Forum Discussion
PrintNightmare for administrators: Trying to sum up the current knowledge for decision-making:
But note:
1: Not all supported Windows versions have a patch yet, but they will come soon.
2: Currently, the fix only protects against Remote Code Execution, not against the Local Privilege Escalation bug.
So, keep Print Spooler disabled on all systems that don't need it.
And keep the Group Policy:
Computer Configuration\Administrative Templates\Printers\Allow Print Spooler to accept client connections - Setting: Disabled
On systems that don't have to function as a print server.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
You talk to yourself like me - we are both mad - welcome to the club 🙂
There are articles you need to read here and here.
https://amp.thehackernews.com/thn/2021/07/microsofts-emergency-patch-fails-to.html
https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
I have two thirds of my Windows 10 machines with the patch installed although M365 security portal says otherwise. The patch bumps the Windows 10 version to 10.0.x.1083 so I know they are patched.
The second link has a key that can be activated to remove the remaining vulnerability, so taking Thijs Lecomte's work, I modified his code to create a proactive remediation script (that I am still testing).
Detection
<#
Code sourced from here: https://thecollective.eu/blog/implement-workarounds-for-pinter-nightmare-with-mem/
Code copyright of THIJS LECOMTE
Code modified from here : https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
Detection script for PrintNightmare KB5005010
Code not used but under investigation.
#>
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
$RegKey = "RestrictDriverInstallationToAdministrators"
$RegValue = 1
try {
    # Exit 1 (non-compliant) when the PointAndPrint policy key is missing entirely.
    if (!(Test-Path $RegPath -ErrorAction Stop)) {
        Write-Host "Path doesn't exist"
        Exit 1
    }
    # Read the value; the property is $null if it has not been created yet.
    $key = Get-ItemProperty -Path $RegPath | Select-Object -Property $RegKey -ErrorAction Stop
    if ($key."$RegKey" -eq $RegValue) {
        Write-Host "Key has correct value"
        Exit 0
    }
    else {
        Write-Host "Key has incorrect value or doesn't exist"
        Exit 1
    }
}
catch {
    Write-Host "Key doesn't exist"
    Exit 1
}
Remediation
<#
Code sourced from here: https://thecollective.eu/blog/implement-workarounds-for-pinter-nightmare-with-mem/
Code copyright of THIJS LECOMTE
Code modified from here : https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7
Remediation script for PrintNightmare KB5005010
Code not used but under investigation
#>
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
$RegKey = "RestrictDriverInstallationToAdministrators"
$RegValue = 1
if (!(Test-Path $RegPath -ErrorAction Stop)) {
    # -Force also creates the parent keys (e.g. ...\Printers) if they are missing.
    New-Item $RegPath -Force
    Write-Host "Created path"
}
try {
    # An integer value is written as REG_DWORD, which is what the KB expects.
    Set-ItemProperty -Path $RegPath -Name $RegKey -Value $RegValue
    Write-Host "Key has been set"
    # Restart the spooler so the new Point and Print restriction takes effect.
    Restart-Service -Name "Spooler" -Force
    Write-Host "Spooler has been reset"
}
catch {
    Write-Error "Error setting key"
    # Non-zero exit so the remediation run is reported as failed.
    Exit 1
}
Since I am waiting on the M365 portal to determine the status of my machines and am not at this point looking at the Streaming API or the use of Power BI (it's a test tenant and I am trying to control costs), I am going to wait another 12 hours before I upload the proactive remediation, which will take another 24 hours in the M365 portal to see the results (really annoying, Microsoft).
Be warned I am a hobbyist and in training. I am not responsible for a production environment.
If you have a DC and access to group policy you have more abilities than me. I am pure Intune.
Any feedback is better than no feedback.
Sincerely.
Leon Scott.
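The thread above covers three separate mitigations (Spooler service state, the "accept client connections" policy, and the KB5005010 RestrictDriverInstallationToAdministrators value) in separate scripts. The following audit script is an added example, not code from the thread or from Thijs Lecomte, that checks all of them on the local machine and returns one object plus an exit code usable by an Intune detection script; it assumes the registry value names below are the documented backing values of the named policies.

```powershell
# Assumption: value names below are the documented registry backing
# of the policies named in the thread; confirm against your own GPO.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrintNightmareStatus {
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $pnp      = "$printers\PointAndPrint"
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # "Allow Print Spooler to accept client connections": 2 = policy Disabled.
    $remoteRpc = Get-RegValueOrNull -Path $printers -Name 'RegisterSpoolerRemoteRpcEndPoint'
    # KB5005010 hardening: 1 = only administrators may install printer drivers.
    $restrict  = Get-RegValueOrNull -Path $pnp -Name 'RestrictDriverInstallationToAdministrators'
    # Point and Print settings that Microsoft's July 2021 guidance calls unsafe.
    $noWarn    = Get-RegValueOrNull -Path $pnp -Name 'NoWarningNoElevationOnInstall'
    $updPrompt = Get-RegValueOrNull -Path $pnp -Name 'UpdatePromptSettings'

    $findings = @()
    if ($spoolerRunning -and $remoteRpc -ne 2) {
        $findings += 'Spooler running and remote client connections not disabled by policy'
    }
    if ($restrict -ne 1) {
        $findings += 'RestrictDriverInstallationToAdministrators is not 1'
    }
    if ($noWarn -eq 1 -or $updPrompt -eq 2) {
        $findings += 'Point and Print warning/elevation prompts are relaxed'
    }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerRunning                             = $spoolerRunning
        RegisterSpoolerRemoteRpcEndPoint           = $remoteRpc
        RestrictDriverInstallationToAdministrators = $restrict
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $updPrompt
        Compliant                                  = ($findings.Count -eq 0)
        Findings                                   = ($findings -join '; ')
    }
}

# Exit code 1 lets a proactive remediation or scheduled check flag the host.
$status = Get-PrintNightmareStatus
$status | Format-List
if ($status.Compliant) { exit 0 } else { exit 1 }
```

A host with the Spooler stopped is not flagged for the client-connections policy, matching the thread's advice that the policy matters on machines that still run the spooler but are not print servers.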