Forum Discussion
PrintNightmare for administrators: Trying to sum up the current knowledge for decision-making:
Hello Leon braedachau,
Ha ha, yes, isn't it great to be mad!
Yes, I'm actually about to update my blog post about the most recent discoveries.
However, I think you might have confused two things here.
KB5005010 describes how you can further enhance your security posture after applying the patch.
But it is not the one that determines whether the machine is still susceptible to Remote Code Execution attacks after the patch.
This is what KB5005010 is about:
- Before the July patch, if you were, for example, in the Print Operators group but not a local administrator, you could install unsigned drivers on a print server.
- After the July patch, a Print Operator can only install signed drivers.
- If you set the RestrictDriverInstallationToAdministrators reg value, Print Operators cannot even install signed drivers, only Administrators can.
What makes the machine still vulnerable to Remote Code Execution attacks even after installing the July patch is if the "NoWarningNoElevationOnInstall" value is set to 1 under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint key.
Which maps to this (vulnerable) GP configuration:
Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions is enabled and has the setting:
Security Prompts:
When installing drivers for a new connection = Do NOT show warning and elevation prompt
https://twitter.com/wdormann/status/1412813044279910416?s=20
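A local audit of the condition described in this post, added here as an example and not the blog author's own script: it reads the two PointAndPrint values named above, checks whether the Print Spooler service is running, and flags the combination the post calls still vulnerable. Running it against remote hosts via Invoke-Command is left to the reader; function and variable names are my own.

```powershell
# Added example: audit the Point and Print state described in the post on the local machine.
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or value does not exist.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null
    }
}

function Test-PointAndPrintExposure {
    $noWarn   = Get-RegDword -Path $ppKey -Name 'NoWarningNoElevationOnInstall'
    $restrict = Get-RegDword -Path $ppKey -Name 'RestrictDriverInstallationToAdministrators'
    $spooler  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')

    $result = [ordered]@{
        ComputerName                               = $env:COMPUTERNAME
        SpoolerStatus                              = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall              = if ($null -eq $noWarn)   { 'absent' } else { $noWarn }
        RestrictDriverInstallationToAdministrators = if ($null -eq $restrict) { 'absent' } else { $restrict }
    }

    # Vulnerable state from the post: the value is present, set to 1, and the spooler is running.
    $result.RCEExposed = ($noWarn -eq 1) -and $spoolerRunning
    # Hardening from KB5005010: only Administrators may install drivers when this is 1.
    $result.DriverInstallRestrictedToAdmins = ($restrict -eq 1)

    return [pscustomobject]$result
}

Test-PointAndPrintExposure | Format-List
```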
Have you put the latest cumulative update under the microscope yet? (version 10.0.x.1110)
I updated my code to reflect your advice. Found no systems with the key enabled.
I don't twitter.
- Anonymous, Jul 14, 2021
https://www.windowslatest.com/2021/07/14/windows-10-build-19043-1110-is-now-available-download-offline-installers/
Hello.
It is worth installing this update!
- Martin Jeppesen, Jul 14, 2021, Copper Contributor
In general it's always worth installing Patch Tuesday patches 😎, and it seems that for some of the supported Windows versions this patch contains patches for PrintNightmare.
But this update isn't mentioned in MS's security advisory for CVE-2021-34527, so it doesn't seem to be important specifically for PrintNightmare.
I'd say that the patches from last week are the most important ones in combination with ensuring that Point and Print Restrictions are not configured in an insecure way.
My recommendations from the latest update of my blog post are:
* Disable Print Spooler service on any Windows device, that does not need to print.
* For devices that need to do print jobs, like user workstations, but not to print on behalf of remote users: Set this in Group Policy: Computer Configuration\Administrative Templates\Printers\Allow Print Spooler to accept client connections - Setting: Disabled
(Remember to restart the Print Spooler service for this mitigation to take effect!)
* If in any way possible: Apply the Microsoft patches and make sure Point and Print Restrictions are configured with the secure settings.
* If none of the above are options: You can consider the unofficial mitigations, like 0Patch or the “Deny-SYSTEM-in-ACL-mitigation”. But be careful not to cause outages or things breaking, especially regarding the “Deny-SYSTEM-in-ACL-mitigation”.
- Anonymous, Jul 14, 2021
Yes, but the setting that poses a threat is human error.
But organizations often delay the update - I encourage quick deployments!
Thank you for the interesting topic!