BLOG 6 July 2021
Unless you have been living underneath a rock these last few days, you have probably heard of the ‘PrintNightmare’ vulnerability. This is an unpatched vulnerability which affects all versions of Windows. On July 6th, Microsoft released an out-of-band update that fixes the issue on all operating systems except Windows Server 2012 and 2016. This fixes the remote code execution vulnerability, but doesn’t fix the local privilege escalation.
Pushing the update through MEM
If you are managing updates through Microsoft Endpoint Manager, you will be using Windows Update for Business. Depending on your current update settings, it might take a while before the update is installed on all your clients.
Next up, we can configure the specific settings for the quality updates policy. There are two important settings here:
Workarounds
If you cannot deploy the patch, there are still workarounds available.
These workarounds are valid when:
Disabling the print spooler on clients means that they can no longer print to local printers either (which is not recommended when a big chunk of your workforce is working from home). When you are using Microsoft Endpoint Manager, you might notice that the ‘Allow Print Spooler to accept client connections’ setting is available in the ADMX templates and in the Settings Catalog. Unfortunately, this has no effect on most endpoints, because it uses a Windows CSP that is only available on Windows Insider builds.
Applying this setting to regular Windows 10 machines results in a ‘Not Applicable’ state (although I have seen mixed results where the system account applies). The policy is available through GPO, but a lot of our customers are AAD joined or trying to get away from GPOs. I backtracked the policy to the following registry key:
HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RegisterSpoolerRemoteRpcEndPoint. If this is set to a value of 2, remote connections to the spooler are disabled.
Enter proactive remediations
Within MEM, we can use proactive remediations to set the right value for this registry key. The print spooler needs to be restarted before the policy becomes active. To do so, set up a new proactive remediation with the following detection script:
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\"
$RegKey = "RegisterSpoolerRemoteRpcEndPoint"
$RegValue = 2

# Proactive remediations: exit 0 = compliant, exit 1 = run the remediation script
try {
    if (!(Test-Path $RegPath -ErrorAction Stop)) {
        Write-Host "Path doesn't exist"
        Exit 1
    }
    $key = Get-ItemProperty -Path $RegPath | Select-Object -Property $RegKey -ErrorAction Stop
    if ($key."$RegKey" -eq $RegValue) {
        Write-Host "Key has correct value"
        Exit 0
    }
    else {
        Write-Host "Key has incorrect value or doesn't exist"
        Exit 1
    }
}
catch {
    Write-Host "Key doesn't exist"
    Exit 1
}
Within the remediation script, we’ll update the reg key and restart the print spooler to activate the setting.
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\"
$RegKey = "RegisterSpoolerRemoteRpcEndPoint"
$RegValue = 2

try {
    if (!(Test-Path $RegPath -ErrorAction Stop)) {
        # -Force also creates the intermediate keys when the Policies\...\Printers path is missing
        New-Item $RegPath -Force -ErrorAction Stop | Out-Null
        Write-Host "Created path"
    }
    # The policy is read as a REG_DWORD, so set the type explicitly
    Set-ItemProperty -Path $RegPath -Name $RegKey -Value $RegValue -Type DWord -ErrorAction Stop
    Write-Host "Key has been set"
    # The spooler only reads the policy at start, so restart it to activate the setting
    Restart-Service -Name "Spooler" -Force -ErrorAction Stop
    Write-Host "Spooler has been restarted"
}
catch {
    Write-Error "Error setting key: $_"
    Exit 1
}
After assigning these scripts, the proactive remediation runs to check whether the reg key has been configured correctly. If it hasn’t, the remediation script updates it to the correct value.
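As an added example that is not part of the original post, here is an audit function that goes one step further than the detection script above: it checks that RegisterSpoolerRemoteRpcEndPoint exists as a REG_DWORD with value 2 (a string value of "2" set by hand is not read as the policy) and reports the Spooler service state, since the policy is only picked up when the service (re)starts. The function name and output fields are my own.

```powershell
# Added example: audit the spooler remote-RPC workaround on the local machine.
# Not part of the original post; function name and output fields are my own.
function Test-SpoolerRemoteRpcWorkaround {
    [CmdletBinding()]
    param(
        [string]$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers',
        [string]$RegKey  = 'RegisterSpoolerRemoteRpcEndPoint',
        [int]$Expected   = 2   # 2 = spooler does not accept remote RPC connections
    )

    $result = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        ValuePresent  = $false
        ValueKind     = $null
        Value         = $null
        SpoolerStatus = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status
        Compliant     = $false
        Reason        = $null
    }

    $item = Get-Item -Path $RegPath -ErrorAction SilentlyContinue
    if (-not $item) {
        $result.Reason = 'Policy path does not exist'
        return [pscustomobject]$result
    }
    if ($item.GetValueNames() -notcontains $RegKey) {
        $result.Reason = "$RegKey is not set"
        return [pscustomobject]$result
    }

    $result.ValuePresent = $true
    $result.ValueKind    = $item.GetValueKind($RegKey)   # must be DWord, not String
    $result.Value        = $item.GetValue($RegKey)

    if ($result.ValueKind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = "Value is $($result.ValueKind), expected DWord"
    }
    elseif ($result.Value -ne $Expected) {
        $result.Reason = "Value is $($result.Value), expected $Expected"
    }
    elseif ($result.SpoolerStatus -ne 'Running') {
        $result.Reason = 'Spooler is not running; the policy is read when the service starts'
    }
    else {
        $result.Compliant = $true
        $result.Reason    = 'Remote RPC endpoint disabled'
    }
    [pscustomobject]$result
}

Test-SpoolerRemoteRpcWorkaround | Format-List
```

Because it returns an object rather than an exit code, the same function can be run through Invoke-Command against a list of machines and piped to Export-Csv for a quick fleet-wide check.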
© The Collective - BE 0726.449.826 - Privacy Policy