The bad guys are at it again. There is a vulnerability within the Windows Print Spooler service that a bad actor could exploit and gain the ability to install programs, view, change or delete data, and create new accounts with full user rights.
First, determine if the Print Spooler service is running by running the following script in PowerShell: get-service -name Spooler.
Microsoft has released updates for this vulnerability. If you are unable to install these patches, there is a workaround.
From Microsoft’s notice:
In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.):
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
The links to the updates are at the bottom of the page, which you can access here.
Once the updates are applied, you may have to re-configure settings regarding the installation of new printer drivers. Check out Microsoft’s KB article.
If updates are not possible for you at this time, here’s the workaround Microsoft published:
Option 1 – Disable the Print Spooler service
If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.
Option 2 – Disable inbound remote printing through Group Policy
You can also configure the settings via Group Policy as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.
You must restart the Print Spooler service for the group policy to take effect.
Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.