Microsoft Printer Vulnerability - FYI
-
So this update happened:
Literally have to remote in and UAC admin credentials to install printers for each user, or print drivers for already added printers on client machines, unless you want to change the registry or a few other work-arounds that make you vulnerable.
I really hope this isn't permanent.
Microsoft: "This change may impact Windows print clients in scenarios where non-elevated users were previously able to add or update printers. However, we strongly believe that the security risk justifies this change. While not recommended, customers can manually disable this mitigation with a registry key, which is outlined in the following KB Article:
KB5005652 How to manage new Point and Print default driver installation behavior
Disabling this mitigation will expose your environment to the publicly known vulnerabilities in the Windows Print Spooler service and we recommend administrators assess their security needs before assuming this risk." Source: https://msrc-blog.microsoft.com/2021/08/10/point-and-print-default-behavior-change
EDIT: V4 drivers seem to remedy this so far. I have more reading to do on the matter though, still not sure if v4 is just a workaround or if they are still susceptible to whatever vulnerability they mentioned.
-
@mr-jones said in Microsoft Printer Vulnerability - FYI:
Literally have to remote in and UAC admin credentials to install printers for each user,
Glad I already have a powershell script for this process anyway.
-
The mindset is that company devices should only be connecting to trusted print servers in the first place.
The recent KB that was released that you're referencing KB5005033, forces a UAC prompt. This is actually the best security posture you can have.
Except it doesn't account for constant change and that in businesses many people aren't admins on their workstations, thus UAC prompt Hell.
Adding
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
Would disable the UAC prompt, but unless you're forcing connections to only trusted print servers, it simply reopens you to be vulnerable.
Like with most recent patches from Microsoft it's still a shitshow...
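An audit of the Point and Print policy values around the command in the post above, added here as an example and not code from any poster in this thread. The function names are hypothetical; `NoWarningNoElevationOnInstall`, `UpdatePromptSettings`, `TrustedServers` and `ServerList` are the standard Point and Print Restrictions policy values under the same key and are not mentioned in the thread.

```powershell
# Added example, not from the thread. Audits the policy key named in the post above.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintValues {
    # Returns value name -> data; an empty table when the policy key does not exist.
    $table = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $table[$p.Name] = $p.Value }  # skip provider metadata
        }
    }
    return $table
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Values = @{})
    $findings = [System.Collections.Generic.List[string]]::new()
    # A missing value means the patched default: only administrators install drivers.
    $name = 'RestrictDriverInstallationToAdministrators'
    $restrict = if ($Values.ContainsKey($name)) { [int]$Values[$name] } else { 1 }
    if ($restrict -ne 0) {
        $findings.Add('OK: driver installation is restricted to administrators')
        return $findings
    }
    $findings.Add("WARN: $name=0, non-admins can install print drivers")
    # TrustedServers=1 with a non-empty ServerList limits Point and Print to named servers.
    $servers = @()
    if ($Values['TrustedServers'] -eq 1 -and $Values['ServerList']) {
        $servers = @($Values['ServerList'] -split ';' | Where-Object { $_.Trim() })
    }
    if ($servers.Count -eq 0) {
        $findings.Add('HIGH: no trusted server list is enforced, any print server can supply drivers')
    } else {
        $findings.Add('INFO: Point and Print limited to: ' + ($servers -join ', '))
    }
    # Any non-zero data here weakens or removes the install/update prompt.
    foreach ($v in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($Values.ContainsKey($v) -and [int]$Values[$v] -ne 0) {
            $findings.Add("HIGH: $v=$($Values[$v]) weakens the driver install/update prompt")
        }
    }
    return $findings
}

# Constructed sample: the state left by the reg add command quoted in the post.
Test-PointAndPrintPolicy -Values @{ RestrictDriverInstallationToAdministrators = 0 }
# Live check on a Windows client: Test-PointAndPrintPolicy -Values (Get-PointAndPrintValues)
```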
-
Would disable the UAC prompt, but unless you're forcing connections to only trusted print servers, it simply reopens you to be vulnerable.
I would think even then, you're open. Print-serv gets hit, and now it's pushing driver updates out willy-nilly that aren't driver updates. Or is that not a thing? I know a mile wide and an inch deep about Security.
-
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
-
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was a "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Server 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issues with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
I don't often mess with the print server, it's just one of those things you set up initially and only ever look at when something isn't working right. Seems like each time I do have to, it's a whole day of learning. In this instance, I'll be learning about V4 drivers.
V4 drivers loaded on the Print Server have corrected this issue for the most part so far. I'm still reading into the "PrintNightmare" vulnerability though. Doesn't seem like Microsoft really has a handle on it yet.
-
@mr-jones said in Microsoft Printer Vulnerability - FYI:
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was a "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Server 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issues with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
I don't often mess with the print server, it's just one of those things you set up initially and only ever look at when something isn't working right. Seems like each time I do have to, it's a whole day of learning. In this instance, I'll be learning about V4 drivers.
V4 drivers loaded on the Print Server have corrected this issue for the most part so far. I'm still reading into the "PrintNightmare" vulnerability though. Doesn't seem like Microsoft really has a handle on it yet.
Well - it seems like the "Vulnerable by design" is the handle they have on it.
i.e. allowing non admins to install print drivers - if we think about it, really is a vulnerability.
The part that really just shreds my brain is the ability to install drivers on a Print Server (i.e. a Windows Server, not a client machine), but I shouldn't be surprised because they share the same base code.
-
I'm wondering if moving away from MS print servers is the thing to do. But then - how do you manage print drivers on a business network? Start deploying them the same way you deploy software packages?
-
@dashrender said in Microsoft Printer Vulnerability - FYI:
I'm wondering if moving away from MS print servers is the thing to do. But then - how do you manage print drivers on a business network? Start deploying them the same way you deploy software packages?
This is why I ~~wrote~~ made Jennifer write the powershell script.
-
@dashrender said in Microsoft Printer Vulnerability - FYI:
I'm wondering if moving away from MS print servers is the thing to do. But then - how do you manage print drivers on a business network? Start deploying them the same way you deploy software packages?
Doesn't CUPS also manage print drivers and can provide them to workstations?
-
@mr-jones said in Microsoft Printer Vulnerability - FYI:
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was a "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Server 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issues with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
With the MS Aug Update, two of my v3 drivers no longer work on 2019. Been working on finding an updated driver that will work. A few v4 have issues, then there are a few v3/v4 drivers (using Windows Update for MS Digitally signed drivers only) that won't install because it keeps telling me access denied.
Setup a Windows 2016 server print server to test, all updates and all is fine so these issues are related to Windows 2019 as far as I can tell.