Lesson 2: Securing Access to Print Resources | MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)

When you design secure access to print resources, consider not only who is allowed to print to a particular printer but also the security of data as it's transmitted to the printer. You need to protect traffic to restricted printers, such as check printers, and prevent users from printing sensitive or confidential material to public printers.

After this lesson, you will be able to

Plan secure access to print resources

Estimated lesson time: 30 minutes

Assessing Printer Security

You assign printer security by defining permissions when a printer is shared. The permissions you can assign for a printer include

Print. A security principal assigned this permission can submit print jobs to a printer and have the printer process the jobs.
Manage Documents. A security principal assigned this permission can change the order of documents and pause or delete documents in the print queue. By default, this permission is assigned to the special group named Creator Owner. This assignment allows all users to manage their own print jobs submitted to a printer.
Manage Printers. A security principal assigned this permission can share a printer and change a printer's properties.

Many times, though, security requirements for a printer may be more encompassing than simply defining print permissions. In some cases security of the printer output becomes just as important. In the case of confidential documents, this may include the physical security of the printers and the protection of the print job as it's transmitted to the network printer.

For physical security, print devices can be located in a secure place that may require security cards or biometric input to access the device.

To prevent transmission interception of a print job by a network sniffer, you can deploy Internet Protocol Security (IPSec) to protect data print streams to the server hosting the printer, as shown in Figure 6.7. Network sniffers are able to view the contents of data packets as they are transmitted across the network if the packets are not encrypted.

click to view at full size.

Figure 6.7 Protecting printer data transmissions

To implement IPSec, you must define IPSec policies that require IPSec for any data transmissions sent to the print server. At this time you can't use IPSec to print to a physical print device, so the print device must be locally attached to the print server (using a parallel, USB, or serial port) to ensure end-to-end security of the print transmission.

NOTE
For more information on planning IPSec, see Chapter 12, "Securing Data with Internet Protocol Security."

Making the Decision

Table 6.4 shows how to secure printing in your organization.

Table 6.4 Print Security Design Decisions

To	Do the Following
Restrict access to the printer to specific groups	Change the default permissions to only allow the specific domain local groups Print permissions. You'd of users make the users members of the domain local group by placing the users in a global group that's a member of the domain local group.
Delegate administration of a printer	Make the security principal a member of the Print Operators group. To restrict to a specific printer, assign the Manage Printers permissions to the security principal.
Prevent inspection of print jobs	Use IPSec between the clients and the print server. Locate printers that print confidential data in restricted areas of the office. Attach the printers directly to the print server. Network-attached printers currently are incapable of performing IPSec operations.

Do the Following

Restrict access to the printer to specific groups

Change the default permissions to only allow the specific domain local groups Print permissions. You'd of users make the users members of the domain local group by placing the users in a global group that's a member of the domain local group.

Delegate administration of a printer

Make the security principal a member of the Print Operators group.

To restrict to a specific printer, assign the Manage Printers permissions to the security principal.

Prevent inspection of print jobs

Use IPSec between the clients and the print server.

Locate printers that print confidential data in restricted areas of the office.

Attach the printers directly to the print server. Network-attached printers currently are incapable of performing IPSec operations.

Applying the Decision

The only security that Wide World Importers requires is to prevent employees who aren't members of the Graphics department from using the Agfa Proset 9800 printer. You can easily accomplish this by changing the default share permissions for the printer. Figure 6.8 shows the recommended print permissions that limit usage to the Graphics department.

Figure 6.8 Recommended print permissions for the Agfa Proset 9800

Because the jobs sent to the printer are all magazine layouts and graphics that will be for public consumption, you don't need to protect data transmissions to the film printer.

Lesson Summary

While configuring print security may not seem as important as configuring file security, sometimes confidential documents must be secured to prevent inspection of the output. Print security design must include restricting who can access the printer, planning printer placement, and using IPSec where required to prevent inspection of the print job stream.