What is the PrintNightmare Vulnerability?

PrintNightmare: According to reports, the Windows Print Spooler service is vulnerable to remote code execution when it improperly performs privileged file operations. An attacker who exploits this vulnerability can run arbitrary code with elevated privileges. This could enable the attacker to install programs; view, change, or delete data; or create new accounts with full user rights.

How to mitigate or temporarily protect your system from a PrintNightmare attack?

1. Restrict Printer Driver Installation to Administrators Only

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f

Check Print Spooler service status

Open PowerShell as Administrator and execute the command below.

Get-Service -Name Spooler

2. Disable The Print Spooler Service

After disabling the Print Spooler service, you may not be able to print locally or remotely.

Command To Stop Spooler Service

Execute the command below in PowerShell (run as administrator) to stop the Spooler service.

Stop-Service -Name Spooler -Force

Command To Change StartupType to Disabled

Set-Service -Name Spooler -StartupType Disabled

3. Group Policy: Disable Remote Printing

Disable “Allow Print Spooler to accept client connections” in Group Policy (gpedit.msc) to block remote attacks.

Open Run -> type “gpedit.msc” -> press the Enter key

Group Policy Editor will open, navigate to Computer Configuration > Administrative Templates > Printers

In the right pane, scroll down to “Allow Print Spooler to accept client connections”, double-click to open the policy, and then select “Disabled”.

Now restart the Print Spooler service.

4. How to restart the Print Spooler service?

Enter these commands in PowerShell to restart the Print Spooler service.

Stop-Service -Name Spooler -Force
Start-Service -Name Spooler
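
To confirm that the steps above actually took effect, the read-only check below reports the state of each mitigation. It is an added example, not part of the original article or of Microsoft's guidance; the function names are hypothetical, and the registry value name RegisterSpoolerRemoteRpcEndPoint (the value behind the step 3 policy) does not appear in the article.

```powershell
# Added example: read-only audit of the mitigations described above.
# Run in an elevated PowerShell session on the machine being checked.

function Get-PolicyValue {
    # Hypothetical helper: returns $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-CheckResult {
    # Hypothetical helper: one row of the report.
    param([string]$Check, $Value, [bool]$Applied)
    if ($null -eq $Value) { $Value = 'not set' }
    [pscustomobject]@{ Check = $Check; Value = $Value; Applied = $Applied }
}

function Get-PrintNightmareMitigationStatus {
    $printers = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'

    # Step 1: the value written by the reg add command; 1 means restricted.
    $restrict = Get-PolicyValue -Path "$printers\PointAndPrint" `
        -Name 'RestrictDriverInstallationToAdministrators'
    New-CheckResult '1. Driver install restricted to Administrators' $restrict ($restrict -eq 1)

    # Step 2: the service must be both stopped and disabled; a stopped
    # service that is still set to Automatic starts again at the next boot.
    $spooler = Get-Service -Name Spooler
    $state   = "$($spooler.Status) / $($spooler.StartType)"
    $off     = ($spooler.Status -eq 'Stopped') -and ($spooler.StartType -eq 'Disabled')
    New-CheckResult '2. Print Spooler stopped and disabled' $state $off

    # Step 3: "Allow Print Spooler to accept client connections" is stored as
    # RegisterSpoolerRemoteRpcEndPoint (1 = Enabled, 2 = Disabled). This name
    # is not in the article; absent means the policy is Not Configured.
    $remote = Get-PolicyValue -Path $printers -Name 'RegisterSpoolerRemoteRpcEndPoint'
    New-CheckResult '3. Remote client connections disabled' $remote ($remote -eq 2)
}

Get-PrintNightmareMitigationStatus | Format-Table -AutoSize
```

A host that must keep printing locally will show check 2 as not applied; in that case it relies on checks 1 and 3.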

Refer: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527