Internet Printing and Resulting Internet Communication in Windows Server 2008
Applies To: Windows Server 2008
In This Section
Benefits and Purposes of Internet printing
Overview: Using Internet Printing in a Managed Environment
How Internet Printing Communicates with Sites on the Internet
Controlling Internet Printing to Prevent the Flow of Information to and from the Internet
Procedures for Controlling Internet Printing
Benefits and Purposes of Internet printing
Internet printing makes it possible for computers running Windows Server 2008 to use printers located anywhere in the world by sending print jobs using Hypertext Transfer Protocol (HTTP).
Additionally, computers running Windows Server 2008 can use Microsoft Internet Information Services (IIS) to create a Web page that provides information about printers and provides the transport for printing over the Internet.
Overview: Using Internet Printing in a Managed Environment
Internet printing has both server and client aspects:
- Server: The administrator of a server running Windows Server 2008 can install the Web Server (IIS) role, the Print Services role, and the Internet Printing role service in the Print Services role. With these roles and role service, Internet printing can be enabled on the server.
Important
For remote management of a print server that is running Windows Server 2008, we recommend that you use interfaces such as the Print Management snap-in, Remote Desktop, or command-line tools. This carries a lower security risk than installing IIS and Internet Printing on a computer that is used as a print server and not as a Web server.
- Client: A computer running Windows Server 2008 can be used as a client computer if you install an Internet printer on it by using a Web browser, the Add Printer Wizard, or the Run dialog box.
How Internet Printing Communicates with Sites on the Internet
The Internet printing process is as follows:
A person connects to a print server over the Internet by typing the URL for the print device.
The HTTP request is sent over the Internet to the print server.
The print server requires the client to provide authentication information. This ensures that only authorized users print documents on the print server.
After the server authenticates the user, the server presents status information to the user by using Active Server Pages (ASP), which contain information about currently available printers.
When the user connects to any of the printers on the Internet printing Web page, the client (running, for example, Windows Vista or Windows Server 2008) first tries to find a driver for the printer locally. If an appropriate driver cannot be found, the print server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files. The print server downloads the .cab file to the client computer. The user on the client computer is prompted for permission to download the .cab file.
The client computer downloads printer drivers and connects to the printer using either Internet Printing Protocol (IPP) or a remote procedure call (RPC), depending on the security zone that the printer share is in. The security zone is configured on the client computer through Internet Options in Control Panel. With a Medium-high or Medium security zone, IPP is used, and with a Medium-low security zone, RPC is used.
After users connect to an Internet printer, they can send documents to the print server.
Communication for Internet printing uses IPP or RPC with HTTP (or HTTPS) over any port that the print server has configured for this service. Because the service is using HTTP or HTTPS, this is typically port 80 or port 443. Because Internet printing supports HTTPS traffic, communication can be encrypted, depending on the user’s Internet browser settings.
By default, a computer running Windows Server 2008 can act as a client computer that uses Internet printing. Users of the computer who make print requests must be authenticated by the print server, however, before they can use any of the printers connected to that server. To enable a computer running Windows Server 2008 to act as a server supporting Internet printing, you must install the Web Server (IIS) role, the Print Services role, and the Internet Printing role service in the Print Services role.
The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. It is beyond the scope of this white paper to describe Web site operations and the specifics of what type of information can be collected. For more information about IIS, see the resources listed in Internet Information Services and Resulting Internet Communication in Windows Server 2008 in this white paper.
Controlling Internet Printing to Prevent the Flow of Information to and from the Internet
A Computer Being Used as a Printing Client
To prevent the use of Internet printing from a computer running Windows Server 2008, you can use Server Manager on an individual computer, or configure Group Policy.
A Computer Being Used as a Server
To control Internet printing on a server running Windows Server 2008, you can avoid installing the Internet Printing role service of the Print Services role. Another alternative, if you choose to configure the server so it provides Internet printing, is to allow printing to a limited set of user IDs only.
Procedures for Controlling Internet Printing
The following procedures explain how to:
Ensure that the Internet printing client feature is not installed on a computer running Windows Server 2008.
Disable the client side of Internet printing on computers running Windows Server 2008 by using Group Policy.
Prevent the downloading of print drivers over HTTP by using Group Policy.
During the process of Internet printing, print drivers might be downloaded to a client, as described in How Internet Printing Communicates with Sites on the Internet, earlier in this section. You can prevent this type of print driver download by using Group Policy.
To Ensure that the Internet Printing Client is Not Installed on a Computer Running Windows Server 2008
If Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)
Make sure Features Summary is expanded and, under it, Features is expanded.
In the list of features, look for Internet Printing Client. If it is not an installed feature, skip the rest of this procedure.
If Internet Printing Client is in the list of features, under Features Summary, click Remove Features (on the right).
In the Remove Features Wizard, clear the check box for Internet Printing Client.
Follow the instructions in the wizard to complete the removal.
To Disable Internet Printing from Computers Running Windows Server 2008 by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate Group Policy object (GPO).
If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.
Expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off printing over HTTP, and then click Enabled. Note that this policy setting controls whether a request for Internet printing can be made, but does not control whether a computer can act as an Internet print server.
Important
You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting. This setting is located in either Computer Configuration or User Configuration, under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Server 2008.
To Prevent the Downloading of Print Drivers over HTTP to Computers Running Windows Server 2008 by Using Group Policy
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008, and then edit an appropriate GPO.
If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.
Expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
In the details pane, double-click Turn off downloading of print drivers over HTTP, and then click Enabled.
Important
You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication policy setting. This setting is located in either Computer Configuration or User Configuration, under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows Server 2008.
Additional References
For links to more information about Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Server 2008.
For more information about the use of IIS in a controlled environment, see Internet Information Services and Resulting Internet Communication in Windows Server 2008 in this white paper.
For more information about the downloading of drivers (including printer drivers) in Windows Server 2008, see Device Manager, Hardware Wizards, and Resulting Internet Communication in Windows Server 2008 and Plug and Play in Windows Server 2008 in this white paper.