- Microsoft has started testing a new Windows Protected Print Mode (WPP) to prevent security risks (such as PrintNightmare) on Windows PCs.
- Windows Protected Print Mode (WPP) improves security by restricting third-party driver installations and blocking malicious code.
- Microsoft has rolled out support for WPP to Windows Insiders in the Canary Channel.
Microsoft is planning to introduce a new Windows Protected Print Mode in Windows 11. The new feature eliminates the need for third-party printer drivers and brings several security enhancements for Windows PCs.
The Microsoft Offensive Research & Security Engineering (MORSE) team has collaborated with the Windows Print team to make the built-in printing experience more secure on Windows machines. The company has acknowledged that the Windows Print System has been vulnerable to attacks by threat actors (such as PrintNightmare and other Print Spooler vulnerabilities) for a long time. It’s challenging to secure the print stack mainly due to the reliance on third-party drivers.
There are certain compatibility issues between legacy drivers and modern security mitigations, including Control-Flow Enforcement Technology (CET), Control Flow Guard (CFG), and Arbitrary Code Guard (ACG). Microsoft depends on printer manufacturers to update these drivers, making the print service vulnerable to modern exploits.
Microsoft recommends that organizations switch to Internet Printing Protocol (IPP) based printing, which operates in conjunction with driverless printing. It offers several advantages, such as built-in encryption, access control, simpler code, and authentication. However, it’s worth noting that IPP-based printing currently still runs alongside driver-based printing, which limits how far security enhancements can be applied.
Microsoft explained that Windows Protected Print Mode builds on the IPP mechanism by exclusively allowing Mopria-certified printers and blocking third-party drivers completely. WPP prevents attackers from abusing Dynamic Link Library (DLL) loading to run malicious code in the print stack. Microsoft has also implemented a restriction so that only the Microsoft-signed binaries necessary for IPP can be loaded.
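Because WPP blocks every third-party driver, an administrator will want to know which installed printer drivers are not Microsoft's own before enabling it. The following PowerShell audit script is an added example, not code from the article or from Microsoft; it assumes the PrintManagement cmdlets `Get-PrinterDriver` and `Get-Printer` and the `DriverPath` property, and the signer-subject patterns it matches on are a heuristic.

```powershell
# Added example (not from the article): list installed printer drivers,
# classify each by who signed its main driver binary, and show which
# printers depend on it. Drivers that are not inbox Microsoft drivers are
# the ones WPP will refuse to load.
#Requires -Modules PrintManagement

function Get-PrinterDriverSignerReport {
    $printers = Get-Printer -ErrorAction SilentlyContinue
    foreach ($drv in Get-PrinterDriver) {
        $signer = ''
        $status = 'NoDriverPath'
        if ($drv.DriverPath -and (Test-Path -LiteralPath $drv.DriverPath)) {
            # Catalog-signed (WHQL) files are resolved by Get-AuthenticodeSignature too
            $sig    = Get-AuthenticodeSignature -FilePath $drv.DriverPath
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Heuristic classification (assumption): inbox Microsoft drivers are
        # signed by "CN=Microsoft Windows"; third-party WHQL drivers are signed
        # by the "Hardware Compatibility Publisher" cert; anything else is
        # vendor-signed or unsigned.
        $class = switch -Regex ($signer) {
            'CN=Microsoft Windows,'             { 'Microsoft inbox'; break }
            'Hardware Compatibility Publisher'  { 'Third-party (WHQL)'; break }
            default                             { if ($status -eq 'Valid') { 'Third-party (vendor-signed)' } else { "Third-party ($status)" } }
        }

        [pscustomobject]@{
            Driver         = $drv.Name
            Manufacturer   = $drv.Manufacturer
            Class          = $class
            SignatureState = $status
            DriverPath     = $drv.DriverPath
            UsedByPrinters = (($printers | Where-Object DriverName -eq $drv.Name).Name) -join ', '
        }
    }
}

# Non-Microsoft drivers first, so the WPP compatibility risks are at the top.
Get-PrinterDriverSignerReport |
    Sort-Object @{ Expression = { $_.Class -eq 'Microsoft inbox' } }, Driver |
    Format-Table Driver, Manufacturer, Class, SignatureState, UsedByPrinters -AutoSize
```

Run it in an elevated PowerShell session; printers whose driver is not classed "Microsoft inbox" are the ones to test against IPP/Mopria driverless printing before WPP is turned on.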
“WPP builds on the existing IPP print stack where only Mopria certified printers are supported, and disables the ability to load third-party drivers,” Microsoft explained. “Our goal is to ultimately provide the most secure default configuration and provide the flexibility to revert back to legacy (driver-based) printing at any time, if users find their printer is not compatible.”
Microsoft will no longer allow the installation of third-party drivers through Point and Print. In addition, WPP will notify users when their print traffic is encrypted and recommend enabling encryption if it is not already enabled. XPS rendering will now run with “user” privileges instead of “SYSTEM” to limit the impact of memory corruption vulnerabilities.
Microsoft notes that support for Windows Protected Print is currently rolling out to Insiders in the Canary Channel. However, there’s no word on when this feature will become generally available for all Windows users. Windows Insiders can enable the feature via Local Group Policy Editor, and you can find more details on Microsoft’s official blog post.