Nonadministrative user accounts or groups must only have print permissions on printer shares.

From Windows Server 2012/2012 R2 Member Server Security Technical Implementation Guide

Part of Printer Share Permissions

Associated with: CCI-000213

SV-52213r1_rule Nonadministrative user accounts or groups must only have print permissions on printer shares.

Vulnerability discussion

Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need.

Check content

Open "Devices and Printers" in Control Panel or through Search. If there are no printers configured, this is NA. For each configured printer: Right click on the printer. Select "Printer Properties". Select the "Sharing" tab. View whether "Share this printer" is checked. For any printers with "Share this printer" selected: Select the Security tab. If any standard user accounts or groups have permissions other than "Print", this is a finding. Standard users will typically be given "Print" permission through the Everyone group. "All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.

Fix text

Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer