Waking from Microsoft's PrintNightmare

Managed Service Provider offers network security advice

PrintNightmare (CVE—2021—34481) is a low-complexity, high-impact hacking vulnerability discovered and documented by security engineers. A miscommunication led to the exploit documentation being released prior to Microsoft developing an effective patch to prevent its misuse. Having a managed security provider or other network security expert on your side is critical to ensuring your company data is protected.

Here is some invaluable advice from the experts at EO Johnson Business Technologies and Locknet® Managed IT.

Immediate caution advised

Following Microsoft Update (KB5005652, 8/10/2021) — Installation of any print driver on an existing print server may cause existing printing using shared print queues to halt and popup notifications requiring Administrator Authentication to display.

By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

Install new printers using drivers on a remote computer or server
Update existing printer drivers using drivers from remote computer or server

Temporary mitigation

During the initial period of self-mitigating the risk of the PrintNightmare vulnerability, Microsoft and third-party security experts recommended disabling the Print Spooler service on any non-print essential Windows PC and Server. On any system requiring print functionality, IT staff was encouraged to limit the permissions of the “System” account on the print driver directory within the Windows system files. These short-term efforts were effective in immediately blocking the attack vector but also limited the long-term functionality of the Operating System.

Microsoft’s permanent PrintNightmare solution — released August 10

On August 10, 2021, Microsoft released an update for Windows (KB5005652) to permanently block the PrintNightmare vulnerability. In doing so, permissions between Client/Print Server environment utilizing Point and Print connections have changed. Microsoft has created a Registry Key to toggle the behavior. By default, it's enabled following the installation of the Windows Update. Microsoft recommends keeping it enabled to eliminate the risk. However, a temporary rollback of the behavior is possible, via the Registry, to balance the functional impact on workflow versus the security risk of Print Nightmare.

Official Microsoft Documentation
https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

How will this affect you?

By default, Microsoft will now require a non-administrator to elevate permissions to pull print drivers or print driver updates from a Print Server to a Client PC.

What will trigger the elevation prompt?

Any change to the print drivers on an existing print server can potentially update a shared driver file currently in use by existing print queues. If a Client PC sees a driver file has been updated on the host print server, printing will be blocked until the file is pulled from the print server and installed locally on the Client PC. This action will now require administrator elevation.

What printing is unaffected and potential workarounds

Locally installed print queues sending print jobs directly to print hardware
Locally installed print queues sending print jobs to a server via LPR/LPD protocol
EOJ Print solutions that have alternative methods of distributing drivers and queues — ask your sales contact for more information

Point and Print explained

Point and Print is Microsoft’s terminology for connecting a Windows client PC to a printer centrally managed on a Windows print server without requiring installation media at the client. When adding a printer hosted on a Windows print server (Start — Printers and Scanners — Add Printer) or (Start — Search <enter \\<print server name or IP > — double click printer name) a connection to the central print queue is made. The driver files and configuration of that central print queue are pulled from the print server and installed onto the client PC. A print job created on the client PC is generated using local print driver files and then relayed back to the print server’s central print queue for processing to the printer for output onto paper.

Official Microsoft Documentation
https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print

Having the right network security partner in place
is essential

Vulnerabilities, hacks, phishing, and other threats in the digital space continue to cause havoc for organizations of all sizes. Having a trusted network security partner in place is essential to ensuring the safety and integrity of your company data. For enterprise-sized entities, this can free up valuable IT resources to tend to daily business needs while also tapping the unparalleled expertise of IT security professionals who are knowledgeable about the quickly evolving threats to your data.

Contact us to learn more about how the professionals at EO Johnson Business Technologies and Managed Service Providers like Locknet Managed IT can ensure the proper mitigation measures are in place for PrintNightmare and other threats to your organization's network security.