Is remote printing secure?

Home » Windows » Windows Configuration

Summary: Several computers often share a printer that's connected to one. Printing activity can be logged, an in rare cases even documents exposed.

I use a printer at the office that is hooked to the network. Am I correct that there is a print job log that shows what each printer in the office prints? Or, can only a separate network server create print job logs. If any network automatically does show a print job by any of the office computers, what are some basic information shown in the log and can an administrator print a document that has been printed if they see it on a print job log?

Yes, there can be logs. No, previously printed documents are not saved in a way that they could be re-printed or viewed again later.

However (isn't there's always a "however"?), depending on your level of concern, printing may not be as secure as we casually assume.

•

First the log.

The computer that a printer is connected to can be configured to log all printing events to the System log. You can use Window's Event Viewer on that machine to see what documents have been printed, and by what user.

For example, I just printed a test document, and in the event log I found this:

That log can contain the name of your document, as well as the computer name and user name of the account printing it. If the printer is shared, of course the computer name would be the name of the remote computer accessing the shared printer.

So, yes, while logs aren't guaranteed to exist (mine was off by default), they certainly can be enabled, and can contain some interesting information.

Next we need to examine exactly how printing works.

When you print a document it invokes something called the "print spooler". Rather than printing directly to the printer, the information that would be sent to the printer is actually written to (or "spooled") to disk, and sent on from there. Your application writes the printed document to the print spooler where it's placed in the queue of documents waiting to be printed. As prior documents finish printing yours moves ahead in the list, and finally prints when its turn comes.

If the printer is remote - meaning that you're printing on machine A to a printer connected to and shared by machine B, then your document's print data is written to the spooler file on machine B.

Regardless of where the spooled file lives, once your document has been printed, that file is deleted. There's no record of its content kept, and there's no way to simply say "print it again".

Or is there?

This is where judicious paranoia might set in.

We all know by now that files aren't really deleted, the disk space they used is simply marked as "available to be overwritten". Until that disk space is overwritten - you guessed it - the data could be recovered. It wouldn't be easy, and on a busy system it might not even be likely, but there is a possibility.

(Note that I'm talking about printers "shared" through another Windows computer. Printers attached directly to a network may, or may not, contain a log, and may, or may not, spool the documents to internal storage in a way that might be recovered later. It all depends on their configuration and abilities.)

So, what can you do?

Nothing, really. When you send data to another computer, any other computer, you're ultimately entrusting the owner of that computer with the possibility of full access to your data and printing to a shared printer is no different.

This is one case where even encryption won't help; your printed document still needs to be decrypted on the remote computer in order to be printed.

If you really need to keep that data super secure and avoid even the slimmest chance of recovery by others, then the only real approach would be to print it only on a computer that you control. (And consider securely wiping the disk's free space when you're done, just in case.)

Related:

• Ask Leo! - What is the Event Viewer, and should I care?

Article 12308 | Posted March 26, 2008