How to block Network Printing in Endpoint Protection (SEPM)
Article ID: 202628

Products

Endpoint Protection

Issue/Introduction

How do I block network printing when using Symantec Endpoint Protection Manager (SEPM)?

Environment

14.x

Resolution

  1. In the SEPM console, browse to Policies > Firewall and double-click (or select and choose Edit) the active Firewall Policy.
  2. Click Rules and click the Add button.
  3. Provide a name for the rule, such as Block Network Printing, and click Next.
  4. Select Block connections and click Next.
  5. Leave the radio button on All Applications and click Next.
  6. Leave the radio button on all computers, or select the group of computers you wish the rule to apply to, and click Next.
  7. Select the radio button for "only the connections selected below" and check "network neighborhood sharing" and "network neighborhood browsing".
  8. Click Next, choose whether or not to log, and click Finish.
  9. Move the new rule to near the top of the list of rules.

Alternate solution

If the above method does not block the desired printers, try the following steps to block the Print Spooler service completely.

  1. In the SEPM console, browse to Policies > Application and Device Control and double-click (or select and choose Edit) the active Application and Device Control policy.
  2. Click Application Control and click the Add button.
  3. Provide a name for the rule set and for the rule within the set, such as Block Print Spooler, and click the Add button next to the "Apply this rule to the following processes:" field.
    • Select the "Process name to match" and "Use wildcard matching (* and ? supported)" radio buttons and type an asterisk ("*") in the dialog box. Click OK.
  4. Make sure the "Enable this rule" and "Sub-process inherit conditions" fields are checked.
  5. Click the Add button in the "Rules" panel and select Add Conditions > Load DLL Attempts.
  6. Provide a name for the condition and click the Add button next to the "Apply to the following DLLs:" field.
    • Select the "DLL name to match" and "Use wildcard matching (* and ? supported)" radio buttons and type "%windir%\system32\spoolss.dll" in the dialog box. Click OK.
  7. Make sure the "Enable this rule" field is checked.
  8. Click the Actions tab and select the "Block access" radio button under Load DLL Attempt. You may set up logging and a user notification for each blocking event if desired.
  9. Click OK to save the policy. Move the new rule to near the top of the list of rules and enable it when desired.
  10. After the Print Spooler service is next restarted, every printing attempt fails with an error dialog, and no printer can be installed.

Additional Information

This rule blocks discovery of network printers. It may not block printing to a device that is already known to the system.

If you are trying to block printing to printers that use Internet Printing Protocol (IPP), you can do this with a rule blocking port 80 (TCP and UDP) on private networks. This should be carefully tested before implementation, however, as port 80 is used by many services.

The alternate method completely blocks all printing services, including network, local and virtual printers.
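The following PowerShell script is an added verification example and is not part of the article or of the SEPM product. It checks, from a managed Windows endpoint, whether the two methods above have taken effect: the firewall rule by probing the ports that network neighborhood sharing and browsing rely on (SMB over TCP 139 and 445, an assumption about which ports the SEP "network neighborhood" rule covers) plus TCP 80 for the IPP case, and the Application Control rule by confirming that the Spooler service is not running and that no process has spoolss.dll loaded. The printer hostname is a constructed placeholder.

```powershell
# Added example, not from the article: verify the effect of the SEPM printing rules on an endpoint.
# Run in an elevated PowerShell session on a client that has received the updated policy.
param(
    # Constructed placeholder; replace with the hostname or IP of a printer you expect to be blocked.
    [string]$PrinterHost = 'printer.example.internal'
)

function Test-PrinterPorts {
    # Firewall method: network neighborhood sharing/browsing map to SMB (TCP 139, 445) by assumption;
    # TCP 80 is the port the article names for IPP. Test-NetConnection only probes TCP, so the
    # UDP half of an IPP rule is not covered here.
    foreach ($port in 139, 445, 80) {
        $result = Test-NetConnection -ComputerName $PrinterHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $PrinterHost
            Port      = $port
            Reachable = $result.TcpTestSucceeded   # expected: False once the firewall rule is active
        }
    }
}

function Test-SpoolerState {
    # Alternate method: if the Load DLL rule blocks spoolss.dll, spoolsv.exe cannot initialise,
    # so the Spooler service should not remain Running and no process should list the module.
    $svc = Get-Service -Name Spooler

    $withSpoolss = foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules.ModuleName -contains 'spoolss.dll') { $proc.ProcessName }
        } catch {
            # Protected or cross-bitness processes deny module enumeration; skip them.
        }
    }

    # Get-Printer fails when the spooler is down; a count of 0 with Spooler stopped is the expected state.
    $printerCount = (Get-Printer -ErrorAction SilentlyContinue | Measure-Object).Count

    [pscustomobject]@{
        SpoolerStatus        = $svc.Status                 # expected: Stopped (or repeatedly failing)
        ProcessesWithSpoolss = @($withSpoolss)             # expected: empty
        VisiblePrinters      = $printerCount
    }
}

Test-PrinterPorts | Format-Table -AutoSize
Test-SpoolerState  | Format-List
```

Run the script before and after assigning the policy and compare the output: a printer that stays reachable on 139/445 indicates the firewall rule is below a permissive rule in the list (step 9 of the first method), while a Spooler service still Running with spoolss.dll loaded indicates the Application Control rule set is not yet enabled on the client.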