Microsoft Windows Print Spooler Remote Code Execution Vulnerability Issue

Last week, Microsoft shared a new remote code execution vulnerability in Windows, that has been using the Windows Print Spooler. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is actively removed and Microsoft published two workarounds to protect systems from being attacked.

Microsoft have provided two suggestions: to disable the Print Spooler service or to disable inbound remote printing using the Group Policy.

Determine if the Print Spooler service is running

Run the following:

Get-Service -Name Spooler

If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:

Option 1 - Disable the Print Spooler service

If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:

Stop-Service -Name Spooler -Force

Set-Service -Name Spooler -StartupType Disabled

Impact of workaround Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2 - Disable inbound remote printing through Group Policy

You can also configure the settings via Group Policy as follows:

Computer Configuration / Administrative Templates / Printers

Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks.

You must restart the Print Spooler service for the group policy to take effect.

Impact of workaround This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

To read the full Microsoft CVE article, click here, which also contains a handy FAQ. If you would like more support and assistance, click here to speak to one of our expert advisors.

London Head Office

Adepteq,
152 - 160 City Road,
London,
EC1V 2NX,
0203 805 4143

Aylesbury Development Centre

Adepteq,
7 Smeaton Close,
Brunel Park,
Aylesbury,
Buckinghamshire,
HP19 8SU
01296 323460

 
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram