Prevent users from bypassing PaperCut
“Help! I’m a Systems Administrator and PaperCut customer and our organization is serious about tracking print jobs and preventing unauthorized printing. What tools do we have to restrict access to printing and ensure that all print jobs are properly funneled through PaperCut?”
A common query we receive is what measures can be taken to prevent users from bypassing PaperCut NG and PaperCut MF. In these situations, users print for free by connecting to printers directly from their workstation or laptop. Here are a few measures you can take to prevent this from happening.
Most modern print devices will allow an administrator to block or allow a certain range of IP addresses in the web interface, usually in the Security section. You should be able to “allow-list” the Print Server IP address, authorizing printing to the device from just that address. All other IPs would be blocked, which ensures users cannot print to this device directly and must connect through the authorized, PaperCut-managed print server in order to print. By necessity this solution assumes that you have set up a print server to facilitate printing and users are not directly printing to printers from their workstations.
Another way to prevent users from accessing your printers is to have them set up on a different VLAN or subnet. There are many ways that a network administrator can configure the network to prevent users from directly accessing printers. For example, they could set up a separate VLAN specifically for printers, and then create firewall rules on the router that prevent users from directly reaching these ports and IP addresses, but allow traffic from the print server only.
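Once the device allow-list or the VLAN firewall rules described above are in place, you can confirm they work by running a check from an ordinary user workstation. The script below is an added example, not PaperCut code. It assumes the printer addresses shown (constructed placeholders) are replaced with your own, and it tests the standard TCP print ports 9100, 515 and 631.

```python
import socket

# Standard TCP ports on which printers accept jobs directly.
DIRECT_PRINT_PORTS = {
    9100: "raw / JetDirect",
    515: "LPD",
    631: "IPP (also used by AirPrint)",
}


def reachable_ports(host, ports=DIRECT_PRINT_PORTS, timeout=1.0):
    """Return the sorted ports on host that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            # Refused, timed out (filtered) or unroutable: path is closed.
            pass
    return sorted(found)


def audit(printers, ports=DIRECT_PRINT_PORTS, timeout=1.0):
    """Map each printer to the direct-print ports still reachable from here.

    Run from a user workstation, an empty result means the allow-list or
    VLAN rules are blocking direct printing. Run from the print server,
    the same ports should be reachable.
    """
    report = {}
    for host in printers:
        open_ports = reachable_ports(host, ports, timeout)
        if open_ports:
            report[host] = open_ports
    return report


if __name__ == "__main__":
    PRINTERS = ["192.0.2.10", "192.0.2.11"]  # constructed placeholders
    findings = audit(PRINTERS)
    for host, ports in findings.items():
        labels = ", ".join(f"{p} ({DIRECT_PRINT_PORTS[p]})" for p in ports)
        print(f"BYPASS PATH: {host} accepts connections on {labels}")
    if not findings:
        print("OK: no printer accepts direct connections from this machine")
    raise SystemExit(1 if findings else 0)
```

This check covers TCP print ports only. Discovery protocols such as WSD and Bonjour use multicast and still need to be disabled on the device or kept off the users' subnet.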
Disabling USB printing is essential, along with one or both of the above approaches, to ensure users cannot print directly. While you could purchase a USB port blocker or lock to prevent users from physically accessing the USB port, a less costly option would be to disable USB printing through the printer’s settings. Consult the printer manufacturer’s documentation for specific details on how to make sure these options are disabled.
WSD and AirPrint are protocols designed to make it easy for different devices to discover printers when they are on the same subnet. This is great for a home office, where it should be easy to discover your printers, but in enterprise environments these protocols allow users to connect directly to printer hardware, bypassing any print management software like PaperCut. They also cause trouble for users and IT departments, because once the user moves to a different subnet (like the company WiFi) they are suddenly no longer able to print. Having your printers on a different subnet from your users reduces the risk that they are accidentally found, but a more reliable way to prevent this is to manage the settings on the printer to disable these discovery protocols.
Consult your printer manufacturer’s documentation to find out how to disable these protocols, or make sure that your end-users and printers are on separate subnets or separate VLANs.
As an example, here is the section in the web interface of a Ricoh copier where you can disable WSD and Bonjour: