PrintNightmare Patch and other mitigations

The patches, Group Policy settings, and registry entries needed to prevent security compromises from these issues.


Applies To

Windows Server 2008 R2 through 2019

and

Windows 7 through current version of Windows 10


Resolution/Fix/Answer

There is a lot of confusion, and many different sources and items are needed to protect your systems from the vulnerabilities collectively dubbed "PrintNightmare". The following information explains our recommendations on how you can update your system to reduce your vulnerability to the "PrintNightmare" exploit.

To start, the simplest solution is to disable the print spooler on all systems that do not need printing and, importantly, on Active Directory servers.


With that said, there are going to be systems that need to print. The flow chart below will assist with guiding you through that, but here is a breakdown of those items.

#1 - Ensure the system has the Microsoft Windows 2021-07 Cumulative Security Update installed.

#2 - Disable remote printing via Group Policy, at the domain level or in local policy.

Here is the setting from Microsoft's KB:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

#3 - Ensure the following registry entry is not present or set to 0

In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), and also that your Group Policy settings are correct (see FAQ):

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
        • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
        • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
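
The following read-only audit script is an added example, not taken from the Microsoft KB or the grc.com notes. It reports the spooler service state, the step #2 policy, and the step #3 registry values. It assumes Windows PowerShell 5.1 and that the "Allow Print Spooler to accept client connections" policy is stored as the RegisterSpoolerRemoteRpcEndPoint value (1 = enabled, 2 = disabled); the helper function names are hypothetical. It does not check step #1, because the update's KB number differs per Windows version.

```powershell
# Added example: read-only audit of the PrintNightmare settings described above.
# Makes no changes to the system. Run from an elevated Windows PowerShell prompt.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Finding([string]$Check, $Value, [bool]$Secure) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Secure = $Secure }
}

$findings = @()

# Spooler service: disabled and stopped is the simplest mitigation.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
if ($svc) {
    $findings += New-Finding 'Spooler service' "$($svc.State)/$($svc.StartMode)" `
        ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
}

# Step #2: "Allow Print Spooler to accept client connections" policy.
# Assumption: stored as RegisterSpoolerRemoteRpcEndPoint, 1 = enabled, 2 = disabled.
# A missing value means "not configured", which does not block remote connections.
$rpc = Get-RegValue $printers 'RegisterSpoolerRemoteRpcEndPoint'
$findings += New-Finding 'Remote client connections policy' $rpc ($rpc -eq 2)

# Step #3: Point and Print values must be 0 or not defined.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-RegValue "$printers\PointAndPrint" $name
    $findings += New-Finding "PointAndPrint\$name" $v ($null -eq $v -or $v -eq 0)
}

$findings | Format-Table -AutoSize
```

A system that needs to print will show the spooler service row as False by design; on such a system the remaining three rows are the ones that must read True.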



The source of this workflow is the grc.com link below, and it is supported by the Microsoft KB article that outlines the steps.


 

Cause 


https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

CVE-2021-1675 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability

(Less technical Explanation) 

https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/comment-page-1/

(Very Technical Explanation and workflow diagram source)

https://www.grc.com/sn/SN-827-Notes.pdf