How to Fully Patch the PrintNightmare Vulnerability

Image Credit: Microsoft

If you are an admin who has spent the past week scrambling to patch the PrintNightmare vulnerability, you are not alone. The messaging around this zero-day has been confusing: Microsoft said it had a solution, industry experts said the fix was not effective, and now Microsoft is saying, in effect, “you’re patching it wrong”.

Microsoft isn’t quite saying that you are patching wrong. What it has provided is additional guidance about registry values that the latest update does not change on its own and that you may need to adjust yourself after installing it. In this guide, we will walk through multiple paths and options for securing your infrastructure against PrintNightmare.

Background

On July 6th, Microsoft released an out-of-band patch known as KB5004945. At the heart of the issue is a remote code execution vulnerability that allows an attacker to use the Windows Print Spooler to perform elevated file operations. An attacker who successfully exploits this vulnerability could view, change, or delete data, or create new accounts with full user rights.

In the days following the release, researchers uncovered a way to bypass the patch that Microsoft released. As it turns out, according to Microsoft, installing the patch is not the only step you need to take to fully protect your environment; in some scenarios, you will need to make a change to your registry as well.

Image: Check your system to see if Print Spooler is running

Protecting your Environment without a Patch

Not everyone can install the patch that Microsoft has released. It is being reported that customers with Zebra printers are finding that the patch disables their printers entirely. In this scenario, the patch may protect your environment, but at the cost of losing all printing.

The first step is to determine whether you are running the Print Spooler service. You can check this by taking the following steps:

  1. Hit Windows Key and type PowerShell
  2. Enter the following command: Get-Service -Name Spooler
  3. If you see the words “running” this means the service is running.

Option 1 – Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

  1. Stop-Service -Name Spooler -Force
  2. Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 – Disable inbound remote printing through Group Policy

  1. Navigate to Computer Configuration / Administrative Templates / Printers
  2. Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
  3. You must restart the Print Spooler service for the group policy to take effect.
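The spooler check and Option 1 above are per-machine, interactive steps. The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling: it audits the Print Spooler state on a list of hosts in one pass, reports whether the “Allow Print Spooler to accept client connections” policy is blocking inbound connections (that policy is backed by the RegisterSpoolerRemoteRpcEndPoint value under the Printers policy key, where 2 means disabled and 1 means enabled), and can optionally apply Option 1. The $ComputerName and -DisableSpooler parameters are this script’s own; it assumes WinRM (PowerShell remoting) is enabled on the targets and that you run it as an administrator.

```powershell
# Added example: audit Print Spooler exposure across hosts and optionally apply Option 1.
# Assumes PowerShell remoting is enabled on every target and the caller is an administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hosts to audit; defaults to the local machine.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # When set, stop and disable the Spooler service on every host where it is installed.
    [switch]$DisableSpooler
)

# Runs on each target and returns one summary object per host.
$audit = {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Registry value behind the "Allow Print Spooler to accept client connections" policy:
    # 1 = policy enabled, 2 = policy disabled, absent = not configured (remote connections allowed).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint `
                -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    $remote = switch ($rpc) {
        2       { 'Blocked by policy' }
        1       { 'Allowed by policy' }
        default { 'Not configured (allowed)' }
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        SpoolerStatus           = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartupType             = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemoteClientConnections = $remote
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit
$results | Format-Table ComputerName, SpoolerStatus, StartupType, RemoteClientConnections -AutoSize

# Option 1 from the article, applied remotely. -WhatIf shows what would change without changing it.
if ($DisableSpooler) {
    foreach ($r in ($results | Where-Object SpoolerStatus -ne 'NotInstalled')) {
        if ($PSCmdlet.ShouldProcess($r.ComputerName, 'Stop and disable the Print Spooler service')) {
            Invoke-Command -ComputerName $r.ComputerName -ScriptBlock {
                Stop-Service -Name Spooler -Force
                Set-Service -Name Spooler -StartupType Disabled
            }
        }
    }
}
```

Run it first without -DisableSpooler to get an inventory of where the spooler is running and whether inbound connections are still allowed; that list tells you which hosts actually need Option 1 or Option 2. Because the script supports -WhatIf, a dry run with -DisableSpooler -WhatIf prints the hosts it would change so the list can be reviewed before printing is removed from anything.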

Protecting your Environment with a Patch

If you have determined that installing the patch is safe for your environment, these are the steps you need to take to fully mitigate the PrintNightmare vulnerability.

After applying the patch for CVE-2021-34527, you will need to check the registry for specific values. To do this, follow these steps:

  1. Hit the Windows Key
  2. Type Registry Editor, hit enter
  3. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  4. If this registry key does not exist on your system, no further action is needed
  5. If this registry key does exist on your system, set NoWarningNoElevationOnInstall = 0 (DWORD) or leave it undefined
  6. Also set UpdatePromptSettings = 0 (DWORD) or leave it undefined
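Opening Registry Editor on every patched machine does not scale, and a non-zero value is easy to miss. The script below is an added example written for this guide, not code from the article or from Microsoft: it checks the two Point and Print values the steps above name, reports whether each is 0, undefined, or insecure, and with the script’s own -Remediate switch sets any non-zero value back to 0 (DWORD). It assumes it is run locally as an administrator; to run it across a fleet, wrap its body in Invoke-Command as in the earlier spooler audit.

```powershell
# Added example: verify (and optionally fix) the Point and Print values that must be
# 0 or undefined for the CVE-2021-34527 update to be effective. Run as an administrator.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Without this switch the script only reports; with it, insecure values are set to 0.
    [switch]$Remediate
)

$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
# The two values Microsoft calls out; each must be 0 (DWORD) or not defined at all.
$required = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

if (-not (Test-Path -Path $key)) {
    Write-Output "PointAndPrint key not present at $key - no further action is needed."
    return
}

$props = Get-ItemProperty -Path $key
$findings = foreach ($name in $required) {
    $value = $props.$name   # $null when the value is not defined under the key
    $state = if ($null -eq $value) { 'Undefined (OK)' }
             elseif ($value -eq 0)  { '0 (OK)' }
             else                   { 'INSECURE' }
    [pscustomobject]@{ Name = $name; Value = $value; State = $state }
}
$findings | Format-Table -AutoSize

$insecure = $findings | Where-Object State -eq 'INSECURE'
if (-not $insecure) {
    Write-Output 'Point and Print values are compliant with the post-patch guidance.'
}
elseif ($Remediate) {
    foreach ($f in $insecure) {
        # ShouldProcess gives -WhatIf / -Confirm support for the registry write.
        if ($PSCmdlet.ShouldProcess("$key\$($f.Name)", 'Set to 0 (DWORD)')) {
            Set-ItemProperty -Path $key -Name $f.Name -Value 0 -Type DWord
        }
    }
}
else {
    Write-Warning 'One or more Point and Print values are non-zero; rerun with -Remediate to set them to 0.'
}
```

Because these values live under the Policies hive, they are normally written by Group Policy; if a GPO sets them to 1, the script’s fix will be undone at the next policy refresh, so the lasting correction is to change or remove the policy setting rather than only the local value.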

After following these steps, Microsoft says that your environment will be protected against the PrintNightmare vulnerability. These are important steps to follow as this will protect your environment from an actively exploited zero-day.

Conclusion:

Given the pervasiveness of ransomware spreading across the IT industry and new reports of attacks popping up weekly, it is imperative that IT admins figure out faster and more effective ways to manage their environments.

In years past, it was acceptable to wait a couple of weeks before applying updates to see if they caused more harm than good. But as recent security updates have shown, malicious actors are moving faster and doing more damage in shorter periods of time than we have ever seen before.

If you haven’t done so already, making sure you have resilient backup and recovery processes is more important with each passing week. If you haven’t planned to test a recovery scenario, add that to your ever-growing task list.

Brad Sams has more than a decade of writing and publishing experience under his belt, including helping to establish new and seasoned publications. From breaking news about upcoming Microsoft products to telling the story of how a billion-dollar brand was birthed in his book, Beneath a Surface, Brad is a well-rounded journalist who has established himself as a trusted name in the industry.