A few days ago, PrintNightmare, the Microsoft Print Spooler vulnerability now tracked as CVE-2021-34527, was upgraded from a lower-severity local privilege escalation rating to 'critical'. The reason is a proof-of-concept (PoC) exploit published on GitHub that attackers can leverage for remote code execution, including against Domain Controllers.
Microsoft already published a patch in June 2021, but it does not fully protect against the exploit: attackers can still abuse the Print Spooler over a remote connection. This article covers what you need to know about the vulnerability and what you can do (and there is plenty you can do) to mitigate it.
A few words about what the Print Spooler is:
The Print Spooler is the Windows service (spoolsv.exe) that manages print jobs and printer drivers. It is one of Microsoft's oldest services and has received little maintenance since it was first shipped. It is enabled by default on every Windows machine, servers and endpoints alike, including Domain Controllers.
An attacker with minimal user access (a low-privileged authenticated user) can connect to the Print Spooler, locally or remotely over RPC. The service runs as SYSTEM and loads printer driver DLLs, so an attacker who can make it install a malicious driver gets code execution as SYSTEM on that machine. If the machine is a Domain Controller, that means control of the domain.
The best mitigation is to disable the Print Spooler service on every server and on every sensitive workstation (administrator workstations, internet-facing workstations, and workstations that do not print).
In our experience roughly 90% of servers do not need the Print Spooler to operate, so disabling it there should have no production impact. This is an immediate action that removes most of the exposure.
Finding where the Print Spooler is actually in use is not easy in a large, complex infrastructure.
Here are a few examples where the Print Spooler is required for operations:
- Citrix services (printing from published sessions).
- Fax servers.
- Any application that prints, physically or virtually (to PDF, XPS, etc.), for example billing and payroll applications.
A few examples where the Print Spooler is not needed but is enabled by default:
- Domain Controllers and other Active Directory servers. The main risk of this vulnerability is neutralized by basic cyber hygiene: there is no reason to run the Print Spooler on a DC.
- Member servers such as SQL, file, and Exchange servers.
- Any machine that does not need to print.
It is easy to see why you should disable the Print Spooler on most of your machines right away. But can you also reduce the attack surface on the machines that need the Print Spooler to operate? Yes!
How to minimize the Print Spooler's attack surface:
- Consider replacing the Windows Print Spooler with a non-Microsoft print service where the application allows it, so that the vulnerable interface is not exposed at all.
- Block remote clients from reaching the Print Spooler on machines that only print locally, by disabling the Group Policy setting 'Allow Print Spooler to accept client connections' (Computer Configuration > Administrative Templates > Printers). Local printing keeps working, but the remote RPC entry point the exploit uses is closed. Where the spooler must still accept remote clients (true print servers), restrict access to the users and groups that need it.
- Make sure 'Authenticated Users' is not a member of the Pre-Windows 2000 Compatible Access group, so that a low-privileged spooler caller does not inherit that legacy group's broad permissions.
- Make sure Point and Print is not configured to install drivers without warnings or elevation prompts: under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, the DWORD values NoWarningNoElevationOnInstall and UpdatePromptSettings must be 0 or absent. A value of 1 disables the prompts and leaves the machine exploitable even after the patch.
- Keep User Account Control enabled: the DWORD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA must be 1. A value of 0 means UAC has been turned off, which removes the elevation checks the settings above rely on.
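As an added example (not part of the original article), the following PowerShell script audits the settings just listed on a machine that must keep the spooler running, and corrects them when run with -Fix. It assumes that the 'Allow Print Spooler to accept client connections' policy is stored as the RegisterSpoolerRemoteRpcEndPoint DWORD under the Printers policy key (1 = allow, 2 = block) and that an absent Point and Print value behaves as 0; the -KeepRemoteClients switch is a hypothetical option for real print servers that cannot refuse remote clients.

```powershell
# Added example, not from the original article: audit (and with -Fix, correct)
# the registry-backed settings that reduce the Print Spooler attack surface on a
# machine that must keep the service running. Run from an elevated session.
# Assumptions: the GPO "Allow Print Spooler to accept client connections" is
# backed by RegisterSpoolerRemoteRpcEndPoint (1 = allow, 2 = block) under the
# Printers policy key, and an absent Point and Print value behaves as 0.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix,               # apply changes; default is report only
    [switch]$KeepRemoteClients  # real print server: leave remote RPC clients allowed
)

$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = Join-Path $printers 'PointAndPrint'
$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each check: where the value lives, the safe value, and what an absent value means.
$checks = @(
    @{ Path = $pnp;    Name = 'NoWarningNoElevationOnInstall'; Want = 0; Missing = 0 },
    @{ Path = $pnp;    Name = 'UpdatePromptSettings';          Want = 0; Missing = 0 },
    @{ Path = $system; Name = 'EnableLUA';                     Want = 1; Missing = 1 }
)
if (-not $KeepRemoteClients) {
    $checks += @{ Path = $printers; Name = 'RegisterSpoolerRemoteRpcEndPoint'; Want = 2; Missing = 1 }
}

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$restartSpooler = $false
$report = foreach ($c in $checks) {
    $current = Get-RegDword -Path $c.Path -Name $c.Name -Default $c.Missing
    $status  = if ($current -eq $c.Want) { 'OK' } else { 'EXPOSED' }
    if ($status -eq 'EXPOSED' -and $Fix -and
        $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "set DWORD to $($c.Want)")) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        if ($c.Name -eq 'RegisterSpoolerRemoteRpcEndPoint') { $restartSpooler = $true }
        $current = $c.Want
        $status  = 'FIXED'
    }
    [pscustomobject]@{ Setting = $c.Name; Current = $current; Wanted = $c.Want; Status = $status }
}

$report | Format-Table -AutoSize

# Blocking remote RPC clients only takes effect once the service restarts.
if ($restartSpooler) { Restart-Service -Name Spooler }
```

Run it once without -Fix to see which settings report EXPOSED; -Fix -WhatIf shows what would change without touching the registry. On a machine that serves printers to other hosts, pass -KeepRemoteClients, since blocking remote RPC clients there would break printing for everyone who uses it.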
What to do next to make sure your organization is secure:
- Map your network to find where the Print Spooler is running.
- Map which of those machines must use the Print Spooler.
- On machines that do not need the Print Spooler, disable it.
- On machines that need the Print Spooler, configure it to minimize its attack surface.
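The whole procedure above, as an added example (not from the original article or from any vendor tool): a PowerShell script that inventories the Print Spooler across domain-joined Windows machines, classifies each one and, when run with -Disable, stops and disables the service where nothing uses it. It assumes the ActiveDirectory RSAT module and PowerShell remoting (WinRM) access to the targets. The list of 'built-in' printer names it ignores is an assumption about a default Windows install, and the classification rule (a DC, or a machine with no other print queue, does not need the spooler) is the article's own guidance encoded as a rule.

```powershell
# Added example, not from the original article: inventory the Print Spooler
# across domain-joined Windows machines, classify each one, and (with -Disable)
# stop and disable the service where nothing uses it. Requires the
# ActiveDirectory module and PowerShell remoting to the targets.
# Assumption: the printer names listed in $builtin are the queues a default
# Windows install creates and do not indicate real printing.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,   # optional OU distinguished name to limit the scope
    [switch]$Disable       # act on machines classified 'Disable'; default is report only
)

Import-Module ActiveDirectory

$adParams = @{ Filter = 'OperatingSystem -like "*Windows*"'; Properties = 'OperatingSystem' }
if ($SearchBase) { $adParams.SearchBase = $SearchBase }
$computers = Get-ADComputer @adParams | Select-Object -ExpandProperty Name

# Runs on each target: report the spooler state plus signs that printing is in use.
$probe = {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $builtin = 'Microsoft XPS Document Writer', 'Microsoft Print to PDF', 'Fax', 'OneNote*'
    $queues = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # Get-Printer only works while the spooler runs; a stopped spooler is
        # reported with zero queues, which is the right answer for our purpose.
        $queues = @(Get-Printer -ErrorAction SilentlyContinue |
            Where-Object { $n = $_.Name; -not ($builtin | Where-Object { $n -like $_ }) })
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        IsDC         = ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4)
        SpoolerState = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'Absent' }
        CustomQueues = $queues.Count
        SharedQueues = @($queues | Where-Object Shared).Count
    }
}

# Unreachable hosts are dropped silently here; compare the output count with
# $computers.Count to find machines that still need a manual look.
$inventory = Invoke-Command -ComputerName $computers -ScriptBlock $probe -ErrorAction SilentlyContinue |
    Select-Object Computer, IsDC, SpoolerState, CustomQueues, SharedQueues

# Classification: a DC never needs the spooler; a machine with no non-built-in
# print queue is assumed not to print; a machine sharing queues is a print
# server to keep and harden; anything else needs a human decision.
$plan = foreach ($m in $inventory) {
    $action = if ($m.SpoolerState -eq 'Stopped/Disabled' -or $m.SpoolerState -eq 'Absent') { 'AlreadyOff' }
              elseif ($m.IsDC -or $m.CustomQueues -eq 0) { 'Disable' }
              elseif ($m.SharedQueues -gt 0) { 'Keep-PrintServer' }
              else { 'Review' }
    $m | Add-Member -NotePropertyName Action -NotePropertyValue $action -PassThru
}
$plan | Sort-Object Action, Computer | Format-Table -AutoSize

if ($Disable) {
    foreach ($t in ($plan | Where-Object Action -eq 'Disable').Computer) {
        if ($PSCmdlet.ShouldProcess($t, 'Stop and disable the Spooler service')) {
            Invoke-Command -ComputerName $t -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
    }
}
```

Run it first without -Disable and review the 'Review' and 'Keep-PrintServer' rows by hand; those are the machines where the hardening settings from the previous section apply. -Disable -WhatIf lists the machines that would be touched without changing any of them.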
We strongly recommend using a hardening automation tool to implement these recommendations. Otherwise you will spend hours implementing them by hand and may still be vulnerable at the end of the process, or cause machine downtime.
A hardening automation tool discovers where the Print Spooler is enabled and where it is really needed, and disables or reconfigures it automatically once you choose your course of action.