BLOG 6 July 2021

Mitigate Printer Nightmare with MEM

Unless you have been living under a rock these last few days, you have probably heard of the ‘PrintNightmare’ vulnerability. This is a vulnerability in the Windows Print Spooler with a public exploit that affects all versions of Windows. On July 6th, Microsoft released an out-of-band update that fixes the issue on all operating systems except Windows Server 2012 and Windows Server 2016. This fixes the remote code execution vulnerability, but does not fix the local privilege escalation.

Pushing the update through MEM

If you are managing updates through Microsoft Endpoint Manager, you will be using Windows Update for Business. Depending on your current update settings, it might take a while before the update is installed on all your clients.

Update settings like these affect the time it takes before an update is installed. In cases like this, you can use the new expedite feature for quality updates in MEM, which pushes a specific security update ahead of your normal update ring schedule. To do so, open the Endpoint Manager admin center, navigate to Devices and select Windows 10 quality updates. Select Create profile to create a new profile.

Next up, we can configure the specific settings for the quality updates policy. There are two important settings here:

  • Specify quality update: which update you want to install; in the PrintNightmare case this is the July 2021 out-of-band (OOB) update.
  • Set up deadline: how quickly a device must restart after this patch has been installed. This is independent of the deadline settings you have configured in your generic update rings.

Workarounds

If you cannot deploy the patch, there are still workarounds available.

  • Disable the print spooler
  • Disable the setting ‘Allow Print Spooler to accept client connections’ (Computer Configuration > Administrative Templates > Printers)

These workarounds differ in what they cover:

  • Disabling the print spooler removes the service entirely, so it protects against local abuse as well as remote abuse
  • Disabling client connections only blocks the remote attack vector, but leaves local printing working
  • If you cannot deploy the patch, both workarounds are valid

Disabling the print spooler on clients means that they cannot print to local printers anymore (not recommended when a big chunk of your workforce is working from home). When you are using Microsoft Endpoint Manager, you might notice that the ‘Allow Print Spooler to accept client connections’ setting is available in the ADMX templates and in the Settings Catalog. Unfortunately, this will not have an effect on most endpoints, as it uses a Windows CSP that is only available in Windows Insider builds.
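For devices that never need to print (jump hosts, domain controllers, servers that are not print servers), the first workaround can be rolled out with the same proactive remediation mechanism. The script below is an added example and not part of the original post: one PowerShell file that acts as detection or remediation script depending on the $Mode value you set before uploading each copy. It assumes it runs as SYSTEM and uses Get-Printer (PrintManagement module) to refuse to touch any device that shares a printer.

```powershell
# Added example: Proactive Remediation pair for workaround 1 (disable the Print Spooler
# service outright). Upload this file twice: once with $Mode = 'Detect' as the detection
# script and once with $Mode = 'Remediate' as the remediation script.
# Assumptions: runs as SYSTEM; devices that share printers must not be touched.
$Mode = 'Detect'   # 'Detect' or 'Remediate'

function Test-SpoolerDisabled {
    # Compliant only when the service is stopped AND cannot come back at the next boot
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if ($null -eq $svc) { return $true }   # service not present: nothing to abuse
    return ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
}

function Test-SharedPrinterHost {
    # A print server (or any machine sharing a printer) would lose printing for everyone.
    # Get-Printer throws when the spooler is already stopped; treat that as "no shares".
    try {
        return [bool](Get-Printer -ErrorAction Stop | Where-Object { $_.Shared })
    }
    catch { return $false }
}

function Disable-Spooler {
    if (Test-SharedPrinterHost) {
        Write-Host "Device shares printers; refusing to disable the spooler"
        return $false
    }
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled -ErrorAction Stop
    return (Test-SpoolerDisabled)
}

# Exit 0 = compliant, Exit 1 = non-compliant (triggers remediation in Detect mode)
if (Test-SpoolerDisabled) {
    Write-Host "Spooler is stopped and disabled"
    Exit 0
}

if ($Mode -eq 'Remediate') {
    try {
        if (Disable-Spooler) { Write-Host "Spooler disabled"; Exit 0 }
        Exit 1
    }
    catch {
        Write-Error "Failed to disable spooler: $_"
        Exit 1
    }
}

Write-Host "Spooler is still enabled"
Exit 1
```

Scope the assignment to a device group that excludes print servers anyway; the shared-printer check is a safety net, not a targeting mechanism.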

Applying this setting to regular Windows 10 machines results in a ‘Not Applicable’ state (although I have seen mixed results where the system account applies it). The policy is available through GPO, but a lot of our customers are Azure AD joined or trying to get away from GPOs. I traced the policy back to the following registry value:

HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint (REG_DWORD). The GPO writes 1 when client connections are allowed; setting it to 2 disables remote connections to the spooler.

Enter proactive remediations

Within MEM, we can use proactive remediations to set the right value for this registry key. The spooler only reads this value when it starts, so the service needs to be restarted before the policy is active. To do so, set up a new proactive remediation with the following detection script:

$RegPath  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
$RegKey   = "RegisterSpoolerRemoteRpcEndPoint"
$RegValue = 2   # 2 = 'Allow Print Spooler to accept client connections' Disabled

try {
    if (!(Test-Path $RegPath)) {
        Write-Host "Path doesn't exist"
        Exit 1
    }
    # -Name makes Get-ItemProperty throw when the value is missing, so the catch below handles it
    $key = Get-ItemProperty -Path $RegPath -Name $RegKey -ErrorAction Stop
    if ($key.$RegKey -eq $RegValue) {
        Write-Host "Key has correct value"
        Exit 0
    }
    else {
        Write-Host "Key has incorrect value ($($key.$RegKey))"
        Exit 1
    }
}
catch {
    Write-Host "Key doesn't exist"
    Exit 1
}

Within the remediation script, we update the registry value and restart the print spooler to activate the setting.

$RegPath  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
$RegKey   = "RegisterSpoolerRemoteRpcEndPoint"
$RegValue = 2

try {
    if (!(Test-Path $RegPath)) {
        # -Force also creates any missing intermediate keys
        New-Item -Path $RegPath -Force | Out-Null
        Write-Host "Created path"
    }
    # Explicit DWORD type, matching what the GPO writes
    Set-ItemProperty -Path $RegPath -Name $RegKey -Value $RegValue -Type DWord -ErrorAction Stop
    Write-Host "Key has been set"

    # The spooler only reads this policy at start, so restart it to apply the change
    Restart-Service -Name "Spooler" -Force -ErrorAction Stop
    Write-Host "Spooler has been restarted"
    Exit 0
}
catch {
    Write-Error "Error setting key: $_"
    Exit 1
}

After assigning these scripts, the proactive remediation runs on its schedule to check whether the registry value has been configured correctly. If it hasn’t, the remediation script sets it to the correct value and restarts the spooler.
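Once patch, expedite policy and workarounds are all in flight, it helps to have one audit script that reports where each device actually stands. The following is an added example (not from the original post) that can be run interactively or uploaded as a detection script: it exits 0 when the remote vector is closed by any of the three measures (spooler off, inbound client connections disabled, or the OOB update installed). The KB list is an assumption: KB5004945 is the July 6 OOB update for Windows 10 2004, 20H2 and 21H1, so add the KBs for the other builds in your estate. The two Point and Print values are reported as well, because Microsoft’s guidance for this update says they must be 0 or absent for the fix to hold.

```powershell
# Added example: one-shot audit of a device's PrintNightmare posture.
# Assumptions: runs as admin or SYSTEM; $OobKBs only lists the KB for Windows 10
# 2004/20H2/21H1 (KB5004945) - extend it for the other builds you manage.
$OobKBs = @('KB5004945')

$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = "$PrintersKey\PointAndPrint"

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or the value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PrintNightmareStatus {
    $svc       = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $remoteRpc = Get-RegValueOrNull $PrintersKey 'RegisterSpoolerRemoteRpcEndPoint'
    [PSCustomObject]@{
        SpoolerState      = if ($svc) { $svc.State } else { 'NotInstalled' }
        SpoolerStartMode  = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        RemoteRpcDisabled = ($remoteRpc -eq 2)
        OobPatchInstalled = [bool](Get-HotFix -Id $OobKBs -ErrorAction SilentlyContinue)
        # Point and Print values that weaken the fix: both should be 0 or absent
        NoWarningNoElevationOnInstall = Get-RegValueOrNull $PointAndPrintKey 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings          = Get-RegValueOrNull $PointAndPrintKey 'UpdatePromptSettings'
    }
}

function Test-RemoteVectorClosed($s) {
    $spoolerOff = ($s.SpoolerState -eq 'Stopped' -and $s.SpoolerStartMode -eq 'Disabled')
    return $spoolerOff -or $s.RemoteRpcDisabled -or $s.OobPatchInstalled
}

function Test-PointAndPrintHardened($s) {
    # $null or 0 passes; 1 means the user can install printer drivers without elevation
    return (-not $s.NoWarningNoElevationOnInstall) -and (-not $s.UpdatePromptSettings)
}

$status = Get-PrintNightmareStatus
$status | Format-List | Out-String | Write-Host

if (-not (Test-PointAndPrintHardened $status)) {
    Write-Host "WARNING: Point and Print settings weaken the fix; review PointAndPrint policy"
}

# Exit 0 = remote vector closed, Exit 1 = still exposed (triggers remediation if used as detection)
if (Test-RemoteVectorClosed $status) { Exit 0 } else { Exit 1 }
```

The Write-Host output is what shows up in the proactive remediation device status column, so the object dump gives you a per-device view in the portal without a second reporting pipeline.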

Thijs Lecomte

Microsoft 365 Consultant

Focus

  • Cloud Security & Compliance
  • Identity Management
  • Security Operation Center Architect

Bio

  • MVP Security
  • Security enthusiast focusing on securing cloud environments. Microsoft Sentinel expert and Microsoft Defender engineer.
  • LinkedIn