Title

Printer share permissions are not configured as recommended. (Cat III impact)

Discussion

Improperly configured share permissions on printers can permit the addition of unauthorized print devices on the network. Windows shares are a means by which files, folders, printers, and other resources can be published for network users to remotely access. Regular users cannot create shares on their local machines; only Administrators and Power Users have that ability.

Check Content

2008 - •Double click on “Printers” in Control Panel If there are no locally attached printers, then mark this as “Not Applicable.” Perform this check for each locally attached printer: •Right click on a locally-attached printer. •Select Sharing from the drop-down menu. Perform this check on each printer that has the “Shared” radio-button selected: •Select the Security tab The following table lists the Server 2008 default printer share security settings: Account Assignment - Allow Everyone - Print CREATOR OWNER - Manage Documents Administrator - Print, Manage Printers, Manage Documents Administrators - Print, Manage Printers, Manage Documents If any non administrative user accounts or groups have greater than “Print”, then this is a finding.

Fix Text

Configure the permissions on locally shared printers to meet the minimum requirements.

Additional Identifiers

Rule ID: SV-16949r1_rule

Vulnerability ID: V-1135

Group Title: Printer Share Permissions

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.