Comprehensive guide to end-to-end print security

Main.PrintJobEncryption History

September 13, 2019, at 12:50 AM by 193.114.149.158 -
Changed line 78 from:
ChromeOS  currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or use Google Cloud Print integration with PaperCut MF and NG.
to:
When using Mobility Print, 256-bit level AES encryption is applied to all print jobs.
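Review bot: The replacement for line 78 names a cipher ("256-bit level AES") but drops everything the old text said about the transport. It no longer mentions ChromeOS, IPP versus IPPS, or whether the spool file is covered as well as the usernames and passwords. State which clients and which protocol the sentence applies to, and say whether the Web Print (over HTTPS) alternative is still needed for any client.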
January 16, 2019, at 02:51 AM by Sonja McShane -
Changed line 78 from:
[=ChromeOS=]  currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or use Google Cloud Print integration with PaperCut MF and NG.
to:
ChromeOS  currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or use Google Cloud Print integration with PaperCut MF and NG.
January 16, 2019, at 02:48 AM by Sonja McShane -
Changed lines 78-80 from:
[=ChromeOS=] prints over IPP (not IPPS) to Mobility Print. User identity information, such as passwords and usernames, and the spool file are encrypted. 

ChromeOS
currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or use Google Cloud Print integration with PaperCut MF and NG.
to:
[=ChromeOS=] currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or use Google Cloud Print integration with PaperCut MF and NG.
January 16, 2019, at 02:47 AM by Sonja McShane - Reverted the update re: ChromeOS info to add the spool file is now encrypted.
Added lines 79-80:

ChromeOS currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or use Google Cloud Print integration with PaperCut MF and NG.
January 16, 2019, at 12:28 AM by Sonja McShane - Update ChromeOS info to add the spool file is now encrypted.
Changed line 78 from:
[=ChromeOS=] currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from [=ChromeOS=] is required, consider setting up [[https://www.papercut.com/tour/web-print/|PaperCut Web Print]] (over HTTPS) or use [[https://www.papercut.com/products/ng/manual/applicationserver/topics/mobile-google-cloud-print.html|Google Cloud Print]] integration with PaperCut MF and NG. 
to:
[=ChromeOS=] prints over IPP (not IPPS) to Mobility Print. User identity information, such as passwords and usernames, and the spool file are encrypted
March 26, 2018, at 02:00 AM by Danielle Ko -
Changed line 100 from:
As mentioned earlier, an important part of security is maintenance. All too often, vulnerabilities occur through lack of maintenance. This is often a forgotten step so here are our top tips on making your print environment secure…. FOREVER!
to:
As mentioned earlier, an important part of security is maintenance. All too often, vulnerabilities occur through lack of maintenance. This is often a forgotten step so here are our top tips on making your print environment more secure:
March 04, 2018, at 11:34 PM by Mel Zouzoulas - Removed categories
Changed lines 118-119 from:
----
''Categories:'' [[Category.Security|+]], [[Category.Encryption|+]]
to:

February 27, 2018, at 02:00 AM by Willem Groenewald -
Deleted line 2:
February 27, 2018, at 01:59 AM by Willem Groenewald -
Changed line 2 from:
attach:end-to-end-encryption.jpg
to:
Attach:end-to-end-encryption.jpg
February 27, 2018, at 01:58 AM by Willem Groenewald -
Added line 2:
attach:end-to-end-encryption.jpg
February 19, 2018, at 02:25 AM by Willem Groenewald -
Changed line 87 from:
PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this guide on how to configure IPPS printers and PaperCut MF and NG. \\
to:
PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this [[https://www.papercut.com/kb/Main/InstallingIPPSPrinters|guide]] on how to configure IPPS printers and PaperCut MF and NG. \\
Changed line 97 from:
Checking the encryption of print jobs is slightly more involved, and a little bit more fun. You’ll need Wireshark to analyse network protocols and for instructions on how to use [[https://www.wireshark.org|Wireshark]] to validate that your jobs are secure, follow this guide.
to:
Checking the encryption of print jobs is slightly more involved, and a little bit more fun. You’ll need Wireshark to analyse network protocols and for instructions on how to use [[https://www.wireshark.org|Wireshark]] to validate that your jobs are secure, follow this [[https://www.papercut.com/kb/Main/WiresharkPrintTraffic|guide]].
February 19, 2018, at 02:20 AM by Willem Groenewald -
Changed lines 68-69 from:
Note however, that both iOS and MacOS devices accept self-signed certificates. On the open internet, where there are many hops between you and the server, a self-signed certificate is not secure because any of these hops can introduce a man-in-the-middle attack. On a local network however, the risk is considerably less, especially in a switched network environment.
to:
Note however, that both iOS and [=MacOS=] devices accept self-signed certificates. On the open internet, where there are many hops between you and the server, a self-signed certificate is not secure because any of these hops can introduce a man-in-the-middle attack. On a local network however, the risk is considerably less, especially in a switched network environment.
Changed lines 84-85 from:
If your printers support IPPS, you are in luck, as you can set up an encrypted connection between your print server and the printer. If your printers only support LPD, then there are still a few things you can do to avoid someone snooping and capturing the print jobs, which will be explained below.
to:
If your printers support IPPS, you are in luck, as you can set up an encrypted connection between your print server and the printer. If your printers only support LPD, then there are still a few things you can do to avoid someone snooping and capturing the print jobs, which will be explained below.\\
\\
Changed lines 87-88 from:
PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this guide on how to configure IPPS printers and PaperCut MF and NG.
to:
PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this guide on how to configure IPPS printers and PaperCut MF and NG. \\
\\
Changed lines 98-99 from:
TODO link your page here: https://www.papercut.com/kb/Main/Miscellaneous
to:
Changed lines 107-111 from:
##[=MacOS=] security alert
##iOS security alert
##[=ChromeOS=] security alert
##Android security alert
##IPPS security alert
to:
**[=MacOS=] security alert
**iOS security alert
**[=ChromeOS=] security alert
**Android security alert
**IPPS security alert
February 19, 2018, at 02:13 AM by Willem Groenewald -
Changed lines 54-55 from:
IPPS is IPP over an HTTPS connection. Inherently it uses the same level of encryption you would get on an HTTPS web page. [=MacOS=] computers do accept self-signed certificates, read more about considerations under iOS clients.
to:
IPPS is IPP over an HTTPS connection. Inherently it uses the same level of encryption you would get on an HTTPS web page. [=MacOS=] computers do accept self-signed certificates, read more about considerations under [[#ios|iOS clients]].
Changed lines 64-95 from:
to:
[[#ios]]
!!![=iOS clients=]
Mobility Print is the answer to encryption for both [[https://www.papercut.com/products/ng/mobility-print/manual/setting-up-your-devices/ios/|iOS]] and [[https://www.papercut.com/products/ng/mobility-print/manual/setting-up-your-devices/macos/|MacOS]], as [=IPPS=] is used as the printing protocol.

Note however, that both iOS and MacOS devices accept self-signed certificates. On the open internet, where there are many hops between you and the server, a self-signed certificate is not secure because any of these hops can introduce a man-in-the-middle attack. On a local network however, the risk is considerably less, especially in a switched network environment.

Best practice: If you want to minimize the risk of man-in-the-middle attacks , make sure you use secure wifi protocols, and consider using security tools that actively monitor for address spoofing attempts. 

[[#android]]
!!!Android clients
PaperCut’s Android [[https://play.google.com/store/apps/details?id=com.papercut.projectbanksia|Mobility Print app]] uses encrypted printing for Android devices out of the box. Print jobs are sent to the [[https://www.papercut.com/products/ng/mobility-print/manual/how-to-setup/|Mobility Print server]] over HTTPS. Similar to [=iOS=] and [=MacOS=], self-signed certificates are accepted. 

[[#chromeos]]
!!![=ChromeOS=] clients
[=ChromeOS=] currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames are encrypted, but not the spool file. If fully encrypted printing from [=ChromeOS=] is required, consider setting up [[https://www.papercut.com/tour/web-print/|PaperCut Web Print]] (over HTTPS) or use [[https://www.papercut.com/products/ng/manual/applicationserver/topics/mobile-google-cloud-print.html|Google Cloud Print]] integration with PaperCut MF and NG. 

[[#printer]]
!!Print server to printers
Firstly, you need to check whether your printer supports IPPS. Check your printer specification.

If your printers support IPPS, you are in luck, as you can set up an encrypted connection between your print server and the printer. If your printers only support LPD, then there are still a few things you can do to avoid someone snooping and capturing the print jobs, which will be explained below.
'''IPPS between the server and printers'''
PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this guide on how to configure IPPS printers and PaperCut MF and NG.
'''How to secure printers that do not support IPPS'''
As print jobs won’t be encrypted, your only defence is to separate network traffic between your server and printers from the rest of the network.

Firstly, configure your printers on a different VLAN. Secondly, to ensure someone can’t access the private VLAN by pulling out a network cable from a printer, follow the user manual of your switch to configure port security to only accept your printer’s MAC address.

!Validate
Checking whether encryption to a website is configured, is pretty easy. Simply open a browser and see whether it complains about the security.

Checking the encryption of print jobs is slightly more involved, and a little bit more fun. You’ll need Wireshark to analyse network protocols and for instructions on how to use [[https://www.wireshark.org|Wireshark]] to validate that your jobs are secure, follow this guide.
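Review bot: In "How to secure printers that do not support IPPS", the only control against someone unplugging a printer is switch port security keyed to the printer's MAC address. A MAC address is an identifier rather than a credential, so this limits casual access but does not authenticate the device. Suggest saying so, and recommending 802.1X port authentication where the printer and switch support it, plus an ACL on the printer VLAN that admits only the print server. Separately, both "follow this guide" sentences in this hunk have no link target.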
Added lines 97-115:

!Maintain
As mentioned earlier, an important part of security is maintenance. All too often, vulnerabilities occur through lack of maintenance. This is often a forgotten step so here are our top tips on making your print environment secure…. FOREVER!

#Document your security policies and design. If you leave one day, someone should be able to pick up from where you left off.
#Keep your printers on a different VLAN or dedicated IP range, and disable all protocols except IPPS.
#Switch on auto updates to get the latest security updates for software and operating systems.
#Sign up for security notifications from Microsoft.
#Create Google Alerts for:
##[=MacOS=] security alert
##iOS security alert
##[=ChromeOS=] security alert
##Android security alert
##IPPS security alert
#Share your practices and document within your organization. Don’t be surprised when your next pay review includes a nice raise.

!Conclusion
Well done! You have not only secured your organisation for the present, but you’ve put in place practices that will keep your organisation secure far into the future. Through all of this, you might have picked up a salary raise. You can now feel good going on a weekend away, knowing that you’ve got your organisation’s back. Proceed to work towards an Apply, Validate and Maintain approach for the other areas of your IT infrastructure!
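Review bot: Item 2 of the Maintain list ("disable all protocols except IPPS") contradicts the earlier section for printers that only support LPD, where the advice is network separation because IPPS is not available. Qualify the item, for example "where the printer supports IPPS, disable all other protocols". Item 3 covers "software and operating systems" only, so printer firmware updates are worth naming as their own item.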

February 19, 2018, at 01:34 AM by Willem Groenewald -
Changed lines 54-55 from:
[=IPPS is IPP over an HTTPS connection. Inherently it uses the same level of encryption you would get on an HTTPS web page. [=MacOS=] computers do accept self-signed certificates, read more about considerations under iOS clients.=] 
to:
IPPS is IPP over an HTTPS connection. Inherently it uses the same level of encryption you would get on an HTTPS web page. [=MacOS=] computers do accept self-signed certificates, read more about considerations under iOS clients.
Changed lines 58-62 from:
# Deploy Mobility Print. Mobility Print works extremely well in a mixed environment where some devices are managed, and others are BYOD or even mobile devices.  Both are able to connect to the Mobility Print server and authenticate securely.

Mobility Print can be deployed on a Windows server, so an additional [=MacOS=] server is not required. Mobility Print will use HTTPS for client connections.

# Deploy a [=MacOS=] server. With a [=MacOS=] server, you can deploy additional tools such as Kerberos if you want your users to avoid entering their credentials when printing. The additional overhead and cost required to configure and manage the additional server and clients often prompts organizations to use Mobility Print instead.
to:
# '''Deploy Mobility Print'''. Mobility Print works extremely well in a mixed environment where some devices are managed, and others are BYOD or even mobile devices.  Both are able to connect to the Mobility Print server and authenticate securely.\\
\\

Mobility Print can be deployed on a Windows server, so an additional [=MacOS=] server is not required. Mobility Print will use HTTPS for client connections.\\

# '''Deploy a [=MacOS=]''' server. With a [=MacOS=] server, you can deploy additional tools such as Kerberos if you want your users to avoid entering their credentials when printing. The additional overhead and cost required to configure and manage the additional server and clients often prompts organizations to use Mobility Print instead.
February 19, 2018, at 01:24 AM by Willem Groenewald -
Changed lines 16-23 from:
!![[#server| Client to print server]]
!!!* Windows
!!!* MacOS
!!!* iOS
!!!* Android
!!!* ChromeOS
!!Print server to printers
to:
[+[[#server| Client to print server]]+]
* '''[[#windows| Windows]]'''
* '''[[#macos| MacOS]]'''
* '''[[#ios| iOS]]'''
* '''[[#android| Android]]'''
* '''[[#chromeos|
ChromeOS]]'''
[+[[#printer|
Print server to printers]]+]
Added line 26:
[[#windows]]
Changed line 32 from:
Once you think no one is using SMB1, you can be sure about this by double checking and running the following command on your server:
to:
Once you think no one is using SMB1, you can be sure about this by double checking and running the following command on your server:\\
Changed line 35 from:
Finally, let’s pull the trigger and switch off SMB1 with this command:
to:
Finally, let’s pull the trigger and switch off SMB1 with this command:\\
Added lines 40-62:
[[#macos]]
!!![=MacOS=] clients
[=MacOS=] computers print to Windows print servers on one of the following protocols:
* '''LPR/LPD'''
* '''SMB'''
* '''IPPS''' (recommended)

'''LPR/LPD'''\\
[=LPR/LPD is not encrypted, and if you’ve made it this far through this article, it would appear that security is important to you so let’s just skip this one and not use it. =]

'''SMB'''\\
[=In all honesty, managing SMB printers on a Mac, whether it is BYOD or a managed device is often not worth it. I recommend you go straight for IPPS. But, if you do go for SMB, at least your print jobs will be encrypted over the network.=]

'''IPPS'''\\
[=IPPS is IPP over an HTTPS connection. Inherently it uses the same level of encryption you would get on an HTTPS web page. [=MacOS=] computers do accept self-signed certificates, read more about considerations under iOS clients.=] 

You have two options to deploy IPPS:

# Deploy Mobility Print. Mobility Print works extremely well in a mixed environment where some devices are managed, and others are BYOD or even mobile devices.  Both are able to connect to the Mobility Print server and authenticate securely.

Mobility Print can be deployed on a Windows server, so an additional [=MacOS=] server is not required. Mobility Print will use HTTPS for client connections.

# Deploy a [=MacOS=] server. With a [=MacOS=] server, you can deploy additional tools such as Kerberos if you want your users to avoid entering their credentials when printing. The additional overhead and cost required to configure and manage the additional server and clients often prompts organizations to use Mobility Print instead.
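Review bot: The IPPS paragraph says IPPS gives "the same level of encryption you would get on an HTTPS web page" and then, in the same line, that MacOS accepts self-signed certificates. These need reconciling here rather than by deferring to the iOS section. Encryption with a certificate the client does not validate protects against passive capture but does not confirm the server's identity. One sentence to that effect next to the "(recommended)" label would keep the recommendation accurate.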
February 19, 2018, at 01:10 AM by Willem Groenewald -
Added lines 26-39:
!!!Windows clients
There is good news! Out of the box, Windows printing system uses Server Message Block (SMB) to print spool files to the server, which is the same protocol used for file sharing. SMB is encrypted, well that is since SMB2, which was made even more secure with the introduction of SMB3.

Recommended practice: consider switching off SMB1 on your server. BUT… if you have clients running Windows 98/ME, Windows 2000, Windows XP and Windows 2003 on your network, then printing and copying files to this server will stop working. You may need to go through the necessary change management processes of your organization to get those users moved over to newer machines and/or operating systems. Don’t worry, they will love you for it - who doesn’t like a new laptop anyway? That is rhetorical, you don’t have to comment their name if you know someone.

Once you think no one is using SMB1, you can be sure about this by double checking and running the following command on your server:
[@Get-SmbSession | Select Dialect,ClientComputerName,ClientUserName | Where-Object {$_.Dialect –lt 2.00}@]

Finally, let’s pull the trigger and switch off SMB1 with this command:
[@Set-SmbServerConfiguration –EnableSMB1Protocol $false@]

More information about SMB security on Windows is covered in this [[https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-windows-server-2012/|article]].
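Review bot: The opening paragraph's claim that "SMB is encrypted, well that is since SMB2" should be corrected. SMB encryption was introduced with SMB 3.0 and is off unless enabled on the server or on the share (the EncryptData setting), so a default SMB2 or SMB3 print connection is not necessarily encrypted. For the SMB1 check, Get-SmbSession only lists sessions open at the moment it runs. Suggest also enabling Set-SmbServerConfiguration -AuditSmb1Access $true for a period before disabling SMB1, so clients that connect occasionally are caught. The two commands use an en dash (–) before lt and EnableSMB1Protocol; replace these with an ASCII hyphen so they copy cleanly.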

February 19, 2018, at 01:07 AM by Willem Groenewald -
Changed lines 12-15 from:
TODO add page content here.

!!Subheading
to:
!Apply 

This article promised to be a “comprehensive guide” so let’s get into the detail and get your print jobs secure
. Here is a quick summary of areas that we’ll be covering, so you can jump to a specific one if you wish to:

!![[#server| Client to print server]]
!!!* Windows
!!!* MacOS
!!!* iOS
!!!* Android
!!!* ChromeOS
!!Print server to printers

[[#server]]
!!Client to print server

Changed line 30 from:
''Categories:'' [[Category.TODOFirstCategory|+]], [[Category.TODOSecondCategoryIfNeeded|+]]
to:
''Categories:'' [[Category.Security|+]], [[Category.Encryption|+]]
Changed line 32 from:
[-Keywords: TODO keywords here if needed-]
to:
[-Keywords: security, encryption, end-to-end encryption-]
February 19, 2018, at 12:53 AM by Willem Groenewald -
Changed line 1 from:
(:title Comprehensive guide to end-to-end print security Title:)
to:
(:title Comprehensive guide to end-to-end print security:)
February 19, 2018, at 12:52 AM by Willem Groenewald -
February 19, 2018, at 12:52 AM by Willem Groenewald -
February 19, 2018, at 12:51 AM by Willem Groenewald -
Added lines 1-21:
(:title Comprehensive guide to end-to-end print security Title:)

It doesn’t take much to convince organizations nowadays on the importance of security and protecting sensitive information that is stored digitally, in mid-transit, or being printed from the printer. Just take a moment and think about all the security measures you’ve put in place in the last 10 years, and then compare that to how much you know about the security of your print jobs.

This article specifically focuses on securing print jobs in transit, and how they can be protected from snooping eyes. In other words, end-to-end encryption of print jobs on the network. For additional information about securing your print environment in general, refer to our [[https://www.papercut.com/kb/Main/SecurityWhitepaper|security whitepaper]].

Security is not a set and forget activity. To ensure protection for today and for the future, we’ll guide you through how to:
* '''Apply''',
* '''Validate''', and
* '''Maintain''' encryption of print jobs on your network.

TODO add page content here.

!!Subheading

TODO link your page here: https://www.papercut.com/kb/Main/Miscellaneous

----
''Categories:'' [[Category.TODOFirstCategory|+]], [[Category.TODOSecondCategoryIfNeeded|+]]
----
[-Keywords: TODO keywords here if needed-]

Article last modified on September 13, 2019, at 12:50 AM