PrintNightmare: What You Need to Know…

by

July 7, 2021

PrintNightmare: What You Need to Know...

A brand new Microsoft Windows vulnerability has been discovered! It’s called PrintNightmare and it can cause quite a mess via remote code execution (RCE).

Microsoft has labeled the vulnerability CVE-2021-34527. Microsoft’s website says that an attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges as well as install programs; view, change, or delete data; or create new accounts with full user rights on a victim’s endpoint or server.

They issued a patch in June for a similar issue, CVE-2021-1675, which a similar vulnerability.

The discovery was disclosed publicly by QiAnXin Technology, a Chinese-based cybersecurity company via Twitter late last month. Following shortly thereafter, two additional cybersecurity researchers published code that allows attackers to leverage the vulnerability on GitHub, though they later deleted it.

As for right now, there’s no patch for CVE-2021-34527, but there is a way to mitigate the risk associated. The vulnerability uses a legacy Windows printing service (Windows Print Spooler) that can be disabled. Thank God, right?

How do you Disable Windows Print Spooler?

I’m glad you asked! It’s surprisingly easy. Here are the steps you need to follow:

Disabling Print Spooler

  1. Open Start.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator problem.
  3. Type the following command to stop the Print Spooler service and press Enter:

    Stop-Service -Name Spooler -Force

  4. Type the following command to prevent the service from starting back up again during restart and press Enter:

    Set-Service -Name Spooler -StartupType Disabled

Once you complete the steps, the device should be protected against the PrintNightmare attack, but you will no longer be able to print locally or remotely.

Re-enable Print Spooler

If you need to print temporarily or a permanent fix has been released, you can enable the feature again. Here’s how:

  1. Open the Start Menu.
  2. Search for PowerShell, right-click the top result, and select the Run as administrator problem.
  3. Type the following command to prevent the service from starting back up again during restart and press Enter:

    Set-Service -Name Spooler -StartupType Automatic

  4. Type the following command to stop the Print Spooler service and press Enter: Start-Service -Name Spooler

After you complete the steps, the printer should start working normally.

How to disable Print Spooler service via Group Policy on Windows 10

If you have Windows 10 Pro (or Enterprise), the easiest way to mitigate the printing vulnerability is to use Local Group Policy Editor.

To disable the Print Spooler with Group Policy, use these steps:

  1. Open Start.
  2. Search for gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path: Computer Configuration > Administrative Templates > Printers
  4. On the right side, double-click the Allow Print Spooler to accept client connections: policy.
  5. Select the Disabled option.
  6. Click the Apply button 
  7. Click the OK button.

Once you complete the steps, disabling the external network connections will prevent the vulnerability from being exploited. If you have Windows 10 configured as a printer server, users will no longer be able to print, but the printer directly connected to the device will continue to work.

Re-enable Print Spooler

To enable the Print Spooler with Group Policy, use these steps:

  1. Open Start.
  2. Search for gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path:
  4. Computer Configuration > Administrative Templates > Printers
  5. On the right side, double-click the Allow Print Spooler to accept client connections: policy.
  6. Select the Not Configured option.
  7. Source: Windows Central
  8. Click the Apply button 
  9. Click the OK button.

After you complete the steps, the print server should start working normally.

Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.

Carl Keyser is the Content Manager at Integris.

Keep reading

Strong Cybersecurity Postures: How to Unleash their Power

Strong Cybersecurity Postures: How to Unleash their Power

In the vast digital landscape where virtual dragons and sneaky trolls roam a strong cybersecurity posture has never been more important. Imagine a band of modern-day knights led by our protagonist, Alex. Armed with a trusty laptop and a cup of coffee, Alex navigates...

How to Spot a Phishing Attack in 2023

How to Spot a Phishing Attack in 2023

In 2023 cyber threats lurk behind every tree trunk in today's digital jungle, and cybersecurity awareness is more critical than ever. Among the craftiest of these threats are phishing attacks. Phishing attacks are cunningly engineered with social manipulation at their...

How to Choose an IT Consultant in Boulder, CO

Regardless of industry size or type, Boulder IT consultants play a massive role in the way companies in the Boulder area do business. While most companies may have their own in-house IT department, many of these departments are small and cannot handle all the...