February 28th, 2007, 09:13 PM
Good day friends,
I have many issues but this one you may help me alleviate. Windows XP clients, members of an Active Directory domain, servers are 2k and some old HP 8000 printers. I need to restrict these clients from printing anything except for documents that orignate from one application. Is their a way to restrict printing based on doc type?
February 28th, 2007, 10:07 PM
Where does this application reside? locally, or on a server?
Are you trying to restrict printing to specific devices or all printing other than that from the application you mention?
What filetype are the documents that you want to allow?
What stationery type do these application documents use?
Do you trust the users?
March 1st, 2007, 01:08 AM
The application is run on the client however it does pull data from a server.
I need all printing restricted with this one application being the exception.
I'll have to check the app to find out the doc type but I am fairly certain it would be fairly unique and not something along the line of .doc or .htm
The only stationery type I'm familiar with is monarch... but I don't think that is where your going with this...?
I don't trust users period... but these users are general public so my distrust is a whole new level.
Thanks for any direction you can give me.
March 1st, 2007, 02:00 AM
I have absolutely no clue why Nihil is asking you a bunch of useless questions.. because the answer is no. There is no way to restrict printing to only one application, or one type of document, that is being run in the context of the user that is logged in. Especially if that user has permissions to print to the printer.
March 1st, 2007, 09:10 AM
Hi stevel, thanks for your replies. Obviously this sort of control is common......... just ask yourself:
Can anyone print cheques (checks)?
Can anyone print purchase orders?
and so on.........................the answer is NO!
The way it is usually achieved is that the users are authorised to the applications, and the applications generate and submit the print jobs. If they go through an applications server they can only access the applications they are authorised to, and cannot submit a locally generated print job. That was the reason for my thin/thick client question it should also be possible to set the thick client up as the sole printing authority?
I have seen software that manages print queues. One of the options was to do it by document type, although I have only ever used this software for allocating overheads or charging costs to clients or projects.
Obviously if you knew this and could change the document type you could get round it in theory at least. You would need to know what the approved document types were though.
The reason I asked about stationery types is that a lot of applications can be set to prompt for a particular one............invoices, cheques, insurance policies etc. All that happens is that you are prompted to load the correct stationery.............. that is where the trust bit comes in
As I don't know your application I cannot say what would be possible, other than that you could at least look at print managers that allow control by document type?
March 1st, 2007, 09:25 AM
well, an obvious option is to simply pause the print queues and watch them yourself. I'm assuming you would rather just shoot yourself in the head.
I currently have two different print monitoring programs under evaluation. One is ranger print manager, but I very much doubt this will suit your needs. The other is the geneva logic print manager.
Both of these are pitched at schools, but they might solve your problem. I know ranger print manager can't restrict by doc type, but you can charge by page.
One option would maybe be to get any print charging software and setup that and your applications like this:
1) anything that can print set to A4 paper size
2) anything that can't print set to letter paper size
3) prevent users changing paper size
4) charge 10p for an A4 page, £10,000 for a letter page
5) set credit limit to £10
so if they try and print from a denied app, it comes as letter. The print manager says "not enough credit" and drops the job. They try and print from a valid app, they can print up to 100 pages. Obviously the precise numbers are up to you, but you get the idea.
If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
March 1st, 2007, 10:19 AM
Yes, like Aardpsymon, I have seen this sort of software used for cost allocation, cost control and billing purposes.
Here is one I have seen:
It claims to support restriction by document type, but I don't know what parameters it lets you use. There is a free trial you could check out
March 1st, 2007, 01:32 PM
One little question not sure if it was asaked but who is printing? Is it the users of the application or is it the application itself that automatically prints out logs and other such things?
If it is the application I would just configure the printer directly on the application server and restrict access to the printer in the AD.
If it is users that start the print jobs it will depend on what restrictions you can put into place and how tightly you can lock down the workstations.
\"America is the only country that went from barbarism to decadence without civilization in between.\"
\"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
By scam4321 in forum Newbie Security Questions
Last Post: April 6th, 2004, 02:41 PM
By Agent_Steal in forum AntiOnline's General Chit Chat
Last Post: November 4th, 2003, 07:14 AM
By spools.exe in forum Microsoft Security Discussions
Last Post: October 4th, 2003, 11:54 PM
By faust in forum *nix Security Discussions
Last Post: May 8th, 2003, 11:22 AM
By ljchew in forum AntiOnline's General Chit Chat
Last Post: February 27th, 2002, 05:33 PM