STIGQter STIGQter: STIG Summary: Microsoft Windows Server 2012/2012 R2 Domain Controller Security Technical Implementation Guide Version: 3 Release: 2 Benchmark Date: 04 May 2021:

Nonadministrative user accounts or groups must only have print permissions on printer shares.

DISA Rule

SV-226244r569184_rule

Vulnerability Number

V-226244

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

WN12-GE-000012

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Configure the permissions on shared printers to restrict standard users to only have Print permissions. This is typically given through the Everyone group by default.

Check Contents

Open "Devices and Printers" in Control Panel or through Search.
If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.)

For each configured printer:
Right click on the printer.
Select "Printer Properties".
Select the "Sharing" tab.
View whether "Share this printer" is checked.

For any printers with "Share this printer" selected:
Select the Security tab.

If any standard user accounts or groups have permissions other than "Print", this is a finding.
Standard users will typically be given "Print" permission through the Everyone group.
"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.

Vulnerability Number

V-226244

Documentable

False

Rule Version

WN12-GE-000012

Severity Override Guidance

Open "Devices and Printers" in Control Panel or through Search.
If there are no printers configured, this is NA.(Exclude Microsoft Print to PDF and Microsoft XPS Document Writer, which do not support sharing.)

For each configured printer:
Right click on the printer.
Select "Printer Properties".
Select the "Sharing" tab.
View whether "Share this printer" is checked.

For any printers with "Share this printer" selected:
Select the Security tab.

If any standard user accounts or groups have permissions other than "Print", this is a finding.
Standard users will typically be given "Print" permission through the Everyone group.
"All APPLICATION PACKAGES" and "CREATOR OWNER" are not considered standard user accounts for this requirement.

Check Content Reference

M

Target Key

4217

Comments