Previously on Windows Printer Spooler Security…
Ten years ago, an escalation of privilege bug in the Windows Printer Spooler was used in Stuxnet, a notorious worm that destroyed Iran's nuclear enrichment centrifuges and infected more than 45000 networks. In the ten years since, the spooler has had an endless stream of vulnerabilities disclosed, some of which are not publicly known; these are hidden bombs that could lead to disasters.
Our days
Microsoft confirmed that a zero-day vulnerability known as PrintNightmare, which can be exploited to enable remote code execution on a target device, affects every version of Windows.
The vulnerability is found in code related to the Windows Print Spooler executable that handles pretty much every aspect of the process involved with printing something from a PC. Microsoft said that by default Windows Print Spooler launches alongside Windows and only closes when the operating system itself is shut down. That makes it an attractive target for attackers.
PrintNightmare is already being exploited in the wild and the security patches released on June 8 will not fully protect Windows devices from those attacks. That does not mean those patches should be avoided—they can still defend against other exploits, including those involving CVE-2021-1675. They just do not fully address exploits involving PrintNightmare.
Mitigations
To reduce the attack surface and as an alternative to disabling printing, check membership and nested group membership in the groups listed below. Attempt to reduce membership as much as possible, or completely empty the groups where possible. Due to legacy configurations and backwards compatibility, some of these groups may contain Authenticated Users or Domain Users, which would allow anyone in the domain to exploit the domain controller.
- Administrators
- Domain Controllers
- Read Only Domain Controllers
- Enterprise Read Only Domain Controllers
- Certificate Admins
- Schema Admins
- Enterprise Admins
- Group Policy Admins
- Power Users
- System Operators
- Print Operators
- Backup Operators
- RAS Servers
- Pre-Windows 2000 Compatible Access
- Network Configuration Operators Group Object
- Cryptographic Operators Group Object
- Local account and member of Administrators group
Note: Removing members from these groups may cause other compatibility problems.
Workarounds
Determine if the Print Spooler service is running. Run the following in PowerShell:
Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service or disable inbound remote printing through Group Policy:
Option 1 - Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Note: Impact of workaround. Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 - Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Note: Impact of workaround. This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
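As an added example (not part of the advisory or of Microsoft's guidance), the following PowerShell script audits a domain-joined host against both the group-membership mitigation and the spooler workarounds above. It assumes an elevated session with the ActiveDirectory RSAT module; the group names are my mapping of the advisory's list onto the built-in AD group names, and the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is assumed to be what the "Allow Print Spooler to accept client connections" policy writes.

```powershell
# Added example: audit privileged group membership and Print Spooler exposure.
Import-Module ActiveDirectory -ErrorAction Stop

# SIDs that effectively grant "anyone in the domain" membership:
# Authenticated Users, Everyone, BUILTIN\Users, and the domain's Domain Users (RID 513).
$BroadSidPatterns = '^S-1-5-11$', '^S-1-1-0$', '^S-1-5-32-545$', '-513$'

function Get-BroadPrincipalsInGroup {
    param([string]$Group, [hashtable]$Seen = @{})
    $members = (Get-ADGroup -Identity $Group -Properties member).member
    foreach ($dn in $members) {
        if ($Seen.ContainsKey($dn)) { continue }   # break membership cycles
        $Seen[$dn] = $true
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        $sid = $obj.objectSid.Value
        if ($BroadSidPatterns | Where-Object { $sid -match $_ }) {
            [pscustomobject]@{ Group = $Group; Member = $obj.Name; Sid = $sid }
        } elseif ($obj.ObjectClass -eq 'group') {
            Get-BroadPrincipalsInGroup -Group $dn -Seen $Seen   # follow nested groups
        }
    }
}

# Built-in AD names corresponding to the advisory's list (my mapping; "Cert Publishers"
# is the nearest built-in to the advisory's "Certificate Admins").
$PrivilegedGroups = 'Administrators', 'Domain Controllers', 'Read-only Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Cert Publishers', 'Schema Admins',
    'Enterprise Admins', 'Group Policy Creator Owners', 'Power Users', 'Server Operators',
    'Print Operators', 'Backup Operators', 'RAS and IAS Servers',
    'Pre-Windows 2000 Compatible Access', 'Network Configuration Operators',
    'Cryptographic Operators'

$findings = foreach ($g in $PrivilegedGroups) {
    try { Get-BroadPrincipalsInGroup -Group $g }
    catch { Write-Warning "Could not enumerate '$g': $($_.Exception.Message)" }
}
$findings | Format-Table -AutoSize

# Spooler exposure: service state plus the policy registry value
# (assumed: RegisterSpoolerRemoteRpcEndPoint = 2 means the policy is Disabled).
$svc = Get-Service -Name Spooler
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' `
    -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
[pscustomobject]@{
    SpoolerStatus  = $svc.Status
    StartType      = $svc.StartType
    RemotePrinting = if ($policy.RegisterSpoolerRemoteRpcEndPoint -eq 2) { 'Blocked by policy' } else { 'Allowed' }
}
```

Any row in the findings table means a broad principal reaches a privileged group through direct or nested membership; a final object showing a running spooler with remote printing allowed means neither workaround is in place.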
References
- Windows Print Spooler Remote Code Execution Vulnerability
- PrintNightmare (CVE-2021-1675): Remote code execution in Windows Spooler Service
- CVE-2021-1675