Researchers at Sangfor recently accidentally published a proof-of-concept (PoC) exploit of an unpatched critical flaw in the Microsoft Windows Print Spooler service. The vulnerability, called PrintNightmare, allows attackers to remotely execute code with system-level privileges. Although the PoC was quickly deleted by Sangfor after its publication was discovered, the damage was done – it was already on GitHub.

While Windows Print Spooler is an old component, it is still ubiquitous. And since this exploit opens the door for bad actors to install programs, modify data, and create new admin accounts, you may want to assess the response of any third parties with access to your company’s systems and data.

6 Questions to Ask Third Parties About the Windows Print Spooler Vulnerability
Prevalent has prepared six critical questions to ask third parties to determine their exposure and response to this zero-day flaw. See the table below.
Questions and potential responses

1) Has the organization identified whether it is impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability?

(Please select one.)

a) The organization has reviewed and identified that it is impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability.

b) The organization has reviewed and identified that it is not impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability.

2) Between July 1 and 7, 2021, security updates were released for Windows Server 2012, Windows Server 2016, Windows 7, Windows 8 and Windows 10 systems. Has the organization applied the necessary security updates to its Windows systems?

(Please select one.)

a) Yes, the organization has downloaded and applied the patches.

b) No, the organization is unable to apply security patches to its systems.

c) No, the organization has not yet applied security patches to its systems.

3) Does the organization continue to run the Print Spooler service?

(Please select one.)

a) Yes, the organization requires the Print Spooler service to run.

b) The organization requires that the Print Spooler service is not set to disabled.

c) No, the Print Spooler service is set to disabled.

4) Where the organization requires the Print Spooler service to continue, have the following actions been taken?

Option 1: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2: Disabling inbound remote printing blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

(Please select all that apply.)

a) Disabling the Print Spooler service has been identified as appropriate for the organization, and PowerShell commands to stop the Spooler service and disable the Spooler service startup have been implemented.

b) The organization has disabled inbound remote printing through Group Policy.

c) The organization has not yet disabled the Spooler service or inbound remote printing.

5) In line with Microsoft guidance, have the following registry settings been reviewed and updated?

(Please select all that apply.)

a) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

b) NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

c) UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

6) In line with Microsoft guidance, and if the organization has identified itself as being impacted by the vulnerability, has the Point and Print Restrictions Group Policy been changed to a secure configuration?

(Please select all that apply.)

a) Point and Print Restrictions Group Policy settings have been configured to "Enabled."

b) "Show warning and elevation prompt" has been selected as the security prompt for the option "when installing drivers for a new connection."

c) "Show warning and elevation prompt" has been selected as the security prompt for the option "when updating drivers for an existing connection."
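As an added example that is not part of the Prevalent article, the following read-only PowerShell audit checks the local host against questions 3 to 5 above: the Spooler service state, the two Point and Print registry values, and the inbound-remote-printing policy. The RegisterSpoolerRemoteRpcEndPoint value is an assumption about how the "Allow Print Spooler to accept client connections" policy is stored; the remediation function is only defined, never called.

```powershell
# Added example (not from the article): audit the PrintNightmare mitigations the
# questionnaire asks about. Run in an elevated session; it changes nothing.

function Get-PrintSpoolerAudit {
    $findings = @()

    # Q3 / Q4a: is the Spooler service running, and how is it set to start?
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += 'Spooler service not present on this host'
    } else {
        $findings += "Spooler status: $($spooler.Status); start type: $($spooler.StartType)"
    }

    # Q5: both Point and Print values must be 0 or not defined (the default).
    $pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $null
        if (Test-Path $pnp) {
            $value = (Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $value -or $value -eq 0) {
            $shown = if ($null -eq $value) { 'not defined' } else { $value }
            $findings += "$name = $shown (OK)"
        } else {
            $findings += "$name = $value (INSECURE: must be 0 or not defined)"
        }
    }

    # Q4b: inbound remote printing. Assumption: the policy 'Allow Print Spooler to
    # accept client connections' is stored as RegisterSpoolerRemoteRpcEndPoint,
    # where 2 means disabled.
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    if ($rpc -eq 2) {
        $findings += 'Inbound remote printing disabled by policy (OK)'
    } else {
        $findings += 'Inbound remote printing not disabled by policy (review if this host need not be a print server)'
    }
    return $findings
}

# Q4a remediation (Option 1): stop the service and prevent it from starting.
# Defined for reference only; call it deliberately after confirming printing is not needed.
function Disable-PrintSpooler {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

Get-PrintSpoolerAudit
```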

Next Steps for Third-Party Incident Response and Breach Monitoring

Prevalent helps to rapidly identify and mitigate the impact of vulnerabilities like PrintNightmare by offering a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. The Third-Party Incident Response Service is a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.

Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring solution, which provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors. Together, these solutions help to automate security incident discovery and accelerate response.

Contact us today to learn how Prevalent can help deliver visibility into third-party security controls and processes.

Editor's note: this article was originally published on Prevalent.net. In October 2024, Mitratech acquired Prevalent, an AI-based third-party risk management company. The content has since been updated to include information aligned with our product offerings, regulatory changes and compliance.