level and share level permissions. If you look at Figure A, you will notice that there is no mechanism for setting permissions on the Sharing tab. Instead, all of the permissions are set through the Security tab, which I will discuss later on.
    There are a couple of things that you can do on the Sharing tab to help to increase the security of the printer. One option is to not list the printer in the Active Directory. Not listing the printer in the Active Directory won’t render the printer invisible, because users can still browse the network for the printer (using a NetBIOS style browse, not by browsing the Active Directory). It reduces the chances of users casually stumbling onto the printer.
    If you look at Figure A, you will notice the Additional Drivers button. Windows is designed so that when users attach to the printer through a share, the necessary drivers will be automatically installed onto the user’s computer. If you happen to be in a situation in which you know that everybody with a legitimate need to print to the printer is running a specific operating system, then you can install drivers only for that operating system. Again, this isn’t a true security solution, because a user could always manually install a driver on their PC by downloading it from the Internet (assuming that they have permission to do so). Not automatically giving users a driver when they attach to the printer simply forces users to jump through additional hoops.
    None of the settings on the Sharing tab are what I would consider to be “real” security settings, but they are simply things that can improve security to a minor degree in some situations, so I wanted to mention them.
    The Advanced Tab

    The Advanced tab doesn’t really contain a lot of security settings, but there is one setting that I wanted to show you. If you look at Figure B, you’ll see that the Advanced tab contains a setting that allows you to control when the printer is and is not available. If you know that no one in the company has any business printing to the printer after hours, then you can set the printer so that it is only available during business hours.

    Figure B: The Advanced tab contains a setting that allows you to control when the printer is and is not available
    The Security Tab

    The Security tab, shown in Figure C, allows you to assign the actual permissions that apply to the print queue. As is the case when securing a file system, you can apply permissions to both users and to groups. It is usually considered a better practice to only apply security to groups.

    Figure C: The Security tab allows you to assign permissions to users or to groups
    If you look at the figure, you will see four different permissions that you can set for the printer. The screen is actually a little bit misleading because it implies that these are the only permissions available. If you’re serious about gaining the tightest possible security over the printer, then you need to forget all about this screen, and click the Advanced button instead.
    Upon doing so, Windows will display the Advanced Security Settings properties sheet. This properties sheet contains its own Permissions tab that allows you to set permissions for users and groups in a manner similar to that of the screen shown in Figure C. The difference is that this screen gives you access to more permissions than the printer properties sheet’s Security tab does, as shown in Figure D.

    Figure D: The Advanced Security Settings properties sheet allows you to assign a more comprehensive set of permissions than the basic Security tab found on the printer’s properties sheet does
    At first, having access to additional permissions probably sounds like a bad thing if you’re trying to lock down the printer. Keep in mind that you can either allow or deny each permission. This is handy because permissions are cumulative. Suppose for instance that a user is a member of two different groups. The group’s permissions would be combined to form the effective permissions for the user. Normally in a situation like this, the least restrictive permissions apply. The exception is that if a user is given a specific denial, then the denial will take precedence over any permissions that have been applied. You can use this concept to gain truly granular control over printer permissions. Before I show you how, let’s take a quick look at what the various permissions do.
    Print – If a user has been assigned to the print permission, then the user is allowed to print to the printer.
    Manage Printers – The Manage Printers permission gives users the right to modify the printer’s properties and to change the permissions that apply to other users.
    Manage Documents – The Manage Documents permission allows users to do things such as pause, restart, or delete print jobs.
    Read Permissions – If a user has been assigned to read permissions, then the user will be able to see the permissions that have been assigned to each user.
    Change Permissions – As the name implies, Change Permissions allows a user to modify the permissions that other users have to the printer.
    Take Ownership – The Take Ownership permission allows a user to take ownership of the printer.
    Earlier I mentioned that you could use the various permissions in conjunction with approvals and denials to create highly granular permission settings. For example, the Manage Printers permission allows a user to modify the printer’s properties and to change its permissions. Suppose that you did not want the printer manager to be able to modify the printer’s permissions. You could grant the user the Manage Printers permission, but set a specific denial on the Change Permissions permission. In doing so, you would allow the user to manage printers, but would forbid them from changing any permissions.
    Conclusion

    As you can see, there are many settings that you can use to help secure printers in your company. In Part three of this article series, I will continue the discussion by showing you how to audit printer usage.
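    The permission-precedence rules described in this post (allows from every group accumulate, an explicit Deny wins, and a Deny on Change Permissions carves that right out of Manage Printers) modelled as a small Python evaluator. This is an added example, not code from the forum post or the article it quotes; the set of rights folded into Manage Printers and the constructed ACL are assumptions of the model, not a Windows API.

```python
"""Model of how Windows combines printer permissions (added example, not part of the
forum post or the article it quotes). It assumes the rules the article states: Allow
entries from all of a user's groups accumulate, and an explicit Deny overrides any Allow.
The set of rights folded into Manage Printers is an assumption of this model, based on
the article's statement that it covers changing properties and permissions."""
from dataclasses import dataclass

PERMISSIONS = ("Print", "Manage Printers", "Manage Documents",
               "Read Permissions", "Change Permissions", "Take Ownership")

# Assumption: Manage Printers carries these lower-level rights along with it.
IMPLIED = {
    "Manage Printers": {"Print", "Read Permissions", "Change Permissions", "Take Ownership"},
}


@dataclass(frozen=True)
class Ace:
    """One access control entry on the print queue."""
    principal: str    # user or group name
    permission: str   # one of PERMISSIONS
    allow: bool       # True for an Allow entry, False for a Deny entry


def expand(perms):
    """Add the rights implied by any composite permission in `perms`."""
    out = set()
    for p in perms:
        if p not in PERMISSIONS:
            raise ValueError(f"unknown printer permission: {p!r}")
        out.add(p)
        out |= IMPLIED.get(p, set())
    return out


def effective_permissions(user, groups, acl):
    """Rights `user` ends up with: the union of Allows for the user and all of the
    groups, minus anything explicitly denied to the user or any of those groups."""
    principals = {user, *groups}
    allowed = expand({a.permission for a in acl if a.allow and a.principal in principals})
    denied = expand({a.permission for a in acl if not a.allow and a.principal in principals})
    # A Deny on one right removes only that right; the composite label is kept.
    return allowed - denied


def can(user, groups, acl, permission):
    """True if `permission` is among the user's effective rights."""
    return permission in effective_permissions(user, groups, acl)


# Constructed ACL for a check printer, mirroring the post's scenario: the
# Print Managers group may manage the printer but must not edit its permissions.
CHECK_PRINTER_ACL = [
    Ace("Finance Users", "Print", allow=True),
    Ace("Print Managers", "Manage Printers", allow=True),
    Ace("Print Managers", "Change Permissions", allow=False),
    Ace("Temps", "Print", allow=False),
]

if __name__ == "__main__":
    # alice manages the printer but cannot change its permissions.
    print(sorted(effective_permissions("alice", {"Print Managers", "Finance Users"}, CHECK_PRINTER_ACL)))
    # bob is allowed Print through Finance Users but denied it through Temps; the Deny wins.
    print(sorted(effective_permissions("bob", {"Finance Users", "Temps"}, CHECK_PRINTER_ACL)))
```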
  3. #3
    Posted by 1234 (retired administrator, member since Jul 2009)

    Code:
    http://www.windowsnetworking.com/articles_tutorials/Securing-Printer-Usage-Windows-Server-2003-Part3.html
    PART-3

    In the first part of this article series, I explained that the most effective way to manage a network printer is to create a print queue on one of your network servers and force all of the print jobs to pass through that queue. In the second part of this series, I walked you through some basic techniques for securing the print queue that you created in Part 1. In this article, I will conclude the series by showing you how to audit the use (and attempted use) of a network printer.
    Why Audit Network Printing?

    There are several reasons why you might want to audit the use of a network printer. As I explained earlier in this series, it is essential to audit the printer that your company uses to print checks. You need to know who has been printing checks and whether or not any unauthorized person has been trying to print checks.
    A less extreme example of auditing involves managing printer supplies such as ink and paper. I have been in some companies in which printer use is monitored so that individual departments can be charged for the supplies that they use. I have also seen cases in which high end photo printers were audited for unauthorized use because the supplies are so expensive.
    Auditing a Network Printer

    Now that I have talked a little bit about why you might want to audit network printing, let’s move on to the auditing process itself. If you have ever looked through your server's security logs, then you probably realize that printer auditing is not enabled by default. To enable printer auditing, choose the Printers and Faxes command from your server’s Start menu. Upon doing so, you will see the now familiar Printers and Faxes window. Right-click on the printer that you want to audit, and select the Properties command from the resulting shortcut menu. Doing so will reveal the printer's properties sheet that you worked with in the previous part of this article series.
    At this point, you must select the Security tab and then click the Advanced button. When you do, Windows will display the Advanced Security Settings properties sheet. Select the properties sheet’s Auditing tab, and you will see that it is completely empty, as shown in Figure A.

    Figure A: Printer auditing is disabled by default
    The way that printer auditing is set up, auditing focuses on users and groups rather than focusing on the printer itself. What this means is that you can't just tell Windows to create an audit log entry any time anyone sends a print job to the printer (at least not directly). Instead, Windows requires you to specify the names of users or groups that you want to audit. If your goal is to audit any and all use of the printer in question, then you can always audit the Everyone group.
    With this in mind, click the Add button, and you will be taken to a screen that asks you to enter the names of the users or groups that you want to audit, as shown in Figure B. After entering the user or group names, I strongly recommend clicking the Check Names button. Doing so will ensure that you have spelled the names correctly and that the names are valid. After all, auditing won't do you much good if you are auditing non-existent users or groups.

    Figure B: Windows requires you to enter the names of the users or groups that you want to audit
    Click OK and you will be taken to the Auditing Entry dialog box, shown in Figure C. As you can see in the figure, this dialog box allows you to audit both the success and the failure of various printer related events. To enable auditing, all you have to do is to select the events that you want to audit and click OK. Before you do, it is important to understand what the various events actually mean.

    Figure C: The Auditing Entry dialog box allows you to control which events you want to audit
    In the section below, I will describe what each of the events that you can audit actually mean. As I do, it is important to keep in mind that my descriptions assume that you're auditing the success of a particular event. Auditing a failure of these events simply means that someone attempted to perform an action that would normally result in the event if the user had the appropriate permissions. For example, performing a success audit on the Print event would cause a security log entry to be created every time someone printed a job on the printer. A failure audit of the same event would create the event log entries any time that someone attempted to print to the printer, but couldn't because they lacked sufficient permissions. With that in mind, here are the various events and what they mean:

    • Print - The user being audited has sent a print job to the printer.
    • Manage Printers - A user has modified either the printer's properties or its permissions.
    • Manage Documents - A user has paused, resumed, restarted, or deleted a spool print job.
    • Read Permissions - A user has looked at the printer's security permissions.
    • Change Permissions - A user has modified the printer's security permissions.
    • Take Ownership - A user has taken ownership of the printer.

    What Should You Audit?

    With all of these auditing settings available to you, you might be wondering what you should actually audit. It really just depends on the nature of the printer and how much security you need. If the printer is used to print checks, then I would recommend performing both success and failure audits on every event. On the other hand, if the printer is a general-purpose printer that is heavily used, then you would not want to perform success audits on the Print event. If you did, then the event log would quickly grow to an unmanageable size because a new log entry would be created every time someone sends a print job to the printer.
    I tend to think that the majority of the printers in the average organization probably do not need to be audited. However, if a printer is used for financial purposes (such as printing checks), or consumes expensive supplies, then you might want to think about auditing the printer. In these types of situations, I would recommend auditing both success and failure events related to Manage Printers and Change Permissions events. I would also recommend auditing failures of the Print event.
    Conclusion

    In this article series, I have explained that it is easy to overlook printers when developing a network security plan because printers have become so commonplace that they hardly seem to be a security threat. Even so, there are situations in which ignoring your printers can result in a substantial financial loss for the company. As such, I recommend configuring any sensitive printers to use a centralized print queue that is hosted by a Windows server. After doing so, you can easily enforce security on the printer and audit its use or attempted use.
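    The review policy recommended in this post (audit everything on a check printer; on other sensitive printers review Manage Printers and Change Permissions outcomes plus Print failures) applied to a batch of audit records, with a count of repeated Print failures per user as a simple unauthorized-attempt signal. This is an added example, not code from the post or the article; the log line format, printer names and thresholds are constructed for the example and are not the Windows Security log format.

```python
"""Triage of printer audit records, as an added example (not part of the forum post
or the article it quotes). The line format below is constructed for the example and
is not the Windows Security log format. The rules follow the post's advice: audit
every event on a check printer, and on other sensitive printers review Manage
Printers and Change Permissions (success and failure) plus Print failures."""
import re
from collections import Counter

EVENTS = ("Print", "Manage Printers", "Manage Documents",
          "Read Permissions", "Change Permissions", "Take Ownership")

# Constructed sample records: timestamp, outcome, event, user, printer.
SAMPLE_LOG = """\
2009-07-14 09:12:03 SUCCESS Print user=CORP\\alice printer=CheckPrinter
2009-07-14 09:15:41 FAILURE Print user=CORP\\bob printer=CheckPrinter
2009-07-14 09:15:52 FAILURE Print user=CORP\\bob printer=CheckPrinter
2009-07-14 09:16:07 FAILURE Print user=CORP\\bob printer=CheckPrinter
2009-07-14 10:02:19 SUCCESS Change Permissions user=CORP\\carol printer=PhotoPrinter
2009-07-14 10:30:00 SUCCESS Print user=CORP\\dave printer=PhotoPrinter
2009-07-14 11:45:12 FAILURE Manage Printers user=CORP\\bob printer=PhotoPrinter
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<outcome>SUCCESS|FAILURE) (?P<event>.+?) "
    r"user=(?P<user>\S+) printer=(?P<printer>\S+)$")

# Constructed classification of the printers in the sample (assumption).
PRINTER_CLASSES = {"CheckPrinter": "check", "PhotoPrinter": "sensitive"}


def parse(log_text):
    """Parse the constructed log format into dicts; reject anything unrecognised."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["event"] not in EVENTS:
            raise ValueError(f"unrecognised audit line: {line!r}")
        records.append(m.groupdict())
    return records


def audit_policy(printer_class):
    """(event, outcome) pairs worth reviewing for a printer of the given class."""
    if printer_class == "check":
        return {(e, o) for e in EVENTS for o in ("SUCCESS", "FAILURE")}
    if printer_class == "sensitive":
        return {("Manage Printers", "SUCCESS"), ("Manage Printers", "FAILURE"),
                ("Change Permissions", "SUCCESS"), ("Change Permissions", "FAILURE"),
                ("Print", "FAILURE")}
    return set()  # general-purpose printers: success audits of Print would flood the log


def triage(records, printer_classes, repeat_threshold=3):
    """Return (records matching the policy, (user, printer) pairs with repeated Print failures)."""
    flagged = [r for r in records
               if (r["event"], r["outcome"])
               in audit_policy(printer_classes.get(r["printer"], "general"))]
    failures = Counter((r["user"], r["printer"]) for r in records
                       if r["event"] == "Print" and r["outcome"] == "FAILURE")
    repeated = {key for key, n in failures.items() if n >= repeat_threshold}
    return flagged, repeated


if __name__ == "__main__":
    flagged, repeated = triage(parse(SAMPLE_LOG), PRINTER_CLASSES)
    for r in flagged:
        print(r["ts"], r["outcome"], r["event"], r["user"], r["printer"])
    print("repeated Print failures:", repeated)
```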