Check: WN12-GE-000012
Microsoft Windows Server 2012/2012 R2 Member Server STIG:
WN12-GE-000012
(in versions v3 r7 through v2 r17)
Title
Nonadministrative user accounts or groups must only have print permissions on printer shares. (Cat III impact)
Discussion
Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need.
Check Content
Open "Devices and Printers" in Control Panel or through Search. If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.) For each configured printer: Right click on the printer. Select "Printer Properties". Select the "Sharing" tab. View whether "Share this printer" is checked. For any printers with "Share this printer" selected: Select the Security tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. Standard users will typically be given "Print" permission through the Everyone group. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.
Fix Text
Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.
Additional Identifiers
Rule ID: SV-225424r569185_rule
Vulnerability ID: V-225424
Group Title: SRG-OS-000080-GPOS-00048
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |