Windows Thread, [Answered] Using Authenticated Users on Printers, and stopping non domain users in Technical; Hey everyone. I've got a question about printer security permissions. I have printers configured on my Windows Server 2003 print ...
9th February 2009, 11:33 PM #1
[Answered] Using Authenticated Users on Printers, and stopping non domain users
Hey everyone. I've got a question about printer security permissions. I have printers configured on my Windows Server 2003 print server to allow Administrators [All 3 options], Authenticated [Print], Creator Owner [All 3 options], Print Operators and Server Operators with their default of all 3 options, and students to deny all 3 options [this if for a staff printer obviously]. The question I have is, will this successfully be enough to block a non domain user from printing to a printer? I'm using Authenticated Users instead of everyone. Here's the deal. I took out my MacBook Pro, connected over the wireless network [it's not a member of the domain, just my laptop from home], and tried to add a printer via Windows Network. I added the staff printer listed there, and successfully fired a test page to it no problem. Should I have been able to do this? Never once did I have to enter a password. Is it connecting via some other protocol I don't know about? Maybe Bonjour or something? Just want to make sure ONLY our systems can print and not a misc system. I just can picture a student plugging in their laptop, adding a staff printer, and firing off print jobs. I thought I had it locked down. It works within our domain, a student can't add a staff printer. But I want to make sure that an anonymous system can't access them either. My mac just made it look way too easy. Haven't tried yet with a Windows laptop.
Last edited by link470; 10th February 2009 at 10:05 PM.
IDG Tech News
9th February 2009, 11:38 PM #2
Did you connect to the printer using the server based share UNC
\\server\printer or did you connect to the printer directly by its IP?
If your doing it via IP you will need to check the security on the actual printers software, the security rules applied you mentioned only apply to connections being attempted via the server share
10th February 2009, 12:28 AM #3
I think my mac just browsed the network and found some printers, and added it. I'm starting to wonder if there even IS a way to block direct connections to the printers. I can't seem to do that with the web based configuration panels on this printer [a Dell 1700n for example].
10th February 2009, 12:51 AM #4
To make it a little more difficult, on your printer server right click a printer, choose Properties > Sharing and untick Listed in the Directory. Do this for every printer in turn on your print server. This means when users try to search for printers they'll get no results. They'd have to manually type in the full UNC path \\servername\print-share-name and then should be prompted to enter a username and password.
As for permissions (as always), deny permissions take priority over allow permissions. Remove all existing groups under security and only add security groups you want to give permission to. So I'd recommend domain administrators; staff; students (for example). Domain administrators should have Print, Manage Printers and Manage Documents. Staff and students should have just Print or Print and Manage Documents only.
Now click the Add button and type "anonymous". ANONYMOUS LOGON should appear. Tick deny for Print, Manage Printers and Manage Documents then apply changes. Do this for every printer and it should solve your problem.
However - if someone brought in a computer, added a printer by typing in the UNC path and then authenticated using domain\username and password, they would still be able to print from the computer. Hope this helps.
10th February 2009, 01:37 AM #5
If you wanted to properly lock out direct connection to the printers you may need to setup a seporate VLAN for them that only the servers have access to. That way anything on the client network will be able to connecto to the authentication controlled print driver on the server but not to the printer directly.
Originally Posted by link470
3 Thanks to SYNACK:
dhicks (10th February 2009), link470 (10th February 2009), _Bat_ (4th November 2009)
10th February 2009, 06:33 PM #6
Might be hard in our setup, but I see exactly what you're saying. Thanks!
By Kevin_Beaumont in forum How do you do....it?
Last Post: 9th December 2008, 02:05 PM
By jmair in forum Windows
Last Post: 18th March 2008, 01:58 AM
By tosca925 in forum Windows
Last Post: 15th August 2007, 06:36 PM
Last Post: 21st November 2006, 03:47 PM
By tarquel in forum Wireless Networks
Last Post: 30th October 2006, 03:08 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)