When you design secure access to print resources, consider not only who is allowed to print to a particular printer but also the security of data as it's transmitted to the printer. You need to protect traffic to restricted printers, such as check printers, and prevent users from printing sensitive or confidential material to public printers.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
You assign printer security by defining permissions when a printer is shared. The permissions you can assign for a printer include
Many times, though, security requirements for a printer may be more encompassing than simply defining print permissions. In some cases security of the printer output becomes just as important. In the case of confidential documents, this may include the physical security of the printers and the protection of the print job as it's transmitted to the network printer.
For physical security, print devices can be located in a secure place that may require security cards or biometric input to access the device.
To prevent a network sniffer from intercepting a print job in transit, you can deploy Internet Protocol Security (IPSec) to protect print data streams sent to the server hosting the printer, as shown in Figure 6.7. If the packets are not encrypted, a network sniffer can view their contents as they are transmitted across the network.
Figure 6.7 Protecting printer data transmissions
To implement IPSec, you must define IPSec policies that require IPSec for any data transmissions sent to the print server. At this time you can't use IPSec to print to a physical print device, so the print device must be locally attached to the print server (using a parallel, USB, or serial port) to ensure end-to-end security of the print transmission.
For more information on planning IPSec, see Chapter 12, "Securing Data with Internet Protocol Security."
Table 6.4 shows how to secure printing in your organization.
Table 6.4 Print Security Design Decisions
|To|Do the Following|
|---|---|
|Restrict access to the printer to specific groups|Change the default permissions to allow Print permissions only to the specific domain local groups of users. You'd make the users members of the domain local group by placing the users in a global group that's a member of the domain local group.|
|Delegate administration of a printer|Make the security principal a member of the Print Operators group. To restrict to a specific printer, assign the Manage Printers permissions to the security principal.|
|Prevent inspection of print jobs|Use IPSec between the clients and the print server. Locate printers that print confidential data in restricted areas of the office. Attach the printers directly to the print server. Network-attached printers currently are incapable of performing IPSec operations.|
The only security that Wide World Importers requires is to prevent employees who aren't members of the Graphics department from using the Agfa Proset 9800 printer. You can easily accomplish this by changing the default share permissions for the printer. Figure 6.8 shows the recommended print permissions that limit usage to the Graphics department.
Figure 6.8 Recommended print permissions for the Agfa Proset 9800
Because the jobs sent to the printer are all magazine layouts and graphics that will be for public consumption, you don't need to protect data transmissions to the film printer.
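The group-nesting guidance in Table 6.4 can be checked mechanically. The following is an added example, not part of the original lesson: it audits a printer's permission list against that guidance and resolves who can actually print. All group names, user names, and both permission lists are constructed for illustration.

```python
# Constructed sample directory: group name -> (scope, direct members).
GROUPS = {
    "GraphicsUsers":  ("global",       {"alice", "bob"}),
    "HelpDesk":       ("global",       {"carol"}),
    "DL_ProsetPrint": ("domain_local", {"GraphicsUsers"}),
    "DL_ProsetAdmin": ("domain_local", {"HelpDesk"}),
}
# Permissions that let the holder submit jobs (Manage Printers includes Print).
CAN_PRINT = {"Print", "Manage Printers"}

def expand(principal, seen=None):
    """Follow nested group membership down to user accounts."""
    seen = set() if seen is None else seen
    if principal == "Everyone":
        return {"*"}                      # every account; cannot be enumerated
    if principal not in GROUPS:
        return {principal}                # not a known group: a user account
    if principal in seen:
        return set()                      # circular nesting guard
    seen.add(principal)
    users = set()
    for member in GROUPS[principal][1]:
        users |= expand(member, seen)
    return users

def audit_printer_acl(acl):
    """acl is a list of (principal, permission) allow entries.
    Returns (findings, set of users who can print)."""
    findings, can_print = [], set()
    for principal, permission in acl:
        scope = GROUPS.get(principal, ("user or special identity",))[0]
        if scope != "domain_local":
            findings.append(f"{permission} assigned to {principal} ({scope}), "
                            "not to a domain local group")
        if permission in CAN_PRINT:
            can_print |= expand(principal)
    return findings, can_print

# Constructed permission lists: an open default-style entry vs. the restricted design.
DEFAULT_ACL = [("Everyone", "Print"), ("DL_ProsetAdmin", "Manage Printers")]
RESTRICTED_ACL = [("DL_ProsetPrint", "Print"), ("DL_ProsetAdmin", "Manage Printers")]

if __name__ == "__main__":
    for name, acl in (("default", DEFAULT_ACL), ("restricted", RESTRICTED_ACL)):
        findings, users = audit_printer_acl(acl)
        print(name, sorted(users), findings)
```

The restricted list produces no findings and resolves to only the nested users, while the default-style list is flagged because Print is assigned to Everyone.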
While configuring print security may not seem as important as configuring file security, sometimes confidential documents must be secured to prevent inspection of the output. Print security design must include restricting who can access the printer, planning printer placement, and using IPSec where required to prevent inspection of the print job stream.