What is the PrintNightmare vulnerability?
PrintNightmare: According to reports, the Windows Print Spooler service is vulnerable to remote code execution when it improperly performs privileged file operations. An attacker who exploits this vulnerability can run arbitrary code with elevated privileges. This could enable the attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
How to mitigate or temporarily protect your system from a PrintNightmare attack?
1. Restrict printer driver installation to Administrators only
- Open Command Prompt (cmd.exe) as Administrator
- Copy and paste the following command into Command Prompt and press Enter. It adds the registry value RestrictDriverInstallationToAdministrators and sets it to 1.
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f
Check Print Spooler service status
Open PowerShell as Administrator and run the command below.
Get-Service -Name Spooler
2. Disable The Print Spooler Service
After disabling the Print Spooler service, you may not be able to print either locally or remotely.
Command to stop the Spooler service
Run the command below in PowerShell (as Administrator) to stop the Spooler service.
Stop-Service -Name Spooler -Force
Command to change StartupType to Disabled
Set-Service -Name Spooler -StartupType Disabled
3. Group Policy: Disable Remote Printing
Disable “Allow Print Spooler to accept client connections” in Group Policy (gpedit.msc) to block remote attacks.
Open Run -> type “gpedit.msc” -> press Enter
The Group Policy Editor will open. Navigate to Computer Configuration > Administrative Templates > Printers
In the right pane, scroll down to “Allow Print Spooler to accept client connections”, double-click to open the policy, and then select “Disabled”.
Now restart the Print Spooler service.
4. How to restart the Print Spooler service?
Enter these commands in PowerShell to restart the Print Spooler service.
Stop-Service -Name Spooler -Force
Start-Service -Name Spooler
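To confirm which of the mitigations above are actually in place on a machine, the following read-only check can be run from an elevated PowerShell session. It is an added example, not part of the original article; the helper names Get-PolicyValue and Show-Value are hypothetical, and the registry value RegisterSpoolerRemoteRpcEndPoint (2 = Disabled) behind the Group Policy setting in step 3 is not named in the article.

```powershell
# Added example: read-only audit of the mitigations described above.
# Run from an elevated PowerShell session; nothing is modified.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Show-Value($v) { if ($null -eq $v) { 'not set' } else { "$v" } }

$printers = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'

# 1. Value written by the "reg add" command in step 1.
$restrict = Get-PolicyValue "$printers\PointAndPrint" 'RestrictDriverInstallationToAdministrators'

# 2. Spooler service state; $null means the service is not installed.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# 3. Assumption: registry value behind "Allow Print Spooler to accept client
#    connections" (2 = policy Disabled). The name is not given in the article.
$remote = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'

$results = @(
    [pscustomobject]@{
        Mitigation = '1. Driver install restricted to Administrators'
        Observed   = Show-Value $restrict
        Applied    = ($restrict -eq 1)
    }
    [pscustomobject]@{
        Mitigation = '2. Spooler stopped and disabled'
        Observed   = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not present' }
        Applied    = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
    [pscustomobject]@{
        Mitigation = '3. Remote client connections refused'
        Observed   = Show-Value $remote
        Applied    = ($remote -eq 2)
    }
)

$results | Format-Table -AutoSize

# The policy in step 3 only takes effect after the Spooler restarts, so a
# running service with Applied = True for row 3 may still need the restart in step 4.
```

A row showing "not set" means the policy value is absent, which is different from it being explicitly set to a weaker value.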
Refer: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527