PrintNightmare is the most recent zero-day vulnerability impacting the Windows print spooler, and the vulnerability can enable an attacker to remotely control an affected system. The service that allows the spooling of documents in print has become a recurring nightmare for Microsoft. This flaw was found as indicated “CVE-2021-1675 “and classified as low risk since it only allows attacks based on escalation of privileges conducted locally with human input. Microsoft issued a patch for CVE-2021-1675, described as a “Windows Print Spooler Elevation of Privilege Vulnerability” last Tuesday (Patch Tuesday).
The acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor published a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a fully working PoC code, before it was taken down just hours after it went up. For other articles I have written on GPO, see the following link. See this guide if you ever wanted to know what group policies are enabled or analyze GPO computers, and how to fix Print Spooler Service not running. Kindly refer to the fix (patch) to remediate the PrintNightmare “Out-of-Band Security Update for PrintNightmare: Patch released for Windows Print Spooler Remote Code Execution Vulnerability“.
Security researchers recently leaked details of a critical Windows print spooler vulnerability referred to as the "PrintNightmare". The flaw is a Stuxnet-style zero-day and can be exploited to completely compromise a Windows system. As explained by Bleeping Computer, researchers from Chinese security firm QiAnXin published a video showing that they had been able to achieve privilege escalation and remote code execution with the vulnerability. Then researchers from Sangfor, another Chinese security firm got a little mixed up and published a technical write up of what they thought was the same bug, calling it PrintNightmare. - July 7th, 2021, the PrintNightmare security update for Windows Server 2012, 2016, and Windows 10, v1607 was released. But why are the Out-of-Band patches not effective for the Print Spooler vulnerability?
System administrators are being advised to disable the Windows print spool service on domain controllers Windows servers running as domain controllers from where attackers can pivot to entire internal networks. Although the problem affects non-domain systems and it is currently not known when the PrintNightmare will be patched. To do this, we will first determine if the Print Spooler service is running by running the following command:
Get-Service -Name Spooler. You can also check this via
services.msc as shown below.
If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:
Option 1: Disable the Print Spooler service: If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands. Just ensure you run each command one after the other on the Domain Controller (DC).
Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled
Alternatively, you could also disable this on the fly via the Windows Services as shown below..
If you wish to start this in the future, kindly launch Windows Services and right click on the Print Spooler service and select properties.
– Select a startup type and click on start as shown below.
Option 2 – Disable inbound remote printing through Group Policy: You can also configure the settings via Group Policy as shown below. Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks. You may want to see this guide before proceeding: What is GPO and how can it be launched in Windows.
Computer Configuration / Administrative Templates / Printers
To launch the local group Policy console, open the run dialog box, search for “gpedit.msc” or from Windows Search as shown below
Each of the methods above will launch the “Local Group Policy Console” as shown below. Navigate through “Computer Configuration / Administrative Templates / Printers”.
– To disable this in the future, kindly follow the same steps and select “Not Configured”.
If you wish the policy to take effect immediately without waiting for the default settings, please run any of the following commands discussed in this hyperlink: GPUpdate and GPUpdate /force. Group policy on Windows 10 periodically refreshes the Registry at certain intervals to keep the Registry values in check at all times which is an interval of 90 minutes.
You may want to roll this setting domain-wide to your internal systems. To launch Group Policy from the Domain controller,
– Launch the
Server Manager. (Note: you can also use the Windows Administrative Tools for this).
– Under Tool,
– Search for Group Policy Management. This will open up the Group Policy Management Console. You can also use the “Advanced Group Policy Management (AGPM)”.
Create a new group policy object and follow the same steps by navigating through “Computer Configuration / Administrative Templates / Printers” and have it disabled.
– When you are done, you can either apply it to the domain or an OU as you wish. If you wish to see how similar settings are configured from start to finish, please see “how to update central store for Group Policy Administrative Templates”.
Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.