PrintNightmare: Understand and Overcome
In June of 2021, Microsoft issued a warning entitled “Windows Print Spooler Remote Code Execution Vulnerability.” This vulnerability, known as PrintNightmare, leaves the print spooler open for a hacker to attack by allowing anyone to remotely install a printer ‘driver’ with the ability to execute malicious code and take complete control of a PC. The attacker could access data, create new accounts, and destroy users’ accessibility to their devices.
This is an ongoing issue. While there has been a security update from Microsoft addressing this vulnerability, it is not perfect, and many devices are still at risk. We will discuss ways to mitigate the problem and keep devices safe from this vulnerability. By following the steps in this post, you will be better equipped to handle these attacks and reduce the probability of becoming the next victim.
What is the Print Spooler?
The print spooler service is a software program that manages any print jobs that need to be sent to a printer server. In many cases, Microsoft relies on this program for the organization and control of its devices. It is an essential program for anyone needing to print, and it keeps the print jobs organized and in order. While the print spooler is a practical and often necessary tool, it can also be dangerous if it falls into the wrong hands.
Some of the most basic functions of a print spooler include:
- Managing the files that are in the process of printing on the device
- Monitoring the files that are in the process of printing on the device
- Keeping everything in order and organized as the items print
Most Microsoft machines have the print spooler system automatically enabled, and many do not think twice about it when activating their device for the first time. After all, when hackers are not attempting to break into it, it can be a very beneficial (and often necessary) tool.
Since its original release, there have been few maintenance updates on the print spooler. It was this lack of improvement that could have left it vulnerable to hackers and attackers. However, in July 2021, Microsoft issued a security update addressing this vulnerability. They are recommending that users install these updates immediately. After all, you do not want to be the next company with a data security breach.
Understanding the PrintNightmare Vulnerability
The PrintNightmare vulnerability first appeared in a June 2021 release by two research teams. It was so named because of the versatile nature of this weakness across a variety of different products. Recently, the PrintNightmare shifted from ‘low’ severity to ‘critical’ severity. Users need to be aware of this as it grows worse.
To fully understand this vulnerability, it is important to be familiar with the print spooler and how attackers can use it to their advantage. This issue is a critical flaw that may need to be handled in-house while Microsoft works towards finding a permanent solution for all users. Otherwise, the system could be taken over by hackers.
What Are the Vulnerabilities in the System?
Two central vulnerabilities lie inside of the print spooler system. Each serves as a different attack point for a hacker trying to find a way into vulnerable devices. It is critical to understand each of them so that you know the weak points that they target.
The core vulnerabilities include:
- Local privilege escalation, ensuring that a hacker who gets into a computer with low privilege can elevate to an admin level on the device
- Remote code execution, which can allow the systems to be weaponized either locally or by using a domain controller
These vulnerabilities can offer power to the attackers that allow them to take over many systems at once.
How Can Hackers Use This to Their Advantage?
It can be a little bit difficult to understand what hackers can do with access to a print spooler. This device’s only job is to manage printing items and does not seem like it would be very threatening. It is a program that many people overlook, yet hackers can pose a massive threat if they gain access to this software.
This threat includes:
- Hackers gaining access to sensitive information
- Manipulating private and personal data to their advantage
- Installing malicious programs onto the device
These are just a few of the things that can happen if an attacker gains control of a system through the print spooler. It can be a massive invasion of privacy.
How to Mitigate PrintNightmare
Since the security update addressing this issue was released in July 2021, the best practice for mitigating the problem of PrintNightmare is to install this update. However, this update may not completely eliminate the threat of PrintNightmare. Some systems are not able to install the update, and it can cause issues with some printing devices. Because this update is not perfect, there are other options that can reduce the threat, depending on the devices operating system.
Option 1: Disable the print spooler service on your device.
Taking this action will stop hackers from being able to access the print spooler, and therefore stop them from being able to access data. However, this action would also disable to ability to print completely.
Option 2: Disable the option for print spooler to accept client connections.
Taking this action will prevent remote printing operations, which will remove the attack vector. This means that remote printing will no longer be possible (though printing locally to a directly attached device would still be possible).
These workarounds are not ideal, because the print service will not be able to be used in the way it was intended, if at all. However, the alternative could be losing access to the device altogether due to an extensive attack. Again, the best practice would still be to install Microsoft’s security update addressing this issue. However, because this isn’t an option on all devices, we will go over how to implement these workarounds.
Disable the Print Spooler on Windows 10 Home Edition
If unable to install the security update, the print spooler on every single vulnerable item in the workspace can be disabled. Any device that has a print spooler can be hacked into and potentially pushed into other devices. Follow each of these steps carefully so that you don’t have to start over again.
Once all of the items are prepared, you should enact the following steps:
- Open the Start Menu
- Type ‘PowerShell’
- Pick ‘Run as Administrator’
- When asked if you want to allow the app to make changes to the device, answer yes
- Type ‘Stop-Service-Name Spooler – Force’ and push enter
- Type ‘Set-Service-Name Spooler -StartupType Disabled’ and push enter. This will keep the spooler from starting up again when the computer is rebooted.
This sequence should disable the print spooler on devices containing the Windows 10 Home Version and a few other varieties. If you have the Windows 10 Pro or the Enterprise edition, there are a different set of steps to follow to disable the print spooler.
Disable the Print Spooler on Windows 10 Pro and Enterprise Edition
If you have Windows 10 Pro or the Enterprise edition, the print spooler will need to be disabled using the group policy editor. This method only works for those two systems.
To disable the print spooler, you will need to:
- Open the run box by using ‘Win + R’
- Type gpedit.msc
- Press enter
- Wait for the Local Policy Editor to open
- Type ‘Computer Configuration > Administrative Templates > Printers
- Click ‘Allow print spooler to accept client connections’
- Click ‘Disabled’
- Press ‘Apply’ and ‘OK’
These steps should effectively disable the print spooler on the printer and other devices that operate under these programs. If it doesn’t work, double-check that you have followed all the instructions completely.
Can You Enable the Print Spooler If Needed?
Enabling the print spooler again might become necessary if a print job is required. This action might seem intimidating, as it could potentially reopen the systems to hackers. However, enabling it for a short period of time should be relatively low risk.
Enabling for Windows 10 Home Edition
To enable the print spooler again after it has been disabled, there are a few steps that can be followed. On the device:
- Open the Start Menu
- Type in ‘PowerShell’
- Pick the option ‘Run as Administrator’
- When asked if you want to allow the app to make changes to the device, answer yes
- Type ‘Set-Service-Name Spooler-Startup Type Automatic’ then hit enter
- Then type ‘Start-Service-Name Spooler’ then hit enter
This sequence should enable the print spooler again. If the security update has already been installed, this can remain enabled. If it was disabled temporarily for the ability to print, it can be disabled as soon as the printing process is finished to ensure the device is protected.
Enabling for Windows 10 Pro and Enterprise Edition
Just like with disabling the print spooler, a group policy editor is needed to enable the print spooler on Windows 10 Pro and Enterprise Edition. This specification is critical to note, as this will not work for other versions.
To re-enable the print spooler on these devices, these steps should be followed:
- Open the run box using ‘Win + R’
- Type gpedit.msc
- Hit enter
- Type ‘Computer Configuration > Administrative Templates > Printers
- Click to allow the print spooler to accept client connections
- Pick ‘Not Configured’
- Press ‘Apply’ and then ‘OK’
This process should successfully enable the print spooler on these devices. As with the other method, this can remained enabled if the security update has already been installed. If not, it can be disabled until the next time it is necessary to print.
Will this security update completely eliminate the PrintNightmare problem?
As previously mentioned, the best practice for reducing the PrintNightmare issue is to install the security update. However, the update is not flawless. There is a long way to go until PrintNightmare is completely eliminated.
The July Emergency update:
- Only worked on a few select devices, leaving the others just as vulnerable as before
- Caused issues for users attempting to print to various printers
- Affected receipt and label printers that connected with USB
This update has its flaws, which can affect any Microsoft device. Future patches in development will likely be able to fix the issues that the current update has. Hopefully, this comes in the next few months. Until then, users that are still vulnerable should disable the print spooler for the safest results.
This is just one of many ways that your company can be targeted and data can be lost. If you’re looking to be more proactive in your cybersecurity, we’ve created an outline of five critical components your incident response plan should have. Read more about it below.
Moving Past PrintNightmare
The PrintNightmare situation is a wake-up call for those unaware of how vulnerable the print spooler can be. Hackers can easily lock themselves into the system and change data belonging to the user. They can then make use of the device remotely or through a computer elsewhere.
This is dangerous for users who are not aware of this problem. With the knowledge you read here, you should understand how to mitigate the issue until the issue is completely resolved. If you’re unsure of whether or not your network is secure, take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.
For all you Star Wars fan out there – this is a meme summary of the seriousness of the attack.
