September 21 2021 

The “PrintNightmare” Continues In The Tech World

Imagine not being able to reinstall print drivers or install new drivers due to not having access to admin privileges

Everyone’s question lately is: what’s going on with Microsoft? Many of us still need to print; we aren’t all paperless in the business world. We still need to click the print button and print things out on actual paper. However, over the last couple of months, Microsoft has made it nearly impossible to print!

What happened?

Microsoft changed how Group Policy printers are handled when it altered the default Point and Print behaviour to address the “PrintNightmare” vulnerabilities affecting the Windows Print Spooler service. Let’s pause for a second: for those of you who do not know what “PrintNightmare” is, we’ve got you covered:

PrintNightmare is the name of a set of vulnerabilities that allow a standard user on a Windows network to execute arbitrary code on an affected machine (including domain controllers) as SYSTEM, allowing them to elevate their privileges as far as domain admin. Users trigger the flaw by simply feeding a vulnerable machine a malicious printer driver.

As cited in KB5005652, “By default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:

• Install new printers using drivers on a remote computer or server

• Update existing printer drivers using drivers from remote computer or server”

It has been said that anyone with a V3 style of print driver is having this issue, where their users are being prompted to reinstall an existing driver or install a new driver. Crazy, right? In other words, when the vendor’s driver on the print server is a V3 driver, it is prompting the reinstallation of print drivers. We’re also seeing that when the patch is on the workstation and not on the server, it’s prompting a reinstallation of the print drivers.

Throughout the years we have been told by Microsoft and the like to limit employees’ administration rights to ensure data security is tight and unbreachable. However, we are now at a crossroads where we need to decide whether to give employees administration rights, which goes against most businesses’ data security policies; create a registry key adjustment that will weaken security; or roll back the patch until Microsoft figures out what went wrong.

But what if there was a better solution?

With PrinterLogic’s Managed Direct IP Printing solution, print jobs are always spooled locally using the local print spooler on the originating workstation. Since PrinterLogic does not use RPC to access the Windows Print Spooler, a PrinterLogic Managed Direct IP print environment is entirely unaffected when the mitigation steps detailed in the CVE (option 2) are followed as recommended by Microsoft. This ensures that the attack vector is closed on all machines running the Windows Print Spooler, while allowing users to continue to safely print using PrinterLogic’s Managed Direct IP solution.

Microsoft has released a patch for this vulnerability. PrinterLogic highly recommends all customers install the July 2021 Out-of-band update on all Windows systems. For details, see KB5004945 and KB5004946.

What about Point and Print?

According to Microsoft documentation, Point and Print is a term that refers to the capability of allowing a user on a Windows 2000 and later client to create a connection to a remote printer without providing disks or other installation media. All necessary files and configuration information are automatically downloaded from the print server to the client.

This specifically applies to print queues installed from a Windows print server and does not impact a user’s ability to install print queues from the PrinterLogic Self-Service Portal.

As part of the July 2021 Out-of-band update, a registry setting is checked that will restrict the installation of new unsigned printer drivers to Administrators only. Since PrinterLogic only allows signed Type 3 drivers to be used, and since the PrinterLogic Client is solely responsible for managed print driver installation, this setting will not adversely affect PrinterLogic customers.

While this registry setting does not impact a PrinterLogic Managed Direct IP environment, in accordance with security best practices, PrinterLogic still recommends that all customers enable this registry setting as recommended by Microsoft:

Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

Value: RestrictDriverInstallationToAdministrators

Type: REG_DWORD
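
One way to audit and, on request, apply this setting on a Windows machine, as an added example that is not PrinterLogic's or Microsoft's code. The function name and output fields are hypothetical; the data value 1 and the two prompt-related value names are taken from Microsoft's Point and Print guidance rather than from this page, which lists only the key, value name and type.

```powershell
# Added example: audit (and optionally enforce) the Point and Print driver restriction.
# Invoke-PointAndPrintAudit is a hypothetical name; run elevated when using -Enforce.
function Invoke-PointAndPrintAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enforce)

    $key  = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $name = 'RestrictDriverInstallationToAdministrators'

    # A missing key or value is a different state from an explicit 0, so keep them apart.
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $current = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { $null }
    $state   = if ($null -eq $current) { 'NotConfigured' } elseif ($current -eq 1) { 'Restricted' } else { 'Weakened' }

    # Assumption (not on the page): Microsoft documents these two values under the
    # same key; a non-zero setting suppresses the install/update elevation prompts.
    $relaxed = foreach ($v in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($props -and $props.PSObject.Properties[$v] -and $props.$v -ne 0) { $v }
    }

    # Only write when asked to, and honour -WhatIf / -Confirm.
    if ($Enforce -and $state -ne 'Restricted' -and $PSCmdlet.ShouldProcess($key, "Set $name = 1")) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $current = 1
        $state   = 'Restricted'
    }

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        State          = $state            # Restricted | Weakened | NotConfigured
        RawValue       = $current
        RelaxedPrompts = @($relaxed)       # empty when neither prompt override is set
        SpoolerStatus  = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
    }
}

Invoke-PointAndPrintAudit                      # report only, no changes
# Invoke-PointAndPrintAudit -Enforce -WhatIf   # preview the registry write
```

A `Weakened` result means the value has been explicitly set to something other than 1, which is the registry adjustment described earlier as weakening security. For `NotConfigured`, the behaviour depends on whether the updates discussed above are installed.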
