My company is planning a Windows NT-based printer infrastructure. Because of budget constraints, departments must share the expensive printers. However, departments that handle confidential data (e.g., the human resources—HR—and research departments) are concerned about using printers outside their department's physical boundaries. What can I do from an NT-software standpoint to restrict print-job visibility so that departments can't view one another's data?
From an NT-software standpoint, you can limit print-job visibility in three ways: Tighten the Spool folder's ACL, point multiple logical printers to the same physical printer, and define specific separator pages.
Print jobs that users send to an NT logical printer reside in the Spool folder until the physical printer has finished printing them. The Spool folder's default location is \%systemroot%\winnt\system32\spool\printers. By default, the Printers folder's ACL gives the Everyone group Read access, which means that everyone can read everyone else's documents—clearly a concern when departments that handle sensitive information share a logical printer with other departments. To remedy the situation, change the Everyone group's permission from Read to List.
To leave the Spool folder under each department's control and away from unauthorized access, follow these steps to link multiple logical printers to the same physical printer:
- Set up a separate print server for every department (the server can physically be in the department).
- Create a logical printer on each department's print server, then point all the logical printers to the same physical printer.
The third solution is to generate special separator pages for the HR and research departments. These pages can contain text that warns of the material's confidentiality and of the disciplinary impact of viewing or compromising the data. You can define separator pages in each logical printer's properties.
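To confirm the Spool folder ACL change described above, the following added example (not part of the original article) reports whether a broad group can still open spooled files or can only list them. It assumes PowerShell is available on the print server, that the spool folder is in its usual location under the system root, and that the three well-known groups listed are the ones you consider too broad.

```powershell
# Added example: audit the spool folder's ACL for broad read access.
# Assumption: spool folder is at its usual location under the system root.
$spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

# Broad principals, matched by well-known SID so localized names don't matter.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Access-mask bits that allow reading file contents:
# FILE_READ_DATA (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
$readMask   = 0x1 -bor 0x10000000 -bor 0x80000000
$objInherit = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$sidType    = [System.Security.Principal.SecurityIdentifier]

$acl = Get-Acl -LiteralPath $spoolDir
$findings = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    if (-not $broad.ContainsKey($sid)) { continue }
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }

    # On a folder, the read bit alone only lists file names. The ACE exposes
    # job contents when spooled files inherit it (ObjectInherit).
    $onFiles = ($ace.InheritanceFlags -band $objInherit) -ne 0
    $result = if ($onFiles) { 'READ: can open spooled jobs' } else { 'LIST: file names only' }
    [pscustomobject]@{
        Principal = $broad[$sid]
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Result    = $result
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No broad-group read ACE on $spoolDir" }
```

Run it on each print server before and after changing the permission; a `READ` row for Everyone is the condition the Read-to-List change is meant to remove.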