Brother Scanning: MFC2700 / MFC 8480

handsofqwerty

Oh, and it's the MFC-L2700DW I'm assuming, right? You can tell it's a new model from Brother because they prefaced all their new model numbers (for lasers) with an L.

A Former User

Is this scanning to a file server to to the local device?

What you could try doing is pushing out a GPP to modify preferences of says My Documents\Scans or similar. so the permissions are less restrictive. You'd want to encourage them to remove the files from there though.

Personally I've always setup an SFTP server on the file server with virtual directory that point to their folder on the file server. This way the FTP server can only see the scans and is less of an issue of something gets mess up, and the FTP server technically has admin rights to the folders it since since it runs in a domain service account, but you can only access the virtual directories setup.

handsofqwerty

@thecreativeone91 said:

Is this scanning to a file server to to the local device?

What you could try doing is pushing out a GPP to modify preferences of says My Documents\Scans or similar. so the permissions are less restrictive. You'd want to encourage them to remove the files from there though.

Personally I've always setup an SFTP server on the file server with virtual directory that point to their folder on the file server. This way the FTP server can only see the scans and is less of an issue of something gets mess up, and the FTP server technically has admin rights to the folders it since since it runs in a domain service account, but you can only access the virtual directories setup.

It's not a permissions issue on the folder, but the software. I've seen this before, and while the CC software is great in non-domain environments, or where people are local admins, in this type of situation it falls short...

A Former User

I wouldn't give it admin rights, I'd find a work around. Use Process Monitor to see what it needs. https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

handsofqwerty

@thecreativeone91 said:

I wouldn't give it admin rights, I'd find a work around. Use Process Monitor to see what it needs. https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

What's the harm of giving a single program like this admin rights? All it can do is scan, basically. What threat would that pose to the computer or network?

A Former User

@handsofqwerty said:

@thecreativeone91 said:

I wouldn't give it admin rights, I'd find a work around. Use Process Monitor to see what it needs. https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

What's the harm of giving a single program like this admin rights? All it can do is scan, basically. What threat would that pose to the computer or network?

Privilege escalation, running a program or service with more rights and it needs as how people are able to do it in most cases. It also will give the user access (full control) to any files through the file dialog box inside the program as it will be running with admin rights as well.

handsofqwerty

@thecreativeone91 said:

@handsofqwerty said:

@thecreativeone91 said:

I wouldn't give it admin rights, I'd find a work around. Use Process Monitor to see what it needs. https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

What's the harm of giving a single program like this admin rights? All it can do is scan, basically. What threat would that pose to the computer or network?

Privilege escalation, running a program or service with more rights and it needs as how people are able to do it in most cases. It also will give the user access (full control) to any files through the file dialog box inside the program as it will be running with admin rights as well.

Yeah, that's technically true. But for this software, you setup the directory to scan to and they hit a button and it scans. Besides, if you knew these users...

Dashrender

@handsofqwerty said:

Yeah, that's technically true. But for this software, you setup the directory to scan to and they hit a button and it scans. Besides, if you knew these users...

THIS ^^ This right here is what I hear every day - my users will never do anything they aren't supposed to, so I don't need to worry about security issues...

and that's true.. until you do need to worry about it! A different person sits down there and starts messin' around... or a virus gets on there and takes advantage.. etc.

The whole idea of fixing it only after it breaks just drives me insane!

MattSpeller

eesh, I despise that kinda stuff. Make em' scan to email. Safer, traceable, no permissions garbage, etc.

handsofqwerty

@Dashrender said:

@handsofqwerty said:

Yeah, that's technically true. But for this software, you setup the directory to scan to and they hit a button and it scans. Besides, if you knew these users...

THIS ^^ This right here is what I hear every day - my users will never do anything they aren't supposed to, so I don't need to worry about security issues...

and that's true.. until you do need to worry about it! A different person sits down there and starts messin' around... or a virus gets on there and takes advantage.. etc.

The whole idea of fixing it only after it breaks just drives me insane!

I get where you're coming from, but flip it over. Why create additional issues for yourself when a solution is available in the name of what might happen? It's all a balancing act. Will the potential side effects of granting normal users admin rights to one program result in a greater cost to the client than trying to figure out the perfect solution that might not exist?

handsofqwerty

@MattSpeller said:

eesh, I despise that kinda stuff. Make em' scan to email. Safer, traceable, no permissions garbage, etc.

Yeah, I've become a big fan of scan-to-email, although for large documents, this can be MUCH slower and doesn't always work with attachment size limitations.

MattSpeller

@handsofqwerty said:

doesn't always work with attachment size limitations.

Thats when you scan to USB stick, but it's gotta be a monster or the printer has really weak compression algorithms.

Dashrender

@handsofqwerty said:

@Dashrender said:

@handsofqwerty said:

Yeah, that's technically true. But for this software, you setup the directory to scan to and they hit a button and it scans. Besides, if you knew these users...

THIS ^^ This right here is what I hear every day - my users will never do anything they aren't supposed to, so I don't need to worry about security issues...

and that's true.. until you do need to worry about it! A different person sits down there and starts messin' around... or a virus gets on there and takes advantage.. etc.

The whole idea of fixing it only after it breaks just drives me insane!

I get where you're coming from, but flip it over. Why create additional issues for yourself when a solution is available in the name of what might happen? It's all a balancing act. Is the potential side effects of granting normal users admin rights to one program result in a greater cost to the client than trying to figure out the perfect solution that might not exist?

This is probably one of the best arguments I've ever seen you make!

That said, it's definitely a case by case issue. and I'd personally spend at least 30 mins trying to make this work correctly before just tossing in the towel.

Dashrender

@handsofqwerty said:

@MattSpeller said:

eesh, I despise that kinda stuff. Make em' scan to email. Safer, traceable, no permissions garbage, etc.

Yeah, I've become a big fan of scan-to-email, although for large documents, this can be MUCH slower and doesn't always work with attachment size limitations.

Scanning to network often solves this problem then!

Dashrender

It sounds like this printer/scanner is connected directly to a computer - but if it's not, I'd definitely setup both Scan to email and scan to network and ditch the local scanning software from the machine.

gjacobse

There are about four scanners in the office, and about 20 users.

It is not currently set to scan to the server, but to the local users computer. Each scanner is on the network, separate IP address.

Again, some computers are the issue,.. not all. many work fine with no issues. Pulling the same GPO and User rights.

A Former User

@g.jacobse said:

There are about four scanners in the office, and about 20 users.

It is not currently set to scan to the server, but to the local users computer. Each scanner is on the network, separate IP address.

Again, some computers are the issue,.. not all. many work fine with no issues. Pulling the same GPO and User rights.

Same version of windows? Do all have UAC enabled?

coliver

@thecreativeone91 said:

@g.jacobse said:

There are about four scanners in the office, and about 20 users.

It is not currently set to scan to the server, but to the local users computer. Each scanner is on the network, separate IP address.

Again, some computers are the issue,.. not all. many work fine with no issues. Pulling the same GPO and User rights.

Same version of windows? Do all have UAC enabled?

This, UAC being disabled has cause no end of grief to me on a few computers, I had a Canon MFP that refused to scan to the local disk without UAC enabled.

Dashrender

@coliver said:

@thecreativeone91 said:

@g.jacobse said:

There are about four scanners in the office, and about 20 users.

It is not currently set to scan to the server, but to the local users computer. Each scanner is on the network, separate IP address.

Again, some computers are the issue,.. not all. many work fine with no issues. Pulling the same GPO and User rights.

Same version of windows? Do all have UAC enabled?

This, UAC being disabled has cause no end of grief to me on a few computers, I had a Canon MFP that refused to scan to the local disk without UAC enabled.

Wow.. not that just seems backwards.

handsofqwerty

@Dashrender said:

@handsofqwerty said:

@Dashrender said:

@handsofqwerty said:

Yeah, that's technically true. But for this software, you setup the directory to scan to and they hit a button and it scans. Besides, if you knew these users...

THIS ^^ This right here is what I hear every day - my users will never do anything they aren't supposed to, so I don't need to worry about security issues...

and that's true.. until you do need to worry about it! A different person sits down there and starts messin' around... or a virus gets on there and takes advantage.. etc.

The whole idea of fixing it only after it breaks just drives me insane!

I get where you're coming from, but flip it over. Why create additional issues for yourself when a solution is available in the name of what might happen? It's all a balancing act. Is the potential side effects of granting normal users admin rights to one program result in a greater cost to the client than trying to figure out the perfect solution that might not exist?

This is probably one of the best arguments I've ever seen you make!

That said, it's definitely a case by case issue. and I'd personally spend at least 30 mins trying to make this work correctly before just tossing in the towel.

Oh I totally agree that totally not trying is a bad idea. However, balance is required. Thank you for the kind words.