How to restrict printer to local domain


Pat Coghlan

I have a DC and a number of workstations and want these computers to be
able to print to a network printer (with HP jet direct module).

Which of the following are possible and what is the best way to set it up?

a) only share the printer to computers which are part of the domain
b) prevent computers which are not a member of the domain from using the
printer

Because this is a security-related application, our IT people don't want
the printer accessible to the entire enterprise. I suspect that we
might have to take it off IP and connect it directly to the DC or one of
the workstations and share it, since if it is on the network then
presumably anyone who knows its IP address would be able to print to it.

Thoughts?

-Pat
 
Pat said:
I have a DC and a number of workstations and want these computers to
be able to print to a network printer (with HP jet direct module).

Which of the following are possible and what is the best way to set
it up?

a) only share the printer to computers which are part of the domain
b) prevent computers which are not a member of the domain from using
the printer

Because this is a security-related application, our IT people don't
want the printer accessible to the entire enterprise. I suspect that
we might have to take it off IP and connect it directly to the DC or one
of the workstations and share it, since if it is on the network then
presumably anyone who knows its IP address would be able to print to
it.

Thoughts?

-Pat

Change the share permissions on the printer share on the server so that only
the groups you wish can print to this printer.
Don't let anyone have local admin rights on their workstations, and then
they can't add local printers (which is what they'd need to do to print
directly to the printer via a standard TCP/IP port).
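
An added example (not part of the thread) of the server-side setup described in the reply above, using the PrintManagement cmdlets on a current Windows Server: it creates the standard TCP/IP port and the "local" printer, shares it, and replaces the Everyone entry in the printer's security descriptor with a Print entry for one domain group. The address, printer name, driver name and group are placeholder assumptions.

```powershell
# Placeholder values (assumptions, not from the thread)
$printerIp   = '192.0.2.50'                    # JetDirect address (documentation range)
$portName    = "IP_$printerIp"
$printerName = 'SecureLaser'
$driverName  = 'HP Universal Printing PCL 6'   # must already be installed on the server
$allowGroup  = 'CONTOSO\SecurePrintUsers'      # hypothetical domain group

# 1. Standard TCP/IP port plus a "local" printer on the server, shared out
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $printerIp
}
if (-not (Get-Printer -Name $printerName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $printerName -DriverName $driverName -PortName $portName `
                -Shared -ShareName $printerName
}

# 2. Read the printer's current security descriptor
$sddl = (Get-Printer -Name $printerName -Full).PermissionSDDL
$sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
$dacl = $sd.DiscretionaryAcl

# 3. Drop every ACE granted to Everyone (S-1-1-0); iterate backwards while removing
for ($i = $dacl.Count - 1; $i -ge 0; $i--) {
    if ($dacl[$i].SecurityIdentifier.Value -eq 'S-1-1-0') { $dacl.RemoveAce($i) }
}

# 4. Grant Print (READ_CONTROL | PRINTER_ACCESS_USE = 0x20008) to the chosen group
$sid = ([System.Security.Principal.NTAccount]$allowGroup).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ace = [System.Security.AccessControl.CommonAce]::new(
           [System.Security.AccessControl.AceFlags]::None,
           [System.Security.AccessControl.AceQualifier]::AccessAllowed,
           0x00020008, $sid, $false, $null)
$dacl.InsertAce($dacl.Count, $ace)

# 5. Write the descriptor back and show the result for review
Set-Printer -Name $printerName -PermissionSDDL $sd.GetSddlForm('All')
(Get-Printer -Name $printerName -Full).PermissionSDDL
```

This governs only jobs submitted through the server's share; a host that can reach the printer's IP address directly is not affected by it, which is why the thread also turns to network segregation.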
 
In general, then, printers should be attached (physically or logically)
to the server and then shared?

Once a printer is accessible via TCP/IP, there's really nothing stopping
a user in another domain from printing directly to it, is there?

If one is concerned about this, printers would have to be connected
directly to the server via a serial/parallel/USB port, no?
 
Pat said:
In general, then, printers should be attached (physically or
logically) to the server and then shared?

No - when you add your printer to a server, you're installing a standard
TCP/IP port and installing a "local" printer. Then share it & set the share
permissions as stated.
Once a printer is accessible via TCP/IP, there's really nothing
stopping a user in another domain from printing directly to it, is
there?

Well - how much control do you have over the other domain? If none at all,
can they be segregated with routers/VLANs in your switch? If you're just
talking about preventing non-domain computers from printing to it at all,
what are these non-domain computers, and do you have any control over them?
As I said, without local admin rights, one can't add a 'local' printer - and
this would be a local printer.
If one is concerned about this, printers would have to be connected
directly to the server via a serial/parallel/USB port, no?

Shouldn't be necessary, although of course you could do that.
 
Pat said:
Understood. What I meant was, should this type of printer always be
installed on just the server, and shared for the workstations to use?

That's how I do it - but it does end up getting installed on workstations as
a member printer, if the users have rights to the share on the server.
After thinking about it, the subnet containing the printer and our
DCs/workstations shouldn't be accessible to the WAN, which is
designated one security level lower than our application.

Our application and printer should be isolated on a separate LAN.

Sounds like it...
If one is concerned about this, printers would have to be connected
directly to the server via a serial/parallel/USB port, no?


Shouldn't be necessary, although of course you could do that.
Thanks.
 
Lanwench said:
No - when you add your printer to a server, you're installing a standard
TCP/IP port and installing a "local" printer. Then share it & set the share
permissions as stated.

Understood. What I meant was, should this type of printer always be
installed on just the server, and shared for the workstations to use?
Well - how much control do you have over the other domain? If none at all,
can they be segregated with routers/VLANs in your switch? If you're just
talking about preventing non-domain computers from printing to it at all,
what are these non-domain computers, and do you have any control over them?
As I said, without local admin rights, one can't add a 'local' printer - and
this would be a local printer.

After thinking about it, the subnet containing the printer and our
DCs/workstations shouldn't be accessible to the WAN, which is designated
one security level lower than our application.

Our application and printer should be isolated on a separate LAN.
If one is concerned about this, printers would have to be connected
directly to the server via a serial/parallel/USB port, no?


Shouldn't be necessary, although of course you could do that.
Thanks.
 