Attack Surface
The Print Services role service allows you to share printers on a network, as well as to centralize print server and network printer management tasks. To determine the attack surface of each service for the Print Server role, you need to identify the following.
Installed files. These are files that are installed as part of each role service for the Print Server role.
Installed services. These are services that are installed as part of each role service for the Print Server role.
Note You can use the RootkitRevealer and Sigcheck utilities that are part of Windows Sysinternals to verify the integrity of the installed files and the files that the services run.
Firewall rules. These are the firewall rules that the Print Server role uses.
The details of the attack surface for the Print Server role are included in the Windows Server 2008 Attack Surface Reference workbook that accompanies this Solution Accelerator. To view the attack surface for this server role, on the Print tab of the workbook, view the sections that correspond to each of the items in the previous list.
Security Measures
This section describes the security measures that you can incorporate into your Print Server role configuration to protect the server against malicious attacks. The recommendations that follow assume that you have only selected the Print Server option on the Select Role Services page of the Add Roles Wizard. Recommendations for other role services are not included.
Configuration Checklist
This section includes configuration recommendations based on best practices to further harden the Print servers in your environment. Recommendations for the LPD Service and Internet Printing role services are not included. For more information about how to configure these services, see Windows Server 2008: Server Management.
The following table summarizes the recommended security configuration tasks for hardening servers performing the Print Server role. If you need help to complete any of the checklist items, see the following sections in this chapter for additional details and recommendations.
Table 8.1 Configuration Checklist
|
Configuration tasks
|
|
Deploy a server core installation of Windows Server 2008.
|
|
Digitally sign communications.
|
|
Consider Using the Point and Print feature.
|
|
Control printer share access.
|
|
Relocate the default Print Spooler file.
|
Deploy a Server Core Installation of Windows Server 2008
Deploying Windows Server 2008 using the Server Core installation option further reduces the attack surface of the operating system by reducing the number of installed files and running services. The advantage of the Server Core installation option is that a graphical user interface (GUI) is not installed, so the files and services required by the normal GUI are not installed.
When you use the Server Core installation option of Windows Server 2008 to deploy the operating system, you can only locally manage the server using command-line tools. To manage the server using GUI-based tools, you must install and run these tools on another computer with a Windows-based GUI.
You can use the following command-line management tools to manage the Print Server role:
To install the Print Server role service, complete the following command:
start /w ocsetup Printing-ServerCore-Role
To install the Line Printer Daemon (LPD) role service, complete the following command:
start /w ocsetup Printing-LPDPrintService
Note Because the Internet Printing role service depends on .NET Framework features that the Windows Server 2008 Server Core installation does not support, this role service is not available on computers running Server Core installations.
For more information about how to install and manage the Print Server role on a Windows Server 2008 Server Core installation, see Server Core Installation Option of Windows Server 2008 Step-By-Step Guide.
You can also use the following tools to manage your print server:
Lpg
Lpr
Net print
Print
Prncnfg.vbs
Prndrvr.vbs
Prnjobs.vbs
Prnmngr.vbs
Prnport.vbs
Prnqctl.vbs
Pubprn.vbs
For information about how to use these tools, see the "Command Reference" section of the Windows Server 2008 TechNet Library.
You can also use WMI scripts or WS-Management and the Windows Remote Shell to remotely manage Print Server role services on computers running Windows Server 2008 Server Core installations.
For more information about WMI, see Windows Management Instrumentation.
For more information about WS-Management and the Windows Remote Shell, see Windows Remote Management.
Note This section assumes that you are running a standard installation of Windows Server 2008. If you have created a Windows Server 2008 Server Core installation for your Print Server role, you can follow these steps using the Microsoft Management Console (MMC) snap-in from a remote computer.
Digitally Sign Communications
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other network operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports SMB packet digital signing. You can configure the Group Policy setting for Microsoft network server: Digitally sign communications (always) in the following location in the Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.
Microsoft recommends configuring the Microsoft network server: Digitally sign communications (always) setting to Enabled for print servers in both the EC and SSLF environments defined in this guide.
Consider Using the Point and Print Feature
Point and Print is a Windows feature that automatically downloads and installs a printer driver when a user connects to a shared printer. Point and Print also updates the printer driver on the client computer when the driver configuration is updated on the print server. The Point and Print Restrictions Group Policy setting has been updated in Windows Server 2008 and Windows Vista to help you manage the improved security of the Point and Print feature.
You can configure the Point and Print group policy settings in the following location in the Group Policy Object Editor:
User Configuration\Administrative Templates\Control Panel\Printers
The following table provides security setting information specific to this technology in Windows Server 2008.
Table 8.2 Point and Print Settings
Policy object
|
Description
|
Windows Server 2008 default
|
Browse the network to find printers
|
If this setting is enabled or not configured, users can use the Add Printer Wizard to display the list of shared printers on the network.
If this setting is disabled, the network printer browse page is removed from the Add Printer Wizard, and users cannot search the network using Windows Explorer.
|
Not Configured
|
Only use Package Point and print
|
If this setting is enabled, users can only point and print to printers that use package-aware drivers. When using package point and print, client computers check the driver signature of all drivers that are downloaded from print servers.
If this setting is disabled, or not configured, users are not restricted to package-aware point and print only.
This setting only applies to Windows Server 2008 and Windows Vista.
|
Not Configured
|
Package Point and print - Approved server
|
If this setting is enabled, users can only use package point and print to print servers approved by the network administrator. When using package point and print, client computers check the driver signature of all drivers that are downloaded from print servers.
If this setting is disabled, or not configured, package point and print is not restricted to specific print servers.
This setting only applies to Windows Server 2008 and Windows Vista.
|
Not Configured
|
Point and Print Restrictions
|
If this policy setting is enabled, client computers are restricted to only point and print to a list of explicitly named servers.
When this policy setting is disabled, client computers can point and print to any server. Computers running Windows Vista will not display a warning or an elevation prompt when users point and print to a server or when a driver for an existing printer connection needs to be updated.
|
Not Configured
|
It is important to understand the options available to you with these Group Policy settings, and how you can use them to maximize the security of client computer printer installations. The option that offers the most security might not work for your environment if you have a wide variety of printers and multifunction print devices that require drivers that Windows Server 2008 does not provide. The following figure shows the options and the tradeoffs for each one.
Figure 8.2 Secured printing options
The most secure configuration option is to use Group Policy to restrict the printer installations to use only "in-the-box" Windows drivers. These drivers have been through rigorous testing and are signed to ensure that they cannot be tampered with.
However, this option is limiting if your organization already has a wide variety of print devices installed. It is likely that you will need drivers from the printer manufacturers to support your printing requirements. To help support this type of environment, Microsoft has created package point and print drivers. These drivers from printer manufacturers offer the following advantages:
All driver components are installed on the print client.
Driver signing and driver integrity are checked on the print client.
Point and print is more trustworthy and administrators can control it better in a managed environment.
Windows Vista uses package installation as the preferred method of driver installation. However, client computers running earlier versions of Windows® cannot use these drivers because they require a local driver store that was unavailable before Windows Vista. When a client computer running an earlier version of Windows connects to a Windows Server 2008 print server, the print server uses traditional point and print to install the printer on the client computer.
The final option for client computers running Windows Vista is to elevate privileges to allow the installation of print drivers that do not support package point and print. This option requires the user to know the user name and password of a local account that has administrator privileges or requires an administrator to install the printer drivers on behalf of the use. For more information about these options and settings, see the "Point and Print Security in Windows Vista" white paper.
The default permissions applied to a new printer share on a domain-joined print server are included in the following table.
Table 8.3 Default Printer Permissions
Group or account
|
Permissions
|
Everyone
|
Print
|
CREATOR OWNER
|
Manage documents
|
Administrator
|
Print, Manage printers, Manage documents
|
For environments where a raised level of security is required, you can accomplish this by removing permissions from the Everyone group and creating a dedicated user group for the printer. This option increases the overhead for creating and managing access to the printer, but it limits access to the printer to only those users who are specifically granted permissions after you add to them to the dedicated group. Users who are not members of the group are denied access to the printer.
Relocate the Default Print Spooler File
For environments with elevated security or performance requirements, Microsoft recommends relocating the default print spooler file to a dedicated spooler volume on the Print server.
The following procedure creates a new default spool directory to all printers that are configured on this computer.
To create a new default spool directory
Click Start and type Printers.
Open the Printers management window.
On the File menu, click Server Properties, and then click the Advanced tab.
In the Spool Folder box, type the path to the dedicated volume, and then click OK.
Note For print servers that receive heavy use, monitor the disk performance metrics of the servers to ensure that the print spooler requirements do not overload the server volumes.
|