Prevent users from bypassing PaperCut

A common query we receive is what measures can be taken to prevent users from bypassing PaperCut NG and PaperCut MF. In such situations, users allow themselves to print for free by connecting to printers directly from their workstation or laptop. Here are a few measures you can take to prevent this from happening.

Whitelist only the Print Server IP address

Most modern print devices allow an administrator to block or allow a certain range of IP addresses in the web interface, usually in the Security section. You should be able to whitelist the Print Server IP address, authorizing printing to the device from just that address. All other IPs are blocked, which ensures users cannot print to the device directly and must connect through the authorized, PaperCut-managed print server in order to print.

Move the printers to a separate network

Another way to prevent users from accessing your printers is to have them set up on a different VLAN or subnet. There are many ways that a network administrator can configure the network to prevent users from directly accessing printers. For example, they could set up a separate VLAN specifically for printers, and then create firewall rules on the router that prevent users from directly reaching these ports and IP addresses, but allow traffic from the print server only.
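
One way to verify the IP whitelist or VLAN rules described above, as an added example that is not part of the original article or PaperCut's own tooling: run it from a user workstation, where every printer should show no reachable print ports. The port list (9100, 515, 631) reflects the standard RAW, LPD and IPP assignments, and the sample addresses are constructed placeholders.

```python
import socket

# Standard TCP ports for direct printing (well-known assignments, not from the article).
PRINT_PORTS = {9100: "RAW/JetDirect", 515: "LPD", 631: "IPP"}


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unroutable: all count as blocked.
        return False


def audit_printers(printers, ports=PRINT_PORTS, timeout=1.0):
    """Map each printer address to the print ports still reachable from this host."""
    findings = {}
    for host in printers:
        findings[host] = [p for p in ports if port_open(host, p, timeout)]
    return findings


def report(findings, ports=PRINT_PORTS, expect_open=False):
    """Return one line per printer; use expect_open=True when run on the print server."""
    lines = []
    for host, reachable in findings.items():
        ok = bool(reachable) if expect_open else not reachable
        names = ", ".join(f"{p} ({ports[p]})" for p in reachable) or "none"
        lines.append(f"{'PASS' if ok else 'FAIL'} {host}: reachable print ports: {names}")
    return lines


if __name__ == "__main__":
    # Constructed sample addresses (TEST-NET-1); replace with your printers' IPs.
    sample = ["192.0.2.10", "192.0.2.11"]
    for line in report(audit_printers(sample)):
        print(line)
```

Run the same check on the print server with `expect_open=True` to confirm that the authorized path still works after the rules are applied.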

Disable local printing methods like USB and Bluetooth

This step is essential along with one or both of the above approaches to ensure users cannot print directly. While you could purchase a USB port blocker or lock to prevent users from physically accessing the USB port, a less costly option would be to disable USB printing through the printer’s settings. While there, you may also look to disable Infrared, Bluetooth, onboard direct-WiFi printing, and any other direct connection that the device may support. Consult the printer manufacturer’s documentation for specific details on how to make sure these options are disabled.

Disable discovery protocols like WSD, Bonjour, and AirPrint

WSD and Bonjour are protocols designed to make it easy for Windows workstations or Apple devices to discover printers when they are on the same subnet. This is great for a home office when it should be easy to discover your printers, but in enterprise environments these protocols allow users to connect directly to printer hardware, bypassing any print management software like PaperCut. They also cause trouble for users and IT departments, because once the user moves to a different subnet (like the company WiFi) then suddenly they are no longer able to print.

Consult your printer manufacturer’s documentation to find out how to disable these protocols, or make sure that your end-users and printers are on separate subnets or VLANs.

As an example, here is where you could disable WSD and Bonjour on a Ricoh copier:
