Internet Printing and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2

Applies To: Windows 7, Windows Server 2008 R2

In this section

Benefits and purposes of Internet printing

Overview: Using Internet printing in a managed environment

How Internet printing communicates with Internet sites

Controlling Internet printing to prevent the flow of information to and from the Internet

Procedures for controlling Internet printing

This section describes how Internet printing features in Windows 7 or Windows Server 2008 R2 communicate across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.

Benefits and purposes of Internet printing

Internet printing makes it possible for computers running Windows® 7 or Windows Server® 2008 R2 to use printers that are located anywhere in the world. The computers send print jobs by using Hypertext Transfer Protocol (HTTP).

Additionally, computers running Windows Server 2008 R2 can use Microsoft® Internet Information Services (IIS) to create a Web page that provides information about the printers and provides the transportation for printing over the Internet.

Overview: Using Internet printing in a managed environment

Internet printing has server and client aspects. The following list describes these aspects:

  • Server: The administrator of a server running Windows Server 2008 R2 can install the Web Server (IIS) role, the Print Services role, and the Internet Printing role service in the Print Services role. When these roles and role service are installed, you can enable Internet printing on the server.

Important

To remotely manage a print server that is running Windows Server 2008 R2, we recommend that you use interfaces such as the Print Management snap-in, Remote Desktop, or the command-line tools. This poses a lower security risk than installing IIS and the Internet Printing role service on a computer that is used as a print server and not as a Web server.

  • Client: A computer running Windows 7 or Windows Server 2008 R2 can be used as a client computer if you install an Internet printer by using a Web browser, the Add Printer Wizard, or the Run dialog box.

How Internet printing communicates with Internet sites

The Internet printing process is as follows:

  1. From a client computer that is running Windows 7 or Windows Server 2008 R2, a user types the URL for a printing device.

  2. The HTTP request is sent over the Internet to the print server.

  3. The print server requires the client to provide authentication information. This ensures that only authorized users print documents on the print server.

  4. After the server authenticates the user, the server presents status information to the user by using Active Server Pages (ASP), which contain information about currently available printers.

  5. When the client first tries to connect to any of the printers on the Internet, the client attempts to find a driver for the printer locally. If an appropriate driver cannot be found locally, the print server generates a cabinet file (.cab file, also known as a setup file) that contains the appropriate printer driver files. The print server sends the .cab file to the client computer, where the user is prompted to download it.

    The client computer downloads the printer driver and connects to the printer by using Internet Printing Protocol (IPP) or a remote procedure call (RPC), depending on the security zone where the printer is shared. (The security zone is configured on the client computer through Internet Options in Control Panel.) With a Medium-high or Medium security zone, IPP is used, and with a Medium-low security zone, RPC is used.

  6. After the user connects to an Internet printer, documents can be sent to the print server.

Communication for Internet printing uses IPP or RPC with HTTP (or HTTPS) over any port that the print server has configured for this service. Because the service is using HTTP or HTTPS, this is typically port 80 or port 443. Because Internet printing supports HTTPS traffic, communication can be encrypted, depending on the user’s Internet browser settings.
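Because this traffic shares ports 80 and 443 with ordinary Web browsing, it has to be picked out by content rather than by port. The following added example (not part of the original document) scans egress proxy log lines for IPP-over-HTTP requests to hosts outside an allow list. The log format, host names, and allow list are constructed for illustration, and the `application/ipp` media type and the `/.printer` URL suffix are identifiers that do not appear in this document.

```powershell
# Constructed sample of egress proxy log lines (hypothetical format):
# timestamp  client  method  url  content-type  status
$sampleLog = @'
2024-05-01T09:12:03Z 10.0.4.17 POST http://print.example.net/printers/Lobby/.printer application/ipp 200
2024-05-01T09:12:05Z 10.0.4.22 GET http://www.example.org/index.html text/html 200
2024-05-01T09:13:40Z 10.0.4.17 POST http://print.example.net:8080/printers/Lobby/.printer application/ipp 200
2024-05-01T09:14:11Z 10.0.5.9 POST http://intranet.corp.example/printers/HR/.printer application/ipp 200
this line is malformed
'@

# Print servers that clients are permitted to reach (assumption for this example).
$allowedHosts = @('intranet.corp.example')

function Find-InternetPrintingTraffic {
    param([string[]]$Lines, [string[]]$AllowedHosts)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 6) { continue }                 # skip malformed lines
        $uri = $null
        if (-not [Uri]::TryCreate($f[3], [UriKind]::Absolute, [ref]$uri)) { continue }
        # IPP requests carry the application/ipp media type; Windows Internet
        # printing URLs end in /.printer. Either signal marks the request.
        $isIpp = ($f[4] -ieq 'application/ipp') -or ($uri.AbsolutePath -imatch '/\.printer$')
        if ($isIpp -and ($AllowedHosts -notcontains $uri.Host)) {
            New-Object PSObject -Property @{
                Time = $f[0]; Client = $f[1]; Server = $uri.Host; Port = $uri.Port
            }
        }
    }
}

# Reports the two requests from 10.0.4.17 to print.example.net (ports 80 and 8080).
Find-InternetPrintingTraffic -Lines ($sampleLog -split "`r?`n") -AllowedHosts $allowedHosts |
    Sort-Object Time | Format-Table Time, Client, Server, Port -AutoSize
```

When the client uses HTTPS, a proxy that does not inspect TLS sees only the destination host, so this check covers plain-HTTP traffic.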

By default, a computer running Windows 7 or Windows Server 2008 R2 can act as a client computer that uses Internet printing. Users who make print requests must be authenticated by the print server, however, before they can use any of the printers connected to that server. To enable a computer running Windows Server 2008 R2 to act as a server that supports Internet printing, you must install the Web Server (IIS) role, the Print Services role, and the Internet Printing role service in the Print Services role.

The print server can use IIS and other technologies to collect and log extensive data about the user, the computer that sends the printing request, and the request itself. It is beyond the scope of this document to describe Web site operations and the specifics about the information that can be collected. For more information about IIS, see the resources listed in Internet Information Services and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2 in this document.

Controlling Internet printing to prevent the flow of information to and from the Internet

A computer being used as a printing client

To prevent the use of Internet printing from a computer running Windows 7 or Windows Server 2008 R2, you can use Server Manager on an individual computer or configure Group Policy settings.

A computer being used as a server

To control Internet printing on a server running Windows Server 2008 R2, you can avoid installing the Internet Printing role service in the Print Services role. Alternatively, you can allow only a limited set of user identifications to print.

Procedures for controlling Internet printing

The following procedures explain how to:

  • Ensure that the Internet printing feature for the client computer is not installed on a computer running Windows Server 2008 R2.

  • Disable the client side of Internet printing on computers running Windows 7 or Windows Server 2008 R2 by using Group Policy.

  • Prevent downloading print drivers over HTTP by using Group Policy. (During the process of Internet printing, print drivers might be downloaded to a client, as described in How Internet printing communicates with Internet sites earlier in this section. You can prevent this type of print driver download by using Group Policy.)

To ensure that the Internet printing feature for the client is not installed on a computer running Windows Server 2008 R2

  1. If Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)

  2. Make sure Features Summary is expanded, and under it, Features is expanded.

  3. In the list of features, look for Internet Printing Client. If it is not an installed feature, skip the rest of this procedure.

  4. If Internet Printing Client is in the list of features, under Features Summary, click Remove Features (on the right).

  5. In the Remove Features Wizard, clear the check box for Internet Printing Client.

  6. Follow the instructions in the wizard to complete the removal.

To disable Internet printing from computers running Windows 7 or Windows Server 2008 R2 by using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate Group Policy object (GPO).

  2. If you want the Group Policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the Group Policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  4. In the details pane, double-click Turn off printing over HTTP, and then click Enabled.

Note

This policy setting controls whether a request for Internet printing can be made, but it does not control whether a computer can act as an Internet print server.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication Group Policy setting. This setting is located in Computer Configuration or User Configuration, under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy setting and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows 7 and Windows Server 2008 R2.

To prevent downloading print drivers over HTTP to computers running Windows 7 or Windows Server 2008 R2 by using Group Policy

  1. As needed, see Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2, and then edit an appropriate GPO.

  2. If you want the Group Policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the Group Policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.

  3. Expand Policies (if present), expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.

  4. In the details pane, double-click Turn off downloading of print drivers over HTTP, and then click Enabled.

Important

You can also restrict Internet access for this and a number of other features by applying the Restrict Internet communication Group Policy setting. This setting is located in Computer Configuration or User Configuration, under Policies (if present), in Administrative Templates\System\Internet Communication Management. For more information about this Group Policy setting and the policies that it controls, see Appendix C: Group Policy Settings Listed Under the Internet Communication Management Category in Windows 7 and Windows Server 2008 R2.
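To confirm on a given computer that the three procedures above took effect, the following added PowerShell example (not part of the original document) reads the registry values behind the two Group Policy settings and, on a server, reports whether the Internet printing features are installed. The registry path, the value names `DisableHTTPPrinting` and `DisableWebPnPDownload`, and the feature names `Internet-Print-Client` and `Print-Internet` are assumptions that do not appear in this document.

```powershell
# Registry location and value names behind the two policy settings.
# Assumption of this example (not stated on the page); confirm in your ADMX files.
$policyKey = 'Software\Policies\Microsoft\Windows NT\Printers'
$settings = @{
    'Turn off printing over HTTP'                     = 'DisableHTTPPrinting'
    'Turn off downloading of print drivers over HTTP' = 'DisableWebPnPDownload'
}

function Get-InternetPrintingPolicy {
    # Computer Configuration lands in HKLM, User Configuration in HKCU
    # (HKCU reflects only the user running this script).
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($setting in $settings.Keys) {
            $valueName = $settings[$setting]
            $item = Get-ItemProperty -Path "${hive}:\$policyKey" -Name $valueName -ErrorAction SilentlyContinue
            $value = if ($item) { $item.$valueName } else { $null }
            New-Object PSObject -Property @{
                Hive    = $hive
                Setting = $setting
                Value   = $value
                Enabled = ($value -eq 1)   # Enabled writes 1; a missing value means not configured
            }
        }
    }
}

function Get-InternetPrintingFeature {
    # Server Manager cmdlets exist only where the ServerManager module is available.
    if (-not (Get-Module -ListAvailable -Name ServerManager)) { return }
    Import-Module ServerManager
    # Feature names are assumptions; list the real ones with: Get-WindowsFeature *Print*
    Get-WindowsFeature -Name 'Internet-Print-Client', 'Print-Internet' |
        Select-Object Name, DisplayName, Installed
}

Get-InternetPrintingPolicy | Sort-Object Hive, Setting |
    Format-Table Hive, Setting, Value, Enabled -AutoSize
Get-InternetPrintingFeature | Format-Table -AutoSize
```

A row with `Enabled` set to False in both hives means the corresponding setting is not applied to that computer or user; run `gpupdate /force` and check again before concluding that the GPO is not linked.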
