Forum Discussion
PrintNightmare for administrators: Trying to sum up the current knowledge for decision-making:
Hello Leon braedachau,
Ha ha, yes, isn't it great to be mad!
Yes, I'm actually about to update my blog post about the most recent discoveries.
However, I think you might have confused two things here.
KB5005010 describes how you can further enhance your security posture after applying the patch.
But it is not the one that determines whether the machine is still susceptible to Remote Code Execution attacks after the patch.
This is what KB5005010 is about:
- Before the July patch, if you were, for example, in the Print Operators group but not a local administrator, you could install unsigned drivers on a print server.
- After the July patch, a Print Operator can only install signed drivers.
- If you set the RestrictDriverInstallationToAdministrators reg value, Print Operators cannot even install signed drivers, only Administrators can.
What makes the machine still vulnerable to Remote Code Execution attacks even after installing the July patch is if the "NoWarningNoElevationOnInstall" value is set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key, which maps to this (vulnerable) GP configuration:
Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions is enabled and has the setting:
Security Prompts:
When installing drivers for a new connection = Do NOT show warning and elevation prompt
https://twitter.com/wdormann/status/1412813044279910416?s=20
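As an added example (not part of the post above or of any Microsoft documentation), the following PowerShell reads the two registry values the reply discusses and reports the posture using the post's own criterion: a `NoWarningNoElevationOnInstall` of 1 means the July patch alone does not stop remote code execution. The post gives the key path only for `NoWarningNoElevationOnInstall`; the script assumes `RestrictDriverInstallationToAdministrators` lives under the same `PointAndPrint` key and that 1 means "only Administrators may install drivers". The `Set-PointAndPrintPrompts` remediation function assumes that 0 restores the "Show warning and elevation prompt" behaviour. Run it in an elevated session.

```powershell
# Added example: audit the Point and Print values discussed in the post on the local machine.
# Assumption: both values are under this key (the post only names the key for NoWarningNoElevationOnInstall).
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPosture {
    [CmdletBinding()]
    param([string]$Path = $PointAndPrintKey)

    # Missing key or missing value means no policy is set and the OS default applies; report $null then.
    $props = $null
    if (Test-Path -Path $Path) {
        $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    }

    $noWarning = $null
    $restrict  = $null
    if ($props) {
        if ($props.PSObject.Properties['NoWarningNoElevationOnInstall']) {
            $noWarning = [int]$props.NoWarningNoElevationOnInstall
        }
        if ($props.PSObject.Properties['RestrictDriverInstallationToAdministrators']) {
            $restrict = [int]$props.RestrictDriverInstallationToAdministrators
        }
    }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        PolicyKeyPresent                           = [bool]$props
        NoWarningNoElevationOnInstall              = $noWarning
        RestrictDriverInstallationToAdministrators = $restrict
        # The post's criterion: a value of 1 here keeps the machine exposed to RCE after the July patch.
        StillVulnerableToRCE                       = ($noWarning -eq 1)
        # Assumption: 1 = only Administrators can install (signed) drivers; anything else leaves Print Operators able to.
        PrintOperatorsCanInstallSignedDrivers      = ($restrict -ne 1)
    }
}

function Set-PointAndPrintPrompts {
    # Remediation for the vulnerable GP configuration: re-enable the warning and elevation prompt.
    # Assumption: 0 corresponds to "Show warning and elevation prompt". Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path = $PointAndPrintKey)

    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Set NoWarningNoElevationOnInstall = 0')) {
        Set-ItemProperty -Path $Path -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
    }
}

# Usage: audit first; remediate only after reviewing the result.
$posture = Get-PointAndPrintPosture
$posture | Format-List
if ($posture.StillVulnerableToRCE) {
    Write-Warning 'NoWarningNoElevationOnInstall is 1: the July patch does not prevent RCE on this host.'
    # Set-PointAndPrintPrompts -WhatIf   # preview the change before applying it
}
```

For a fleet, wrap the audit in `Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-PointAndPrintPosture}` and collect the objects; the `StillVulnerableToRCE` column then gives the list of hosts where the group policy in the post is still in its vulnerable form.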