This 7 days, PrintNightmare – Microsoft’s Print Spooler vulnerability (CVE-2021-34527) was upgraded from a ‘Low’ criticality to a ‘Critical’ criticality.
This is due to a Evidence of Principle released on GitHub, which attackers could likely leverage for attaining entry to Area Controllers.
As we described previously, Microsoft now introduced a patch in June 2021, but it was not more than enough to cease exploits. Attackers can nevertheless use Print Spooler when connecting remotely. You can locate all you need to know about this vulnerability in this report and how you can mitigate it (and you can).
Print Spooler in a nutshell: Print Spooler is Microsoft’s company for taking care of and monitoring information printing. This company is between Microsoft’s oldest and has had negligible servicing updates since it was launched.
Each Microsoft machine (servers and endpoints) has this aspect enabled by default.
PrintNightmare vulnerability: As before long as an attacker gains confined person entry to a community, he will be ready to connect (directly or remotely) to the Print Spooler. Considering that the Print Spooler has immediate obtain to the kernel, the attacker can use it to achieve accessibility to the working procedure, run distant code with procedure privileges, and ultimately assault the Domain Controller.
Your best solution when it arrives to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on each individual server and/or sensitive workstation (this sort of as administrators’ workstations, direct world wide web-experiencing workstations, and non-printing workstations).
This is what Dvir Goren’s, hardening professional and CTO at CalCom Software program Alternatives, suggests as your initially transfer toward mitigation.
Follow these measures to disable the Print Spooler support on Home windows 10:
- Open Get started.
- Search for PowerShell, appropriate-simply click on it and pick the Operate as administrator.
- Variety the command and press Enter: Cease-Assistance -Title Spooler -Force
- Use this command to prevent the support from commencing back again up once again all through restart: Set-Assistance -Name Spooler -StartupType Disabled
According to Dvir’s practical experience, 90% of servers do not involve Print Spooler. It is the default configuration for most of them, so it is typically enabled. As a end result, disabling it can address 90% of your trouble and have minimal impression on production.
In substantial and advanced infrastructures, it can be complicated to track down exactly where Print Spooler is employed.
Here are a number of illustrations where by Print Spooler is required:
- When using Citrix services,
- Fax servers,
- Any software necessitating digital or physical printing of PDFs, XPSs, and so on. Billing services and wage purposes, for instance.
Right here are a several examples when Print Spooler is not wanted but enabled by default:
- Domain Controller and Energetic Listing – the primary risk in this vulnerability can be neutralized by working towards essential cyber cleanliness. It can make no feeling to have Print Spooler enabled in DCs and Ad servers.
- Member servers these types of as SQL, File Process, and Trade servers.
- Equipment that do not call for printing.
A couple other hardening ways instructed by Dvir for devices dependent on Print Spooler contain:
- Exchange the susceptible Print Spooler protocol with a non-Microsoft assistance.
- By shifting ‘Allow Print Spooler to acknowledge consumer connections’, you can prohibit users’ and drivers’ accessibility to the Print Spooler to teams that have to use it.
- Disable Print Spooler caller in Pre-Home windows 2000 compatibility group.
- Make certain that Place and Print is not configured to No Warning – verify registry vital Software package/Guidelines/Microsoft/Home windows NT/Printers/PointAndPrint/NoElevationOnInstall for DWORD value 1.
- Change off EnableLUA – check out registry vital Software program/Microsoft/Windows/CurrentVersion/Procedures/Method/EnableLUA for DWORD worth .
Here’s what you have to have to do upcoming to assure your firm is safe:
- Recognize exactly where Print Spooler is remaining employed on your community.
- Map your community to obtain the machines that ought to use Print Spooler.
- Disable Print Spooler on machines that do not use it.
- For equipment that involve Print Spooler – configure them in a way to reduce its assault surface.
Beside this, to come across opportunity proof of exploitation, you must also observe Microsoft-Home windows-PrintService/Admin log entries. There could possibly be entries with error messages that show Print Spooler cannot load plug-in module DLLs, while this can also happen if an attacker packaged a legitimate DLL that Print Spooler calls for.
The closing advice from Dvir is to implement these tips by way of hardening automation equipment. Without having automation, you will invest a great number of hrs making an attempt to harden manually and may possibly conclude up susceptible or resulting in methods to go down
After deciding on your program of motion, a Hardening automation software will discover wherever Print Spooler is enabled, where by they are in fact made use of, and disable or reconfigure them immediately.