Windows Print Server Security Best Practices
Configuring a print server could be a bit of a headache if you don’t know exactly how to proceed. However, the good news is, with some help, it is possible to configure the printer server quite easily. If you are looking for some guidance on security best practices for configuring and setting up Windows Print Servers, you’ve come to the right place. Let’s see what are the best print server security practices.
Managing your printers
Managing your printers is easier than ever as the ‘print management console’ lets you manage everything related to a printer in Windows. The fastest way to start the console is to launch ‘Run’ by pushing the Windows key + R, and then typing the command printmanagement.msc and hitting the Enter key. Then, right-click on the printer you want to manage and select properties. This will launch the Printer Properties dialog with lots of options to configure.
You can find a description of each tab, along with the configuration advice.
General Tab
This is where you configure the printer’s name and location.
Remember to name your printers well. It is better to opt for a name that’s easy to read. Following a naming convention that includes the make, site, and model of every printer is recommended. Recognizing the location field can be a helpful attribute to generate relevant reports. When populated, it can also be used to inform users where they can find the printer.
Once you configure the printer, use the ‘Print Test Page’ button to verify you can send a print job from your server to your device quickly and easily.
Sharing Tab
This tab is where you configure your print server to share the printer, along with a few other settings.
- You must check ‘Share this printer’ if you plan to share the printer. Leave it unchecked if you plan to share the print queue using Google Cloud Print, or if you only want users to send print jobs to the Find-Me print queue. It is advisable to keep the printer share name shorter than 32 characters. For environments with Macs and LPR printing, the share name shouldn’t include spaces.
- You must check Render print jobs on client computers. It should be the default option, but if it is disabled for any reason, it can lead to additional load on the server and printing issues from clients.
Clicking the Additional Drivers button lets you add drivers for legacy 32-bit systems.
Ports Tab
This tab allows the administrator to configure the ‘port’ that the Windows print queue will use to communicate with the physical printer. Printer ports are separate from a firewall port and are traditionally referred to as physical ports on the computer such as COM1 and LPT1. However, nowadays this is where you specify the IP address of your printer. What port should you use? It varies from printer to printer.
For most printers, the port would be a Standard TCP/IP Port that directs to the IP address of your printer. If you are configuring a specific print management service printer, then the port should be set to ‘nul’.
Specific TCP/IP Port can also be used by print management services, but this is only recommended while undertaking Hardware Page Checks. By necessity, such a port will slow down printing as the application wait until the last printing job is finished before analyzing the next one. So, if you don’t need a Hardware Page Check, it is better to stick to using a Standard TCP/IP Port.
Some print management services don’t recommend WSD ports as this obscures the IP address of the printer, making it difficult for them to communicate over SNMP to determine toner levels and status.
Enable bidirectional support so that a print driver can communicate with a physical printer. This way it can discover the printer hardware, discover if a finishing unit is attached, or find out if the printer is showing any errors. However, be mindful that even though there are some situations where this setting is helpful, it can result in instability or can trigger the ‘sent to printer’ status for jobs in the print queue. But, if the setting is grayed out, it does not apply to this driver, as in the case with certain Global PostScript drivers.
Configuring Port
In this section, administrators can stipulate the advanced settings for the port. However, most of the time this would be automatically configured.
In an ideal situation, the selected Protocol should be RAW. This mode of connection is faster than legacy LPR connections. Furthermore, nearly all modern printers support it. It is advisable to check SNMP Status Enabled to allow Windows to query the printer for current status. Remember that if the Community Name here and on the printer doesn’t match, Windows will think that the device is offline.
Advanced Tab
In this section, administrators can set details such as the hours a printer is available, what driver a print queue should use to communicate with the physical printer, and so on. It is here where the configuration of the documents spool also takes place.
The driver will display the name of the driver configured in the Print Management Console. It is strongly recommended to use PostScript or PCL drivers when available.
The setting, ‘Start printing after the last page is spooled’, will be automatically configured so that the document can be fully analyzed before sending it to the printer.
Uncheck ‘Enable Advanced Printing Features’ to stop the driver from spooling print jobs in proprietary print languages in place of PCL or PostScript. Disabling this setting ensures accurate reading of the spool files of the print job. This will in turn enable several features such as precise page count and color detection, grayscale conversion, and watermarking among others.
The Printing Defaults button allows you to set default options for all users such as default page size or color preferences. This is akin to the Printing Preferences menu that changes the same settings, albeit only for the logged-in user.
Printer Security Tab
This is where security permissions are set to control the users or groups of users with rights to manage the print queue or documents. It is better to leave the default permissions as it is and use the features offered by print service management to manage printer access found in filters and restrictions.
Another option is to remove the Manage Documents right for Creator Owner to prevent users from bypassing Hold & Release settings. This applies to physical print queues. Another means to prevent users from resuming held print jobs (without modifying permissions) is to use the specific print management service TCP/IP Port. If any user attempts to resume their held job, the print management service provider will automatically delete it.
Printer Device Settings
These settings could be unique to the make, model, and driver. It’s also possible that settings will interfere with print management service features. Do watch out for settings to configure the manufacturer’s implementation of Pull/Print along with other queue management features.
Other Settings
Keep your Print Server name short. If the print server name is over 15 characters, the Windows spooler will lop off the name at the end to shorten it to 15 characters. This has been the case with Windows for a long. This can cause problems with Print management services’ features when you attempt to send print jobs to a secondary print server. You can avoid any such problems by keeping the name short.
Re-locate the Spool directory
If you have plotters or wide-format printers or CAD-related printing, they mean huge spool files. In such a scenario, you should move the spool directory from the default C:/ drive location or a separate partition or HDD. If you have a different physical or virtual disk on the system, move spool files to this location. This would ensure that large spool files do not reside on the same disk as the operating system’s page file.
Hide document names in the Windows print queue by using the built-in OS-level method to Hide Document Names in the print queue.
Disabling Printer Redirection
Disable printer redirection on a dedicated print server. Otherwise, a failure in the spooler service will happen if print drivers not written for enterprise environments are installed due to printer redirection. Follow the advice from Microsoft regarding this configuration.
Conclusion
It is easy to configure your print server with the above print server security guidelines. You can use the checklist below to ensure you did not miss any important points that might compromise your printer security.
- Keep the Printer Share Name shorter than 32 characters
- The Print Server Name must be 15 characters or less
- Check if the Render print jobs on client computers are enabled
- Configure printers to use a Standard TCP/IP port
- Only use specific print management service TCP/IP Port with the Hardware Page Checks feature
- Use the nul port port for print queues
- Disable Bidirectional Support only while troubleshooting
- The port protocol must be RAW
- Use Type-3 PCL or PostScript drivers where available
- Disable Advanced Printing Features
- Leave the default permissions on the Security Tab
- Transfer the Windows Spool directory to a non-system disk
- Use the built-in Windows method for hiding document names
- Put Driver Isolation to ‘Shared’ or ‘Isolated’
- Disable Printer redirection on your print server, wherever possible
Once if you’ve checked them all, you are good to go.
