PrintNightmare — Windows Print Spooler (CVE-2021-34527) Remediation (How to fix)
Technical Details
A remote code execution vulnerability exists wherein the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges and could then install programs, view, change, or delete data or create new accounts with full user privileges.
MITRE Technique Alignment (2)
PrintNightmare — Windows Print Spooler RCE/LPE CVE-2021-34527
A remote code execution vulnerability exists in the Windows Print Spooler service (spoolsv.exe), wherein the service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user privileges.
Detection
To check whether the Print Spooler is exposed on a remote machine, list its RPC endpoints with Impacket's rpcdump and look for the print system interfaces (MS-RPRN, the Print System Remote Protocol, and MS-PAR, the Print System Asynchronous Remote Protocol); if either is listed, the spooler is running and reachable over RPC:
rpcdump.py @IPaddress | grep -E 'MS-RPRN|MS-PAR'
Remediations
1- Windows update
If your Windows Server or Windows 10 machine is running a version lower than 20H2, it is vulnerable to PrintNightmare. Update to the latest version of Windows (if applicable).
2- Disable Domain Controller Print Spooler Service
Disabling the print spooler service on the Domain Controller prevents Spooler service attacks.
To disable the Print Spooler service, follow these steps:
- Connect to the DC via RDP.
- Run services.msc as administrator.
- Locate the Print Spooler service.
- Stop the service.
- Open the service's properties and set the startup type to Disabled.
3- Disable inbound remote printing through Group Policy
Configure the settings via Group Policy as follows:
- Computer Configuration / Administrative Templates / Printers
- Set the "Allow Print Spooler to accept client connections" policy to Disabled to block remote attacks.
- You must restart the Print Spooler service for the group policy to take effect.
- On the domain controller, select Start, select Administrative Tools, and then select Group Policy Management. Or, select Start, select Run, type GPMC.MSC, and then press Enter.
- Expand the forest and then the domains.
- Under your domain, select the OU where you want to create this policy.
- Right-click the Organizational Unit, and then select Create a GPO in this domain, and link it here.
- Give the GPO a name, and then select OK.
- Right-click the newly created Group Policy Object, and then select Edit to open Group Policy Management Editor.
- In Group Policy Management Editor, expand the following folders: Computer Configuration > Policies > Administrative Templates > Control Panel > Printers.
- Set "Allow Print Spooler to accept client connections" to Disabled.
- Restart the Print Spooler service so the policy takes effect: Restart-Service -Name Spooler -Force
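The following PowerShell script is an added example, not part of the original article: it audits a host against remediations 2 and 3 above (spooler state and startup type, and whether the "Allow Print Spooler to accept client connections" policy is disabled) and, with -Remediate, applies the matching fix. It assumes it is run elevated, and that the policy is backed by the RegisterSpoolerRemoteRpcEndPoint registry value under the Policies\...\Printers key (2 = Disabled).

```powershell
# Added example: audit / remediate PrintNightmare spooler exposure.
# Assumptions: run as administrator; "Allow Print Spooler to accept client
# connections" maps to RegisterSpoolerRemoteRpcEndPoint (DWORD, 2 = Disabled).
[CmdletBinding()]
param([switch]$Remediate)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDC = $role -in 4, 5

$svc = Get-Service -Name Spooler
$remoteRpc = (Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint `
    -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

# Report the current state before changing anything.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    IsDomainController = $isDC
    SpoolerStatus      = $svc.Status
    SpoolerStartType   = $svc.StartType
    ClientConnections  = if ($null -eq $remoteRpc) { 'NotConfigured' }
                         elseif ($remoteRpc -eq 2) { 'Disabled' }
                         else { 'Enabled' }
} | Format-List

if (-not $Remediate) { return }

if ($isDC) {
    # Remediation 2: a domain controller should not run the spooler at all.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Spooler stopped and disabled (domain controller).'
}
else {
    # Remediation 3: keep local printing, but refuse inbound client connections.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    # The spooler must be restarted for the setting to take effect.
    Restart-Service -Name Spooler -Force
    Write-Host 'Inbound spooler client connections disabled; spooler restarted.'
}
```

Run it without -Remediate first to see the audit output; setting the registry value locally is equivalent to the GPO setting but will be overwritten by domain policy on the next refresh, so prefer the GPO for domain-joined hosts.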