Printers are a ubiquitous component in any office environment. Managing and controlling printers is usually not so much a security issue as it is a political and budgetary one. Fortunately, group policy offers several controls to help you retain control over printers in your IT environment.
Within the User Configuration section, the Printers folder is found within Administrative Templates, Control Panel. This folder contains five controls.
The Browse a common Web site to find printers control adds a Browse button on Locate Your Printer page of the Add Printer wizard. This button takes users to a page where all available printers are conveniently located. (This is convenient for the users, but an administrator will need to build and maintain the Web-based printers list).
The Browse the network to find printers command allows users to search the network for shared printers. Disable this control to force users to type in a specific printer share name instead of viewing a list of all available printers.
The Default Active Directory path when searching for printers command specifies the AD container where printer searching will begin. If command is not used, searching always begins at the AD root.
The Prevent addition of printers and Prevent deletion of printers commands stop end users from adding or removing printers. If you have a static environment with adequate administrative oversight, enable these controls.
Other printer controls are found in the Computer Configuration section of group policy in the Administrative Tools, Printers folder. There are fifteen controls here. Most of these controls manage how printers are advertised, searched, viewed or accessed by clients. There are also several controls that manage printer pruning. At a defined interval, AD polls all systems that host a shared printer. If that host fails to respond, then its shared printer is removed from the active resource list. This process is known as pruning.
Pay particular attention to the Disallow installation of printers using kernel-mode drivers control. When enabled, no client system can install a kernel-mode printer driver. Since kernel-mode drivers have direct access to hardware, corrupted or Trojaned drivers can be a serious security and stability risk. Once administrators install printers on client systems, enabling this command will prevent the installation of new printers by end users.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.