5.1 Security Considerations for Implementers
The Print System Asynchronous Notification Protocol treats the print server and print queues as securable resources in its security model. See section 2.1 for relevant security specifications; basic concepts of the security model are described in [MS-WPO] section 9; and security considerations for implementers of print clients that use authenticated RPC are specified in [MS-RPCE] section 3.
The print server and each print queue have an associated security descriptor that contains the security information for that printing resource. The security descriptor identifies the owner of the resource, and it contains a discretionary access control list (DACL). The DACL contains access control entries (ACEs) that specify the security identifier (SID) of a user or group of users and whether access rights are to be allowed, denied, or audited. For resources on a print server, the ACEs specify operations including printing, managing printers, and managing documents in a print queue.
Each RPC client has an associated access token that contains the SID of the user making the RPC call. The print server checks the client's access to resources by comparing the security information of the caller against the security descriptor of the resource. Prior to allowing a user to monitor and receive notifications, security and privacy contexts are considered. IRPCAsyncNotify_RegisterClient (section 3.1.1.4.1) specifies the security and privacy checks performed by the server before it allows the registration of the client to succeed.
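The following is an added example, not code from the specification or from any print server implementation. It models the access check the two paragraphs above describe: a caller's token (user SID plus group SIDs) is compared against a resource's security descriptor by walking the DACL in order, with deny ACEs consulted before the allow ACEs that follow them. The right bits, the SID strings other than the well-known Everyone and Administrators SIDs, and the queue DACL are constructed for the example; the real Windows printer access-right values are not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed access-right bits for a print queue. They stand in for the
 * operations the text names (printing, managing the printer, managing
 * documents); the real Windows printer right values are not reproduced. */
#define RIGHT_PRINT             0x01u
#define RIGHT_MANAGE_PRINTER    0x02u
#define RIGHT_MANAGE_DOCUMENTS  0x04u

typedef enum { ACE_ALLOW, ACE_DENY } ace_type;

typedef struct {
    ace_type type;
    const char *sid;   /* SID of the user or group the ACE applies to, as text */
    uint32_t mask;     /* rights this ACE allows or denies */
} ace;

typedef struct {
    const char *owner_sid;
    const ace *dacl;   /* ACEs in DACL order; an empty DACL grants nothing */
    size_t ace_count;
} security_descriptor;

typedef struct {
    const char *const *sids;  /* caller's user SID followed by group SIDs */
    size_t sid_count;
} access_token;

static int token_holds(const access_token *tok, const char *sid) {
    for (size_t i = 0; i < tok->sid_count; i++)
        if (strcmp(tok->sids[i], sid) == 0) return 1;
    return 0;
}

/* Walks the DACL in order, as the Windows access check does: an ACE whose
 * SID is not in the token is skipped; a deny ACE covering any requested
 * right not yet granted fails the check; allow ACEs accumulate rights until
 * every requested right is granted. Returns 1 for access granted, else 0. */
int access_check(const security_descriptor *sd, const access_token *tok,
                 uint32_t desired) {
    uint32_t granted = 0;
    for (size_t i = 0; i < sd->ace_count && (granted & desired) != desired; i++) {
        const ace *a = &sd->dacl[i];
        if (!token_holds(tok, a->sid)) continue;
        if (a->type == ACE_DENY) {
            if (a->mask & desired & ~granted) return 0;
        } else {
            granted |= a->mask & desired;
        }
    }
    return (granted & desired) == desired;
}

/* Constructed sample: one print queue, three callers. The S-1-5-21-... SIDs
 * are made up; S-1-1-0 is the well-known Everyone SID and S-1-5-32-544 the
 * well-known Administrators group. The deny ACE sits first, as in a
 * canonically ordered DACL. */
static const ace queue_dacl[] = {
    { ACE_DENY,  "S-1-5-21-1-1-1-1234", RIGHT_MANAGE_DOCUMENTS },               /* one contractor account */
    { ACE_ALLOW, "S-1-5-32-544", RIGHT_PRINT | RIGHT_MANAGE_PRINTER | RIGHT_MANAGE_DOCUMENTS },
    { ACE_ALLOW, "S-1-5-21-1-1-1-2000", RIGHT_PRINT | RIGHT_MANAGE_DOCUMENTS }, /* contractors group */
    { ACE_ALLOW, "S-1-1-0", RIGHT_PRINT },                                      /* Everyone may print */
};
static const security_descriptor queue_sd = { "S-1-5-32-544", queue_dacl, 4 };

static const char *const user_sids[]       = { "S-1-5-21-1-1-1-1001", "S-1-1-0" };
static const char *const admin_sids[]      = { "S-1-5-21-1-1-1-500", "S-1-5-32-544", "S-1-1-0" };
static const char *const contractor_sids[] = { "S-1-5-21-1-1-1-1234", "S-1-5-21-1-1-1-2000", "S-1-1-0" };

/* who: 0 = ordinary user, 1 = administrator, 2 = the denied contractor.
 * Returns the access_check result, or -1 for an unknown caller. */
int sample_check(int who, uint32_t desired) {
    access_token tok;
    switch (who) {
    case 0: tok.sids = user_sids;       tok.sid_count = 2; break;
    case 1: tok.sids = admin_sids;      tok.sid_count = 3; break;
    case 2: tok.sids = contractor_sids; tok.sid_count = 3; break;
    default: return -1;
    }
    return access_check(&queue_sd, &tok, desired);
}

int main(void) {
    printf("user may print: %d\n", sample_check(0, RIGHT_PRINT));
    printf("user may manage printer: %d\n", sample_check(0, RIGHT_MANAGE_PRINTER));
    printf("admin may do everything: %d\n",
           sample_check(1, RIGHT_PRINT | RIGHT_MANAGE_PRINTER | RIGHT_MANAGE_DOCUMENTS));
    printf("contractor may print: %d\n", sample_check(2, RIGHT_PRINT));
    printf("contractor may manage documents: %d\n", sample_check(2, RIGHT_MANAGE_DOCUMENTS));
    return 0;
}
```

The contractor case shows why ACE order matters: the account is a member of a group that is allowed to manage documents, but the deny ACE placed ahead of that allow ACE wins, and a request that bundles printing with document management is refused as a whole rather than partially granted.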
There is a risk of an AsyncUI client being used to execute arbitrary client-resident code: the code is identified by an entrypoint attribute within an executable driver file that is itself identified by a dll attribute (sections 2.2.7.2.1, 2.2.7.5.1, and 2.2.7.7.1). By enforcing the character restrictions specified for the entrypoint attribute, the client can ensure that the driver-file name refers to a constituent file of a printer driver. An AsyncUI client can further reduce the risk of execution of arbitrary code by minimizing the active permissions when calling an entrypoint.
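As an added illustration of the validation the paragraph above calls for (this is example code, not part of the specification or of any AsyncUI client), the following checks a dll/entrypoint pair before the client would resolve it. The character rule applied to the entry point (a plain C-style symbol name) and the length limits are assumptions standing in for the restrictions the referenced sections define; the constituent-file list, the file names and the entry-point names are constructed for the example. The file-name check works only against the caller-supplied list of driver constituents and never consults the file system, so an attribute value cannot steer it toward a file outside the installed driver.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed limits for this example, not values from the specification. */
#define MAX_ENTRYPOINT_LEN 64
#define MAX_DLL_NAME_LEN   64

/* Assumed rule standing in for the spec's entrypoint character restrictions:
 * a letter or underscore followed by letters, digits or underscores only. */
int entrypoint_is_valid(const char *name) {
    if (name == NULL || name[0] == '\0') return 0;
    size_t len = strlen(name);
    if (len > MAX_ENTRYPOINT_LEN) return 0;
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_')) return 0;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_')) return 0;
    }
    return 1;
}

/* Case-insensitive equality for file names. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* The dll attribute is accepted only if it is a bare file name (no path
 * separators, no drive letter or stream suffix, no control characters, not
 * "." or "..") that matches one of the files recorded as constituents of
 * the installed printer driver. */
int dll_is_driver_constituent(const char *dll, const char *const *constituents,
                              size_t n) {
    if (dll == NULL || dll[0] == '\0' || strlen(dll) > MAX_DLL_NAME_LEN) return 0;
    for (const char *p = dll; *p; p++)
        if (*p == '\\' || *p == '/' || *p == ':' || (unsigned char)*p < 0x20) return 0;
    if (strcmp(dll, ".") == 0 || strcmp(dll, "..") == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (ieq(dll, constituents[i])) return 1;
    return 0;
}

/* Combined check a client applies to one <dll, entrypoint> pair before it
 * resolves the entry point. Returns 1 if the call may proceed, else 0. */
int driver_call_is_allowed(const char *dll, const char *entrypoint,
                           const char *const *constituents, size_t n) {
    return dll_is_driver_constituent(dll, constituents, n) &&
           entrypoint_is_valid(entrypoint);
}

/* Constructed constituent list for a hypothetical "Contoso" printer driver. */
static const char *const contoso_files[] = { "contoso_ui.dll", "contoso_res.dll" };

int sample_allowed(const char *dll, const char *entrypoint) {
    return driver_call_is_allowed(dll, entrypoint, contoso_files, 2);
}
```

Rejecting the value outright is deliberate: normalising a path-like name down to its last component would let an attribute such as a relative path pass after transformation, which is the behaviour the check exists to prevent.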