Setting Up a Secure Printing Environment

iPrint is designed to take full advantage of eDirectory security and ease of management. Setting up a secure printing environment can be done on three levels:

  • Print access control: Create a secure printing management infrastructure by assigning users to User, Operator, or Manager roles. This restricts the list of those who can control printers, Print Managers, and brokers.

  • Printer security levels: Printer security levels control how access to printers is managed. By default, the client application will control print security, but this responsibility can be moved to the Print Manager to provide greater security.

  • Securing iPrint with SSL: This option not only encrypts print communications over the wire, but also requires users to authenticate before installing and printing to a printer.

Each of these levels is discussed in the following sections.

Print Access Control

Printer security is ensured through the assignment of the Manager, Operator, and User Access Control roles, and by the strategic placement of printers and printer configurations. For more information on eDirectory access control in general, see Chapter 6, "Users and Network Security."

The access controls for iPrint allow you to specify the access each User, Group, or Container object will have to your printing resources. It is important to remember that all iPrint print roles function independently. For example, assigning someone as a printer manager does not automatically grant said person the rights of a printer user.

In most cases, the default assignments will prevent any problems that this role independence might cause. For example, a printer manager is automatically assigned as a printer operator and user for that printer. Similarly, a printer operator is automatically assigned as a user of that printer as well. You cannot remove the user role from an operator, and you cannot remove the operator and user roles from a manager.

The creator of an iPrint object is automatically assigned to all supported roles for the type of object being created.

You can assign multiple Printer objects to a given printer agent, but simultaneously make different access control assignments to each Printer object. This means that users in different containers can be assigned different trustee rights to the same printer.

Printer Roles

As previously alluded to, there are three roles associated with iPrint printing services: Manager, Operator, and User. Table 7.4 describes the rights granted to each role.

Table 7.4. NDPS Print Roles and Their Associated Rights

ROLE

ASSOCIATED RIGHTS

Manager

NDPS tasks performed exclusively by the printer manager are those that require the creation, modification, or deletion of NDPS Printer objects, as well as other eDirectory administrative functions. Printer managers are automatically designated as printer operators and users as well, so they can perform all tasks assigned to the operator role. Typical manager functions include the following:

  • Modifying and deleting Printer objects

  • Adding or deleting operators and users for a printer

  • Adding other managers

  • Configuring interested-party notification

  • Creating, modifying, or deleting printer configurations

Operator

Print operators cannot create, modify, or delete eDirectory objects or perform other eDirectory administrative functions. Their management tasks include the following:

  • Performing all of the functions available through the Printer Control page

  • Pausing, restarting, or reinitializing printers

  • Reordering, moving, copying, and deleting jobs

  • Setting printer defaults, including locked properties

  • Configuring print job spooling

User

Print users only have rights to submit and manage print jobs that they own. Users cannot copy, move, reorder, or remove jobs they do not own. To simplify administration, the container within which a printer resides is automatically assigned as a user for that printer. That way, all users in that container inherit printer user rights. You can delete the Container object as a printer user in order to block access to the printer for users in that container.

To define the role assignment for a printer, complete the following steps:

  1. From iManager, select iPrint and click Manage Printer.

  2. Specify the printer for which you want to configure access controls and click OK.

  3. At the Manage Printer page, select the Access Control tab, as shown in Figure 7.7.

    Figure 7.7. Access Control tab for defining printer management roles in ConsoleOne.


  4. Make your desired changes by adding or deleting members from the User, Operator, and Manager roles for this printer. eDirectory objects that can be assigned in these roles include User, Group, or Container objects. Click OK to save your changes.

Following these changes, printer access will be granted according to the access controls you have defined.

Print Manager Access Controls

Print Manager security is provided exclusively through the printer manager role in iManager. The printer manager role was discussed previously in the "Printer Roles" section. Refer to Table 7.4 for more information on iPrint administrative roles in iManager. For more information on role-based administration with iManager, see Chapter 3, "Novell Management Tools." Common administrative tasks related to the print manager include the following:

  • Creating printer agents and NDPS Manager objects

  • Adding or deleting operators and users for a printer

  • Adding other managers

  • Configuring interested-party notification

  • Creating, modifying, or deleting printer configurations

You should plan on assigning users who need to perform these types of tasks as occupants of the printer manager role.

NDPS Broker Access Controls

There are two roles associated with the NDPS Broker object. The printer manager role was discussed previously in the "Printer Roles" section. Refer to Table 7.4 for more information on iPrint administrative roles in iManager:

  • Manager: NDPS tasks performed exclusively by the broker manager require the creation, modification, or deletion of Broker objects, as well as those that involve other eDirectory administrative functions. Typical manager functions include the following:

    • Creating, modifying, and deleting Broker objects

    • Adding other managers

    • Enabling or disabling brokered services

    • Adding resources to the Resource Management Service

    • Assigning or changing a broker password

  • Public access user: A public access user is a role assigned to all individuals on the network who are users of printers receiving services and resources provided by the broker. This role is assigned by default and does not require specific administrative action by the broker manager.

You can also assign a password to the broker interface for increased security. After the broker loads on your NetWare server, navigate to the Broker screen and press F4.

Printer Security Levels

Printer security levels affect how rights to a printer are determined and enforced. There are three security levels:

  • Low: Security is enforced by the client applications only.

  • Medium (default): Security is enforced by the NDPS manager if print data integrity is involved. If print data integrity is not involved, security is enforced by the client applications.

  • High: Security is enforced by the NDPS manager for all operations.

As noted, the default security level is Medium. For sensitive print data, you can set the security level to High, but there is a trade-off between print performance and print security. To set a printer's security level, complete the following steps:

  1. From iManager, select iPrint Management and click Manage Printer.

  2. Specify the printer for which you want to change security levels and click OK.

  3. At the Manage Printer page, select the Access Control tab and click the Security subpage.

  4. In the Security Level field, set the level of security for this printer and click OK to save your changes.

The printer will now adhere to the security characteristics defined by the security level you have applied to that printer.

WARNING

As you can see, making security level changes will affect all print jobs going to this printer, so make sure you consider the consequences carefully.


Securing iPrint with SSL

Secure printing takes advantage of SSL, which requires users to authenticate using their eDirectory usernames and passwords. Users must authenticate once per eDirectory tree per session. The print data is encrypted, and all print communications use port 443. Without secure printing, the printer is available to anyone on the local network and print communications are not encrypted. Secure printing works in conjunction with the security level set for the printer.

Table 7.5 shows how access is determined, depending on the level of printer security and if secure printing is enabled or disabled. Printer security levels were discussed in a previous section.

Table 7.5. Effects of Printer Security and Secure Printing Options

PRINTER SECURITY LEVEL | SECURE PRINTING DISABLED (NO SSL) | SECURE PRINTING ENABLED (WITH SSL)
-----------------------|-----------------------------------|-----------------------------------
Low | Full access | eDirectory authentication.
Medium | Check of users' effective rights | eDirectory authentication and check of users' effective rights.
High | Users must use SSL and authenticate to eDirectory | Users will receive an error if they do not use SSL. eDirectory authentication, check users' effective rights, and connection verification are all required.
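
The following added example (not from the book or from Novell) models in Python how the role rules from the "Printer Roles" section and the combinations in Table 7.5 interact when a print request is evaluated. The object names, the dictionary layout, and the assumption that container membership follows from the dotted object name are constructed for illustration; connection verification is listed but not modeled.

```python
"""Model of this chapter's print access rules. Added example; all data is constructed."""

# Role independence with the default implications: Manager implies Operator
# and User, Operator implies User.
IMPLIED = {"manager": {"manager", "operator", "user"},
           "operator": {"operator", "user"},
           "user": {"user"}}

# Table 7.5: checks applied per (security level, secure printing enabled).
# None means the request is refused, because High requires SSL.
CHECKS = {("low", False): set(),                # "Full access"
          ("low", True): {"auth"},
          ("medium", False): {"rights"},
          ("medium", True): {"auth", "rights"},
          ("high", False): None,
          ("high", True): {"auth", "rights", "connection"}}

def identities(user_dn, groups=()):
    """The user, its groups, and every container above it in the dotted name."""
    parts = user_dn.split(".")
    containers = {".".join(parts[i:]) for i in range(1, len(parts))}
    return {user_dn, *groups} | containers

def effective_roles(acl, user_dn, groups=()):
    """Roles held directly or through a Group/Container trustee, plus implied roles."""
    who = identities(user_dn, groups)
    roles = set()
    for role, trustees in acl.items():
        if who & set(trustees):
            roles |= IMPLIED[role]
    return roles

def can_print(printer, user_dn, groups=(), authenticated=False):
    """Whether a request is accepted; user_dn is the identity presented with it."""
    checks = CHECKS[(printer["level"], printer["secure"])]
    if checks is None:
        return False                            # High without SSL: user gets an error
    if "auth" in checks and not authenticated:
        return False                            # secure printing needs an eDirectory login
    if "rights" in checks:
        return "user" in effective_roles(printer["acl"], user_dn, groups)
    return True                                 # Low: the role list is never consulted

# Constructed sample: the default container trustee was removed so that only
# one group may print, but the printer was left at Low without secure printing.
PRINTER = {"level": "low", "secure": False,
           "acl": {"manager": ["cn=admin.o=acme"], "operator": [],
                   "user": ["cn=hr-staff.ou=hr.o=acme"]}}
```

In the sample, a user outside the hr-staff group is still accepted, because at Low without secure printing the restricted User list is not part of the decision; raising the level to Medium makes the same role list take effect.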

To enable SSL support for a given printer, or for all printers associated with a given print manager, complete the following steps:

  1. From iManager, select iPrint and click Enable iPrint Support.

  2. Specify the print service manager for which you want to enable IPP printing.

  3. At the Enable iPrint Support page, check the box next to Enabled and click OK. This will enable IPP on all printers assigned to this print service manager. You can also select printers individually by checking the box from the Enabled column next to each printer you want iPrint enabled.

  4. (Optional) Use the same check box procedure in the Secure column to enable secure printing as needed for printers associated with this print manager. More information on securing your printing services was provided earlier in this chapter.

  5. Click OK to return to the iManager home page.

As you probably noted, this same routine can also be used to disable/enable iPrint support for a printer should that be necessary.



Novell NetWare 6.5 Administrator's Handbook
ISBN: 0789729849
EAN: 2147483647
Year: 2002
Pages: 172
