PrintNightmare: How to Mitigate Microsoft Print Spooler Vulnerability

PrintNightmare: How to Mitigate Microsoft Print Spooler Vulnerability | Loffler

Every single Windows computer that’s currently connected to the internet is at an increased risk for a cyber-attack.

A severe security bug, dubbed ‘PrintNightmare’, exploits a major vulnerability in Windows Print Spooler service. By exploiting this flaw, hackers are able to gain access to your network and grant themselves admin-level privileges using remote code execution.

Print Spooler is the Microsoft service responsible for managing and monitoring the printing process on Windows devices. This feature is enabled by default on all Microsoft machines, including servers and endpoints.

In short, hackers that exploit this vulnerability can gain full access to your systems making it easy to deploy a ransomware attack or corrupt important business data.

What is PrintNightmare?

PrintNightmare is a critical bug in the Windows Print Spooler service that can result in attackers being able to perform remote code execution on a Windows system as the local SYSTEM user. An attacker could then install malicious programs, mess with company data, or create new user accounts with full user rights.

Using compromised credentials hackers can gain full access to a domain controller and take over the whole system. A well-crafted phishing attack could give attackers the info they need to get their foot in the door. From there they can take advantage of the bug to rapidly spread throughout an organization’s system.

Note: An attack must involve an authenticated user calling RpcAddPrinterDriverEx().

The Print Spooler vulnerability (CVE-2021-34527) has been upgraded by Microsoft from low to important severity.

Microsoft began pushing out patches the first week of July, but the issue is yet to be fully resolved.

Zebra, most known for label printers, has been directly impacted by this bug. The emergency patches pushed out by Microsoft have left many Zebra users unable to print. While security is a top priority, there are still plenty of organizations for whom printing is a critical business function. This issue should be resolved in Microsoft’s next update.

What Should You Do?

Disclaimer: Here is some advice we have to offer, however guidance to protect from this  vulnerability is still changing. These are recommended best practices and don't guarantee protection from this vulnerability.*

The first thing you need to do is update your Windows device. The update should be downloaded and installed automatically from Windows Update. To manually check for updates, follow these steps:

  1. Select the Start (Windows) button
  2. Go to Settings
  3. Select the Update & Security icon
  4. Choose the Windows Update tab
  5. Click the Check for Updates button

Updating your device should be enough to protect your personal computer. If you're concerned about your organization's network security and want to ensure that you've taken the right steps to mitigate the risk presented by this bug, please reach out to us anytime. Our IT security engineers will help you work through applying the patches and the recommended security steps as we wait for Microsoft to push out a long-term fix via software updates. 

Currently, not all versions of Windows have an update available. If your system doesn’t have an update available yet, here are a few options to mitigate risk:

Note: Options 1 & 2 should be viewed as 'last resort' solutions because your organization's ability to print will be disabled. Although, it may be necessary to disable printing until your organization can apply the patches.

Option 1: Disable the Windows Print Spooler service

  1. Use the Windows start menu to search for Powershell
  2. Right-click Powershell and select Run as administrator
  3. In the Powershell prompt, run the following command to disable Windows Print Spooler:
    Stop-Service -Name Spooler -Force
  4. Then run this command to prevent Windows from re-enabling Print Spooler at startup:
    Stop-Service -Name Spooler -StartupType Disabled
  5. Keep your Print Spooler disabled until Microsoft’s patch is verified and installed on your device.
  6. Once your device is safely patched, you can re-enable Print Spooler in Powershell using:
    Start-Service -Name Spooler and Set-Service -Name Spooler -StartupType Automatic

Impact: This will disable your ability to print locally and remotely

Option 2: Disable inbound remote printing through Group Policy

  1. Open the Group Policy Editor
  2. Go to Computer Configuration / Administrative Templates / Printers
  3. Disable the Allow Print Spooler to accept client connections policy

Impact: This will prevent inbound remote printing operations, but also block the remote attack vector.

Option 3: Work with a Managed Service Provider (MSP)

Outsourcing your IT needs to an MSP relieves the burden from you and/or your IT team. When you work with a reliable service provider, all system updates and maintenance are handled for you. Your organization's IT security should not be left on the back burner. If you need help securing your network or you just don't have the time to play internal IT, then outsourcing some or all of your IT needs can be a great choice.

Impact: A managed IT services provider can give your organization the IT ecosystem it needs and provide 24/7 threat detection and monitoring to make sure your systems are secure.

Microsoft has made it clear the current patch they have available for this bug is a temporary solution. New security patches that will permanently fix the Print Spooler vulnerability will be pushed out in the near future.

It’s no secret that the world is now digital. Your organization’s data and network are your most important assets and if you’re not taking the right approach to IT security, you’re taking a huge risk.

At Loffler, we offer IT security services to help keep your entire IT ecosystem protected. From the start, our engineers will work with you to develop a tailored security strategy that fits the needs of your organization. Plus, ongoing threat detection and response give you some much-needed peace of mind.

Ready to get started on the road toward improving the IT security posture at your organization?

Schedule a time to talk now

*We'll continue to update this blog as we learn more; check back in the future for more information.
 

Read Next: No Cybersecurity Plan? The Real Cost of Network Downtime

Jessica Nead

Jessica is an account executive for the IT Solutions Group at Loffler. She has been with Loffler since 2010 and works closely with clients to understand their business needs and objectives, with the goal of helping them identify the best IT and phone solutions to improve their workplace.