Question

3 Votes
thenewmessiah-5920 asked, Fredo-9176 commented

Microsoft's PrintNightmare update is causing a lot of problems with network printers mapped on a print server

Dears,
The latest Windows updates are causing a lot of problems with network printers mapped on a print server.

Reference:
KB5005652—Manage new Point and Print default driver installation behavior (CVE-2021-34481)
Managing deployment of Printer RPC binding changes for CVE-2021-1678 (KB4599464)

The two recent patches (KB5004945, KB5004760, or KB5003690) cause these two main problems:
1) Users without administrative rights are unable to install new print drivers.
The end user receives this error (see attached screenshot).

2) Unable to use the print server with the new registry key RpcAuthnLevelPrivacyEnabled.
The system log reports this error: 0x0000011b

The two workarounds that you have to apply to survive and allow corporate users to be able to use the print server are:
1) Even if you have a GPO with "Point and Print Restrictions=disabled", you have to apply this registry key to allow non administrative users to install the latest print drivers from the print server

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
RestrictDriverInstallationToAdministrators = 0

2) Apply this registry key to disable the new default settings related to the print spooler vulnerabilities

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print
RpcAuthnLevelPrivacyEnabled = 0


The above workarounds are only a temporary solution to survive and allow users to print.
What is unclear to me is what should be the right way to manage these settings in a corporate environment without any end user interaction.
So, if I want to be protected and apply the recent security fixes without asking the end users to do something, what should I do?

Microsoft states that you need to set "RpcAuthnLevelPrivacyEnabled" to "1" on both Client and Print Server in order to be protected, but if you do this, you can't print.
So, what should we do in a Corporate environment to be secure and print without any end user interaction about "driver installation" etc.?

Thanks in advance


windows-server-print

1 Vote
Robert-932 answered, RicardoPedersoli-6277 commented

I would like to know the answer to this as well.

The only way that I have been able to print from a client computer is to set RpcAuthnLevelPrivacyEnabled = 0 on the server. This allows me to install the printer from the server.

RpcAuthnLevelPrivacyEnabled setting on the client's computer has no effect.

I have also attempted to enable Point and Print Restrictions to limit the client computers to specific servers, but it has no effect on the machines. I can still download printers from any server. I'm not sure what I am missing to make that GPO configuration work.

Does anyone have any ideas or suggestions?


Hi,
I found a solution, at least in my environment. That is, the user name on the client computer must exist on the server side, and it must also have a password assigned. That solves the issue. Remember, today security is a must!
I hope this is helpful for you too.

0 Votes
0 Votes
Gino-7794 answered

Is there a fix for a corporate environment?
We have had the same issue, but it seems we need to change the key back and forth just to get the printer installed.
There has to be a fix without adding users' security to the printer itself.

thank you


0 Votes
Robert-932 answered, Fredo-9176 commented

The only thing that I have found that works is to set RpcAuthnLevelPrivacyEnabled = 0 on the print server found here HKLM\SYSTEM\CurrentControlSet\Control\Print.

From my testing, it appears that this option tells the connecting computer to use Administrative Credentials. I do not see how this would be a fix to the PrintNightmare vulnerability because the connecting computer could still add a printer from another print server that is compromised.

We still run into the issue that unsigned drivers require administrator privileges to install or update the driver. Luckily, we do not have many printers that are using unsigned drivers.


So far in my environment the only thing that has been able to halfway work was to uninstall the (KB5006670) security update from the client PC. I'm now able to open my print server via \\printservername and manually map a printer on the client PC. Before the removal I was unable to map, as I was getting the strange 0000007c error.

So far, testing on 2 printers, the client is normally able to print fine, but not on one. The problematic printer is an HP LaserJet 700 M712, and when I print anything to it I now get a message that says: JOB ABORTED: Failure in UIO CreateAddressFromIPAddress, and it fails to print.

I'm really scratching my head on this one.

I guess what I would like to know, like everyone here, is how to keep the update and not break the printing process. If there is a new method to deploy printers I would like to know. Is there anybody out there!! Sorry for the dramatics.

0 Votes

JorgeHernandez-7004, did you have any luck with the JOB ABORTED: Failure in UIO CreateAddressFromIPAddress error? We're now getting the same thing and have no idea why it has started!

2 Votes
Lily-6039 (replying to JorgeHernandez-7004)

We are also getting the JOB ABORTED: Failure in UIO CreateAddressFromIPAddress error.

Anyone have any luck fixing this?

0 Votes

Saw the JOB ABORTED: Failure in UIO CreateAddressFromIPAddress error on a HP printer that was using the latest HP Universal Print Driver v7.0.1. but changed it to v7.0.0 and don't see the issue anymore. Could it be driver related?

2 Votes
Fredo-9176 (replying to JorgeHernandez-7004)

Hi JorgeHernandez-7004. The "Job Aborted" appears to be a known issue in HP UPD version 7.0.1, documented in the release notes, which you can find here:
http://h10032.www1.hp.com/ctg/Manual/c03635717.pdf

According to the release notes HP is investigating the issue, and it offers some workarounds. If you have the possibility of going back to a previous version of the UPD that would resolve your issue in the meantime.

0 Votes

0 Votes
TheAlanMorris answered

@thenewmessiah-5920

The new Windows default for Point and Print connections to shared printers is admin rights.

You can work through this with the registry setting on the client system.

The "RpcAuthnLevelPrivacyEnabled" set to 1 prevents the client systems, and the print server, from connecting to Linux machines pretending to be Windows print servers. Do you have Linux in your environment where you may have concerns?

To work through no administrative requirements for connections to Windows shared printers, then you can use a print driver on the server which is never downloaded to the client system. These drivers are known as Type 4 print drivers. You can find these on Windows update and from printer vendors. Type 4 print drivers have existed for nine years. More than 10 if you used Windows 8 in preview versions.

Since there is no software copied when making the printer connection, the attack surface is gone.

There are group policies to specifically provide access to only print servers you control, and if you manage all the Windows clients I also suggest closing down the remote spooler RPC endpoint on the client systems. Disable the Computer policy "Allow clients to connect to spooler". If the client is actually sharing a printer, the RPC endpoint is open, but how many Windows clients are sharing a printer in your organization?

If you obtain your Type 4 drivers from Windows Update or if you are running 2012R2 you can use the drivers provided with the operating system. The client can get the driver from WU if a Type 4 driver is up there.

Admin rights for printer connection when software is downloaded from the server. It's the new world of Windows and it will not be changing.

Thanks
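As an added example (not from this thread, Microsoft or HP), the PowerShell audit below reads the settings the thread argues about: the two registry values from the question (RpcAuthnLevelPrivacyEnabled and RestrictDriverInstallationToAdministrators) and the client-connection policy TheAlanMorris mentions, and then lists the Type 3 drivers that a client would have to download, which is where the admin-rights prompt comes from. It assumes the PrintManagement module is available and that the "allow clients to connect to spooler" policy is backed by the RegisterSpoolerRemoteRpcEndPoint value; that mapping is my assumption, the thread names the policy only by description.

```powershell
# Added audit script (not from the thread or Microsoft): reads the spooler
# hardening settings discussed above and lists Type 3 (downloaded) drivers.
# Assumes the PrintManagement module (Windows 8 / Server 2012 and later).
# Run elevated on a print server or a client; it only reads, nothing is changed.

$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Name = 'RpcAuthnLevelPrivacyEnabled'; Secure = 1
       Note = 'RPC privacy for spooler connections (KB4599464); 0 is the thread workaround' }
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Name = 'RestrictDriverInstallationToAdministrators'; Secure = 1
       Note = 'Point and Print driver install (KB5005652); 0 lets non-admins install drivers' }
    # Assumption: this value backs the "allow clients to connect to spooler" policy
    # mentioned above; 2 means the remote spooler RPC endpoint is not registered.
    @{ Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
       Name = 'RegisterSpoolerRemoteRpcEndPoint'; Secure = 2
       Note = 'Remote spooler RPC endpoint (only needed on machines that share a printer)' }
)

function Get-SpoolerHardeningState {
    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        $state = if ($null -eq $value) { 'not set (OS default applies)' }
                 elseif ($value -eq $c.Secure) { 'hardened' }
                 else { 'workaround / relaxed' }
        [pscustomobject]@{ Setting = $c.Name; Value = $value; State = $state; Note = $c.Note }
    }
}

function Get-DownloadedDrivers {
    # Type 3 drivers are copied to the client when it connects, which is what
    # triggers the admin-rights requirement; Type 4 drivers stay on the server.
    Get-PrinterDriver | Where-Object { $_.MajorVersion -lt 4 } |
        Select-Object Name, MajorVersion, Manufacturer, PrinterEnvironment
}

Get-SpoolerHardeningState | Format-Table -AutoSize
$type3 = @(Get-DownloadedDrivers)
if ($type3.Count -gt 0) {
    Write-Warning "Type 3 drivers present; non-admin clients cannot install these:"
    $type3 | Format-Table -AutoSize
} else {
    Write-Host 'Only Type 4 drivers installed; nothing is downloaded on connection.'
}
```

Run it on the print server to see which drivers still force a download, and on a sample client to confirm whether the relaxed values from the workarounds are still in place after patching.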


0 Votes
RafaelAdam-6538 answered

In my case RpcAuthnLevelPrivacyEnabled = 0 on the Windows 10 clients running Windows 2019 LTSC helped. The server is older Windows, so it does not have the RpcAuthnLevelPrivacyEnabled setting at all.

Hope it was helpful


0 Votes
FreddyGCalderon-8574 answered

Where do you enter this RpcAuthnLevelPrivacyEnabled = 0 in the Windows 10 registry path?


0 Votes
JeremyBroxterman-0449 answered, JeremyBroxterman-0449 edited

After updating to the HP Universal Print Driver v7.0.1 I am getting the following. This can be resolved by each user going into the Job Storage tab and clicking the radio button to Off. The issue with this is that my print server already has this defaulted to Off, and Off is already selected when the client goes to "select" the radio button again.


0 Votes
TheAlanMorris answered

@FreddyGCalderon-8574

Normally folks have been adding this setting to the machine sharing the printer.

If you wish to connect Windows to a Linux system over SAMBA, then setting this on the Win 10 system is correct:

Add a new registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\RpcAuthnLevelPrivacyEnabled (type DWORD)
Set the new key value to 0.
Restart the Print Spooler service.


Thanks
