UCF STIG Viewer Logo

Nonadministrative user accounts or groups must only have print permissions on printer shares.


Overview

Finding ID Version Rule ID IA Controls Severity
V-1135 WN12-GE-000012 SV-52213r1_rule ECCD-1 Low
Description
Windows shares are a means by which files, folders, printers, and other resources can be published for network users to access. Improper configuration can permit access to devices and data beyond a user's need.
STIG Date
Windows Server 2012 Domain Controller Security Technical Implementation Guide 2014-01-07

Details

Check Text ( C-46959r1_chk )
Open "Devices and Printers" in Control Panel or through Search.
If there are no printers configured, this is NA.

For each configured printer:
Right click on the printer.
Select "Printer Properties".
Select the "Sharing" tab.
View whether "Share this printer" is checked.

For any printers with "Share this printer" selected:
Select the Security tab.

If any standard user accounts or groups have permissions other than "Print", this is a finding.
Standard users will typically be given "Print" permission through the Everyone group.
"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.
Fix Text (F-45232r1_fix)
Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.