Controlling Printer Security
Windows Server 2003 allows you to control printer usage and administration by assigning permissions through the Security tab of the printer's Properties dialog box. You can assign permissions to control who can use a printer and who can administer the printer or the documents it processes. A typical Security tab of a printer's Properties dialog box is shown in Figure 8-5.
[Figure: HPLJ8100 Properties dialog box, Security tab. Group or user names: Administrators (CONTOSO\Administrators), CREATOR OWNER, Everyone, Print Operators (CONTOSO\Print Operators), Server Operators (CONTOSO\Server Operators). Permissions for CREATOR OWNER, with Allow and Deny columns: Manage Printers, Manage Documents (Allow selected), Special Permissions.]
Figure 8-5 The Security tab of a printer's Properties dialog box
You can use a printer's access control list (ACL) to restrict usage of a printer and to delegate administration of a printer to users who are not otherwise administrators. Windows Server 2003 provides three levels of printer permissions: Print, Manage Printers, and Manage Documents.
By default, the Print permission is assigned to the Everyone group. Choosing this permission allows all users to send documents to the printer. To restrict printer usage, remove this permission and assign Allow Print permission to other groups or individual users. Alternatively, you can deny Print permission to groups or users. As with file system ACLs, denied permissions override allowed permissions. Also, like file system ACLs, it is best practice to restrict access by assigning allow permissions to a more restricted group of users rather than by granting permissions to a broader group and then having to manage access by assigning additional deny permissions.
The Manage Documents permission provides the ability to cancel, pause, resume, or restart a print job. The Creator Owner group is allowed Manage Documents permission. Because a permission assigned to Creator Owner is inherited by the user who creates an object, this permission enables a user to cancel, pause, resume, or restart a print job that he or she has created. The Administrators, Print Operators, and Server Operators groups are also allowed the Manage Documents permission, which means they can cancel, pause, resume, or restart any document in the print queue. Those three groups are also assigned the Allow Manage Printers permission, which enables them to modify printer settings and configuration, including the ACL itself.
Tip: If a printer's security is not a major concern, you can delegate administration of the printer by assigning a group, such as the <Printer> Users group, the Manage Documents or even the Manage Printers permission.
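The following is an added example, not part of the original text: a Python audit of a printer ACL written as an SDDL string, which goes beyond the Security tab to flag the conditions discussed above (Everyone holding Print, Deny entries, and Manage Printers or Manage Documents delegated beyond the default groups). It assumes the printer's security descriptor has been exported as SDDL; the finding names, sample ACLs, and SIDs are constructed for illustration.

```python
import re

# Printer access-mask bits (winspool.h) behind the permission levels in the text.
PRINTER_ACCESS_ADMINISTER = 0x04  # Manage Printers
PRINTER_ACCESS_USE = 0x08         # Print
JOB_ACCESS_ADMINISTER = 0x10      # Manage Documents (applies to print jobs)

# SDDL two-letter rights used in printer DACLs, mapped to their mask bits.
SDDL_RIGHTS = {"LC": 0x04, "SW": 0x08, "RP": 0x10, "WP": 0x20,
               "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}

# SDDL aliases: Administrators, Print Operators, Server Operators.
DEFAULT_ADMINS = {"BA", "PO", "SO"}
EVERYONE, CREATOR_OWNER = "WD", "CO"

# Matches allow (A) and deny (D) ACEs only; audit ACEs in a SACL are skipped.
ACE_RE = re.compile(r"\(([AD]);[A-Z]*;([A-Za-z0-9]*);[^;)]*;[^;)]*;([^;)]+)\)")

def parse_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask

def audit_printer_sddl(sddl):
    """Return (finding, trustee) pairs for ACEs that deviate from the guidance."""
    findings = []
    for ace_type, rights, trustee in ACE_RE.findall(sddl):
        mask = parse_mask(rights)
        if ace_type == "D":  # the text prefers narrower allows over denies
            findings.append(("deny-ace", trustee))
        elif mask & PRINTER_ACCESS_ADMINISTER and trustee not in DEFAULT_ADMINS:
            findings.append(("manage-printers-delegated", trustee))
        elif mask & PRINTER_ACCESS_USE and trustee == EVERYONE:
            findings.append(("everyone-can-print", trustee))
        elif (mask & JOB_ACCESS_ADMINISTER
              and trustee not in DEFAULT_ADMINS | {CREATOR_OWNER}):
            findings.append(("manage-documents-delegated", trustee))
    return findings

ADMIN_ACES = "".join(f"(A;;LCSWSDRCWDWO;;;{g})(A;OIIO;RPWPSDRCWDWO;;;{g})"
                     for g in ("BA", "PO", "SO"))
CO_ACE = "(A;OIIO;RPWPSDRCWDWO;;;CO)"
# Constructed sample: the default ACL described in the text.
DEFAULT_SDDL = "O:BAG:BAD:" + ADMIN_ACES + "(A;;SWRC;;;WD)" + CO_ACE
# Constructed sample: Everyone removed, Print allowed to group -1105, Print
# denied to group -1107, Manage Printers delegated to group -1106.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
CUSTOM_SDDL = ("O:BAG:BAD:" + f"(D;;SWRC;;;{DOM}-1107)" + ADMIN_ACES
               + f"(A;;SWRC;;;{DOM}-1105)(A;;LCSWSDRCWDWO;;;{DOM}-1106)" + CO_ACE)
```

A Manage Printers finding deserves the closest review, because that permission includes the right to change the ACL itself.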