Repair network printing or secure Windows? Administrators prefer to disable PrintNightmare patch – The Register


Microsoft’s Patch Tuesday update last week aimed to fix printing vulnerabilities in Windows, but also halted network printing for many, with some admins disabling security or removing the patch to make it work.

The issue is complex and first surfaced in January, when Microsoft released this support note explaining that “a security bypass vulnerability exists in the way the printer remote procedure call (RPC) binding manages authentication for the remote Winspool interface”.

Microsoft’s fix was in two phases: first, adding a registry setting to increase the permission level for remote access to printers, and second, notifying administrators that “the version is moving to the Enforce phase on September 14, 2021. The Enforce phase applies changes to address CVE-2021-1678 by increasing the permission level without having to set the registry value.” This September date was “Patch Tuesday” last week – although some admins had already had issues with network printing caused by other Microsoft mitigation efforts.

The printing nightmare escalated in June when researchers discovered that a Print Spooler privilege escalation vulnerability meant that compromising a desktop PC in a network could result in administration privileges being granted to an attacker, because the print spooler runs by default on servers, including domain controllers.

This discussion on the Microsoft Question and Answer Forum for IT Professionals shows the issues that administrators are facing now. “It just hit us this morning too. 9/15/2021. Nobody can print to network printers. I deleted KB5005613 from our server and restarted the server and that fixed it,” said one of them last week – but removing a security patch is not a good solution as it leaves a known vulnerability in place.

Another found a fix that “worked immediately” – setting RestrictDriverInstallationToAdministrators = 0 through a Group Policy Object (GPO) applied to all targeted computers on the Windows network. Unfortunately, this also overrides the security that Microsoft is trying to apply. This setting is not recommended.
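To find machines where either workaround described above has been applied, the following read-only audit is an added example, not code from the article or from Microsoft. It assumes the policy value is stored under Microsoft's Point and Print policy key in the registry; the function name and output fields are hypothetical.

```powershell
# Added audit example, not from the article. Read-only: it changes nothing on the host.
# Assumption: the policy value is stored under Microsoft's Point and Print policy key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valueName = 'RestrictDriverInstallationToAdministrators'
$patchId   = 'KB5005613'   # the update named in the forum quote above

function Get-PrintHardeningState {
    $findings = @()

    # 1. Point and Print policy: 0 lets non-administrators install printer drivers.
    $policy = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    $restrict = if ($null -ne $policy) { [int]$policy.$valueName } else { $null }
    if ($restrict -eq 0) {
        $findings += "$valueName = 0: driver installation is not restricted to administrators"
    }

    # 2. Was the security update removed (or never installed)?
    $patched = [bool](Get-HotFix -Id $patchId -ErrorAction SilentlyContinue)
    if (-not $patched) { $findings += "$patchId not found in installed updates" }

    # 3. Spooler on a domain controller (Win32_OperatingSystem.ProductType 2 = DC).
    $isDc = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    if ($isDc -and $running) { $findings += 'Print Spooler is running on a domain controller' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RestrictToAdmins   = $restrict      # $null means the policy value is not set
        PatchInstalled     = $patched
        IsDomainController = $isDc
        SpoolerRunning     = $running
        Findings           = $findings
    }
}

Get-PrintHardeningState | Format-List
```

Other Windows versions received the same fix under different KB numbers, so a "not found" result for the patch is a prompt to check the installed update level, not proof that the host is unpatched.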

Although Microsoft has released a good deal of information, it could do more to advise administrators who face security concerns on the one hand and users demanding the ability to print on the other. Others have offered their own tips, including this security post which includes a flowchart for analyzing print security in a network.

Windows Network Printing Security Analysis Unofficial Flowchart


It appears that Microsoft has so far been unable to fix vulnerabilities in Windows network printing by patching the code and has instead focused on tightening the security around it. A typical Windows network includes printers of varying ages, from various vendors, with varying levels of support. Relevant factors include how network printing is configured, printer drivers used on both client and server, Windows version and patch level, and GPOs applied to PCs.

The type of printer driver called V4 is preferred for security but must be installed on the client. In the case of older versions of Windows such as Windows Server 2008 R2, for which Extended Support has expired, “customers must purchase the Extended Security Update,” Microsoft said in the aforementioned support note. Given the complexity, it’s no surprise that some admins have complained about random behavior.

“I really don’t know if this breaks the PrinterNightmare fix. But our >3,000 customers had to print again…” one admin said in the discussion. It’s not a great place to be and it looks like the PrintNightmare saga isn’t over yet. We have asked Microsoft for further comments and will report accordingly. ®
