Microsoft Printer Vulnerability - FYI
-
@mr-jones said in Microsoft Printer Vulnerability - FYI:
Literally have to remote in and UAC admin credentials to install printers for each user,
Glad I already have a powershell script for this process anyway.
-
The mindset is that company devices should only be connecting to trusted print servers in the first place.
The recent KB that was released that you're referencing, KB5005033, forces a UAC prompt. This is actually the best security posture you can have.
Except it doesn't account for constant change and that in businesses many people aren't admins on their workstations, thus UAC prompt Hell.
Adding
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
Would disable the UAC prompt, but unless you're forcing connections to only trusted print servers, it simply reopens you to be vulnerable.
Like with most recent patches from Microsoft it's still a shitshow...
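A read-only check for the state described in the post above, added here as an example and not part of the original post: it reports whether the prompt has been disabled and, if so, whether a trusted print server list is in place. It assumes "forcing connections to only trusted print servers" means the Point and Print Restrictions policy, which writes the TrustedServers and ServerList values under the same key; the function names are hypothetical.

```powershell
# Read-only audit; changes nothing on the machine.
$key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PointAndPrintPosture {
    param([string]$Path = $key)
    $restrict = Get-PolicyValue $Path 'RestrictDriverInstallationToAdministrators'
    # Assumption: these two values come from the Point and Print Restrictions policy.
    $trusted  = Get-PolicyValue $Path 'TrustedServers'
    $servers  = Get-PolicyValue $Path 'ServerList'

    # Only an explicit 0 lifts the admin requirement; absent is treated like 1.
    $adminOnly = ($null -eq $restrict) -or ($restrict -ne 0)
    $pinned = ($trusted -eq 1) -and -not [string]::IsNullOrWhiteSpace($servers)

    $finding = if ($adminOnly) {
        'Driver installs require admin (UAC prompt in effect)'
    } elseif ($pinned) {
        'Prompt disabled; connections limited to the listed print servers'
    } else {
        'Prompt disabled and no trusted-server list: exposed again'
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        RestrictToAdmin = $restrict
        TrustedServers  = $trusted
        ServerList      = $servers
        Finding         = $finding
    }
}

Get-PointAndPrintPosture | Format-List
```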
-
Would disable the UAC prompt, but unless you're forcing connections to only trusted print servers, it simply reopens you to be vulnerable.
I would think even then, you're open. Print-serv gets hit, and now it's pushing driver updates out willy-nilly that aren't driver updates. Or is that not a thing? I know a mile wide and an inch deep about Security.
-
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
-
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was an "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Server 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issues with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
I don't often mess with the print server, it's just one of those things you set up initially and only ever look at when something isn't working right. Seems like each time I do have to, it's a whole day of learning. In this instance, I'll be learning about V4 drivers.
V4 drivers loaded on the Print Server have corrected this issue for the most part so far. I'm still reading into the "PrintNightmare" vulnerability though. Doesn't seem like Microsoft really has a handle on it yet.
-
@mr-jones said in Microsoft Printer Vulnerability - FYI:
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was an "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Server 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issues with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
I don't often mess with the print server, it's just one of those things you set up initially and only ever look at when something isn't working right. Seems like each time I do have to, it's a whole day of learning. In this instance, I'll be learning about V4 drivers.
V4 drivers loaded on the Print Server have corrected this issue for the most part so far. I'm still reading into the "PrintNightmare" vulnerability though. Doesn't seem like Microsoft really has a handle on it yet.
Well - it seems like the "Vulnerable by design" is the handle they have on it.
i.e. allowing non admins to install print drivers - if we think about it, really is a vulnerability. The part that really just shreds my brain is the ability to install drivers on a Print Server (i.e. a Windows Server, not a client machine), but I shouldn't be surprised because they share the same base code.
-
I'm wondering if moving away from MS print servers is the thing to do. But then - how do you manage print drivers on a business network? Start deploying them the same way you deploy software packages?
-
@dashrender said in Microsoft Printer Vulnerability - FYI:
I'm wondering if moving away from MS print servers is the thing to do. But then - how do you manage print drivers on a business network? Start deploying them the same way you deploy software packages?
This is why I ~~wrote~~ made Jennifer write the PowerShell script.
-
@dashrender said in Microsoft Printer Vulnerability - FYI:
I'm wondering if moving away from MS print servers is the thing to do. But then - how do you manage print drivers on a business network? Start deploying them the same way you deploy software packages?
Doesn't CUPS also manage print drivers and can provide them to workstations?
-
@mr-jones said in Microsoft Printer Vulnerability - FYI:
@dashrender said in Microsoft Printer Vulnerability - FYI:
You had to what? Reinstall all drivers even for printers that were already installed?
Glad I haven’t seen that hit me!
Oh yeah. It was an "oh today is going to be fun" moment. Initially I thought, because I had recently migrated to Server 2019 for my print server, that I had messed something up. Just a coincidence though. One might argue that since I was using v3 drivers, I did in fact mess something up, but I remember having issues with them previously, and took to Xerox Tech Support to ensure I was using the drivers they recommend for the new build. Not to mention, some manufacturers don't even supply V4 drivers yet, and some OS's don't like em, from what I'm reading.
With the MS Aug Update, two of my v3 drivers no longer work on 2019. Been working on finding an updated driver that will work. A few v4 have issues, then there are a few v3/v4 drivers (using Windows Update for MS Digitally signed drivers only) that won't install because it keeps telling me access denied.
Setup a Windows 2016 server print server to test, all updates and all is fine so these issues are related to Windows 2019 as far as I can tell.