Last time I blogged about Windows printers I said that printers are strange beasts. Nowadays these beasts are causing nightmares for Windows admins! PrintNightmare is the name of a recently publicized vulnerability involving the Windows print spooler service. It initially came in two variants: one allowing remote code execution (CVE-2021-34527), the other enabling privilege escalation (CVE-2021-1675). An attacker can compromise a Windows machine through the print spooler service, which runs on most Windows machines unless it has been manually stopped and disabled. This lets attackers move more easily throughout your network once they are inside.
Microsoft's Response
Due to the severity of these vulnerabilities, Microsoft released patches outside their normal monthly patch release schedule. PrintNightmare has turned out to be a nightmare of the recurring sort: Microsoft has released multiple patches and recently warned of another related vulnerability, CVE-2021-36958 (see CERT's vulnerability note on mitigations).
Best Practices
It's best practice to apply Microsoft security patches as soon as possible, but for true protection from PrintNightmare, you must stop and disable the print spooler service on domain controllers and other systems that do not print. Helpful guidance from CERT includes instructions on how to stop and disable the print spooler service via PowerShell. They also include a nice flowchart you can use to determine if a system is exploitable, which points out that the quickest route to safety is to stop and disable the print spooler service.
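As an added example (not code from the original post, CERT, or Microsoft), the following PowerShell audits a host's spooler posture and applies the stop-and-disable mitigation on hosts that do not print. It assumes an elevated session on the local machine; the Point and Print registry values it checks are the ones Microsoft's CVE-2021-34527 guidance lists, and the function and parameter names are my own.

```powershell
# Added example: audit a host's print spooler posture and, on hosts that do not
# print, stop and disable the service. Assumes an elevated local session;
# -WhatIf previews the change without applying it.

function Get-SpoolerPosture {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole 4 or 5 means this host is a domain controller
    $isDc = $cs.DomainRole -in @(4, 5)

    # Point and Print values that Microsoft's CVE-2021-34527 guidance says must be
    # 0 or undefined; a value of 1 weakens the driver-install protections
    $pp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $weak = @()
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = (Get-ItemProperty -Path $pp -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) { $weak += $name }
    }

    $status    = if ($svc) { [string]$svc.Status }    else { 'NotInstalled' }
    $startType = if ($svc) { [string]$svc.StartType } else { 'NotInstalled' }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDc
        SpoolerStatus      = $status
        SpoolerStartType   = $startType
        WeakPointAndPrint  = $weak      # an empty list is what you want to see
    }
}

function Disable-SpoolerIfNotNeeded {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Set this on workstations and print servers that still have to print
        [switch]$HostPrints
    )
    $posture = Get-SpoolerPosture
    # Domain controllers never need the spooler, whatever the caller says
    if ($HostPrints -and -not $posture.IsDomainController) {
        Write-Warning "$($posture.ComputerName) prints; leaving Spooler $($posture.SpoolerStatus)"
        return $posture
    }
    if ($PSCmdlet.ShouldProcess($posture.ComputerName, 'Stop and disable the Spooler service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
    Get-SpoolerPosture   # return the post-change state for your records
}
```

Run `Disable-SpoolerIfNotNeeded -WhatIf` first to see what would change; the returned object is handy for collecting posture across your fleet.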
People still need to print of course! However, changes must be made to enhance security. Oftentimes businesses that use Windows have a print server or servers that they use to share their printers, and users will connect to download drivers and send and manage print jobs. Windows calls these printers "shared printers." Using a print server gives you a measure of centralized control over printing which is helpful, but it means you have at least one server running the print spooler service, which we've learned is rife with vulnerabilities. Is there a better way?
How do we balance security needs with users needing to print?
One solution to this problem is to take the print server(s) out of the picture and set users up to print via IP. Windows refers to printers set up in this manner as "TCP/IP printers." Systems using TCP/IP printers send print jobs directly to the printer without going through a print server. This can be harder to manage for various reasons: print jobs must be managed via each printer's interface, you don't have a server providing the same print drivers to everyone, and you are unable to use advanced Windows print management features. But criminals are already using PrintNightmare in their attacks. Large enterprises may want or need to stick with using print servers, in which case they should make sure to patch all their systems, investigate other mitigations, and confirm they have successfully mitigated PrintNightmare. For small businesses where centralized print management is not as much of a concern, eliminating the print server(s) entirely and setting people up to print via IP is the more secure way to go.
Approaches to consider
In a typical Windows domain with a print server, printers are deployed to users' systems via a Group Policy Object (GPO)*. The GPO auto-maps the printers on users' systems, so they do not need to add them manually. To switch people over to print via IP, create a new GPO and include each printer as a TCP/IP printer rather than as a shared printer. Here's a helpful step-by-step guide (scroll down to the "How to Install Printers Using Group Policy Preferences" section). Make sure to test your new GPO to confirm it works. Then unlink the old GPO, apply your new one, and confirm users can print without issues. Retire your old print server, or if it was being used for another purpose, make sure to stop and disable the print spooler service on it.
*One item to note with this approach: when new systems are brought online, the printer drivers will need to be manually installed on the computer before the GPO printer connection is made. We recommend including the printer driver installation as part of the standard build process.
Every IT professional who has seen the movie Office Space and worked on printers has probably thought back to this scene; for me it comes to mind on a regular basis:
Check back soon for the second part of this blog, where I will cover deploying printers via Intune! Do you need help securing your corporate systems? Contact iuvo Technologies today!