question

0 Votes
RAMIC21-5865 asked RAMIC21-5865 commented

PrintNightmare Print Spooler vulnerability

Hi, please, I need to know how to check that the PrintNightmare vulnerability of the Windows Print Spooler is fixed after applying the GPO that disables "Allow Print Spooler to accept client connections".
So, after applying this workaround, how do I check that this GPO is applied and the vulnerability is fixed?
Kind regards

windows-server

0 Votes
LeonLaude answered RAMIC21-5865 commented

Hi @RAMIC21-5865,

In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), and also that your Group Policy settings are correct (see FAQ):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

  • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

  • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527


If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!


Best regards,
Leon


Hi @LeonLaude,

Thank you very much for the answer, but if I understood correctly, to fix the vulnerability I must implement one of the following workarounds:
1. disable print spooler service
2. disable inbound client connections : Disabling the "Allow Print Spooler to accept client connections" feature

I chose the second workaround, which is more suitable for our environment, so my question is: after this action, how do I check that it is properly applied on the servers?
In some documentation I found this solution, which adds the registry key "software\policies\microsoft\windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint" with a value equal to 2.

best regards


0 Votes 0 ·

Disabling the “Allow Print Spooler to accept client connections” policy should set the RegisterSpoolerRemoteRpcEndPoint value to 2, which is how you can verify that the policy has successfully disabled it.

You can for example script it by checking the value of the RegisterSpoolerRemoteRpcEndPoint key on each of your servers.

Here's also someone on the community who created a PowerShell script that sets the above registry value to 2:
https://github.com/JasonRBeer/PublicPowerShellScripts/blob/master/Remediate-PrintNightmare.ps1

0 Votes 0 ·

Thank you very much. What about the servers where those registry keys do not exist? In our environment, on most or all servers those registry keys do not exist, so when doing the test I don't have the registry key to check its value and confirm that the vulnerability is fixed.

0 Votes 0 ·
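A read-only check along the lines suggested in the comments above, added here as an example and not part of the thread or of the linked script: it reports the registry values named in this thread and states explicitly when a key or value is missing. The function name Get-SpoolerPolicyState and the wording of the result strings are assumptions.

```powershell
# Added example (not from the thread): report the policy values discussed above.
# Registry paths and value names are the ones quoted in the thread;
# Get-SpoolerPolicyState is a hypothetical name. Nothing is modified.
function Get-SpoolerPolicyState {
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $checks = @(
        @{ Path = $printers;                 Name = 'RegisterSpoolerRemoteRpcEndPoint' }
        @{ Path = "$printers\PointAndPrint"; Name = 'NoWarningNoElevationOnInstall' }
        @{ Path = "$printers\PointAndPrint"; Name = 'UpdatePromptSettings' }
    )
    foreach ($c in $checks) {
        # A missing key or a missing value both leave $value at $null.
        $value = $null
        $item  = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$c.Name]) {
            $value = $item.PSObject.Properties[$c.Name].Value
        }
        $state = switch ($c.Name) {
            'RegisterSpoolerRemoteRpcEndPoint' {
                # Per the thread: the GPO writes 2 when client connections are disabled.
                if ($null -eq $value) { 'Not set: the policy has not written this value here' }
                elseif ($value -eq 2) { 'OK: client connections disabled by policy' }
                else                  { "Review: value is $value, expected 2" }
            }
            default {
                # Per the answer above: 0 or not defined is the secure setting.
                if ($null -eq $value -or $value -eq 0) { 'OK: 0 or not defined' }
                else { "Review: value is $value, expected 0 or not defined" }
            }
        }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $c.Name
            Value    = $value
            State    = $state
        }
    }
    # Service state, as returned by the Get-Service command used in this thread.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = 'Spooler service'
        Value    = (Get-Service -Name Spooler).Status
        State    = 'Informational'
    }
}

Get-SpoolerPolicyState | Format-Table -AutoSize
# Remote use (server names are placeholders):
# Invoke-Command -ComputerName SRV01, SRV02 -ScriptBlock ${function:Get-SpoolerPolicyState}
```

Microsoft's advisory for CVE-2021-34527 states that the Print Spooler service must be restarted for the Group Policy setting to take effect, so a value of 2 on a server whose spooler has not been restarted since the policy arrived is not yet enforced.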
0 Votes
learn2skills answered LeonLaude commented

Hi @RAMIC21-5865

To continue your answer...

If you don't have the registry key, you can use the PowerShell command listed below.

The registry key doesn't exist; I used a PowerShell command to disable the Print Spooler service, see the screenshot below.

126319-image.png


Run the following in Windows PowerShell:

 Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

 Stop-Service -Name Spooler -Force
 Set-Service -Name Spooler -StartupType Disabled

Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Example output:

126355-image.png



If the Answer is helpful, please click Accept Answer and up-vote, so that it can help others in the community looking for help on similar topics.








I'm afraid your answer is not relevant here. If you read carefully, what the OP has done is that he/she has not disabled the Print Spooler; he/she chose the second workaround, which is disabling "Allow Print Spooler to accept client connections" via Group Policy.

0 Votes 0 ·