Lately, security technologists far and wide rushed to perform an out-of-band patch for a Microsoft zero day vulnerability dubbed PrintNightmare (CVE-2021-34527) affecting all versions of Windows. Windows has a vast footprint, accounting for 73% of operating systems on desktop PCs, according to Statista data.
PrintNightmare affects all users on supported versions of Windows, which has the print spooler service enabled by default to allow users to print, either locally or over a network. According to Microsoft, an attacker could exploit PrintNightmare to run arbitrary code with system privileges. This could allow them to install programs, view, change, or delete data and create new accounts with full user rights.
Windows client and server computers that aren't domain controllers can also be affected if Point and Print is enabled, or if the Authenticated Users group is nested within one of the groups listed in the mitigation section of Microsoft's advisory.
What you can do if your organization is affected
We recommend applying the following manual solutions suggested by Microsoft:
Solution 1. Disable the Print Spooler service
If your organization can disable the print spooler service without disrupting operations, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Disabling the print spooler service disables local and remote printing features.
Solution 2. Disable Inbound Remote Printing via Group Policy
You can configure the setting to disable inbound remote printing through group policy as follows:
- Computer Configuration / Administrative Templates / Printers
- Disable the ‘Allow Print Spooler to accept client connections’ policy to block remote attacks
- Restart the print spooler service for group policy to take effect
This policy blocks inbound remote printing operations, closing the remote attack vector. The system no longer functions as a print server; however, local printing to a directly connected device is still available.
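To verify that a host actually has one of the two mitigations in place (and that Point and Print has not been weakened), here is an added audit script; it is not part of the original article or of Microsoft's guidance. It assumes an elevated PowerShell 5.1+ session, and that the registry values it reads are the ones Microsoft's guidance maps to the policies named above (those value names are not quoted on this page).

```powershell
# Added audit script (not from the article or Microsoft): reports whether a host
# still exposes the PrintNightmare attack surface described above.
# Assumptions: elevated PowerShell 5.1+; registry value names are those Microsoft's
# guidance maps to the policies named in the article.

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = [System.Collections.Generic.List[object]]::new()

# Solution 1: is the Spooler service stopped AND set to Disabled?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerOff = [bool]($svc -and $svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
$svcDetail = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'service not present' }
$findings.Add([pscustomobject]@{ Check = 'Spooler stopped and disabled'; Pass = $spoolerOff; Detail = $svcDetail })

# Solution 2: "Allow Print Spooler to accept client connections" set to Disabled
# (a value of 2 means the policy is Disabled; absent means connections are allowed).
$rpc = Get-PolicyValue $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint'
$rpcDetail = if ($null -eq $rpc) { 'not configured (connections allowed)' } else { "value=$rpc" }
$findings.Add([pscustomobject]@{ Check = 'Inbound remote printing blocked'; Pass = ($rpc -eq 2); Detail = $rpcDetail })

# Point and Print: both values must be 0 or absent so driver installs still warn and elevate.
$noWarn = Get-PolicyValue $pointAndPrint 'NoWarningNoElevationOnInstall'
$update = Get-PolicyValue $pointAndPrint 'UpdatePromptSettings'
$ppSafe = (-not $noWarn) -and (-not $update)
$findings.Add([pscustomobject]@{ Check = 'Point and Print prompts retained'; Pass = $ppSafe; Detail = "NoWarningNoElevationOnInstall=$noWarn UpdatePromptSettings=$update" })

$findings | Format-Table -AutoSize

# A host counts as mitigated when either solution is in place and Point and Print is not weakened.
if (($spoolerOff -or $rpc -eq 2) -and $ppSafe) { 'RESULT: mitigated'; exit 0 }
else { 'RESULT: exposed - apply Solution 1 or Solution 2 above'; exit 1 }
```

The non-zero exit code lets the script be run from a configuration-management or fleet-audit job to flag hosts that still need one of the solutions applied.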