KB5005652, which addresses the PrintNightmare vulnerabilities, is forcing some business users to reinstall printer drivers or install new ones, something they cannot do without administrator privileges.
Okay, Microsoft, we need to talk. Or rather, we have to print. We really do. We are not all paperless here in the business world; many of us still have to click the Print button in our business applications and put something on a real sheet of paper or send it to a PDF printer. But in recent months, it has become almost impossible to stay fully patched and keep printing.
Case in point: August security updates.
Microsoft changed the way Group Policy printers are handled when it changed the default Point and Print behavior to address the "PrintNightmare" vulnerabilities in the Windows Print Spooler service. As stated in KB5005652, "By default, non-administrator users will no longer be able to do the following using Point and Print without elevating to administrator privilege:
- Install new printers using drivers on a remote computer or server
- Update existing printer drivers using drivers on a remote computer or server"
However, what we see on the PatchManagement.org list is that anyone with a V3-style print driver is having users forced to reinstall drivers or install new ones. Specifically, when the print server is a Server 2016 server, the printers are deployed through Group Policy, and the vendor's printer driver is a V3 driver, the patch triggers a reinstallation of the printer drivers. We also see that when the patch is installed on the workstation but not on the server, it likewise causes the printer drivers to be reinstalled.
Because companies keep users without administrator rights to limit lateral movement (and honestly, because Microsoft has told us for years that running with administrator rights is a bad thing), we now have to decide whether to give users local administrator rights, make a registry change that weakens security, or roll back the patch until Microsoft figures out what went wrong.
Those wishing to change the registry can open an elevated command prompt window and enter the following:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
Getting to the heart of the matter
Microsoft privately acknowledged in a support case that "requesting admin rights for installation of already installed drivers and already installed printers is an unexpected behavior." It went on to say: "We have received new reports that this also affects customers where drivers/printers etc. are already installed; this is already under investigation. We do not yet have an estimated time for a fix, but we are working on it." But while the company may privately acknowledge that there is a problem with printing, it does not show it on the Windows release health dashboard.
Anthony J. Fontanez blogged here and here with an excellent discussion of what is happening. As he points out, one solution is to make sure you have V4 printer drivers installed on your network. But here's a problem: it's often extremely difficult to determine whether the drivers are V3 or V4. For Hewlett Packard printers, PCL 6 denotes V3, while PCL-6 (note the dash) denotes V4. You may need to deploy the drivers in a virtual test machine to determine exactly which printer driver you have.
If your printer vendor does not have a V4 version of the printer driver, be sure to contact the vendor, especially if you have active leases, and ask for a revised driver. As Fontanez wrote, "V4 drivers use a model-specific driver on the print server side. When clients connect to a printer on a server using a V4 driver, they do not download any drivers. Instead, they use a generic, preloaded driver called 'Microsoft Enhanced Point and Print.'" However, some network administrators have indicated that V4 drivers are not the solution either.
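One way to take the guesswork out of the V3-versus-V4 question is to ask the print server directly. The script below is an added example, not code from the article or from Microsoft; it assumes the PrintManagement module (Windows 8 / Server 2012 or later), an account that can query the target server, and a placeholder $PrintServer name.

```powershell
# Added example (not from the article or from Microsoft): inventory the drivers on a
# print server and flag the V3 ones that trigger the KB5005652 reinstall prompts.
# Assumes the PrintManagement module (Windows 8 / Server 2012 or later) and an
# account that can query the target server; $PrintServer is a placeholder.
param(
    [string]$PrintServer = $env:COMPUTERNAME   # assumption: audit the local machine by default
)

# Get-PrinterDriver exposes MajorVersion: 3 = V3 (Type 3) driver, 4 = V4 driver.
$drivers = Get-PrinterDriver -ComputerName $PrintServer
$v3 = @($drivers | Where-Object { $_.MajorVersion -eq 3 })
$v4 = @($drivers | Where-Object { $_.MajorVersion -eq 4 })

Write-Host ("Print server {0}: {1} V4 driver(s), {2} V3 driver(s)" -f $PrintServer, $v4.Count, $v3.Count)

if ($v3.Count -gt 0) {
    Write-Host "V3 drivers (non-admin Point and Print installs will now prompt for elevation):"
    $v3 | Sort-Object Manufacturer, Name |
        Format-Table Name, Manufacturer, PrinterEnvironment -AutoSize
}

# Map each shared queue to its driver version so you know which queues clients
# will be unable to add or update without administrator rights.
Get-Printer -ComputerName $PrintServer |
    Where-Object { $_.Shared } |
    ForEach-Object {
        $printer = $_
        $drv = $drivers | Where-Object { $_.Name -eq $printer.DriverName } | Select-Object -First 1
        [pscustomobject]@{
            Queue      = $printer.Name
            ShareName  = $printer.ShareName
            Driver     = $printer.DriverName
            DriverType = if ($drv -and $drv.MajorVersion -eq 4) { 'V4' } else { 'V3' }
        }
    } |
    Sort-Object DriverType, Queue |
    Format-Table -AutoSize
```

Run it against each print server before rolling out the August updates so you know which queues will start prompting non-admin users.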
But even if you can install the August updates on your network, that doesn't mean you're fully protected against spooler vulnerabilities. There is another CVE (CVE-2021-36958) for which we have no patch, and the only solution is to disable the print spooler. All we know at this point is that "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The solution to this vulnerability is to stop and disable the spooler service."
If you are a consumer, the picture is not so bleak. I haven't seen a home user or consumer with printing or scanning problems after installing the August updates. That said, we are all still vulnerable to CVE-2021-36958. If you already have the August updates installed and see no printing or scanning side effects, leave the August security updates installed.
So what can you do right now if you have a business and need to print?
Check which servers and computers absolutely need to print. Clearly, the fundamental security issues in the print spooler code have not yet been resolved and do not look likely to be fixed any time soon.
Treat printing as a specific right that you grant only to those on your network who really need it, rather than leaving the spooler service enabled across the entire network.
Disable the service on all domain controllers and keep it that way until further notice.
Limit the number of servers on your network that hold the print server role.
Isolate those servers as much as possible so that you can monitor and restrict traffic to them.
Disable the Print Spooler service on workstations unless they need to print.
Reevaluate your workflows and processes and see whether there are ways to move these business flows to web-based processes or something else that doesn't rely on paper, toner, and printers.
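The checklist above is easier to enforce when you can see, across the estate, where the spooler is still running and where someone has applied the RestrictDriverInstallationToAdministrators=0 workaround. The script below is an added example, not from the article or from Microsoft; it assumes PowerShell remoting (WinRM) to the targets, local admin rights on them, and uses constructed placeholder host names.

```powershell
# Added example (not from the article or from Microsoft): audit a set of hosts for a
# running Print Spooler and for the PointAndPrint registry override that turns off
# the KB5005652 hardening, then optionally disable the spooler where it is not needed.
# Assumes PowerShell remoting (WinRM) to the targets and local admin rights on them.
param(
    [string[]]$ComputerName  = @('DC01', 'PRINT01', 'WS-FINANCE-07'),  # constructed placeholders
    [string[]]$NeedsPrinting = @('PRINT01'),   # hosts allowed to keep the spooler running
    [switch]$Remediate
)
$audit = {
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole  # 4/5 = domain controller
    $svc  = Get-Service -Name Spooler
    $key  = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $val  = (Get-ItemProperty -Path $key -Name RestrictDriverInstallationToAdministrators `
                -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        IsDC        = $role -in @(4, 5)
        Spooler     = $svc.Status.ToString()
        StartType   = $svc.StartType.ToString()
        # Value absent = secure default (1) once KB5005652 is installed; 0 = hardening turned off.
        RestrictDrv = if ($null -eq $val) { 'default (1)' } else { "$val" }
    }
}
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit
foreach ($r in $results) {
    $findings = @()
    if ($r.IsDC -and $r.Spooler -eq 'Running') {
        $findings += 'Spooler running on a domain controller'
    } elseif ($r.Spooler -eq 'Running' -and $r.Computer -notin $NeedsPrinting) {
        $findings += 'Spooler running on a host with no printing requirement'
    }
    if ($r.RestrictDrv -eq '0') {
        $findings += 'RestrictDriverInstallationToAdministrators=0 (Point and Print hardening disabled)'
    }
    $status = if ($findings) { $findings -join '; ' } else { 'OK' }
    Write-Host ("{0,-16} spooler={1,-8} start={2,-10} {3}" -f $r.Computer, $r.Spooler, $r.StartType, $status)
}
if ($Remediate) {
    $targets = @($results | Where-Object {
        $_.Spooler -eq 'Running' -and ($_.IsDC -or $_.Computer -notin $NeedsPrinting) })
    if ($targets) {
        Invoke-Command -ComputerName $targets.Computer -ScriptBlock {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
    }
}
```

Run it without -Remediate first to review the findings; the -Remediate pass only touches hosts that are domain controllers or are not on your approved printing list.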
One last word for Microsoft
Microsoft needs to do better than it is doing now. Because we still print. And in the last year, you've broken printing too many times. I realize that you may have gone paperless and moved on to all things electronic, but be a little more aware that your business customers have not yet done so.
Your customers should not have to make the painful decision to remove an update so their business can keep working, or worse, make a registry change that lets the company print but exposes the business to vulnerabilities as a result.
We've been patching systems for over 20 years, and if the best thing we can say to a business right now is "uninstall the update to keep running," we haven't fixed anything in 20 years of patching. Businesses still can't patch right away, as you urge us to do. We still have to wait and see whether there are side effects, and then deal with them.
So, Microsoft? If you want us to patch right away, you need to realize that many of us still need to print.