{"id":15547,"date":"2021-07-12T05:00:45","date_gmt":"2021-07-12T12:00:45","guid":{"rendered":"https:\/\/www.zubairalexander.com\/blog\/?p=15547"},"modified":"2021-10-04T17:50:22","modified_gmt":"2021-10-05T00:50:22","slug":"protecting-your-windows-servers-and-clients-from-the-printnightmare-vulnerability","status":"publish","type":"post","link":"https:\/\/www.zubairalexander.com\/blog\/protecting-your-windows-servers-and-clients-from-the-printnightmare-vulnerability\/","title":{"rendered":"Protecting Your Windows Servers &#038; Clients from the PrintNightmare Vulnerability"},"content":{"rendered":"<p>The United States Cybersecurity &amp; Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and Microsoft have issued an urgent security warning about a flaw in the Windows Print Spooler service, known as <strong>PrintNightmare<\/strong>. By default, the Print Spooler service runs on all Windows servers and clients, so you can only imagine why CISA and Microsoft are freaking out. The flaw allows a standard user to control any Windows computer that&#8217;s running the Print Spooler service. The attack can be absolutely devastating.<\/p>\n<h4><span style=\"font-size: 18pt;\"><strong>What is Print Spooler Service?<\/strong><\/span><\/h4>\n<p>The Print Spooler service is responsible for printing jobs and handles the interaction with the printer on Windows servers and clients. If this service is disabled, you won\u2019t be able to print a document or see your printers. To manage the Print Spooler service on a Windows computer, go to the Services Console (services.msc). On the General tab, you can start, stop, pause, or resume a paused service. You can also change the service <em>Startup type<\/em> to Manual, Automatic, Automatic (Delayed Start), or Disabled. You will also find several additional options on the <em>Log On<\/em> and <em>Recovery<\/em> tabs. 
Usually there is no need to configure additional options, but it&#8217;s useful to know what they are, in case you need them.<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-15549\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/print-spooler-service.png\" alt=\"Windows Print Spooler Service\" width=\"411\" height=\"473\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/print-spooler-service.png 411w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/print-spooler-service-261x300.png 261w\" sizes=\"(max-width: 411px) 100vw, 411px\" \/><\/p>\n<h4><span style=\"font-size: 18pt;\"><strong>What is PrintNightmare?<\/strong><\/span><\/h4>\n<p>The remote code execution exploit in the Windows Print Spooler service is called <em>PrintNightmare<\/em>. According to <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a>, &#8220;An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.&#8221; This is a serious flaw and it applies to all versions of Windows. There are many ways an attacker can take advantage of this flaw. For example, an attacker can use phishing to gain access to a Windows 10 computer on your internal network and then use the remote code execution exploit in Windows Print Spooler on a Domain Controller running Active Directory to potentially take over your entire network. 
Using PrintNightmare in a cyberattack is relatively easy because exploiting the vulnerability requires only a <strong>low level<\/strong> <strong>of privileges<\/strong> and <strong>no user interaction<\/strong>.<\/p>\n<h4><span style=\"font-size: 18pt;\"><strong>Didn&#8217;t Microsoft Issue a Patch for PrintNightmare in June?<\/strong><\/span><\/h4>\n<p>No. On June 8, 2021, Microsoft issued <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-1675\" target=\"_blank\" rel=\"noopener\">CVE-2021-1675<\/a> and updated it on July 2, 2021. For PrintNightmare, Microsoft issued <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527\" target=\"_blank\" rel=\"noopener\">CVE-2021-34527<\/a> on July 1, 2021 and updated it on July 8, 2021. It&#8217;s easy to get confused because one was released on June 8 and the other was updated on July 8. Having the exact same title, &#8220;Windows Print Spooler Remote Code Execution Vulnerability&#8221;, also adds to the confusion.<\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-15551\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/cve-2021-1675-vs-cve-2021-34527.png\" alt=\"CVE-2021-1675 vs CVE-2021-34527\" width=\"1155\" height=\"348\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/cve-2021-1675-vs-cve-2021-34527.png 1155w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/cve-2021-1675-vs-cve-2021-34527-300x90.png 300w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/cve-2021-1675-vs-cve-2021-34527-1024x309.png 1024w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/cve-2021-1675-vs-cve-2021-34527-768x231.png 768w\" sizes=\"(max-width: 1155px) 100vw, 1155px\" \/><\/p>\n<h4><span style=\"font-size: 18pt;\">What Should You Do?<\/span><\/h4>\n<p>Install the <em>July 2021 Cumulative Update<\/em> on all your 
Windows computers <span style=\"color: #ff0000;\">ASAP<\/span>. Yes, all Windows computers are vulnerable, so make sure you install the update on Windows 10 (and other) clients as well as all your Windows servers.<\/p>\n<p><strong>Verify You Have the Correct Security Update<\/strong><\/p>\n<p>It&#8217;s important to verify that you have the correct Microsoft security update installed on your Windows server or client. These instructions apply to Windows servers and Windows 10 clients.<\/p>\n<ol>\n<li>In the Windows search box type <strong>Settings<\/strong> and press <strong>Enter<\/strong>.<\/li>\n<li>In the Settings app, select <strong>Update &amp; Security<\/strong>.<\/li>\n<li>In the Windows Update section select <strong>View update history<\/strong>.<\/li>\n<li>Depending on your computer (Windows Server 2019, Windows 10, etc.) you will see the <strong>2021-07 Cumulative Update<\/strong> installed under the Quality Updates section as follows.<br \/>\n<img decoding=\"async\" class=\"alignnone size-full wp-image-15556\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/view-update-history-windows-server-2019.png\" alt=\"View update history - Windows Server 2019\" width=\"669\" height=\"323\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/view-update-history-windows-server-2019.png 669w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/view-update-history-windows-server-2019-300x145.png 300w\" sizes=\"(max-width: 669px) 100vw, 669px\" \/><img decoding=\"async\" class=\"alignnone size-full wp-image-15557\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/view-update-history-windows-10.png\" alt=\"View update history - Windows 10\" width=\"698\" height=\"357\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/view-update-history-windows-10.png 698w, 
https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/view-update-history-windows-10-300x153.png 300w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/><\/li>\n<\/ol>\n<h4><span style=\"font-size: 18pt;\"><strong>Other Workarounds<\/strong><\/span><\/h4>\n<p>If for some reason you&#8217;re unable to apply the <em>July 2021 Cumulative Update<\/em> on your computer(s), Microsoft recommends the following options as workarounds.<\/p>\n<ol>\n<li>Disable the Print Spooler service.<\/li>\n<li>Disable inbound remote printing.<\/li>\n<\/ol>\n<p><span style=\"font-size: 14pt;\"><strong>Option #1:\u00a0Disable Print Spooler Service<\/strong><\/span><\/p>\n<p>If you disable the Print Spooler service on a computer, that computer is more secure because it is no longer exposed to the security issues associated with the Print Spooler service. The consequences of this action are as follows:<\/p>\n<ol>\n<li>You won&#8217;t be able to print from your computer to a locally attached printer or to a remote printer.<\/li>\n<li>If this computer is configured as a print server, no one else will be able to print to the printers you&#8217;ve shared on this computer.<\/li>\n<li>You won&#8217;t be able to print to a PDF file.<\/li>\n<li>You won&#8217;t be able to see the printers installed on your computer.<\/li>\n<\/ol>\n<p>If you choose option #1, you can disable the Print Spooler service using either the graphical user interface (GUI) or Windows PowerShell.<\/p>\n<p><strong>Use GUI to Disable the Service<\/strong><\/p>\n<ol>\n<li>Start the Services Console (services.msc) on your computer.<\/li>\n<li>In the Startup type dropdown box select <strong>Disabled<\/strong> and then <strong>Stop<\/strong> the service to prevent other computers from using the Print Spooler service and exploiting any vulnerabilities.<br \/>\n<img decoding=\"async\" class=\"alignnone size-full wp-image-15554\" 
src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/disable-print-spooler-service.png\" alt=\"Disable Print Spooler Service\" width=\"412\" height=\"471\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/disable-print-spooler-service.png 412w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/disable-print-spooler-service-262x300.png 262w\" sizes=\"(max-width: 412px) 100vw, 412px\" \/><\/li>\n<li>Click <strong>OK<\/strong> to close the box.<\/li>\n<\/ol>\n<table style=\"border-collapse: collapse; width: 100%; height: 48px;\" border=\"1\">\n<tbody>\n<tr style=\"height: 48px;\">\n<td style=\"width: 100%; height: 48px; background-color: #f0f0f0; text-align: left; vertical-align: top;\"><span style=\"color: #ff0000;\"><strong>CAUTION!<\/strong><\/span> If you disable the Print Spooler service on a Windows computer by changing the <em>Startup type<\/em> to Disabled, make sure you also stop the service. Otherwise, the service will continue to run and may be exploited by an attacker. The <em>Startup type<\/em> will only come into play when the computer is restarted.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Use Windows PowerShell to Disable the Service<\/strong><\/p>\n<p>Windows PowerShell can come in handy in a business environment where you want to disable the Print Spooler service on a large number of computers. 
Use the following commands to first stop the service and then set its Startup type to Disabled.<\/p>\n<p style=\"padding-left: 40px;\"><span style=\"color: #0000ff;\">Stop-Service -Name Spooler -Force<\/span><\/p>\n<p style=\"padding-left: 40px;\"><span style=\"color: #0000ff;\">Set-Service -Name Spooler -StartupType Disabled<\/span><\/p>\n<p><span style=\"font-size: 14pt;\"><strong>Option #2: Disable Inbound Remote Printing<\/strong><\/span><\/p>\n<p>If you disable inbound remote printing on a computer, your computer would be more secure because you&#8217;re not allowing anyone else to access your computer and use it as a print server. However, you will still be able to print to a printer that&#8217;s attached to your local computer because your Print Spooler service is still running. This option requires configuring Group Policy. Here&#8217;s how.<\/p>\n<ol>\n<li>On your Windows server, use Start -&gt; Run -&gt; gpedit.msc to start the Group Policy Editor console. You can also use the Windows search box to search for gpedit.<\/li>\n<li>Go to Computer Configuration -&gt; Administrative Templates -&gt; Printers.<\/li>\n<li>Double-click the entry <strong>Allow Print Spooler to accept client connections<\/strong>.<br \/>\n<img decoding=\"async\" class=\"alignnone size-full wp-image-15552\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/allow-printer-spooler-to-accept-client-connections.png\" alt=\"Allow Print Spooler to accept client connections\" width=\"691\" height=\"792\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/allow-printer-spooler-to-accept-client-connections.png 691w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/allow-printer-spooler-to-accept-client-connections-262x300.png 262w\" sizes=\"(max-width: 691px) 100vw, 691px\" \/><\/li>\n<li>Select the <strong>Disabled<\/strong> radio button and then click <strong>OK<\/strong>. 
This will prevent the print server from accepting inbound remote printing connections from other computers and make your server more secure.<br \/>\n<img decoding=\"async\" class=\"alignnone size-full wp-image-15553\" src=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/disable-inbound-remote-printing.png\" alt=\"Disable inbound remote printing\" width=\"691\" height=\"641\" srcset=\"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/disable-inbound-remote-printing.png 691w, https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2021\/07\/disable-inbound-remote-printing-300x278.png 300w\" sizes=\"(max-width: 691px) 100vw, 691px\" \/><\/li>\n<li>Restart the Print Spooler service so the Group Policy change can take effect.<\/li>\n<\/ol>\n<hr \/>\n<p><span style=\"font-size: xx-small; font-family: Verdana;\">Copyright \u00a9 2021 <a href=\"https:\/\/www.seattlepro.com\/\" target=\"_blank\" rel=\"noopener\">SeattlePro Enterprises, LLC<\/a>. All rights reserved.<br \/>\n<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The United States Cybersecurity &amp; Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and Microsoft have issued an urgent security warning about a flaw in the Windows Print Spooler service, known as PrintNightmare. 
By default, the Print Spooler service runs on all Windows servers and clients, so you can only imagine why CISA and [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":8601,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[6,43,33,57,24,11],"tags":[],"class_list":["post-15547","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory","category-articles","category-remote-desktop","category-scripting","category-security","category-tips-tricks"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/www.zubairalexander.com\/blog\/wp-content\/uploads\/2017\/08\/Security2.jpg","_links":{"self":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/15547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/comments?post=15547"}],"version-history":[{"count":0,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/posts\/15547\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media\/8601"}],"wp:attachment":[{"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/media?parent=15547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.zubairalexander.com\/blog\/wp-json\/wp\/v2\/categories?post=15547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.zubairalexander.c
om\/blog\/wp-json\/wp\/v2\/tags?post=15547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}