13 Replies Latest reply on Apr 9, 2015 1:10 PM by Jason Pelletier

    What is the best practice to stop Rogue Computers directly printing.

    Joseph Polk Newbie

      We have computers set up to go through the Pharos Print Server, but there are those computers on our own network that have the ability to mount the printer directly.  What is the best practice to force all print jobs to go through the Pharos Print Server?

        • Re: What is the best practice to stop Rogue Computers directly printing.
          Timothy Grzeczka Pioneer

          What you can use is the built in Access Control in the devices. We have HP and Canon devices in our fleet here so I can speak for those brands:


          - The HPs have a setting under Networking -> Authorization -> Access Control. From here you can add your Pharos Print Server(s) so only jobs from the servers are accepted. Make sure to leave the box checked so you can still remote into the printers to configure them.


          - The Canons were a bit more complicated but you can do it. Under Settings -> Network Settings -> Firewall Settings IPv4 Address Filter -> RX Settings. Here add each of your Print Servers. NOTE be sure to also add any IP ranges you plan to remote manage from. If you don't, only your print server can remote into the device. After some trial and error I found the needed ports for remote management so you can lock it down. They are 80, 443, 8000, and 8443.


          I'm sure you can do this with other vendor devices as well. Just poke around the Network and Security tabs on the devices. Also be sure you don't have any pre-Pharos queues floating around that can bypass cost acceptance / cost notification.


          This is also a great way to weed out users who don't have a Pharos printer package installed yet.

          3 of 3 people found this helpful
          • Re: What is the best practice to stop Rogue Computers directly printing.
            nbartolotti@pharos.com Tracker

            Hi Joseph,


            What is best really depends on the environment and requirements at your particular site.  You'll have to weigh the cost to manage/control access to the MFP versus the cost of output that occurs outside the context of the printing system.  The reality is there may always be output that is not tracked.  For example, a user could plug in directly with a USB cable and print, service techs generate sample prints, most service mode access procedures and default passwords are available with a quick Google search and can be used to reset an MFP to defaults bypassing anything in place to prevent unauthorized printing.


            From a machine point of view, you can limit access to MFPs using features already built into the MFP.  These tend to be easy to manage across a small fleet but as the fleet grows so does this effort.  Depending on the manufacturer a fleet management tool may be available to optimize this process.


            • Enable the Access Control List on the MFP so that it only accepts connections from the Pharos Print Server.
            • Disable all printing protocols on the MFP except the protocol that you want people to use.  For example, Novell, Apple, FTP, WebDAV, HTTP, LPD, IPP, Raw (port 9100), Telnet, and a few others, depending on the MFP, are generally all enabled by default.  Disable everything except the port to be used for printing -- Pharos uses LPD by default.
            • Disable all ports (parallel, serial, USB, Wifi, Bluetooth) on the MFP except the network port.
            • Password protect the Admin console on the MFP.  This could be accomplished by changing the default password for the Admin account or creating a new account that has admin rights but disabling the actual built-in admin account. YMMV depending on MFP manufacturer as some tools rely on the default account and password.
            • Implement access times on the MFP so it is unavailable during certain hours.


            Plan for it when setting the per copy cost. 

            • Estimate the amount of unpaid printing then spread the cost across the total prints increasing the price by a marginal amount.  I'm sure other institutions have taken this road and should have some input.  Pharos' consulting team does this kind of future state analysis and may be able to offer some guidance. 


            Network environment

            • Group policy could be leveraged to install specific printers on a workstation and limit the end user's ability to install another.


            User behavior

            • Incentivize and reinforce proper use of the system.




            5 of 5 people found this helpful
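
Added example (not part of the original posts, and not Pharos or vendor code): a check to run from an ordinary workstation, not the print server, to confirm that the ACL and protocol lockdown described above actually took effect on a printer. The port numbers are the standard assignments for the protocols named in the post, plus 8000 and 8443 from the Canon management ports given earlier in the thread; the function names and the printer address are assumptions made for illustration.

```python
import socket

# Standard TCP ports for the protocols named in the thread (assumed mapping).
PRINT_SERVICES = {
    21: "FTP", 23: "Telnet", 80: "HTTP", 443: "HTTPS",
    515: "LPD", 631: "IPP", 9100: "Raw",
    8000: "Canon mgmt", 8443: "Canon mgmt (TLS)",
}

def open_ports(host, ports, timeout=1.0):
    """Return the ports on host that accept a TCP connection from this machine."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            # Refused, filtered or timed out: the printer is not reachable here.
            pass
    return found

def audit(host, allowed=(), services=PRINT_SERVICES, timeout=1.0):
    """List (port, service) pairs that answer but are not expected to.

    Run from a workstation: with the ACL in place nothing should answer,
    so every entry returned is a gap in the lockdown. Pass allowed=(...)
    for ports this machine is meant to reach (e.g. a management host).
    """
    reachable = open_ports(host, services, timeout)
    return [(p, services[p]) for p in reachable if p not in allowed]

if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a placeholder documentation address, not a real printer.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    findings = audit(host)
    for port, name in findings:
        print(f"{host}:{port} ({name}) is reachable from this workstation")
    if not findings:
        print(f"{host}: no print or management ports reachable")
```
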
            • Re: What is the best practice to stop Rogue Computers directly printing.
              Nic Meadows Ranger

              Setting ACLs on the MFPs is a good option, but can be a real pain if you have a large fleet. The quickest method we have found to resolve this is to put the printers on a separate subnet that is only accessible from the print server (multi-homed). If the students can access the front panel and produce config pages they will still change the IP address on their devices to one in the same subnet and try to print to the device; this is where setting the ACL is beneficial. However, we have seen students running Wireshark to determine the IP addresses of the print servers and then plugging straight into the device with a crossover cable.


              How much time and effort do you want to spend eliminating the small amount of "free printing"?


              As Nick mentioned above, user behaviour can also be modified by incentivising or punishing improper use of the system; after all, printing for free when you should pay for it is technically stealing. What punishment would you mete out if they were caught stealing from the Campus shop?

              • Re: What is the best practice to stop Rogue Computers directly printing.
                Chris Axtell Navigator

                Depending on what type of printers are in your fleet, the manufacturer may have a management tool that can quickly and easily push out configuration settings. For instance, HP offers their HP Web JetAdmin tool (www.hp.com/go/webjetadmin), not to be confused with the device's web interface, that works well. You can predefine ACL settings, as well as port settings (both physical & logical), as well as a host of other settings. Makes for deploying devices fairly quick and pain free.

                We've gone the multilayered approach and have our printers on dedicated private VLANs which do not have DHCP scopes defined and only "trust" the VLANs that print servers reside on, ACLs set on the printers, and disabling any ports/protocols that are unneeded/unused on the printer. This approach helps minimize the use cases where a patron unplugs a printer/print release station and connects their laptop to bypass the network security.

                Nothing is of course perfect, but it's a balancing of how much effort you put into managing the environment vs the risks/behavior you're trying to mitigate.

                1 of 1 people found this helpful
                • Re: What is the best practice to stop Rogue Computers directly printing.
                  Nail Cho Adventurer

                  I agree with many of the posts about going into the actual MFP device and setting ACLs if you don't have a large fleet of MFPs or printers. Our HP rep a while back advised us to have the MFP or printer accept network packets only from our Uniprint server to cut down on rogue printing. As standard practice put a password on the MFP web interface. Disable printing from the MFP's USB ports, memory card slots, etc. We were having problems with students discovering the IP address or printing out the configuration pages and printing directly to the MFP or printer, and doing the above steps cut down on the rogue printing tremendously. For a large fleet of MFPs or printers this would be cumbersome, so involving your network team and using the HP Web JetAdmin tool would be easier to streamline the process.

                  1 of 1 people found this helpful
                  • Re: What is the best practice to stop Rogue Computers directly printing.
                    Scott Perkins Wayfarer

                    We use the ACL in the device as well.  We have Xerox printers and can use their Centreware Web application to push out configurations to multiple printers.

                    1 of 1 people found this helpful
                    • Re: What is the best practice to stop Rogue Computers directly printing.
                      Joe Wilkerson Newbie

                      The only caveat to this is someone who cold resets the printer.  Other than that, solid advice.  It's also a reasonable suggestion to have the gateway (switch) configured for auto DHCP for that MAC address and to disallow TCP/UDP traffic from all IPs other than the print server itself.


                      In regards to the cold reset issue, if the network side is configured in the manner mentioned, at least the printers will come back online to the same IP so they can be "locked" down again remotely.  If the issue persists, physically disabling the down arrow button (so the choice to make the cold reset can never be made) is the last leg of that journey.

                      • Re: What is the best practice to stop Rogue Computers directly printing.
                        Jason Pelletier Tracker

                        There really are a lot of great options and I suppose tackling some of the larger offenses makes the most sense. We actually segment the network completely so our printers, across campus, are on their own network so no workstation can simply plug in and add a printer. Of course they could bypass that with USB or some other method by connecting to the printer directly but we haven't seen that as an issue at all so haven't needed to put other measures in place.