Wednesday, November 26, 2008

Planning for Print Server Security

Planning for print server security is vital in order to protect your organization’s resources. As with any production server, you need to protect the physical print server and safeguard access to data stored on the server. Consequently, your security plan must address three areas:
  • Physical location
  • Group Policy settings
  • Printer permissions

Ensuring the Physical Security of Each Print Server

Locate your print servers in a physically secure location that only designated individuals can access. Allowing unauthorized access to your print servers risks harm to the system. In addition, consider to what extent you also need to restrict physical access to network hardware. The details of implementing these security measures depend on your physical facilities as well as your organization’s structure and policies.

Securing the Print Environment

Windows Server 2003 adds new Group Policy settings that affect how clients connect to print servers on the network. Two of these policy settings are particularly useful for security.

Allow print spooler to accept client connections. This Group Policy setting, which is configured on the server, determines how clients access the print server over the network. If an individual with administrative credentials creates shared printers for use by managed clients, the spooler automatically allows connections upon creation of the first shared printer. If a virtual spooler resource is created on a clustered server, the spooler likewise automatically allows connections. If no shared printers or virtual spooler resources already exist, you might need to enable this policy setting by using the Computer Management snap-in from a remote computer. To administer print services on a server running Windows Server 2003, log on to the server locally, or log on remotely through a Remote Desktop session.

Point and Print restrictions. This Group Policy setting, which is configured on client computers, determines the print servers to which the client can connect. To provide a higher level of security for managed workstations, this policy setting controls a client computer’s ability to connect to and install a printer driver from specified print servers. By default, managed clients can use Point and Print only with servers that are within their forest. An administrator can use this policy to add servers to the list of trusted print servers. Alternatively, administrators can disable this policy to enable managed clients to connect to any accessible print server and install a printer driver from it.
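The following audit script is an added example, not part of the source article. It reports how the two policy settings described above are configured on the local machine. The registry paths and value names (RegisterSpoolerRemoteRpcEndPoint, Restricted, InForest, TrustedServers, ServerList) are assumptions taken from the Windows policy templates rather than from this page; the script checks both HKLM and HKCU because the Point and Print policy is user-scoped on older Windows versions and computer-scoped on later ones.

```powershell
# Added example: report the state of the two print policies on this machine.
# Registry locations are assumptions; confirm them for your OS version.
$base = 'Software\Policies\Microsoft\Windows NT\Printers'

function Get-PolicyValue($Hive, $SubKey, $Name) {
    # Returns the value, or $null when the policy is not configured.
    $item = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Server side: "Allow print spooler to accept client connections".
$rpc = Get-PolicyValue 'HKLM' $base 'RegisterSpoolerRemoteRpcEndPoint'
if     ($rpc -eq 1) { 'Spooler: policy enabled, client connections accepted' }
elseif ($rpc -eq 2) { 'Spooler: policy disabled, client connections refused' }
else   { 'Spooler: not configured, connections allowed once a printer is shared' }

# Client side: "Point and Print restrictions".
foreach ($hive in 'HKLM', 'HKCU') {
    $key        = "$base\PointAndPrint"
    $restricted = Get-PolicyValue $hive $key 'Restricted'

    if ($null -eq $restricted) {
        "$hive Point and Print: not configured (default: servers in the forest only)"
        continue
    }
    if ($restricted -eq 0) {
        # The setting the article warns about: drivers from any reachable server.
        "$hive Point and Print: DISABLED, any accessible print server is trusted"
        continue
    }

    $inForest = Get-PolicyValue $hive $key 'InForest'
    $trusted  = Get-PolicyValue $hive $key 'TrustedServers'
    $list     = Get-PolicyValue $hive $key 'ServerList'
    $servers  = @()
    if ($list) { $servers = @($list -split ';' | Where-Object { $_ }) }

    "$hive Point and Print: enabled (forest-only=$inForest, trusted-list=$trusted)"
    if ($trusted -eq 1 -and $servers.Count -eq 0) {
        "  trusted-server list is turned on but empty"
    }
    foreach ($s in $servers) { "  trusted server: $s" }
    if ($inForest -ne 1 -and $trusted -ne 1) {
        "  WARNING: neither restriction is set, so no server limit applies"
    }
}
```

Run it on the print server for the spooler line and on a managed workstation for the Point and Print lines, then compare the trusted-server list against the servers you actually intend clients to use.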

Using Printer Permissions to Control Access to Shared Printers

Even if the physical server is in a secure room, the print server might still be accessible through remote administration tools. Therefore, you need to implement methods for restricting access to remote administration of print servers. You can restrict access to a print server by setting printer permissions.

Source: /technet.microsoft.com/en-us/library/cc780641.aspx
