A publicly disclosed Microsoft remote code execution zero-day vulnerability (CVE-2021-34527), now known as “PrintNightmare”, could allow attackers to run code, including malware or ransomware, and take full control of impacted vulnerable systems. Microsoft is urging administrators to deploy the proper patches as quickly as possible, or to disable inbound remote printing until the patches can be applied. The two generally accepted workarounds are described at the bottom of this article.
Checking which servers have Print Spooler enabled
The hardest part of applying a workaround is knowing which servers have Print Spooler enabled and need to be “fixed”, and which do not. Checking every single server individually is possible, but extremely time consuming.
One of our Chef community members, Nicholas Lee from Singapore, suggested in a blog post how organizations can use Chef InSpec to detect which servers are impacted and a Chef cookbook to remediate them.
For those not familiar, Chef InSpec provides a human-readable language for describing security and compliance rules as automated tests that can be run against traditional servers, containers and even cloud APIs, ensuring consistent standards are enforced in every managed environment.
In his blog post, Lee shows that a Chef InSpec profile can be written to scan all servers and determine which are affected:
describe powershell("(Get-Service -DisplayName \"Print Spooler\" | select -Property *).startType").stdout.strip do
  it { should eq "Disabled" }
end
describe powershell("(Get-Service -DisplayName \"Print Spooler\" | select -Property *).status").stdout.strip do
  it { should eq "Stopped" }
end
Lee further suggested a cookbook that, once the impacted servers have been identified, can be used to remediate them:
windows_service 'spooler' do
  action [ :disable, :stop ]
end
In contrast, here are the manual workarounds that are currently being suggested.
Manual Option 1: Disable Print Spooler
Print Spooler is a native, built-in service, enabled by default on Windows machines, that manages printers and print servers. The service is prevalent throughout enterprise IT estates. Where disabling Print Spooler is appropriate (it can have unwanted side effects in some situations), it is easily done with PowerShell commands:
- Open a PowerShell prompt
- Run the command: Stop-Service -Name Spooler -Force
- Then run the command: Set-Service -Name Spooler -StartupType Disabled
Impact: this disables the ability to print both locally and remotely.
Manual Option 2: Create Group Policy
Group Policy, a feature of Microsoft Windows operating systems, controls the working environment of user and computer accounts. It provides centralized management and configuration of applications and user settings in an Active Directory environment. This workaround is also not complicated to implement:
- Open Group Policy
- Go to Computer Configuration/Administrative Templates/Printers
- Disable the setting to “Allow Print Spooler to accept client connections”
- Restart the Print Spooler service for the group policy to take effect
Impact: the system will no longer function as a print server, but local printing to attached devices is still possible.
As a parting thought we would like to offer one last suggestion: use Chef InSpec to validate, with a final check, that all of your impacted servers have been properly remediated. Here is sample code:
describe service('spooler') do
it { should_not be_enabled }
it { should_not be_running }
end
describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers') do
its('RegisterSpoolerRemoteRpcEndPoint') { should eq 2 }
end
describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint') do
its('RestrictDriverInstallationToAdministrators') { should eq 1 }
its('NoWarningNoElevationOnInstall') { should eq 0 }
its('NoWarningNoElevationOnUpdate') { should eq 0 }
its('UpdatePromptSettings') { should eq 0 }
end
A good practice is to audit for CVEs periodically, on a regular automated interval.
Chef InSpec administrators can implement “continuous compliance” by periodically running the following control to audit their environments at scale:
control 'CVE-2021-34527 (patched)' do
  impact 1.0
  title 'Windows Print Spooler Remote Code Execution Vulnerability'
  describe windows_hotfix('KB5004945') do
    it { should be_installed }
  end
end
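For administrators who want the same facts from a single machine without an InSpec run, here is an added example (not code from the original post, from Lee's blog, or from Chef) that audits the local host's PrintNightmare posture in PowerShell. It is read-only: it reports the Print Spooler state from Manual Option 1, the RegisterSpoolerRemoteRpcEndPoint policy that Manual Option 2 sets, the PointAndPrint policy values the final InSpec check expects, and whether KB5004945 is present. The registry value names and the KB number come from this article; the function names and the output field names are this example's own choices.

```powershell
# Added example: read-only audit of the local machine's PrintNightmare posture.
# Registry value names and the KB number are taken from the article; function
# and field names are assumptions made for this example.

function Get-RegistryPolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )
    # An absent key or value means the policy is not configured. Return $null
    # instead of throwing so the audit can tell "not set" apart from a value.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-PrintNightmarePosture {
    $printers      = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
    $pointAndPrint = "$printers\PointAndPrint"

    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $hotfix  = Get-HotFix -Id KB5004945 -ErrorAction SilentlyContinue

    $remoteRpc     = Get-RegistryPolicyValue -Path $printers      -Name 'RegisterSpoolerRemoteRpcEndPoint'
    $restrictDrv   = Get-RegistryPolicyValue -Path $pointAndPrint -Name 'RestrictDriverInstallationToAdministrators'
    $noWarnInstall = Get-RegistryPolicyValue -Path $pointAndPrint -Name 'NoWarningNoElevationOnInstall'
    $noWarnUpdate  = Get-RegistryPolicyValue -Path $pointAndPrint -Name 'NoWarningNoElevationOnUpdate'
    $updatePrompt  = Get-RegistryPolicyValue -Path $pointAndPrint -Name 'UpdatePromptSettings'

    # Manual Option 1: service stopped and disabled.
    $spoolerDisabled = ($null -ne $spooler) -and
                       ($spooler.StartType -eq 'Disabled') -and
                       ($spooler.Status -eq 'Stopped')
    # Manual Option 2: "Allow Print Spooler to accept client connections" disabled,
    # which the article's InSpec check reads as RegisterSpoolerRemoteRpcEndPoint = 2.
    # A $null (not configured) value is treated as non-compliant.
    $remoteDisabled = ($remoteRpc -eq 2)
    # Point and Print values the article's final InSpec check expects.
    $pointAndPrintHardened = ($restrictDrv -eq 1) -and ($noWarnInstall -eq 0) -and
                             ($noWarnUpdate -eq 0) -and ($updatePrompt -eq 0)
    $patched = ($null -ne $hotfix)

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        SpoolerState              = if ($spooler) { "$($spooler.Status)/$($spooler.StartType)" } else { 'NotInstalled' }
        Option1_SpoolerDisabled   = $spoolerDisabled
        Option2_RemoteRpcDisabled = $remoteDisabled
        PointAndPrintHardened     = $pointAndPrintHardened
        KB5004945Installed        = $patched
        # End state as the article's checks describe it: one workaround in place,
        # or the hotfix installed together with the hardened Point and Print policy.
        Remediated                = $spoolerDisabled -or $remoteDisabled -or ($patched -and $pointAndPrintHardened)
    }
}

Get-PrintNightmarePosture | Format-List
```

Run it in an elevated PowerShell prompt on the server being checked; the output lists each fact separately so an administrator can see which workaround, if any, is in effect before the Remediated verdict. Because the registry reads return $null for an unconfigured policy, a server that has never had the Group Policy applied shows Option2_RemoteRpcDisabled as False rather than erroring out, which is the case the InSpec registry_key checks above would also flag.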
For more information or help in using Chef InSpec please make sure to reach out to your Customer Success Manager or reach out to the Chef Community on Chef’s Discourse channel.