What is point and print

Point and Print is a Windows feature that simplifies connecting to a network printer by letting a user automatically discover and connect to printers on a network. It also downloads and installs the drivers needed to use these printers from the print server automatically, without requiring administrative rights.

What do point and print restrictions do

The Point and Print Restrictions setting determines whether a user can automatically install printer drivers when connecting to a new printer. When restrictions are applied, only drivers from a specific list of trusted servers can be installed or updated without additional permissions. By setting specific criteria, administrators can approve and manage drivers, reducing the risk of malicious software being installed.

Why restrictions are important

Although convenient, automatically downloading and installing drivers poses a major security risk, exposing a system to attacks such as PrintNightmare (CVE-2021-34527).

This vulnerability exploits the Windows Print Spooler service, allowing attackers to execute remote code and escalate privileges by bypassing security checks in the Point and Print functionality. An attacker could take control of a system remotely by tricking it into adding a malicious printer.

How restrictions work

Point and Print restrictions work through a two-part approach: additional warnings and administrator permission. By adding prompts, users are warned before connecting to a new printer, giving them the chance to pause and consider whether the printer is safe. Additionally, requiring administrator permission to install drivers makes it harder for attackers to install malicious drivers on a system automatically.

How to change point and print restrictions via GPO

To change Point and Print Restrictions via Group Policy, set the following UI path to Enabled: Show warning and elevation prompt:

Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When installing drivers for a new connection


Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Or use the following procedure:

  1. Open the Group Policy Management Console (GPMC).
  2. In the GPMC console tree, navigate to the domain or organizational unit (OU) that stores the user accounts for which you want to modify printer driver security settings.
  3. Right-click the appropriate domain or OU, click Create a GPO in this domain, and Link it here, type a name for the new GPO, and then click OK.
  4. Right-click the GPO that you created, and then click Edit.
  5. In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, and then click Printers.
  6. Right-click Point and Print Restrictions, and then click Edit.


How to permit users to connect only to specific print servers that you trust

  1. In the Point and Print Restrictions dialog box, click Enabled.
    Computer Configuration\Policies\Administrative Templates\Printers: Point and Print Restrictions
    Setting: Enabled
  2. Click to select the Users can only point and print to these servers check box if it’s not already selected.
  3. In the text box, type the fully qualified server names to which you want to allow users to connect. Separate each name by using a semicolon (;).
  4. In the When installing drivers for a new connection box, select Do not show warning or elevation prompt.
  5. In the When updating drivers for an existing connection box, select Show warning only.
  6. Click OK.
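The two procedures above are performed in the GPMC, but the policy ultimately lands as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint, which is where an auditor can verify what a machine actually applied after gpupdate. The following PowerShell script is an added example, not part of the original article and not a Microsoft tool: it reads those values, reports whether they match the recommended state (Enabled: Show warning and elevation prompt), and can optionally write the recommended state together with a trusted-server list. The value names and their meanings are the ones defined by the Printing.admx template; the server names are placeholders, and the script assumes it runs in an elevated session on a machine where these keys reflect the effective policy.

```powershell
# Added example (not from the original article): audit and optionally remediate the
# Point and Print Restrictions policy through the registry values that Printing.admx
# writes. Run from an elevated PowerShell session.
# Assumption: on a domain-joined machine these values are owned by Group Policy and
# any local change is overwritten at the next refresh; use the GPO procedure for
# persistent changes and this script to verify the result.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Value meanings as defined by the Point and Print Restrictions policy template:
#   Restricted                      1 = policy Enabled, 0 = Disabled / not configured
#   NoWarningNoElevationOnInstall   0 = show warning and elevation prompt (recommended)
#                                   1 = do not show warning or elevation prompt
#   UpdatePromptSettings            0 = show warning and elevation prompt (recommended)
#                                   1 = show warning only
#                                   2 = do not show warning or elevation prompt
#   TrustedServers                  1 = users can only point and print to these servers
#   ServerList                      semicolon-separated FQDNs of the trusted print servers

function Get-PointAndPrintState {
    # Returns the raw policy values; missing values come back as $null.
    if (-not (Test-Path $PolicyKey)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        Configured                    = $true
        Restricted                    = $p.Restricted
        NoWarningNoElevationOnInstall = $p.NoWarningNoElevationOnInstall
        UpdatePromptSettings          = $p.UpdatePromptSettings
        TrustedServers                = $p.TrustedServers
        ServerList                    = $p.ServerList
    }
}

function Test-PointAndPrintRecommended {
    # Compares the state against "Enabled: Show warning and elevation prompt".
    param([Parameter(Mandatory)] $State)
    $findings = @()
    if (-not $State.Configured -or $State.Restricted -ne 1) {
        $findings += 'Point and Print Restrictions is not Enabled'
    }
    if ($State.NoWarningNoElevationOnInstall -ne 0) {
        $findings += 'New connections do not show the warning and elevation prompt'
    }
    if ($State.UpdatePromptSettings -ne 0) {
        $findings += 'Driver updates do not show the warning and elevation prompt'
    }
    if ($State.TrustedServers -eq 1 -and [string]::IsNullOrWhiteSpace($State.ServerList)) {
        $findings += 'Trusted-server restriction is on but the server list is empty'
    }
    return $findings
}

function Set-PointAndPrintRecommended {
    # Writes the recommended prompt settings and, if given, the trusted-server list.
    # Note: the trusted-server walkthrough on this page relaxes the prompts instead
    # (NoWarningNoElevationOnInstall = 1, UpdatePromptSettings = 1); this function keeps
    # the recommended prompts so that the server list is an additional control.
    param([string[]] $TrustedServerList)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name Restricted -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name NoWarningNoElevationOnInstall -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name UpdatePromptSettings -PropertyType DWord -Value 0 -Force | Out-Null
    if ($TrustedServerList) {
        New-ItemProperty -Path $PolicyKey -Name TrustedServers -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $PolicyKey -Name ServerList -PropertyType String -Value ($TrustedServerList -join ';') -Force | Out-Null
    }
}

# Audit run: print the current values and any deviations from the recommended state.
$state = Get-PointAndPrintState
$state | Format-List
$findings = Test-PointAndPrintRecommended -State $state
if ($findings.Count -eq 0) { 'Point and Print Restrictions match the recommended state' }
else { $findings | ForEach-Object { "FINDING: $_" } }

# Uncomment to remediate locally (placeholder server names, replace with your own):
# Set-PointAndPrintRecommended -TrustedServerList @('print01.corp.example', 'print02.corp.example')
```

Run the audit after gpupdate /force so that the values reflect the GPO rather than a stale local state; a finding on a domain member usually means the GPO is not linked to that computer's OU or is being overridden by a higher-precedence policy, which gpresult /h can confirm.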

 

Default value

Enabled. (Windows computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print.)

 

Recommended setting

The recommended state for this setting is: Enabled: Show warning and elevation prompt.

Point and print best practices

Understanding and properly configuring Point and Print Restrictions is crucial for maintaining a secure Windows environment. Regular updates and adherence to security configuration best practices help mitigate the risks associated with known vulnerabilities.

Implementing server hardening practices is essential to mitigating these risks. Server hardening configures systems to minimize vulnerabilities by reducing attack surfaces, applying security patches, disabling unnecessary services, and enforcing strict authentication mechanisms. Server hardening not only protects systems against potential threats but also enables IT teams to focus on critical tasks with confidence in their security posture.