PrintNightmare Print Spooler vulnerability

RAMIC21 21 Reputation points
2021-08-25T09:58:10.287+00:00

Hi, please, I need to know how to check that the PrintNightmare vulnerability of the Windows Print Spooler is fixed after applying the GPO that disables "Allow Print Spooler to accept client connections".
So, after applying this workaround, how do I check that this GPO is applied and the vulnerability is fixed?
Kind regards


Accepted answer
  1. Leon Laude 85,831 Reputation points
    2021-08-25T10:12:35.91+00:00

    Hi @RAMIC21 ,

    In order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting), and also that your Group Policy settings are correct (see FAQ):

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
        • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
        • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

    Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.

    Reference:
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

    ----------

    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,
    Leon


1 additional answer

  1. SUNOJ KUMAR YELURU 14,706 Reputation points MVP
    2021-08-25T11:54:28.903+00:00

    Hi @RAMIC21

    To continue your answer...

    If you don't have the registry key, you can use the PowerShell command listed below.

    The registry key doesn't exist; I used a PowerShell command to disable the Print Spooler service, see the screenshot below.

    [Screenshot: 126319-image.png]

    Run the following in Windows PowerShell:

    Get-Service -Name Spooler  
    

    If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

    Option 1 - Disable the Print Spooler service

    If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

    Stop-Service -Name Spooler -Force  
    Set-Service -Name Spooler -StartupType Disabled  
    

    Impact of workaround: Disabling the Print Spooler service disables the ability to print both locally and remotely.

    Example output:

    [Screenshot: 126355-image.png]

    If the Answer is helpful, please click Accept Answer and up-vote, so that it can help others in the community looking for help on similar topics.
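
The checks from both answers can be combined into one read-only audit. This is an added example, not code from either answer or from Microsoft's advisory; the function names are hypothetical, and the `RegisterSpoolerRemoteRpcEndPoint` value name (2 = policy disabled) is not given on the page and is assumed to be the registry value behind "Allow Print Spooler to accept client connections".

```powershell
# Added example: read-only audit of the settings named in the answers above.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is not defined.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SpoolerHardeningReport {   # hypothetical helper name
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $report   = @()

    # Point and Print values from the accepted answer: pass when 0 or not defined.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-PolicyValue -Path (Join-Path $printers 'PointAndPrint') -Name $name
        $report += [pscustomobject]@{
            Check = "PointAndPrint\$name"
            Value = if ($null -eq $v) { 'not defined' } else { $v }
            Pass  = ($null -eq $v) -or ($v -eq 0)
        }
    }

    # GPO "Allow Print Spooler to accept client connections" set to Disabled.
    # Assumption (not on the page): the policy is stored as
    # RegisterSpoolerRemoteRpcEndPoint, where 2 = disabled and 1 = enabled.
    $rpc = Get-PolicyValue -Path $printers -Name 'RegisterSpoolerRemoteRpcEndPoint'
    $report += [pscustomobject]@{
        Check = 'Inbound remote printing policy'
        Value = if ($null -eq $rpc) { 'not defined' } else { $rpc }
        Pass  = ($rpc -eq 2)
    }

    # Option 1 from the second answer: service stopped and start type Disabled.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $report += [pscustomobject]@{
        Check = 'Spooler service stopped and disabled'
        Value = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }
        Pass  = (-not $svc) -or ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
    }
    $report
}

Get-SpoolerHardeningReport | Format-Table -AutoSize
```

The last two rows are alternative workarounds, so only one of them needs to pass, while both Point and Print rows should pass in every case. The policy row reflects what Group Policy has written to the registry; the Print Spooler service must be restarted before a newly applied policy takes effect.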

