
How to fix the PrintNightmare Vulnerability

Update, Sept. 23rd, 2021:

Microsoft is in its third month of patching Print Spooler remote code execution vulnerabilities; the most recent patch was released in the September 2021 Windows update. An important detail about these patches is that Windows now requires admin-level permissions to update printer drivers, so this may affect existing patch management processes.

What is the PrintNightmare Vulnerability?

Over the last 48 hours a new vulnerability has been shaking up the IT and cybersecurity headlines. The vulnerability, dubbed “PrintNightmare”, has been assigned CVE-2021-1675 by the CNA and allows almost any “Domain User” on an Active Directory network to take over the network with little effort. Public exploit code has been published with clear usage instructions, so anybody with general familiarity with system exploitation can carry out this attack. At the time of writing, the exploit has been confirmed to work against at least a fully patched Windows Server 2019 Datacenter system, including one patched with the update Microsoft released on June 8th, 2021 that was supposed to resolve this issue. It seems the fix was incomplete or incorrectly rolled into production.

The vulnerability exists in the Print Spooler service in Windows Server, and for now it is presumed that most if not all modern versions of the Windows Server OS are affected. The only major prerequisite for a successful attack is that the attacker already has a low-privileged foothold on the network as a regular Domain User. That is the default level of access every newly created Active Directory user has.

The service susceptible to this vulnerability is enabled by default on all Windows Servers including the business-critical Domain Controllers. 

Luckily, this is not hard to mitigate with some configuration changes!

How to Fix the PrintNightmare Vulnerability

If your organization doesn’t rely heavily on printing, you can simply disable the Print Spooler service on each server by following the instructions below:

  • Press Windows key + R to invoke the Run dialog.
  • In the Run dialog box, type “cmd” and then press CTRL + SHIFT + ENTER to open Command Prompt in admin/elevated mode.
  • In the command prompt window, individually type the commands below and hit Enter to disable and stop the Print Spooler service.

 

sc config "Spooler" start= disabled

sc stop "Spooler"

For organizations that rely heavily on printing, there are other, slightly more involved mitigations that can be put in place until Microsoft releases a proper patch for the vulnerability.
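Doing the two sc commands above by hand on every server does not scale, and it gives you no record of which hosts (the domain controllers in particular) still had the spooler running. The following PowerShell script is an added example, not code from the original article: it audits the Print Spooler service across a list of servers, optionally disables and stops it (the same effect as the sc commands), and reports any host where the service is still enabled afterwards. It assumes an elevated PowerShell session on a domain-joined admin workstation with PowerShell remoting (WinRM) enabled on the targets; the host names are constructed samples.

```powershell
# Added example, not code from the original article: audit the Print Spooler
# service across a list of servers and, unless -AuditOnly is given, disable and
# stop it (the PowerShell equivalent of the two sc commands in the article).
# Assumptions: elevated PowerShell session, PowerShell remoting enabled on the
# targets, PowerShell 5.0+ on the targets (for the StartType property).

function Invoke-SpoolerHardening {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$ComputerName,

        # Report only; change nothing on the targets
        [switch]$AuditOnly
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $AuditOnly.IsPresent -ScriptBlock {
        param([bool]$audit)

        $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
        # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
        $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4

        if (-not $svc) {
            return [pscustomobject]@{
                Computer = $env:COMPUTERNAME; IsDomainController = $isDc; Found = $false
                StatusBefore = $null; StatusAfter = $null; StartType = $null
            }
        }

        $before = $svc.Status
        if (-not $audit) {
            # Same effect as: sc config "Spooler" start= disabled  /  sc stop "Spooler"
            Set-Service -Name Spooler -StartupType Disabled
            Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        }
        $after = Get-Service -Name Spooler

        [pscustomobject]@{
            Computer           = $env:COMPUTERNAME
            IsDomainController = $isDc
            Found              = $true
            StatusBefore       = $before
            StatusAfter        = $after.Status
            StartType          = $after.StartType
        }
    }
}

# Constructed sample host names; replace with your own server list.
$servers = @('DC01', 'DC02', 'FS01')

# Pass 1: audit only, so you can see where the spooler is running (DCs listed first).
$report = Invoke-SpoolerHardening -ComputerName $servers -AuditOnly
$report | Sort-Object -Property IsDomainController -Descending | Format-Table -AutoSize

# Pass 2: disable on every host where printing is not needed, then verify the result.
$result = Invoke-SpoolerHardening -ComputerName $servers
$notFixed = $result | Where-Object {
    $_.Found -and ($_.StatusAfter -ne 'Stopped' -or $_.StartType -ne 'Disabled')
}
if ($notFixed) {
    Write-Warning "Spooler still enabled or running on: $($notFixed.Computer -join ', ')"
}
```

Run the audit pass first and remove any print servers your organization actually depends on from the list before the remediation pass; the verification step at the end is what turns a one-off change into something you can show an auditor.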
