Disabling Print Spooler Service or inbound remote printing through Group Policy

PrintNightmare

PrintNightmare is the most recent zero-day vulnerability impacting the Windows Print Spooler, and it can enable an attacker to remotely control an affected system. The service that spools documents for printing has become a recurring nightmare for Microsoft. The flaw was identified as “CVE-2021-1675” and classified as low risk since it only allows attacks based on escalation of privileges conducted locally with human input. Microsoft issued a patch for CVE-2021-1675, described as a “Windows Print Spooler Elevation of Privilege Vulnerability”, last Tuesday (Patch Tuesday). The acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor published a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with fully working PoC code, before it was taken down just hours after it went up.

System administrators are being advised to disable the Windows Print Spooler service on Windows servers running as domain controllers, from where attackers can pivot to entire internal networks. The problem also affects non-domain systems, and it is currently not known when PrintNightmare will be patched. Before disabling anything, first determine whether the Print Spooler service is running with the following command:

Get-Service -Name Spooler

You can also check this via services.msc as shown below.

If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy.

Option 1 – Disable the Print Spooler service: If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands. Run the commands one after the other on the Domain Controller (DC).

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Alternatively, you can disable the service on the fly via Windows Services as shown below.

If you wish to start the service again in the future, launch Windows Services, right-click on the Print Spooler service, and select Properties.
– Select a startup type and click on Start as shown below.

Option 2 – Disable inbound remote printing through Group Policy: You can also configure the setting via Group Policy as shown below. Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.

Computer Configuration / Administrative Templates / Printers

To launch the Local Group Policy console, open the Run dialog box and enter “gpedit.msc”, or search for it from Windows Search as shown below.

Each of the methods above will launch the “Local Group Policy Console” as shown below. Navigate through “Computer Configuration / Administrative Templates / Printers”.
– To disable this in the future, kindly follow the same steps and select “Not Configured”.

If you want the policy to take effect immediately instead of waiting for the default refresh, run either of the following commands: GPUpdate or GPUpdate /force. Group Policy on Windows 10 refreshes the Registry periodically, at an interval of 90 minutes, to keep the Registry values in check at all times.

You may want to roll this setting out domain-wide to your internal systems. To launch Group Policy from the Domain Controller:
– Launch the Server Manager. (Note: you can also use the Windows Administrative Tools for this).
– Under Tools,
– Search for Group Policy Management. This will open up the Group Policy Management Console. You can also use the “Advanced Group Policy Management (AGPM)”.

Create a new Group Policy Object and follow the same steps: navigate through “Computer Configuration / Administrative Templates / Printers” and set the policy to Disabled.
– When you are done, you can either apply it to the domain or an OU as you wish. If you wish to see how similar settings are configured from start to finish.

Impact of workaround: This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.
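
To confirm on a given machine which of the two options is actually in effect, the following PowerShell function reports the service state and the policy setting together. It is an added example, not part of the original article, and it assumes the “Allow Print Spooler to accept client connections” policy is stored as the registry value RegisterSpoolerRemoteRpcEndPoint (1 = enabled, 2 = disabled) under the Printers policy key; the function name Get-SpoolerExposure is hypothetical.

```powershell
# Added example: audit the two PrintNightmare workarounds on the local machine.
# Assumption: the Group Policy setting is stored as RegisterSpoolerRemoteRpcEndPoint
# (1 = enabled, 2 = disabled) under the Printers policy key below.
function Get-SpoolerExposure {
    [CmdletBinding()]
    param()

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policyName = 'RegisterSpoolerRemoteRpcEndPoint'

    # Option 1: service state and startup type
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Option 2: policy value (absent means "Not Configured")
    $policyValue = $null
    $prop = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($prop) { $policyValue = $prop.$policyName }

    $stopped       = (-not $svc) -or ($svc.Status -eq 'Stopped')
    $startDisabled = (-not $svc) -or ($svc.StartType -eq 'Disabled')
    $remoteBlocked = ($policyValue -eq 2)

    # Edge cases: a stopped service that is not Disabled can be started again,
    # and a Disabled service that is still running stays up until it is stopped.
    $finding = if ($stopped -and $startDisabled) {
        'Option 1 in effect: Spooler is stopped and disabled'
    } elseif ($remoteBlocked) {
        'Option 2 in effect: inbound remote printing is disabled by policy'
    } elseif ($stopped) {
        'Spooler is stopped but not disabled; it can be started again'
    } elseif ($startDisabled) {
        'Spooler is set to Disabled but still running; stop the service'
    } else {
        'Neither workaround applied: Spooler is running and accepts client connections'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ServiceStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartType     = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
        PolicyValue   = if ($null -eq $policyValue) { 'NotConfigured' } else { $policyValue }
        Finding       = $finding
    }
}

Get-SpoolerExposure | Format-List
```

Run it in an elevated PowerShell session on the Domain Controller after applying either option, and again after a GPUpdate when the setting is delivered through a domain GPO.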
