There I was, minding my own business, printing off the latest set of sales reports for the weekly meeting - when I spotted it.
In the print queue display was the HR director’s print job, titled:
“Mike Johnson – Termination”
Well, I didn’t see that coming. Who else is up for the chop? Do I tell Mike? Am I next? So many questions.
I’m sure you’re chomping at the bit to find out what happened next. However, let’s take a step back for a second …
Are document names in print queues really a problem?
Before we jump in and say the world is ending, is this really a problem and a scenario that could happen to you? Is there a simple, already-enabled feature covering this for you? Turns out, there is!
Using Windows Server 2012+ to hide document names
If you’re using Microsoft Windows Server 2012 or later as your print server, there’s an inbuilt feature ready to go - one that also brings with it additional benefits around the security of print jobs.
The print spooler, by default, will ensure that only print server administrators can see the document names of jobs in the queue. If a user opens up a queue, they’ll only be able to see the details of jobs that they have submitted to the queue. Problem solved!
An example of a print queue in Server 2016 where the logged-in user “OfficeStaff1” is unable to see the print jobs names sent by “Executive”
Over on Microsoft’s website , you’ll find nifty instructions for print administrator settings.
NOTE: If you’re not on Windows Server 2012 yet, remember that Microsoft is discontinuing support for Server 2008 and Server 2008 R2 at the start of 2020. So jump over and explore upgrading your operating system, so you can benefit from this hidden document names feature and also be ready for Microsoft support to end.
Hiding document names from sys admins using PaperCut MF
Wanting to hide document names from your administrators as well? That’s a job for PaperCut MF!
We’ve got a feature built right into the software that can hide all of the document names in the queue, regardless of who’s looking. This feature is also really handy if you have any 2008 servers left in circulation.
A simple checkbox and you’re set to go. It’s worth noting, this feature is quite resources intensive, so I wouldn’t be recommending it as standard practice. However, it’s available on each print queue if needed.
Checking your print queue permissions
It’s handy that Microsoft has covered off hiding the document names, but it’s also important to make sure users have the right permissions on the print queues to ensure PaperCut retains primary control of each print job.
During the installation of PaperCut MF, I recommend checking the permissions and setup of all of your print queues to ensure users only have the read permission on the print queue.
If you missed this step during your installation, we cover this in more detail in Windows Print Queue Configuration in the PaperCut Knowledge Base.
Two methods to achieve print queue anonymity
Let’s review the two steps to keeping your organization’s printed documents secret:
- If you’re running Windows Server 2012 or later, Microsoft will make sure your document names are hidden. Just don’t forget the print queue permissions to make sure users can’t delete any of the jobs in the queue.
- Want to hide document names from administrators, too? No worries, we’ve got you covered in PaperCut MF with the option on each print queue to “ Hide document names for jobs in the queue ”.
Want some extra help getting set up? Check out our Knowledge Base article for the step by step setup process, including this walk-through video from our support expert, Alan Morris.
Ok, there’s ONE MORE WAY to achieve anonymity. It’s a bit techy, though.
Want to hide the jobs completely?
So far we’ve hidden the document names from end users and even the administrator. However, what if you want to hide the jobs completely so end users can’t see who, when or what is being printed?
Most people set up Windows printing to use SMB. It’s pretty much the standard. However, if you’re more familiar with Mac or Linux, you’ve probably experienced LPR/LPD. In the world of Windows, using LPR/LPD to submit print jobs means you can avoid sharing the print queue with users, rendering it inaccessible to users using Windows permissions, and therefore hiding anything that’s waiting to be released. Sounds easy, right?
Well, it is, sort of…
We ship an LPD service with PaperCut ready to install on your print server (as Microsoft have deprecated theirs), which will allow the jobs to be accepted by the server. You can find all the details about this here .
Once that’s running, the more difficult part is deploying queues to the users using LPR/LPD. This is possible through a mix of a Powershell Login Script and Group Policy. A great starting point for this is Microsoft’s online documentation . You’re going to need to get set up to create the printer port using LPD/LPR, disable SNMP on the queue, install the driver, and finally get the print queue itself installed.
Once everything is up and running, you’ll only be able to see the jobs if you log on to the server. Everything will be hidden from the users.
One little note if you try this out, you might notice that the jobs are arriving in the server queue with the user’s IP address included.
Removing this is easy. Just jump into our LPD Service configuration file"
..\app_path\PaperCut LPD Service\pc-lpd.config
And adjust the value of RemoveHostAddress to true.
While you’ll need to share the server queue so jobs can be accepted, users specifically don’t need permissions to access the share. You can just go ahead and switch off the “View Server” permission in the Print Server properties, making sure they can’t browse to the server and add the queue
By the way, remember to remove the everyone group, too. Our recommendation is to go for Domain Users.