Secure Your Enterprise Printing Environment

*Updated – Originally published March 09, 2016*

For many print management solutions, security and convenience are considered mutually exclusive. You can have secure mobile printing and secure document printing (provided those features are offered at all), but that security comes at the expense of ease of use. Just to print a document, end users have to fuss with passcodes and jump through multiple hoops—which, paradoxically, makes them less likely to actually make use of the features in their supposedly secure printing software. Even worse, these features are often included at additional cost. That means you’re paying for features that your employees don’t use.

At PrinterLogic, we know security and convenience are actually directly linked. Or to put it another way: secure printing software is only as strong as your end users’ willingness to use it.

We’ve given a lot of thought to the printing habits of everyday users and the ideal way to integrate secure printing features into their normal workflow. And we came to the conclusion that secure printing has to be easy, seamless, and—most importantly—incredibly secure in order for it to have maximum effect. That’s why PrinterLogic combines features like secure mobile printing and secure release printing with seamless integration into your existing print environment, offering the flexibility to accommodate any printing workflow.

PrinterLogic allows you to choose from multiple secure printing release methods:

  • Badge/card reader: End users can release their print jobs at the local printer using your existing badge system. A badge reader situated next to the printer or embedded in the printing device will release the queued print jobs associated with the scanned badge.
  • Browser-based release: With this method, print jobs can be released using any device capable of running a browser—including PCs, Macs, Chromebooks and mobile devices. End users can access PrinterLogic’s web-based app to release print jobs using their own devices from anywhere in the organization. Alternatively, an inexpensive iOS or Android device can be permanently placed near the secure printer.
  • Embedded control panel: By installing the PrinterLogic app directly onto a supported printer, users can log in and release their print jobs right from the device’s LCD. This method is extremely straightforward because it doesn’t require any additional hardware.
  • Mobile Release: Using the PrinterLogic Mobile App (available on iOS and Android), end users can log in, select their print job from the queue, and release it to the printer of their choice.

In all of these scenarios, PrinterLogic’s secure printing software enables users to initiate print jobs using a specific printer driver to a single printer—thereby maintaining all functionality native to the driver and ensuring the integrity of the print job. The crucial step is the release command, which has two important roles:

  1. Print jobs cannot be authorized to be executed by anyone other than the user who initiated them.
  2. Those jobs are only released when the user is present at the printer, so the documents are not left in the output tray—and viewable to anyone—for any length of time.

Better still, secure document printing with PrinterLogic isn’t limited to one manufacturer or any single type of print environment. You can use it in any PC/Mac setting and with a whole range of devices. Your IT team will appreciate that platform and manufacturer agnosticism. Your users will appreciate the simplicity. And your organization will love the security.

The Lingering Effects of PrintNightmare

A little over a year ago, the IT community was hit with a massive vulnerability that affected way too many companies. It was known as CVE-2021-34527, colloquially called PrintNightmare.

Most companies still run print servers, which require spoolers to do their jobs properly. Unfortunately, the vulnerability was in the spooler itself, allowing anyone to execute code on a network without even having to work around other network security. That meant everyone using servers was in trouble.

Thankfully, a patch was released relatively quickly. But… that fix ended up causing other problems. More patches were released and, ultimately, the final fix essentially offered companies 3 choices:

  1. Stop printing entirely.
  2. Manually enter admin credentials for any print changes, deployments, or problems.
  3. Get rid of their print servers/spoolers.

Clearly, option 1 is not a long-term solution. Even companies that are moving toward a fully paperless office need time and policies in place to fully stop all printing. Even in most “paperless” offices, there are still some circumstances that require printed documents. That means that companies choosing to go this route are making choices about when it’s necessary to risk their security in order to print.

The second option is not ideal either. It takes time and resources to have your IT team constantly dealing with small print tasks previously in the hands of your general employees. Needing admin credentials to update a simple print driver is a frustrating, time-consuming issue. And employees used to having some autonomy are getting fed up with needing help to fix simple problems.

The last option may be the best choice for your company in the long run. It also takes time and budget to implement, but more than a year of dealing with the lingering issues from the PrintNightmare vulnerability is more than enough.

Serverless Printing Is a Permanent Fix

Unlike the patches that were released, going serverless with PrinterLogic solves print spooler vulnerabilities for good by avoiding them entirely. It streamlines your infrastructure, creating a direct IP printing environment. Plus, with the PrinterLogic Admin Console, you can manage drivers, deployments, and users all in one place. That means no more wasted time for your IT team and a more secure network. 

Isn’t it time to ditch the ongoing PrintNightmare problems?

Print Nightmare 2.0: 4 ways to avoid a recurring bad dream

In early July, a new issue was discovered with Microsoft print servers. PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. The vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which fail to properly restrict the administration of printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. In layman’s terms, that means an entire network could have been compromised.

See the PrinterLogic technical response to the Print Nightmare vulnerability.

Millions of Customers Were Exposed

For those using print servers, this vulnerability is just another in a long line of issues. In 2021 alone, six different potential vulnerabilities were found in the Windows Print Spooler. That’s a lot of exposure to risk.

So what can you do to protect your company from these continued issues?

  • Minimize Risk by Eliminating Print Servers

In the past, many companies relied on print servers to manage printing permissions throughout their company. However, the reality of having multiple servers that must be patched, updated, and secured at all times drains resources. As companies scale up in our ever-changing world, that means more users, more servers, and more work to keep it all running smoothly.

To make matters worse, your attack surface gets larger with every print server you add to your network. That puts your organization more at risk of an attack with every vulnerability and costs significant man-hours to patch and mitigate vulnerabilities like Print Nightmare. Since nearly every line of business still depends on printing, this risk should worry all companies.

By eliminating print servers, you can reduce your attack surface and protect your company from any future issues that are discovered. For example, DHS was able to remove 400 print servers when they moved to PrinterLogic. By doing so, they were able to avoid the Print Nightmare vulnerability issues for all of the networks originally connected to those servers.

 

  • Remove the Centralized Exploitation Point

Print servers are a high-value target for hackers. Why? Because they are a central point of access for a lot of unencrypted data. Anything being printed that passes through the print server is potentially exposed if a hacker gains access. That could mean exposing a lot of sensitive information in easy-to-read formats.

Even as companies patch these potential risk factors, hackers will continue to target print servers specifically because of the wealth of information they potentially expose. The best way to avoid that risk is to move to serverless printing. A network using PrinterLogic is protected from this single point of attack. For hackers to gain the same level of access in a direct IP print environment, they would need to compromise every printing source or print destination. This decentralized system is far easier for your company to protect and greatly mitigates your exposure.

  • Decrease Risk With Limited Permissions

With a print server, any user that needs to print must have access to the print spooler. Because access needs to be universal, a print server uses permissions to determine how to handle print jobs, driver installation, and other tasks. With Print Nightmare, it was possible to exploit the fact that drivers could be installed by a non-administrator. This left the server vulnerable to a hacker. Once the server was compromised, the hacker had access to a “trusted” resource (the server) and could continue to attack anything connected to it.

Unlike print servers, the PrinterLogic serverless printing environment does not share print spooling services across the network. Access and authentication are segmented and restricted at the workstation level. This keeps permissions locked down since most end users will not have administrative access to other network devices…even for printing! If a print spooler is hacked, the vulnerability will be contained to that specific device.

 

  • Segment and Segregate Your Network Services

Very few companies can afford to run dedicated machines for print services. To keep costs down and make management easier, print services are often installed on servers performing multiple responsibilities. In fact, it’s not uncommon for Microsoft Print Service to be installed on Domain Controllers, DNS servers, or file servers.

The chances are high that anyone who is able to compromise a print server will gain access to these other high-value services. That’s why hackers will continue to seek out and exploit printing services. It is safe to assume that even if you patched your print servers today, there most likely will be a vulnerability that affects them tomorrow. The most secure way to protect your company from Print Server vulnerabilities is to just get rid of them!
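
As an added example (not part of the original article, and not PrinterLogic or Microsoft code), the PowerShell function below audits the local Windows host for two conditions described above: a Spooler service running on a domain controller, and Point and Print policy that lets non-administrators install drivers. The registry value names come from Microsoft's published PrintNightmare guidance rather than from this article, and the function name Get-SpoolerExposure is hypothetical.

```powershell
# Added example: local audit of Print Spooler exposure (Windows PowerShell 5.1+).
# Get-SpoolerExposure is a hypothetical name; nothing here changes system state.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # A running Spooler service is what makes the print RPC interface reachable.
    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5
    if ($running -and $isDc) {
        $findings.Add('Spooler is running on a domain controller')
    }

    # Policy values are absent when a policy is not configured; reading a
    # missing value yields $null, which matches none of the risky settings.
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pol = Get-ItemProperty -Path $printers -ErrorAction SilentlyContinue
    $pnp = Get-ItemProperty -Path "$printers\PointAndPrint" -ErrorAction SilentlyContinue

    # RegisterSpoolerRemoteRpcEndPoint = 2 disables inbound remote printing.
    if ($running -and ($pol.RegisterSpoolerRemoteRpcEndPoint -ne 2)) {
        $findings.Add('Inbound remote printing is not disabled by policy')
    }
    # An explicit 0 re-enables driver installation by non-administrators.
    if ($pnp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings.Add('Non-administrators may install printer drivers')
    }
    # These values suppress the elevation prompt for Point and Print.
    if ($pnp.NoWarningNoElevationOnInstall -eq 1) {
        $findings.Add('Point and Print installs drivers without an elevation prompt')
    }
    if ($pnp.UpdatePromptSettings -in 1, 2) {
        $findings.Add('Point and Print updates drivers without an elevation prompt')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerStatus    = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
        SpoolerStartup   = if ($svc) { "$($svc.StartType)" } else { $null }
        DomainController = $isDc
        Findings         = $findings.ToArray()
    }
}

Get-SpoolerExposure | Format-List
```

An empty Findings list means none of these specific conditions were detected on the host; it does not confirm that the host is patched.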