PrintNightmare has been plaguing Microsoft users with printing vulnerabilities for over 6 months now. Despite multiple patches aimed at fixing PrintNightmare, users are still reporting vulnerabilities that are forcing them to choose between efficiently printing or keeping their organization secure. Let's take a look at how to mitigate these vulnerabilities and how virtual print drivers can help solve PrintNightmare.
What is PrintNightmare?
The first announcement regarding PrintNightmare was made on June 30th, 2021, when Microsoft labeled the issue a “critical remote code execution and local privilege escalation vulnerability”. This vulnerability allows attackers to use regular accounts to gain system-level privileges on Windows computers. To be effective, attackers need to get code onto the system, but once it is there, potentially through a DLL that is placed in the spool folder, it can leverage vulnerabilities that were discovered in the Point and Print feature within the Windows print spooler. An attacker could then access the domain controller and place code there, further worsening a business’s security issues.
3 Vulnerabilities to Address with PrintNightmare
Prevent local privilege escalation
- Preventing local privilege escalation goes hand in hand with preventing local code execution. The fact that a DLL can run as an escalated privilege even as a basic user is something that needs to be addressed and closed for security purposes.
Prevent remote code execution
- If something were to happen on a local machine, you need to be sure that you can prevent remote code execution. This will allow you to ensure that it is contained and not running on your most important systems and servers.
Allow printing for end users
- The key thing to keep in mind is that you need to allow printing for all your users within the organization that require access.
Minimizing PrintNightmare Issues
One possible solution that we have seen suggested online is to disable the print spooler. While this will eliminate the vulnerability caused by PrintNightmare, it will also impact your ability to print locally. In addition to this solution, some GPOs came out to allow the print spooler to accept client connections, as these were being denied because of PrintNightmare. Admins can also change the security settings on the spool folder to help minimize the vulnerability.
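To see where a given machine stands on the three mitigations above (spooler service, client-connection GPO, spool folder permissions), the following read-only audit is an added example and is not part of the original post or of any Tricerat product. The registry value names are the ones Windows uses for the spooler and Point and Print policies; the principal-name filter assumes an English-language Windows install.

```powershell
# Added example: read-only audit of the spooler mitigations named above.
# Run from an elevated PowerShell prompt; nothing is modified.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pnp      = Join-Path $printers 'PointAndPrint'

# 1. Is the spooler running, and will it start again at boot?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"

# 2. "Allow Print Spooler to accept client connections" policy:
#    1 = accept remote clients, 2 = refuse them (local printing still works).
$remote = Get-PolicyValue $printers 'RegisterSpoolerRemoteRpcEndPoint'

# 3. Point and Print: driver installs should require an administrator, and
#    the two prompt-suppression values should be 0 or absent.
$restrict = Get-PolicyValue $pnp 'RestrictDriverInstallationToAdministrators'
$noWarn   = Get-PolicyValue $pnp 'NoWarningNoElevationOnInstall'
$update   = Get-PolicyValue $pnp 'UpdatePromptSettings'

# 4. Which principals, other than the built-in privileged ones, can create
#    files under the driver folder? The mask covers the specific create-files
#    bit plus the generic write/all bits that Get-Acl reports unmapped.
$spool = Join-Path $env:SystemRoot 'System32\spool\drivers'
$mask  = 0x2 -bor 0x10000000 -bor 0x40000000
$writers = (Get-Acl -Path $spool).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $mask) -and
    $_.IdentityReference.Value -notmatch 'SYSTEM$|Administrators$|TrustedInstaller$|CREATOR OWNER$'
}

[pscustomobject]@{
    SpoolerState            = $svc.State
    SpoolerStartMode        = $svc.StartMode
    RemoteClientPolicy      = $remote      # raw value; $null = not configured
    RemoteClientsRefused    = ($remote -eq 2)
    RestrictDriverInstall   = $restrict    # raw value; $null = not configured
    PromptsSuppressed       = ([bool]$noWarn -or [bool]$update)
    UnexpectedFolderWriters = @($writers | ForEach-Object { $_.IdentityReference.Value })
}
```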
Virtual Print Drivers Fixing PrintNightmare
Virtual print drivers, like those offered with Tricerat’s ScrewDrivers®, can circumvent the vulnerabilities caused by PrintNightmare. ScrewDrivers contains a single virtual driver on the system for the print server printers that is installed and managed by the admin. The Tricerat solution doesn’t use Windows printer sharing but instead uses communication between the session agent and ScrewDrivers print server agent to achieve successful printing.
ScrewDrivers can also manage direct network printers installed by a service with system permissions, and it handles all types of printing scenarios, including local printers, print server printers, network printers, and mobile printing. With ScrewDrivers layered on top of your environment, you can leverage GPO options to restrict the print spooler but still maintain control of print driver management. The implementation of ScrewDrivers will also allow you to stay up to date with new Microsoft patches. To learn more about the functionality of ScrewDrivers and how it can fit into your environment, check out our quick demo below.