Client printing can,
potentially, let a user from one session use another user’s printer in a
different session. Unlike network printer connections, client printers
auto-created in a XenApp session are local printers managed by the local print
provider and Citrix spooler extensions. The local print provider maintains a
single shared namespace for all local printers on a server. This means that a
user’s client printers may be visible and potentially accessible to users from
other sessions on the server.

By default, the XenApp printer naming convention helps combat this problem by
avoiding the potential for printers and ports to be shared between sessions.
Printers connected through a pass-through server use the session ID to identify
the printer uniquely, keeping the remainder of the name the same. This allows
the user to identify both the printer and the client it is connected to, without
identifying the pass-through server through which it might have connected.

In addition, to increase client printing security, access to the client
printers is restricted to:

- The account that the print manager service runs in (default: Ctx_cpsvcuser)
- Processes running in the SYSTEM account, such as the spooler
- Processes running in the user’s session

Access to the printer from all other processes on the system is blocked.
Furthermore, requests for services directed to the print manager must originate
from a process in the correct session. This prevents bypassing the spooler and
communicating directly with CpSvc.exe.

As an administrator, if you need to adjust security settings of a printer in
another session, you can do so through Windows Explorer.

Note: If you want to control access to printers in other sessions, add the
AdminsCanManageClientPrinters bit flag to the default print flags in the system
registry of your server. For more information, see the Citrix Knowledge Center
article Printing Configuration in XenApp 6.x and XenDesktop 5.x.