Last time I blogged about Windows printers I said that printers are strange beasts. Nowadays these beasts are causing nightmares for Windows admins! PrintNightmare is the name of a recently publicized vulnerability involving the Windows print spooler service. It initially came in two variants, one allowing for remote code execution (CVE-2021-34527), the other enabling privilege escalation (CVE-2021-1675). An attacker can compromise a Windows machine through the print spooler service, which runs on most Windows machines unless it has been manually stopped and disabled. This enables attackers to move more easily throughout your network once inside.
Microsoft's Response to PrintNightmare Vulnerabilities
In response to the severity of the PrintNightmare vulnerabilities, Microsoft took immediate action by releasing patches outside of their regular monthly patch release schedule. This highlights the significance of the issue at hand and the urgency to address it promptly. PrintNightmare has proven to be a recurring nightmare, prompting Microsoft to release multiple patches to mitigate the vulnerabilities.
Moreover, Microsoft recently issued a warning regarding another related vulnerability, known as CVE-2021-36958. This serves as a reminder that the threat landscape is constantly evolving, and organizations must remain vigilant in implementing necessary security measures. For detailed information on mitigations, it is advisable to refer to CERT's Vulnerability note.
By proactively releasing these patches and providing timely warnings, Microsoft is demonstrating its commitment to addressing and resolving the PrintNightmare vulnerabilities. It is essential for all Windows administrators and users to prioritize the installation of these patches to ensure the security of their systems.
As the threat landscape continues to evolve, it is crucial for organizations to stay updated with the latest security patches and advisories. Regularly monitoring and implementing necessary security measures can help mitigate the risk of potential vulnerabilities and protect sensitive data from malicious actors.
Best Practices
It's best practice to apply Microsoft security patches as soon as possible, but for true protection from PrintNightmare, you must stop and disable the print spooler service on domain controllers and other systems that do not print. This is because the print spooler service has been identified as a potential entry point for attackers to compromise Windows machines. By disabling this service on systems that do not require printing functionality, you can significantly reduce the attack surface and mitigate the risk of exploitation.
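The stop-and-disable step described above can be audited and applied across hosts with a script like the following. This is an added example, not code from the original post; the default target list (all domain controllers, via the ActiveDirectory RSAT module) and the use of WinRM remoting are assumptions.

```powershell
# Added example (not from the original post). Save as a .ps1 and run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: default targets are all domain controllers; needs the
    # ActiveDirectory (RSAT) module and WinRM access to every host.
    [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName
)

foreach ($computer in $ComputerName) {
    $svc = $null
    $cim = @{ ComputerName = $computer; ErrorAction = 'Stop' }
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" @cim
        if (-not $svc) { throw 'Spooler service not found' }

        # A running spooler that shares printers means the host is a print
        # server: report it for review instead of breaking printing.
        $shared = @()
        if ($svc.State -eq 'Running') {
            $shared = @(Get-CimInstance -ClassName Win32_Printer -Filter 'Shared = TRUE' @cim)
        }

        if ($svc.State -ne 'Running' -and $svc.StartMode -eq 'Disabled') {
            $action = 'Already stopped and disabled'
        }
        elseif ($shared.Count -gt 0) {
            $action = "Skipped: shares $($shared.Count) printer(s)"
        }
        elseif ($PSCmdlet.ShouldProcess($computer, 'Stop and disable Print Spooler')) {
            Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Stop-Service -Name Spooler -Force -ErrorAction Stop
                Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
            }
            $action = 'Stopped and disabled'
        }
        else { $action = 'Needs change (not applied)' }
    }
    catch { $action = "Error: $($_.Exception.Message)" }

    [pscustomobject]@{
        Computer        = $computer
        StateBefore     = $svc.State
        StartModeBefore = $svc.StartMode
        Action          = $action
    }
}
```

Pass `-ComputerName` explicitly to cover other systems that do not print; hosts reported as skipped are sharing printers and need a decision before the service is touched.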
However, the need for printing still remains in many organizations. In these cases, changes must be made to enhance security while still meeting user requirements. Traditionally, businesses that use Windows have relied on print servers to share printers, allowing users to download drivers and manage print jobs. These printers are known as "shared printers" in the Windows ecosystem and provide a level of centralized control over printing.
While using a print server may be convenient, it also introduces security vulnerabilities, as the print spooler service is running on the server. As we've seen with the PrintNightmare vulnerabilities, this service can be exploited by attackers to gain unauthorized access to the network. To address this issue, it is essential to explore alternative approaches that prioritize security without compromising printing functionality.
One such approach is to set up printers as "TCP/IP printers" instead of shared printers. With TCP/IP printers, print jobs are sent directly to the printer without going through a print server. This eliminates the reliance on the print spooler service and reduces the attack surface. However, managing print jobs and drivers becomes more challenging with this approach, as each printer needs to be managed individually through its interface.
For large enterprises where centralized print management is a priority, it may be necessary to continue using print servers. In these cases, it is crucial to apply the necessary patches, explore additional mitigations, and ensure that PrintNightmare vulnerabilities have been successfully addressed. Small businesses, on the other hand, can benefit from eliminating print servers entirely and transitioning to TCP/IP printers. This provides a more secure printing solution, although it may require additional effort in managing print jobs and drivers.
When implementing TCP/IP printers, organizations can leverage Group Policy Objects (GPOs) to deploy printers to user systems. By creating a new GPO and configuring each printer as a TCP/IP printer, users can continue printing without relying on a print server. However, it's important to note that when new systems are brought online, the printer drivers will need to be manually installed on the computer before the GPO printer connection is made. Including the printer driver installation as part of the standard build process can streamline this setup.
In conclusion, while it's crucial to apply Microsoft security patches promptly, disabling the print spooler service on non-printing systems provides an additional layer of protection against PrintNightmare vulnerabilities. Businesses should assess their printing needs and consider alternative approaches such as TCP/IP printers to enhance security while still meeting user requirements. By staying proactive and implementing necessary security measures, organizations can mitigate the risk of potential vulnerabilities and protect sensitive data from malicious actors.
How do we balance security needs with users needing to print?
One solution to this problem is to take the print server(s) out of the picture and set users up to print via IP. Windows refers to printers set up in this manner as "TCP/IP printers." Systems using TCP/IP printers send print jobs directly to the printer without going through a print server. This can be harder to manage for various reasons: print jobs must be managed via each printer's interface, you don't have a server providing the same print drivers to everyone, and you are unable to use advanced Windows print management features. But criminals are already using PrintNightmare in their attacks. Large enterprises may want or need to stick with using print servers, in which case they should make sure to patch all their systems, investigate other mitigations, and confirm they have successfully mitigated PrintNightmare. For small businesses where centralized print management is not as much of a concern, eliminating the print server(s) entirely and setting people up to print via IP is the more secure way to go.
Approaches to consider
In a typical Windows domain with a print server, printers are deployed to users' systems via a Group Policy Object (GPO)*. The GPO auto-maps the printers on users' systems, so they do not need to add them manually. To switch people over to print via IP, create a new GPO and include each printer as a TCP/IP printer rather than as a shared printer. Here's a helpful step-by-step guide (scroll down to the "How to Install Printers Using Group Policy Preferences" section). Make sure to test your new GPO to confirm it works. Then unlink the old GPO, apply your new one, and confirm users can print without issues. Retire your old print server, or if it was being used for another purpose, make sure to stop and disable the print spooler service.
*One item to note with this approach: when new systems are brought online, the printer drivers will need to be manually installed on the computer before the GPO printer connection is made. We recommend having the printer driver installation included as part of the standard build process.
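A build-process step for the driver installation recommended above could look like this. It is an added example, not part of the original post: the INF path, driver name, printer name and IP address are placeholders. Steps 2 and 3 create the same kind of direct TCP/IP printer the GPO would map, which is useful for testing on a single machine before the GPO is linked.

```powershell
# Added example (not from the original post). Run elevated on the new system.
# All values are placeholders (assumptions); replace them with your own.
$InfPath     = 'C:\Build\Drivers\ExamplePrinter\example.inf'  # hypothetical path
$DriverName  = 'Example Universal Print Driver'  # must match the name inside the INF
$PrinterIP   = '192.0.2.50'                      # documentation address (RFC 5737)
$PrinterName = 'Office-2F-Example'               # hypothetical printer name
$PortName    = "IP_$PrinterIP"

# 1. Stage the driver package in the driver store, then register it with the
#    local spooler. Add-PrinterDriver throws if staging did not succeed.
if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
    pnputil.exe /add-driver $InfPath
    Add-PrinterDriver -Name $DriverName -ErrorAction Stop
}

# 2. Create a Standard TCP/IP port that points straight at the printer.
if (-not (Get-PrinterPort -Name $PortName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $PortName -PrinterHostAddress $PrinterIP -ErrorAction Stop
}

# 3. Create the local printer on that port (no print server involved).
if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $PortName -ErrorAction Stop
}

# 4. Verify: Type should be 'Local' (not 'Connection') and Shared should be False.
Get-Printer -Name $PrinterName |
    Select-Object Name, DriverName, PortName, Type, Shared
```

For a build image that only needs the driver in place ahead of the GPO, keep step 1 and drop the rest.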
Every IT professional that has seen the movie Office Space and worked on printers has probably thought back to this scene; for me it comes to mind on a regular basis:
Resolving PrintNightmare with iuvo
Check back soon for the second part of this blog, where I will cover deploying printers via Intune! Do you need help securing your corporate systems? Contact iuvo today!