
A quick Chef way to detect and remediate PrintNightmare

A remote code execution zero-day vulnerability publicly disclosed by Microsoft (CVE-2021-34527), now known as “PrintNightmare”, could allow attackers to run code, including malware or ransomware, and take full control of vulnerable systems. Microsoft is urging administrators to deploy the proper patches as quickly as possible, or to disable inbound remote printing until the patches can be applied. There are two generally accepted workarounds, which you can find at the bottom of this article.

Checking which servers have Print Spooler enabled

The hardest part of applying a workaround is knowing which servers have Print Spooler enabled and need to be “fixed”, and which do not. Checking every single server individually is possible, but it is extremely time consuming.

One of our Chef community members, Nicholas Lee from Singapore, suggested in a blog post that organizations consider using Chef InSpec to detect which servers are impacted and a cookbook to remediate them.

For those not familiar, Chef InSpec provides a human-readable language for describing security and compliance rules as automated tests that can be run against traditional servers, containers and even cloud APIs, enforcing consistent standards in every managed environment.

Lee’s blog post shows that a Chef InSpec profile can be written to scan all servers and determine which are affected:

# The Print Spooler service should have startup type Disabled and status Stopped
describe powershell("(Get-Service -DisplayName \"Print Spooler\" | select -Property *).startType").stdout.strip do
  it { should eq "Disabled" }
end

describe powershell("(Get-Service -DisplayName \"Print Spooler\" | select -Property *).status").stdout.strip do
  it { should eq "Stopped" }
end

Lee further suggested a cookbook that can be used to remediate the impacted servers once they have been identified:

# Disable the Print Spooler service at startup and stop it now
windows_service 'spooler' do
  action [:disable, :stop]
end

In contrast, here are the manual workarounds that are currently being suggested. 

Manual Option 1: Disable Print Spooler 

Print Spooler is a native, built-in service, enabled by default on Windows machines, that is used to manage printers and print servers. This service is prevalent throughout enterprise IT estates. As long as disabling Print Spooler is appropriate (it can have unwanted side effects in some situations), it is fairly easily done with PowerShell commands.

  1. Open a PowerShell prompt 
  2. Run the command: Stop-Service -Name Spooler -Force 
  3. Then run the command: Set-Service -Name Spooler -StartupType Disabled 

Impact: This will disable the ability to print both locally and remotely  

Manual Option 2: Create Group Policy 

Group Policy, a feature of Microsoft Windows operating systems, controls the working environment of user and computer accounts. It provides centralized management and configuration of applications and users’ settings in an Active Directory environment. This option is also not very complicated to implement.

  1. Open Group Policy 
  2. Go to Computer Configuration/Administrative Templates/Printers 
  3. Disable the setting to “Allow Print Spooler to accept client connections” 
  4. Restart the Print Spooler service for the group policy to take effect 

Impact: The system will no longer function as a print server, but local printing to an attached device is still possible.

As a parting thought, we would like to offer one last suggestion: use Chef InSpec to run a final check validating that all of your impacted servers have been properly remediated. Here is some sample code.

describe service('spooler') do
  it { should_not be_enabled }
  it { should_not be_running }
end

describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers') do
  its('RegisterSpoolerRemoteRpcEndPoint') { should eq 2 }
end

describe registry_key('HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint') do
  its('RestrictDriverInstallationToAdministrators') { should eq 1 }
  its('NoWarningNoElevationOnInstall') { should eq 0 }
  its('NoWarningNoElevationOnUpdate') { should eq 0 }
  its('UpdatePromptSettings') { should eq 0 }
end

A good practice to put in place is a periodic, automated audit for CVEs at a regular interval.

Administrators of Chef InSpec do have the ability to implement “continuous compliance” by periodically running the following to audit their environments at scale:  

control 'CVE-2021-34527 (patched)' do
  impact 1.0
  title 'Windows Print Spooler Remote Code Execution Vulnerability'

  # Passes only when the hotfix is installed on the target
  describe windows_hotfix('KB5004945') do
    it { should be_installed }
  end
end
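
When these checks are run across many servers, the per-server results still have to be turned into a list of machines that need work. The following Ruby is an added example, not code from the original post or from Chef: it assumes each server was scanned with InSpec's JSON reporter, that the service and registry checks above were wrapped in controls with the hypothetical ids `spooler-disabled` and `spooler-remote-rpc-disabled`, and it runs on constructed host names and report data.

```ruby
require 'json'

# Control ids. PATCHED is the control shown above; the other two are
# hypothetical ids assumed for the service and registry checks.
PATCHED     = 'CVE-2021-34527 (patched)'
SPOOLER_OFF = 'spooler-disabled'
REMOTE_OFF  = 'spooler-remote-rpc-disabled'

# Map control id => true only when the control has results and all passed.
def control_status(report)
  report.fetch('profiles', []).flat_map { |p| p.fetch('controls', []) }.to_h do |c|
    results = c.fetch('results', [])
    [c['id'], !results.empty? && results.all? { |r| r['status'] == 'passed' }]
  end
end

# Classify one host. A missing or skipped control counts as not passed.
def classify(report)
  ok = control_status(report)
  return :patched   if ok[PATCHED]
  return :mitigated if ok[SPOOLER_OFF] || ok[REMOTE_OFF]
  :exposed
end

# Group host names by classification. reports maps host => JSON text.
def triage(reports)
  reports.group_by { |_host, json| classify(JSON.parse(json)) }
         .transform_values { |pairs| pairs.map(&:first).sort }
end

# Constructed sample: minimal JSON reporter output for one host.
def sample_report(statuses)
  controls = statuses.map { |id, st| { id: id, results: [{ status: st }] } }
  JSON.generate({ profiles: [{ controls: controls }] })
end

SAMPLE = {
  'print01' => sample_report(PATCHED => 'passed', SPOOLER_OFF => 'failed', REMOTE_OFF => 'failed'),
  'app02'   => sample_report(PATCHED => 'failed', SPOOLER_OFF => 'passed', REMOTE_OFF => 'failed'),
  'file03'  => sample_report(PATCHED => 'failed', SPOOLER_OFF => 'failed'),
  'web04'   => sample_report(PATCHED => 'skipped', SPOOLER_OFF => 'failed', REMOTE_OFF => 'passed')
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE).each { |state, hosts| puts "#{state}: #{hosts.join(', ')}" }
end
```

Hosts reported as `exposed` are neither patched nor covered by either workaround, so they are the ones to remediate first.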

For more information or help in using Chef InSpec please make sure to reach out to your Customer Success Manager or reach out to the Chef Community on Chef’s Discourse channel.

Alan Baptista

Alan is a Product Marketing Director at Chef, working remotely from Southern California. His career of over 20 years has been in product marketing, sales operations and international business roles for enterprise software, telecommunications and government space at organizations such as CA Technologies, Experian, InterVoice and US Commerce Department. When not helping customers tell their success stories he enjoys traveling and exploring Sous-Vide cooking and BGE Grilling.