Securing Printer Usage in Windows Server 2003 (Part 3)

How and when to audit network printers.

In the first part of this article series, I explained that the most effective way to manage a network printer is to create a print queue on one of your network servers and force all of the print jobs to pass through that queue. In the second part of this series, I walked you through some basic techniques for securing the print queue that you created in Part 1. In this article, I will conclude the series by showing you how to audit the use (and attempted use) of a network printer.

Why Audit Network Printing?

There are several reasons why you might want to audit the use of a network printer. As I explained earlier in this series, it is essential to audit the printer that your company uses to print checks. You need to know who has been printing checks and whether or not any unauthorized person has been trying to print checks.

A less extreme example of auditing involves managing printer supplies such as ink and paper. I have been in some companies in which printer use is monitored so that individual departments can be charged for the supplies that they use. I have also seen cases in which high end photo printers were audited for unauthorized use because the supplies are so expensive.

Auditing a Network Printer

Now that I have talked a little bit about why you might want to audit network printing, let’s move on to the auditing process itself. If you have ever looked through your server's security logs, then you probably realize that printer auditing is not enabled by default. To enable printer auditing, choose the Printers and Faxes command from your server’s Start menu. Upon doing so, you will see the now familiar Printers and Faxes window. Right-click on the printer that you want to audit, and select the Properties command from the resulting shortcut menu. Doing so will reveal the printer's properties sheet that you worked with in the previous part of this article series.

At this point, you must select the Security tab and then click the Advanced button. When you do, Windows will display the Advanced Security Settings properties sheet. Select the properties sheet’s Auditing tab, and you will see that it is completely empty, as shown in Figure A.


Figure A: Printer auditing is disabled by default

The way that printer auditing is set up, auditing focuses on users and groups rather than focusing on the printer itself. What this means is that you can't just tell Windows to create an audit log entry any time anyone sends a print job to the printer (at least not directly). Instead, Windows requires you to specify the names of users or groups that you want to audit. If your goal is to audit any and all use of the printer in question, then you can always audit the Everyone group.

With this in mind, click the Add button, and you will be taken to a screen that asks you to enter the names of the users or groups that you want to audit, as shown in Figure B. After entering the user or group names, I strongly recommend clicking the Check Names button. Doing so will ensure that you have spelled the names correctly and that the names are valid. After all, auditing won't do you much good if you are auditing non-existent users or groups.


Figure B: Windows requires you to enter the names of the users or groups that you want to audit

Click OK and you will be taken to the Auditing Entry dialog box, shown in Figure C. As you can see in the figure, this dialog box allows you to audit both the success and the failure of various printer related events. To enable auditing, all you have to do is to select the events that you want to audit and click OK. Before you do, it is important to understand what the various events actually mean.


Figure C: The Auditing Entry dialog box allows you to control which events you want to audit

In the section below, I will describe what each of the events that you can audit actually means. As I do, it is important to keep in mind that my descriptions assume that you're auditing the success of a particular event. Auditing a failure of these events simply means that someone attempted to perform an action that would normally result in the event if the user had the appropriate permissions. For example, performing a success audit on the Print event would cause a security log entry to be created every time someone printed a job on the printer. A failure audit of the same event would create event log entries any time that someone attempted to print to the printer, but couldn't because they lacked sufficient permissions. With that in mind, here are the various events and what they mean:

  • Print - The user being audited has sent a print job to the printer.
  • Manage Printers - A user has modified either the printer's properties or its permissions.
  • Manage Documents - A user has paused, resumed, restarted, or deleted a spooled print job.
  • Read Permissions - A user has looked at the printer's security permissions.
  • Change Permissions - A user has modified the printer's security permissions.
  • Take Ownership - A user has taken ownership of the printer.

What Should You Audit?

With all of these auditing settings available to you, you might be wondering what you should actually audit. It really just depends on the nature of the printer and how much security you need. If the printer is used to print checks, then I would recommend performing both success and failure audits on every event. On the other hand, if the printer is a general-purpose printer that is heavily used, then you would not want to perform success audits on the Print event. If you did, then the event log would quickly grow to an unmanageable size because a new log entry would be created every time someone sends a print job to the printer.

I tend to think that the majority of the printers in the average organization probably do not need to be audited. However, if a printer is used for financial purposes (such as printing checks), or consumes expensive supplies, then you might want to think about auditing the printer. In these types of situations, I would recommend auditing both success and failure events related to Manage Printers and Change Permissions events. I would also recommend auditing failures of the Print event.
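
The following is an added example, not part of the original article: a Python check that reads the audit entries from a printer's security descriptor in SDDL form and reports where they fall short of the baseline recommended above for a sensitive printer. It assumes you have already obtained the SDDL string, that Audit object access is enabled in the server's audit policy (printer audit entries log nothing without it), and that each dialog row corresponds to the access-mask bit noted in the comments; the function names are hypothetical.

```python
import re

# Mask values are from winspool.h / winnt.h. Pairing each bit with a row of
# the Auditing Entry dialog is this example's assumption.
RIGHTS = {
    "Print": 0x8,                   # PRINTER_ACCESS_USE
    "Manage Printers": 0x4,         # PRINTER_ACCESS_ADMINISTER
    "Manage Documents": 0x10,       # JOB_ACCESS_ADMINISTER
    "Read Permissions": 0x20000,    # READ_CONTROL
    "Change Permissions": 0x40000,  # WRITE_DAC
    "Take Ownership": 0x80000,      # WRITE_OWNER
}
# Audit baseline the article recommends for a sensitive printer.
BASELINE = {"Manage Printers": {"success", "failure"},
            "Change Permissions": {"success", "failure"},
            "Print": {"failure"}}
# SDDL two-letter right codes that may appear instead of a hex mask.
CODES = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
         "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
ACE_RE = re.compile(r"\(AU;([A-Z]*);([^;]*);[^;]*;[^;]*;([^;)]+)\)")

def pairs(text):
    return {text[i:i + 2] for i in range(0, len(text), 2)}  # 'SAFA' -> {'SA','FA'}

def mask_of(rights):
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(CODES.get(code, 0) for code in pairs(rights))  # unknown codes skipped

def audited_rights(sddl, trustee="WD"):
    """Map each dialog row to the audit kinds set for trustee (WD = Everyone)."""
    found = {name: set() for name in RIGHTS}
    for flags, rights, sid in ACE_RE.findall(sddl.partition("S:")[2]):
        if sid != trustee:
            continue
        kinds = {k for f, k in (("SA", "success"), ("FA", "failure")) if f in pairs(flags)}
        for name, bit in RIGHTS.items():
            if mask_of(rights) & bit:
                found[name] |= kinds
    return found

def baseline_gaps(sddl, trustee="WD"):
    """Return {row: [missing audit kinds]} relative to BASELINE."""
    have = audited_rights(sddl, trustee)
    return {r: sorted(want - have[r]) for r, want in BASELINE.items() if want - have[r]}

# Constructed SACL: admin changes fully audited, but Print audited on success only.
SAMPLE = "S:(AU;SAFA;0x40004;;;WD)(AU;SA;0x8;;;WD)"
print(baseline_gaps(SAMPLE))
```

An empty result means the audit entries for the chosen trustee cover the baseline; generic rights such as GA are not expanded by this sketch.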

Conclusion

In this article series, I have explained that it is easy to overlook printers when developing a network security plan because printers have become so commonplace that they hardly seem to be a security threat. Even so, there are situations in which ignoring your printers can result in a substantial financial loss for the company. As such, I recommend configuring any sensitive printers to use a centralized print queue that is hosted by a Windows server. After doing so, you can easily enforce security on the printer and audit its use or attempted use.