PrintNightmare: What You Need to Know…


July 7, 2021


A brand new Microsoft Windows vulnerability has been discovered! It’s called PrintNightmare and it can cause quite a mess via remote code execution (RCE).

Microsoft has labeled the vulnerability CVE-2021-34527. Microsoft’s website says that an attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges as well as install programs; view, change, or delete data; or create new accounts with full user rights on a victim’s endpoint or server.

They issued a patch in June for a similar vulnerability, CVE-2021-1675.

The discovery was disclosed publicly via Twitter late last month by QiAnXin Technology, a China-based cybersecurity company. Shortly thereafter, two additional cybersecurity researchers published code on GitHub that allows attackers to leverage the vulnerability, though they later deleted it.

For now, there’s no patch for CVE-2021-34527, but there is a way to mitigate the associated risk. The vulnerability uses a legacy Windows printing service (Windows Print Spooler) that can be disabled. Thank God, right?

How do you Disable Windows Print Spooler?

I’m glad you asked! It’s surprisingly easy. Here are the steps you need to follow:

Disabling Print Spooler

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to stop the Print Spooler service and press Enter:

    Stop-Service -Name Spooler -Force

  4. Type the following command to prevent the service from starting back up again during restart and press Enter:

    Set-Service -Name Spooler -StartupType Disabled

Once you complete the steps, the device should be protected against the PrintNightmare attack, but you will no longer be able to print locally or remotely.

Re-enable Print Spooler

If you need to print temporarily or a permanent fix has been released, you can enable the feature again. Here’s how:

  1. Open the Start Menu.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator option.
  3. Type the following command to set the service to start automatically at startup and press Enter:

    Set-Service -Name Spooler -StartupType Automatic

  4. Type the following command to start the Print Spooler service and press Enter:

    Start-Service -Name Spooler

After you complete the steps, the printer should start working normally.

How to disable Print Spooler service via Group Policy on Windows 10

If you have Windows 10 Pro (or Enterprise), the easiest way to mitigate the printing vulnerability is to use Local Group Policy Editor.

To disable the Print Spooler with Group Policy, use these steps:

  1. Open Start.
  2. Search for gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path: Computer Configuration > Administrative Templates > Printers
  4. On the right side, double-click the Allow Print Spooler to accept client connections policy.
  5. Select the Disabled option.
  6. Click the Apply button.
  7. Click the OK button.

Once you complete the steps, disabling the external network connections will prevent the vulnerability from being exploited. If you have Windows 10 configured as a print server, users will no longer be able to print to it, but a printer directly connected to the device will continue to work.
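To confirm that either mitigation described above (the disabled service or the Group Policy setting) is actually in effect on a machine, a read-only check like the following can be run from an elevated PowerShell session. This is an added example, not part of the original post; the function name `Get-SpoolerMitigationState` is hypothetical, and the registry value it reads is where Windows stores the "Allow Print Spooler to accept client connections" policy.

```powershell
# Added example (not from the original post). Read-only: it changes nothing.
function Get-SpoolerMitigationState {
    # Mitigation 1 on this page: Spooler stopped AND startup type Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if ($null -eq $svc) {
        $state = 'NotInstalled'
        $startMode = 'NotInstalled'
        $serviceOff = $true
    } else {
        $state = $svc.State          # 'Running' or 'Stopped'
        $startMode = $svc.StartMode  # 'Auto', 'Manual' or 'Disabled'
        $serviceOff = ($state -eq 'Stopped') -and ($startMode -eq 'Disabled')
    }

    # Mitigation 2 on this page: the "Allow Print Spooler to accept client
    # connections" policy, stored as RegisterSpoolerRemoteRpcEndPoint:
    # 2 = Disabled, 1 = Enabled, value absent = Not Configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $item = Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    $policy = 'NotConfigured'
    if ($null -ne $item) {
        $policy = if ($item.RegisterSpoolerRemoteRpcEndPoint -eq 2) { 'Disabled' } else { 'Enabled' }
    }

    # Combine both checks into one verdict.
    if ($serviceOff) {
        $verdict = 'Mitigated: Print Spooler is disabled'
    } elseif ($policy -eq 'Disabled') {
        $verdict = 'Mitigated for remote connections: policy is Disabled'
    } elseif ($state -eq 'Stopped') {
        # Stopped but not Disabled: the service can come back after a restart.
        $verdict = "Partial: service is stopped, but startup type is $startMode"
    } else {
        $verdict = 'Not mitigated: Print Spooler is running and the policy is not Disabled'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ServiceState = $state
        StartMode    = $startMode
        ClientPolicy = $policy
        Verdict      = $verdict
    }
}

Get-SpoolerMitigationState | Format-List
```

Microsoft's guidance for this policy notes that the Print Spooler service must be restarted before the setting takes effect, so a `Disabled` reading on a spooler that has not been restarted since the change is not yet protective.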

Re-enable Print Spooler

To enable the Print Spooler with Group Policy, use these steps:

  1. Open Start.
  2. Search for gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path: Computer Configuration > Administrative Templates > Printers
  4. On the right side, double-click the Allow Print Spooler to accept client connections policy.
  5. Select the Not Configured option.
  6. Click the Apply button.
  7. Click the OK button.

Source: Windows Central

After you complete the steps, the print server should start working normally.


Carl Keyser is the Content Manager at Integris.
