Security concerns about "Server mode"
14 views
Skip to first unread message
Boris ROYER-VINICIO
Oct 8, 2025, 6:46:57 AMOct 8
to qz-print
Hi QZ Industries,
I am currently evaluating the deployment options for QZ Tray within our organization and would appreciate your insights regarding the server mode configuration.
While the server mode offers centralized management, I have several concerns from a security standpoint that I would like to clarify:
- Printer rights bypass: Server mode allow users to circumvent local printer access controls
- Print traceability: Is there a mechanism to log and audit print requests centrally?
- Lateral movement risks: Exposing the print server increase the attack surface for lateral movement within the network
- Single point of failure: If the QZ Tray service crashes, it does block all printing operations across clients
Given these considerations, I would like to understand whether server mode is truly recommended over deploying QZ Tray individually on each client workstation.
Any documentation or best practices you could share would be greatly appreciated.
Best regards,
Boris Royer
CISO
Hôpital Saint Joseph Marseille
Tres Finocchiaro
Oct 8, 2025, 2:00:24 PMOct 8
to Boris ROYER-VINICIO, qz-print
On Wed, Oct 8, 2025 at 6:46 AM Boris ROYER-VINICIO <boris...@gmail.com> wrote:
Hi QZ Industries,
I am currently evaluating the deployment options for QZ Tray within our organization and would appreciate your insights regarding the server mode configuration.
While the server mode offers centralized management, I have several concerns from a security standpoint that I would like to clarify:
- Printer rights bypass: Server mode allow users to circumvent local printer access controls
What do you mean? What local printer access controls are bypassed? This reads as complete nonsense, but perhaps I'm misunderstanding the claim? Are you talking about printers with security PIN numbers or authentication? No, we don't offer impersonalization, this is quite technologically difficult to do from a WebSocket in a Java Application as a cross-platform offering, so this is likely to never happen.
- Print traceability: Is there a mechanism to log and audit print requests centrally?
Not currently, no. This is theoretically available through the log feed, but this would not be in any digestible format. Furthemore there's no identification associated with a print-request, so you'd have to bake any "whoami" code into your own print requests. This could theoretically be tracked as a client-side (JavaScript) style log, but this would be separate from QZ Tray. QZ Tray is open source, so if there's a particular log format you'd like to see in server mode, please feel free to file an enhancement here: https://github.com/qzind/tray/. Note that things like the %USERNAME% aren't exposed to a browser, so there will be caveats to this from an audit perspective.
- Lateral movement risks: Exposing the print server increase the attack surface for lateral movement within the network
This is the case for any newly exposed ports on your network that must be available via non-localhost-to-localhost connectivity. This is a risk with every single service ever. This seems like a glittering generality and not something specific to QZ Tray.
- Single point of failure: If the QZ Tray service crashes, it does block all printing operations across clients
Correct. We often warn implementers of this risk. We would advise any mission-critical printing to have a failover in the event of a crash. Having QZ Tray on each PC in a distributed fashion is better in nearly all deployments.
Given these considerations, I would like to understand whether server mode is truly recommended over deploying QZ Tray individually on each client workstation.
You left out "performance" as well. The single-point-of-failure scenario can also be a bottleneck scenario. The default install is per-workstation and that's by-design. The print-server offering has been tailored to companies that require it for various reasons.
Please make your own educated decision.
Boris ROYER-VINICIO
Oct 10, 2025, 4:19:45 AMOct 10
to qz-print
Hi, first sorry if my questions may have appeared negatives in part because of my english, but that was not the goal.
Concerning the "Printer rights bypass", I mean that in server mode the "user context" used is the one of the account executing QZ Tray. So it has to e an account with print priviledges (windows rights) on all our printers, whereas if QZ Tray is installed on users computers it will use only the printers visible by the user connected.
Ok for the print traceability, I understand, and you're right for the lateral movement my concern was just to compare local and server mode in OUR implementation ; In local mode the exposition is limited whereas in server mode the port is exposed with a global authentication which can be considered as sufficient in OUR local network furthermore protected by nac. I will file an enhancement as proposed to know if a windows authentication, or a computer certificate based authentication can be considered.
I retain the fact as you say it may be in our case a best slution to install QZ Tray on each PC.
Thanks again.
Concerning the "Printer rights bypass", I mean that in server mode the "user context" used is the one of the account executing QZ Tray. So it has to e an account with print priviledges (windows rights) on all our printers, whereas if QZ Tray is installed on users computers it will use only the printers visible by the user connected.
Ok for the print traceability, I understand, and you're right for the lateral movement my concern was just to compare local and server mode in OUR implementation ; In local mode the exposition is limited whereas in server mode the port is exposed with a global authentication which can be considered as sufficient in OUR local network furthermore protected by nac. I will file an enhancement as proposed to know if a windows authentication, or a computer certificate based authentication can be considered.
I retain the fact as you say it may be in our case a best slution to install QZ Tray on each PC.
Thanks again.
Tres Finocchiaro
Oct 10, 2025, 10:11:33 AMOct 10
to Boris ROYER-VINICIO, qz-print
I mean that in server mode the "user context" used is the one of the account executing QZ Tray. So it has to e an account with print priviledges (windows rights) on all our printers, whereas if QZ Tray is installed on users computers it will use only the printers visible by the user connected.
Right, but this is the nature of a shared-service without impersonation (which is many shared services that aren't Microsoft-created). Calling this a "bypass" is tremendously misleading, it's using the service as the user you designate, which may have more -- or may have less -- privileges on the host where QZ Tray is running. That's up to you.
Ok for the print traceability, I understand, and you're right for the lateral movement my concern was just to compare local and server mode in OUR implementation ; In local mode the exposition is limited whereas in server mode the port is exposed with a global authentication which can be considered as sufficient in OUR local network furthermore protected by nac.
This idea of "Global authentication" is such a misnomer. You can invoke QZ Tray on any PC in your environment and do the same. The only thing protecting QZ Tray on your PCs is the fact that localhost-localhost can still leverage the firewall to prevent outside connections. QZ Tray doesn't use authentication, it uses a private-key / cert combination and we allow the blocking of unsigned messages if design is still of concern, but this is identical between print-server and print-client implementations, minus the firewall abilities.
I will file an enhancement as proposed to know if a windows authentication, or a computer certificate based authentication can be considered.
I believe JAAS, Spring or JNA can be used. I'd prefer JAAS if possible. If you can provide a HelloWorld example in your bug report that would be greatly appreciated so that we have a starting point.
Note that impersonation brings with it its own security risks, so if all of a sudden the JVM has an unpated elevation exploit, you will be experiencing this "bypass" you speak of. :D
I retain the fact as you say it may be in our case a best slution to install QZ Tray on each PC.
Print-Server mode is very limited due to the single-port problem. If we offered some type of impersonation this would make the product much more scalable in shared environments. We'd be willing to pay a developer for R&D in this area.
if my questions may have appeared negatives in part because of my english, but that was not the goal.
To be honest, they appear as if you asked an AI chatbot, as if you asked the chatbot for questions and you just pasted the answers to us to answer rather than doing your own research or asking your own questions. We're happy to use translation services to answer questions, but well-formatted and bulleted AI copypasta is a bit off-putting.
--
You received this message because you are subscribed to the Google Groups "qz-print" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qz-print+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/qz-print/74b4500f-6432-409e-aaf2-45b4c9268246n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages