How to Mitigate the Print Nightmare Printer Security Risk

Jul 9, 2021 | Bob Secord

There is a new severe vulnerability out called Print Nightmare. It has a Common Vulnerability Score (CVSS) of 8.8. While Microsoft released the update yesterday and today, it does not clean up all attack vectors at this time. Below are some steps we have compiled to help your team mitigate this vulnerability risk.

Steps to Mitigate the Print Nightmare Vulnerability Risk

Step 1

Entirely disable the print spooler service on all security-sensitive servers (domain controllers, SQL servers, Exchange servers, for instance), ideally via GPO. Note that if performed on endpoints or Print Servers, this can disrupt local printing operations, as well as print-to-PDF and local printing. We recommend to only executing on infrastructure servers (Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler Service).

Reference Articles

Step 2

Create a GPO limited to your print servers and set the “Allow Print Spooler to accept client connections” policy setting to Enabled. (Computer Configuration > Administrative Templates > Printers).

Reference articles

Step 3

Create a GPO for all security-sensitive servers (For example: domain controllers, SQL servers, Exchange servers) and set the “Allow Print Spooler to accept client connections” policy setting to Disabled. (Computer Configuration > Administrative Templates > Printers).

Reference articles

Download our 2023 Managed Security Services Trends Guide

Step 4

Set RestrictDriverInstallationToAdministrators to 1 on Print Servers by GPO, located under HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

Reference articles

Step 5

Create a GPO to affect all servers and endpoints that configures the “Point and Print Restrictions” option (Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions).

Reference articles

Additional Information

Patching to the latest security update does not seal all attack vectors 

Need Some Security Help?

We build security into every layer of our service. Contact us if you need some security help at your business!

Privacy Policy
Copyright © 2023 Coretek Services | Website by NYN Website Design + Marketing | Powered by Web OS