There is a new severe vulnerability out called Print Nightmare. It has a Common Vulnerability Score (CVSS) of 8.8. While Microsoft released the update yesterday and today, it does not clean up all attack vectors at this time. Below are some steps we have compiled to help your team mitigate this vulnerability risk.
Entirely disable the print spooler service on all security-sensitive servers (domain controllers, SQL servers, Exchange servers, for instance), ideally via GPO. Note that if performed on endpoints or Print Servers, this can disrupt local printing operations, as well as print-to-PDF and local printing. We recommend to only executing on infrastructure servers (Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler Service).
Create a GPO limited to your print servers and set the “Allow Print Spooler to accept client connections” policy setting to Enabled. (Computer Configuration > Administrative Templates > Printers).
Create a GPO for all security-sensitive servers (For example: domain controllers, SQL servers, Exchange servers) and set the “Allow Print Spooler to accept client connections” policy setting to Disabled. (Computer Configuration > Administrative Templates > Printers).
Set RestrictDriverInstallationToAdministrators to 1 on Print Servers by GPO, located under HKEY_LOCAL_MACHINE \Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.
Create a GPO to affect all servers and endpoints that configures the “Point and Print Restrictions” option (Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions).
Patching to the latest security update does not seal all attack vectors
We build security into every layer of our service. Contact us if you need some security help at your business!