PrintNightmare is the name given to a vulnerability in the Windows Print Spooler service, the service responsible for sending print jobs to a print device. An attacker could exploit the vulnerability to run code remotely on an affected system. It is worth noting that, while this vulnerability should be taken seriously, it can only be exploited by an attacker who has already authenticated to the remote system.
What Operating Systems are affected?
All versions of Windows client and Server Operating Systems are affected.
What should I do?
Microsoft has released KB5005010 as an out-of-band security update to patch the PrintNightmare vulnerability. Apply this patch to all affected systems.
This patch is also part of Security Rollup KB5004954.
We also recommend that the spooler be disabled on Domain Controllers and member servers that do not provide print services.
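The following PowerShell script is an added example (it is not part of this advisory) showing one way to apply the recommendation above on a server: it checks whether the machine is a domain controller or shares any printers, and stops and disables the Spooler service only when the server is a domain controller or provides no print shares. Run it from an elevated session; -WhatIf previews the change without making it.

```powershell
# Added example, not from the original advisory: disable the Print Spooler on
# domain controllers and on member servers that share no printers.
# Run elevated. Use -WhatIf to preview the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return $role -ge 4
}

function Get-SharedPrinterCount {
    # Get-Printer (PrintManagement module) fails when the spooler is stopped;
    # treat that as "no shared printers".
    $printers = Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared }
    return @($printers).Count
}

$isDC    = Test-IsDomainController
$shared  = Get-SharedPrinterCount
$spooler = Get-Service -Name Spooler

"Domain controller : $isDC"
"Shared printers   : $shared"
"Spooler status    : $($spooler.Status) (StartType: $($spooler.StartType))"

if ($isDC -or $shared -eq 0) {
    # Domain controllers never need the spooler; neither do servers with no print shares.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
        "Spooler stopped and disabled."
    }
} else {
    # A server that shares printers keeps the spooler and gets the print-server hardening instead.
    "This server shares $shared printer(s); leaving the spooler running."
}
```

Disabling the startup type, not just stopping the service, is what matters: a stopped spooler with an Automatic start type comes back at the next reboot.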
Additional remediation for Print Servers
For systems operating as print servers you will also need to manually apply the following changes:
Check the Point & Print registry values under HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint:
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined
UpdatePromptSettings = 0 (DWORD) or not defined
Check that the Point and Print Restrictions Group Policy is not enabled.
If the above registry values are 0 (or not defined) and the Point and Print Restrictions Group Policy is not enabled, there are no additional requirements. The server is now patched and not vulnerable to PrintNightmare.
If either of the above conditions is not met, secure Point & Print restrictions by following the steps below.
- Open the Group Policy editor tool and go to Computer Configuration > Administrative Templates > Printers.
- Configure the Point and Print Restrictions Group Policy setting as follows:
  - Set the Point and Print Restrictions Group Policy setting to “Enabled”.
  - “When installing drivers for a new connection”: “Show warning and elevation prompt”.
  - “When updating drivers for an existing connection”: “Show warning and elevation prompt”.
Restrict installation of print Drivers on the server to Administrators
An additional security measure is to prevent non-administrators from installing print drivers on the print server.
To restrict the installation of new printer drivers, manually set the RestrictDriverInstallationToAdministrators registry value as follows:
- Registry location: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- DWORD name: RestrictDriverInstallationToAdministrators
- Value data: 1
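The script below is an added example (not part of this advisory) that audits the Point & Print values listed in the check above and, with the hypothetical -Enforce switch, writes the RestrictDriverInstallationToAdministrators value described in this section. It assumes that the Point and Print Restrictions policy records its enabled state in the Restricted value of the same key (1 = Enabled); that mapping is an assumption of the example, not something the advisory states. Run it elevated on the print server.

```powershell
# Added example, not from the original advisory: audit the Point & Print
# registry values and optionally enforce RestrictDriverInstallationToAdministrators = 1.
# Run elevated on the print server. -WhatIf previews the write.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # hypothetical switch: write RestrictDriverInstallationToAdministrators = 1
)

$KeyPath = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValue {
    param([string]$Name)
    # Returns $null when the key or the value does not exist ("not defined").
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Values from the advisory: each must be 0 or not defined.
$compliant = $true
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $value = Get-PointAndPrintValue -Name $name
    $state = if ($null -eq $value) { 'not defined' } else { $value }
    $ok    = ($null -eq $value) -or ($value -eq 0)
    if (-not $ok) { $compliant = $false }
    '{0,-42} {1,-12} {2}' -f $name, $state, $(if ($ok) { 'OK' } else { 'FAIL' })
}

# Assumption: the Point and Print Restrictions policy writes Restricted = 1 when Enabled.
$restricted = Get-PointAndPrintValue -Name 'Restricted'
$policyState = switch ($restricted) {
    $null   { 'not configured' }
    1       { 'enabled' }
    default { 'disabled' }
}
'{0,-42} {1}' -f 'Point and Print Restrictions policy', $policyState

$rdita = Get-PointAndPrintValue -Name 'RestrictDriverInstallationToAdministrators'
'{0,-42} {1}' -f 'RestrictDriverInstallationToAdministrators', $(if ($null -eq $rdita) { 'not defined' } else { $rdita })

if ($compliant -and $policyState -ne 'enabled') {
    'Point & Print values meet the advisory conditions; no further Point & Print change needed.'
} else {
    'Configure the Point and Print Restrictions policy with warning and elevation prompts.'
}

if ($Enforce -and $PSCmdlet.ShouldProcess($KeyPath, 'Set RestrictDriverInstallationToAdministrators = 1')) {
    # Create the key if the policy has never been applied on this server.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'RestrictDriverInstallationToAdministrators' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    'RestrictDriverInstallationToAdministrators set to 1.'
}
```

Because the key lives under HKLM\Software\Policies, a Group Policy refresh can overwrite a value set by hand; if the setting is managed centrally, check the result again after the next gpupdate.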
The net effect of these changes is that end users can only install signed print drivers when connecting to the shared print queue on this server. If an end user tries to install an unsigned driver from the server, they will be prompted for local administrator credentials on their PC to allow the installation to continue.
On the print server, only accounts with Administrator privileges or above will be allowed to install print drivers.
Our preferred print drivers for both Canon and Ricoh devices are both packaged and signed and have been certified by the Windows Hardware Quality Lab. This will ensure that end users are not prevented from installing printer drivers shared from a fully patched print server.