PrintNightmare: How to Mitigate Microsoft Print Spooler Vulnerability
Update April 2022: Since the post was written, Microsoft has released a PrintNightmare patch, which solves the vulnerability described in this blog post, but caused some issues with print driver management. Read about the solution to these problems here.
Every single Windows computer that’s currently connected to the internet is at an increased risk for a cyber-attack.
A severe security bug, dubbed ‘PrintNightmare’, exploits a major vulnerability in Windows Print Spooler service. By exploiting this flaw, hackers are able to gain access to your network and grant themselves admin-level privileges using remote code execution.
Print Spooler is the Microsoft service responsible for managing and monitoring the printing process on Windows devices. This feature is enabled by default on all Microsoft machines, including servers and endpoints.
In short, hackers that exploit this vulnerability can gain full access to your systems making it easy to deploy a ransomware attack or corrupt important business data.
What is PrintNightmare?
PrintNightmare is a critical bug in the Windows Print Spooler service that can result in attackers being able to perform remote code execution on a Windows system as the local SYSTEM user. An attacker could then install malicious programs, mess with company data, or create new user accounts with full user rights.
Using compromised credentials hackers can gain full access to a domain controller and take over the whole system. A well-crafted phishing attack could give attackers the info they need to get their foot in the door. From there they can take advantage of the bug to rapidly spread throughout an organization’s system.
Note: An attack must involve an authenticated user calling RpcAddPrinterDriverEx().
The Print Spooler vulnerability (CVE-2021-34527) has been upgraded by Microsoft from low to important severity.
Microsoft began pushing out patches the first week of July, but the issue is yet to be fully resolved.
Zebra, most known for label printers, has been directly impacted by this bug. The emergency patches pushed out by Microsoft have left many Zebra users unable to print. While security is a top priority, there are still plenty of organizations for whom printing is a critical business function. This issue should be resolved in Microsoft’s next update.
What Should You Do?
Disclaimer: Here is some advice we have to offer, however guidance to protect from this vulnerability is still changing. These are recommended best practices and don't guarantee protection from this vulnerability.*
The first thing you need to do is update your Windows device. The update should be downloaded and installed automatically from Windows Update. To manually check for updates, follow these steps:
- Select the Start (Windows) button
- Go to Settings
- Select the Update & Security icon
- Choose the Windows Update tab
- Click the Check for Updates button
Updating your device should be enough to protect your personal computer. If you're concerned about your organization's network security and want to ensure that you've taken the right steps to mitigate the risk presented by this bug, please reach out to us anytime. Our IT security engineers will help you work through applying the patches and the recommended security steps as we wait for Microsoft to push out a long-term fix via software updates.
Currently, not all versions of Windows have an update available. If your system doesn’t have an update available yet, here are a few options to mitigate risk:
Note: Options 1 & 2 should be viewed as 'last resort' solutions because your organization's ability to print will be disabled. Although, it may be necessary to disable printing until your organization can apply the patches.
Option 1: Disable the Windows Print Spooler service
- Use the Windows start menu to search for Powershell
- Right-click Powershell and select Run as administrator
- In the Powershell prompt, run the following command to disable Windows Print Spooler:
Stop-Service -Name Spooler -Force
- Then run this command to prevent Windows from re-enabling Print Spooler at startup:
Stop-Service -Name Spooler -StartupType Disabled
- Keep your Print Spooler disabled until Microsoft’s patch is verified and installed on your device.
- Once your device is safely patched, you can re-enable Print Spooler in Powershell using:
Start-Service -Name Spoolerand
Set-Service -Name Spooler -StartupType Automatic
Impact: This will disable your ability to print locally and remotely
Option 2: Disable inbound remote printing through Group Policy
- Open the Group Policy Editor
- Go to Computer Configuration / Administrative Templates / Printers
- Disable the Allow Print Spooler to accept client connections policy
Impact: This will prevent inbound remote printing operations, but also block the remote attack vector.
Option 3: Use a Managed Service Provider (MSP)
Outsourcing your IT needs to an MSP relieves the burden from you and/or your IT team. When you work with a reliable service provider, all system updates and maintenance are handled for you. Your organization's IT security should not be left on the back burner. If you need help securing your network or you just don't have the time to play internal IT, then outsourcing some or all of your IT needs can be a great choice.
Impact: A managed IT services provider can give your organization the IT ecosystem it needs and provide 24/7 threat detection and monitoring to make sure your systems are secure.
Option 4: Manage Your Print Drivers with Cloud-Based Software
From an IT perspective, PrintNightmare has made installing print driver’s on work stations extremely challenging. A great way to print securely, save time for your IT Team, and work around this challenge is to implement cloud print driver software. With software such as uniFLOW there’s no need to install drivers on individual work stations, it's all done online. If a new printer needs to be added, the software allows for adding a new printer which automatically becomes available to end users the next time they log in. Cloud-based print driver management is also a great option to ensure remote workers are printing securely, and to track the number of prints if cost recovery is necessary. Cloud print driver management software works for copiers and printers manufactured by industry leaders such as Canon, Xerox, Hewlett Packard, Lexmark, Konica Minolta, Ricoh, Sharp and more.
Impact: Secure print, IT time savings and a work-around PrintNightmare challenges.
Microsoft has made it clear the current patch they have available for this bug is a temporary solution. New security patches that will permanently fix the Print Spooler vulnerability will be pushed out in the near future.
It’s no secret that the world is now digital. Your organization’s data and network are your most important assets and if you’re not taking the right approach to IT security, you’re taking a huge risk.
At Loffler, we offer IT security services to help keep your entire IT ecosystem protected. From the start, our engineers will work with you to develop a tailored security strategy that fits the needs of your organization. Plus, ongoing threat detection and response give you some much-needed peace of mind.
Ready to get started on the road toward improving the IT security posture at your organization?
Jessica is an account executive for the IT Solutions Group at Loffler. She has been with Loffler since 2010 and works closely with clients to understand their business needs and objectives, with the goal of helping them identify the best IT and phone solutions to improve their workplace.