What is the PrintNightmare Vulnerability?

What is the PrintNightmare Vulnerability?

The vulnerability exists on all devices running Windows 7 or higher. It resides in the Windows Print Spooler service and affects the Windows Print Queue. To be more precise, the Print Queue service doesn’t restrict access to the RpcAddPrinterDriverEx function, which enables an attacker to run malicious programs on a users’ device. An attacker who successfully exploits this vulnerability is able to perform operations with system-level privileges, which means they can access, edit and delete sensitive data, install programs and create new privileged accounts.

What Has Been Done to Fix the PrintNightmare Vulnerability?

Microsoft released a patch for the PrintNightmare vulnerability on the 1st of July 2021 and was last updated on the 16th of July 2021. As it currently stands, patches are available for Windows 10, Windows 8.1, Windows RT 8.1, Windows 7, and several versions of Windows Server, including 2019, 2012 R2, and 2008 releases. Updates for Windows Server 2012 and 2016 are coming soon, along with an update for Windows 10 version 1607. By the time this article is published, patches will likely be available for all versions of Windows.

Tips to Protect Yourself Against the PrintNightmare Vulnerability

If your computer is not directly connected to a printer, and you receive automatic updates, then simply disabling the Print Queue service will likely be enough to protect your device from the PrintNightmare vulnerability. Otherwise, there are a number of additional steps you should take.

1. Install the relevant updates

The most obvious first step towards mitigating the PrintNightmare vulnerability is to install the relevant patches/updates. If for whatever reason, you need to install the updates manually, you will need to go to Settings > Update & Security > Windows Update, and then restart your machine for the changes to take effect.

2. Disable the Print Spooler service

Disabling the Print Spooler service disables local and remote printing features. This is particularly relevant for devices, applications, and services, that do not require the ability to print. For example, domain controller servers don’t need access to a printer, and so you should make sure that the Print Spooler service is disabled on all domain controllers. You can disable the Print Spooler service using the following PowerShell command:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

3. Disable inbound remote printing via Group Policy

You can also configure Group Policy to block inbound remote printing by disabling the ‘Allow Print Spooler to accept client connections’ option in Computer Configuration > Administrative Templates > Printers. You will need to restart the Print Spooler service for Group Policy in order for the changes to take effect. Even though your server will no longer accept inbound remote printing operations, it can still connect to a local printer.

4. Use a reliable endpoint security solution

After installing updates and disabling features that introduce security threats, we should think about how to minimize the likelihood of a future incident. We shouldn’t overlook the importance of endpoint security solutions, which are designed to protect endpoints (desktops, laptops, and mobile devices) from being exploited by adversaries. Modern endpoint protection platforms (EPP) use deep packet inspection (and other techniques) to detect, analyze, block and quarantine threats as they arise.

An EPP can be used to detect and respond to a multitude of security threats, including ransomware attacks, fileless malware, polymorphic attacks, and, in the context of protection against the PrintNightmare vulnerability, remote code execution attacks. An EPP provides administrators with a centralized dashboard, which they can use to control how endpoints on the network are used. Via this dashboard, administrators can control which programs a user can run, as well as push updates/patches to endpoints when necessary.

5. Monitor user account creation and access to sensitive data

As mentioned already, were an attacker to successfully exploit the PrintNightmare vulnerability, they will be able to access data and create user accounts with system-level privileges. In which case, you will need a solution that can detect, alert and respond to both unauthorized user account creation and unauthorized access to sensitive data.

Of course, trying to determine which technologies to use, and for what purpose, can be a headache for security teams. After all, there is a large number of terms and acronyms that are used to describe them, such as EPP/EDR, IPS/IDS, SIEM, UBA, DCAP, DLP, and more.

To make matters worse, many threat detection technologies will incorporate a mix of some, or all, of the above.

In the context of monitoring accounts and data, the two terms that are most relevant are; User Behavior Analytics (UBA) and Data-Centric Auditing & Protection (DCAP). Most sophisticated UBA/DCAP solutions use machine learning algorithms to detect and respond to suspicious user behavior, such as anomalous privileged account creation when files are accessed for the first time by a given user or other types of behavior that deviate from what would be considered “normal”. Ensuring that administrators receive real-time alerts when suspicious changes are made will help you respond to the PrintNightmare vulnerability attacks (and other similar attack vectors) in a timely manner.

Conclusion

The Lepide Data Security Platform is a data-centric audit and protection solution designed specifically to give you visibility over the behavior of your users in relation to your sensitive data. It also provides complete visibility over any changes being made to users, computers, permissions, configurations and much more.

If you’d like to see how the Lepide Data Security Platform can help give you more visibility over your sensitive data and protect you from security threats, schedule a demo with one of our engineers or start your free trial today.