Table of Contents
July 9, 2021
|8m
How To Mitigate The Print Spooler Vulnerability – PringNightmare CVE-2021-34527
Initially, Microsoft has set the criticality of the print spooler vulnerability (also known as ‘PrintNightmare’), to ‘low’, later it was upgraded to ‘critical’ this week after the Proof of Concept was published on GitHub. In response to that, Microsoft released a patch in June 2021. Unfortunately, the patch didn’t provide protection against the vulnerability. Attackers could still exploit the vulnerability after installing the patch too. We are going to cover most of the things you need to know about the print spooler vulnerability, including how to mitigate the print spooler vulnerability (PringNightmare CVE-2021-34527) in the article.
What Is Print Spooler Service?
Print spooler is a Microsoft Windows service used to manage and monitor files printing. This service is one of the oldest services, which could be found on pretty much all the versions of Microsoft Windows. This service is enabled by default on all the Microsoft servers and endpoints machines.
What Is Print Spooler Vulnerability Or PrintNightmare Vulnerability?
According to Microsoft, ” This is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
This vulnerability allows an attacker to connect the print spooler service directly or remotely if he has limited access to the network. The attacker can get access to the operating system through the print spooler service since the Print Spooler has direct access to the kernel of the operating system. By exploiting the PrintNightmare vulnerability, the attackers can run remote code with SYSTEM privileges and ultimately attack the Domain Controller.
The print spooler vulnerability or PrintNightmare vulnerability is tracked under the CVE-2021-34527 ID.
Summary Of CVE-2021-34527:
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability |
| Executive Summary | A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | Yes |
| Known Exploits? | Yes |
| Exploitability | Exploitation detected |
| CVSS Score Metrics | 8.8 |
| Privileges Required | Low |
| Confidentiality | High |
| User Interaction | None |
| Integrity | High |
| Scope | Unchanged |
| Availability | High |
| Attack Complexity | Low |
| Attack Vector: | Network |
| Affected Software | All versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 |
How To Mitigate The Print Spooler Vulnerability Or PrintNightmare Vulnerability?
The print spooler vulnerability is considered very important for two main reasons: the vulnerability is considered critical. It affects all versions of Windows, including servers & workstations. It is highly important to mitigate this flaw. Let’s see how to mitigate the print spooler vulnerability in this section.
Install The Patches For Print Spooler Vulnerability Or PrintNightmare Vulnerability:
On July 7th, Microsoft has rolled out a patch for all the client and server operating systems. Microsoft recommends installing the patch on all the machines.
Windows Server 2012 R2
Monthly Rollup
Security Only
Windows Server 2012
Monthly Rollup
Security Only
Windows Server 2016
Monthly Rollup
Windows Server 2019
Monthly Rollup
Windows 10 (Different versions)
Monthly Rollup (Locate the respective version in the link to download and apply)
The best option to mitigate the print spooler vulnerability is to disable the print spooler service on the server and/or workstation on which the service is barely used. You can disable the service in two ways: PowerShell & Services App.
Registry Settings To Mitigate The Print Spooler Vulnerability Or PrintNightmare Vulnerability:
In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.)
The following registry keys are not present by default. Verify that the keys are not present or change the following registry values to 0 (zero):
Deploy using GPO Preferences to implement registry key additions
Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value: NoWarningNoElevationOnInstall
Data type: REG_DWORD
Data: 0 or not defined (default setting)
Note: Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.
Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value: NoWarningNoElevationOnUpdate
Data type: REG_DWORD
Data: 0 or not defined (default setting)
After installing these and later Windows updates
In addition, optionally configure the RestrictDriverInstallationToAdministrators registry value to prevent non-administrators from installing printer drivers on a print server.
Registry subkey: HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
Value: RestrictDriverInstallationToAdministrators
Data type: REG_DWORD
Data: 0: or leaving the value undefined allows non-administrators to install signed drivers and allows administrators to install signed and unsigned printer drivers to a print server. This is the default value.
Disable The Print Spooler Service Using PowerShell:
Disabling the Print spooler service would disable the ability to print both locally and remotely.
Either right-click on the Start Menu or press Windows+X.
Click on the ‘Windows PowerShell (Admin)‘
Disable the print spooler service with this command:
Disable for one time: > Stop-Service -Name Spooler -Force
Disable the print spooler service from the autostart: > Set-Service -Name Spooler -StartupType Disabled
Close PowerShell window.
Picture #1: Run Windows PowerShell (Admin)
Picture #2: Disable the Print spooler service using PowerShell
Enable The Print Spooler Service Using PowerShell:
The command to enable the print spooler service: > Set-Service -Name Spooler -StartupType Automatic
The command to restart Print service: > Start-Service -Name Spooler
Check The Status Of The Print Spooler Service Using PowerShell:
The command to enable the print spooler service: > Get-Service -Name Spooler
Picture #3: Check the status of the Print spooler service using PowerShell
Disable The Print Spooler Service Using Services App:
Type ‘services‘ on the taskbar to open the services app.
Double-tap on the ‘Print spooler‘ service.
Set the Startup type to ‘Disabled‘.
Click on ‘Stop‘
Picture #4: Disable the Print spooler service using Services App
Disable The Print Spooler Service On Using Group Policy Editor:
When the service is disabled through the group policy, the spooler will automatically reject the client connections and prevent users from sharing printers. However, the printers currently in share will continue to be shared.
Follow these steps to disable the printer spooler service using the group policy editor.
Search ‘gpedit.msc‘ in the taskbar to open the group policy editor.
Navigate to the path: Computer Configuration > Administrative Templates > Printers
Double-tap the Allow Print Spooler to accept client connections policy.
Select the Disabled option, then hit OK.
Picture #5: Disable the Print spooler service on using Group Policy editor
Picture #6: Disable the Print spooler service on using Group Policy editor
The print spooler service must to restarted to save the changes in the policy.
Enable The Print Spooler Service Using Group Policy Editor:
Follow these steps to enable the printer spooler service using the group policy editor.
Search ‘gpedit.msc’ in the taskbar to open the group policy editor.
Navigate to the path: Computer Configuration > Administrative Templates > Printers
Double-tap the Allow Print Spooler to accept client connections policy.
Select the Not configured or Enabled option.
Tap on the Apply button and select OK.
Picture #7: Enable the Print spooler service using Group Policy editor
Why Do You Need The Print Spooler Service?
All most 90% of servers don’t require Print spooler service. Disabling the service can solve 90% of your problem with little impact on production. However, it is quite challenging to disable the service on the whole network in large and complex infrastructures. There are some cases where Print spooler is required. The print spooler services could be needed when you run Fax servers, Citrix services, and any application services which require virtual or physical printing of PDFs, XPSs, etc.
Why Do You Disable The Print Spooler Service?
These are some of the servers & workstations where print spooler services may not require.
SQL servers, File servers, Exchange servers, Domain Controller, and Active Directory
Any other machines that do not require printing.
Administrators’ workstations, internet-facing workstations, and non-printing workstations.
Countermeasures Against Print Spooler Vulnerability Or PrintNightmare Vulnerability (CVE-2021-34527):
Replace the service with non-windows services.
Restrict Print spooler access to the users’, drivers’, groups that only need the service.
Disable Print spooler in Pre-Windows 2000 compatibility group.
Set the following registry keys are to 0 (zero)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Turn off EnableLUA:
registry key: SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.
Thanks for reading the post. We tried to cover all the possible things required to know how to mitigate the print spooler vulnerability (PringNightmare) in the article. Please share with those who need this information.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
