Check: WN16-00-000200
Microsoft Windows Server 2016 STIG: WN16-00-000200 (in versions v2 r9 through v1 r1)
Title
Non-administrative accounts or groups must only have print permissions on printer shares. (Cat III impact)
Discussion
Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need.
Check Content
Open "Devices and Printers".

If there are no printers configured, this is NA. (Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.)

For each printer:
Right-click on the printer.
Select "Printer Properties".
Select the "Sharing" tab.
If "Share this printer" is checked, select the "Security" tab.

If any standard user accounts or groups have permissions other than "Print", this is a finding.

The default is for the "Everyone" group to be given "Print" permission.

"ALL APPLICATION PACKAGES" and "CREATOR OWNER" are not standard user accounts.
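
The same check can be scripted across many printers. The following is an added example, not part of the STIG: it reads each shared printer's security descriptor and reports allow ACEs that grant more than "Print". The function name `Test-PrinterSddl`, the `$NotStandardUser` SID list and the sample SDDL string are assumptions made for illustration; the list of accounts treated as administrative must be adjusted to local policy.

```powershell
# Added example: audit shared printers against WN16-00-000200.
# "Print" in the Security tab = READ_CONTROL (0x20000) | PRINTER_ACCESS_USE (0x8).
$PrintMask = 0x20008

# Assumption: SIDs not treated as standard users. CREATOR OWNER and
# ALL APPLICATION PACKAGES come from the check text; extend per local policy.
$NotStandardUser = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-15-2-1'     # ALL APPLICATION PACKAGES
)

function Test-PrinterSddl {
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$Sddl
    )
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only allow ACEs grant permissions; deny ACEs cannot create a finding.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($NotStandardUser -contains $sid) { continue }
        # Any bit outside the Print mask is a permission other than "Print".
        $extra = $ace.AccessMask -band (-bnot $PrintMask)
        if ($extra -ne 0) {
            [pscustomobject]@{
                Printer    = $PrinterName
                Sid        = $sid
                AccessMask = '0x{0:X}' -f $ace.AccessMask
                ExtraBits  = '0x{0:X}' -f $extra
            }
        }
    }
}

# Constructed sample: BUILTIN\Users (BU) holds "Manage this printer" (0xF000C),
# Everyone (WD) holds only Print (0x20008).
$sample = 'O:SYG:SYD:(A;;LCSWSDRCWDWO;;;BA)(A;;SWRC;;;WD)(A;;LCSWSDRCWDWO;;;BU)'
Test-PrinterSddl -PrinterName 'SAMPLE (constructed)' -Sddl $sample

# Live check: only shared printers are in scope; -Full is required to
# populate PermissionSDDL.
Get-Printer -Full | Where-Object { $_.Shared } | ForEach-Object {
    Test-PrinterSddl -PrinterName $_.Name -Sddl $_.PermissionSDDL
}
```

Each row returned is a candidate finding to confirm on the printer's "Security" tab; an empty result for a shared printer means no account outside the excluded list holds more than "Print".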
Fix Text
Configure the permissions on shared printers to restrict standard users to only have Print permissions.
Additional Identifiers
Rule ID: SV-224836r958472_rule
Vulnerability ID: V-224836
Group Title: SRG-OS-000080-GPOS-00048
CCIs
Number | Definition |
---|---|
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |