Hey checkyourlogs.net fans!
On June 8th, 2021 Microsoft published a patch for a Print Spooler vulnerability known as CVE-2021-1675. Unfortunately, the patch didn’t completely address the issue, and on July 1st, 2021 Microsoft published CVE-2021-34527, aka PrintNightmare. This vulnerability enables remote attackers to execute code on systems, including those with the June 8th patch installed. An attacker leveraging this vulnerability on an Active Directory Domain Controller could gain control over an organization’s entire identity management system. Imagine being locked out of all accounts or having SYSVOL encrypted. All IT Pros I know shudder at the thought!
Most organizations don’t need print capability from Domain Controllers. Protecting Domain Controllers from CVE-2021-34527 and CVE-2021-1675 is straightforward and only takes a few minutes.
First and foremost, make sure the latest Windows Updates are installed. With that done, log on to an Active Directory Domain Controller. Right-click Start, click Run, type gpmc.msc, then click OK.
When the Group Policy Management Console opens, expand Forest, expand Domains, expand your domain name, then expand Domain Controllers.
Right-click Default Domain Controllers Policy, then click Edit from the drop-down menu.
When the Group Policy Management Editor opens, expand Computer Configuration, Preferences, Control Panel Settings. Right-click Services, hover over New, then click Service.
The New Service Properties window opens. Open the Startup drop-down list, then click Disabled. Click in the Service name textbox, then type Spooler. Open the Service action drop-down list, then click Stop service.
Click OK. The Group Policy Management Editor now displays a Spooler entry under Services.
The next stage of defending against the PrintNightmare (CVE-2021-34527) and CVE-2021-1675 vulnerabilities prevents remote clients from connecting to the Spooler service. This ensures that even if the Spooler service is started, remote attackers can’t exploit the service.
In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Administrative Templates. Click Printers. In the displayed list of settings, find and double-click “Allow Print Spooler to accept client connections”. Click the Disabled radio button, then click OK.
There are other methods of disabling the service, ranging from the Services GUI to PowerShell. I prefer this GPO method. If someone ever happens to re-enable the Spooler on one of the domain controllers, it will get disabled again the next time group policy applies. Plus, with our belt and suspenders approach, even with the Spooler enabled, the disabled accept client connections setting prevents remote attackers from gaining access.
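Once the GPO has had time to apply, it is worth confirming that both settings actually landed on every Domain Controller. The following PowerShell audit is an added example, not part of the original post: it assumes the ActiveDirectory RSAT module and WinRM access to the DCs, and checks the Spooler service state plus the RegisterSpoolerRemoteRpcEndPoint registry value that the “Allow Print Spooler to accept client connections” policy writes.

```powershell
# Added example (not from the original post): audit every Domain Controller for the two
# PrintNightmare mitigations configured above. Assumes the ActiveDirectory RSAT module is
# installed and WinRM is reachable on each DC; run from an elevated, domain-admin session.
Import-Module ActiveDirectory

# The "Allow Print Spooler to accept client connections" policy writes this value:
# 2 = Disabled (remote connections refused), 1 = Enabled, missing = Not Configured.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key  = $using:policyKey
    $name = $using:policyName

    $svc     = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    $value   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        DomainController  = $env:COMPUTERNAME
        SpoolerStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartMode  = $startup
        ClientConnections = switch ($value) { 2 { 'Disabled' } 1 { 'Enabled' } default { 'NotConfigured' } }
    }
}

# A DC passes only when the service is stopped and disabled AND client connections are off;
# either control alone still leaves a gap (the post's belt-and-suspenders point).
foreach ($r in $results) {
    $compliant = ($r.SpoolerStatus -in 'Stopped', 'NotInstalled') -and
                 ($r.SpoolerStartMode -eq 'Disabled') -and
                 ($r.ClientConnections -eq 'Disabled')
    $r | Add-Member -NotePropertyName Compliant -NotePropertyValue $compliant
}

$results |
    Select-Object DomainController, SpoolerStatus, SpoolerStartMode, ClientConnections, Compliant |
    Format-Table -AutoSize
```

Any DC reporting Compliant = False has either not yet refreshed group policy (run gpupdate /force there) or is not in the Domain Controllers OU the policy is linked to.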