Update: 08/09/21 – Microsoft have released KB5005652 which does remediate the collection of vulnerabilities known as PrintNightmare. It achieves this by preventing non-Admin users from installing printer drivers. A rather hasty move given that most users will not have local admin privileges on their computer, and we all need to print. This will likely become a support headache for IT departments as they will need to oversee the installation of all print drivers once the patch has been applied.
There are three possible ways to overcome this:
- IT Departments can push their print queues via Microsoft System Center or Endpoint Configuration Manager. This is now the only recommended way to distribute print queues across an organization.
- Print queues deployed via Group Policy are affected by the patch and will no longer work. The fix is to combine several policies to temporarily disable the registry key responsible for requiring admin consent. The printer policy can then install the print driver and finish up by re-enabling the registry key RestrictDriverInstallationToAdministrators=1. A bit of a messy solution which has yielded mixed results so far.
- The third option is to use V4 type print drivers as they are excluded from requiring Admin consent. Not an ideal solution either, as V4 drivers tend to be less feature rich and have been known to cause issues. Print management applications like Papercut and uniFLOW also don’t behave too well using V4 type drivers.
So, while Microsoft can say they have remediated this vulnerability they have also done nothing to assist organisations in providing a secure environment where users can safely and easily install a printer. So, still a Print Nightmare!
I expect there to be further updates and hopefully a solution that allows for the secure distribution of print drivers.
What is PrintNightmare?
PrintNightmare is the name given to a vulnerability in the Windows Print Spooler service that is responsible for sending print jobs to a print device. The vulnerability could be exploited by an attacker allowing them to remotely run code on a compromised system. It is worth noting that while this vulnerability should be taken seriously it can only be exploited if the attacker has already authenticated against the remote system.
What Operating Systems are affected?
All versions of Windows client and Server Operating Systems are affected.
What should I do?
Microsoft has released KB5005010 as an out of band security update to patch the Print Nightmare vulnerability. Apply this patch to all affected systems.
This patch is also part of Security Rollup KB5004954.
We also recommend that the spooler be disabled on Domain Controllers and member servers that do not provide print services.
Additional remediation for Print Servers
For systems operating as print servers you will also need to manually apply the following changes:
Check the Point & Print settings
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined
UpdatePromptSettings = 0 (DWORD) or not defined
Check that the Point and Print Restrictions Group Policy is not enabled.
If the above registry entries are set to 0 or not defined and the Point and Print Restrictions Group Policy is not enabled, then there are no additional requirements. The server is now patched and not vulnerable to PrintNightmare.
If either of the above conditions is not met, then you can secure Point & Print restrictions by following the steps below.
- Open the group policy editor tool and go to Computer Configuration > Administrative Templates > Printers.
- Configure the Point and Print Restrictions Group Policy setting as follows:
  - Set the Point and Print Restrictions Group Policy setting to “Enabled”.
  - “When installing drivers for a new connection”: “Show warning and elevation prompt”.
  - “When updating drivers for an existing connection”: “Show warning and elevation prompt”.
Restrict installation of print Drivers on the server to Administrators
An additional security measure is to prevent non-Administrators from installing print drivers on the print server.
To restrict the installation of new printer drivers, manually set the RestrictDriverInstallationToAdministrators registry value as follows:
Registry location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
DWord name: RestrictDriverInstallationToAdministrators
Value Data: 1
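The following PowerShell script is an added example, not part of the original post: it audits the Point & Print registry values listed above (NoWarningNoElevationOnInstall, UpdatePromptSettings and RestrictDriverInstallationToAdministrators), reports whether the out-of-band patch is visible and whether the Spooler service is running, and with -Enforce sets RestrictDriverInstallationToAdministrators to 1. It assumes it is run from an elevated prompt on the print server; the Point and Print Restrictions Group Policy state still has to be confirmed in the Group Policy editor as described above.

```powershell
# Added example: audit (and optionally enforce) the PointAndPrint settings
# from this post. Run elevated on the print server. Not the post's own code.
param([switch]$Enforce)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PnPValue {
    param([string]$Name)
    # Returns $null when the key or the value does not exist ("not defined").
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Show-Value($v) { if ($null -eq $v) { 'not defined' } else { $v } }

$findings = @()
# Both values must be 0 or not defined for the patched server to be safe.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PnPValue $name
    $findings += [pscustomobject]@{ Check = $name; Value = (Show-Value $v); Ok = (($null -eq $v) -or ($v -eq 0)) }
}

# Driver installation restricted to Administrators (value must be 1).
$restrict = Get-PnPValue 'RestrictDriverInstallationToAdministrators'
$findings += [pscustomobject]@{ Check = 'RestrictDriverInstallationToAdministrators'; Value = (Show-Value $restrict); Ok = ($restrict -eq 1) }

# Quick check that one of the KBs named in the post is installed.
$kb = Get-HotFix -Id 'KB5005010', 'KB5004954', 'KB5005652' -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = 'PrintNightmare KB installed'; Value = (($kb | ForEach-Object HotFixID) -join ','); Ok = [bool]$kb }

# Spooler should be disabled on DCs and servers that do not provide print services.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Check = 'Spooler service'; Value = $spooler.Status; Ok = ($spooler.Status -ne 'Running') }

$findings | Format-Table -AutoSize

if ($Enforce) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Write-Host 'RestrictDriverInstallationToAdministrators set to 1.'
}
```

The Spooler check is only a reminder: on a print server the service must stay running, so treat that row as informational there.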
The net effect of these changes is that end users can only install signed print drivers when connecting to the shared print queue on this server. If the end user tries to install a non-signed driver from the server they will be prompted for local admin credentials on their PC to allow the installation to continue.
On the print Server, only accounts with Administrator privileges or above will be allowed to install print drivers.
Our preferred print drivers for both Canon and Ricoh devices are both packaged and signed and have been certified by the Windows Hardware Quality Lab. This will ensure that end users are not prevented from installing printer drivers shared from a fully patched print server.