
Print Spooler Best Practices and Hardening Configurations

Ben Balkin
Updated on: September 28, 2025

Windows Print Spooler exploits, such as PrintNightmare and SpoolFool, escalate privileges and execute code remotely. Understanding the risks and applying the proper hardening measures is essential to protect your systems from this persistent threat.

What You'll Learn

  • What the Windows Print Spooler is
  • How it works
  • Critical print spooler vulnerabilities
  • Recommended security guidelines
  • Security best practices

What is the Windows Print Spooler?

The Print Spooler holds print jobs in the computer’s memory until the printer is ready, creates files (in PDF format), and clears the print queue.


The Print Spooler is required for using:

  • Citrix services
  • Fax servers
  • Applications that print/save files (PDFs, XPSs, etc)

By default, the print spooler executable file (spoolsv.exe) is loaded on system startup.

Print Spooler Vulnerabilities

The Print Spooler poses a significant risk, serving as a potential entry point for attackers to compromise systems by exploiting weaknesses in print job management. Let’s investigate the most well-known vulnerabilities.

SpoolFool (CVE-2022-21999)

The SpoolFool vulnerability alters the path of a printer port in order to create folders within the printer spool driver directory and load DLL files arbitrarily. This bypasses security checks present in previous print spool privilege escalation vulnerabilities.

Elevation of Privilege (CVE-2022-38028)

CVE-2022-38028 is marked as critical by Microsoft. If this vulnerability is exploited, an unknown component of Windows Print Spooler is affected, resulting in a loss of integrity, availability, and confidentiality. To mitigate this critical vulnerability, a patch must be applied immediately.

PrintNightmare

PrintNightmare is a vulnerability in which a domain user, after authenticating to the remote system, can execute code remotely on a Microsoft Windows system with the privileges of the local SYSTEM user. This issue, along with the corresponding patches and solutions released by Microsoft, is collectively identified as “PrintNightmare.” The PrintNightmare CVEs are CVE-2021-1675, CVE-2021-34527, and CVE-2021-34481.

Remote Code Execution (CVE-2021-36958)

It is labeled as a Remote Code Execution threat, encompassing both Remote Code Execution (RCE) and Local Code Execution (LCE) vulnerabilities. This means that code must be fetched from a remote server before it can be executed on the local workstation.

Print Spooler Security Recommendations

Ensuring the safety of your systems is like putting a digital shield around your printer empire. With the Print Spooler service in Windows managing the print jobs, hardening the Print Spooler service is crucial to mitigating the above vulnerabilities. Here are several hardening security configurations from the CIS Benchmarks:

  • Disable if not needed: If printing functionality is unnecessary on a system, consider disabling the Print Spooler service to reduce the potential attack surface. This can be accomplished using either the Services Management Console or Group Policy settings.
  • Restrict access: Limit access to the Print Spooler service, because by default all users, including authenticated users, can install print drivers and control print jobs. This precaution helps mitigate a security risk that attackers might exploit to gain unauthorized access to your system.
  • Harden Point and Print settings: The Point and Print feature allows users to automatically install print drivers, eliminating the need for administrator privileges. However, this convenience poses a security risk, as it potentially allows attackers to install malicious drivers. Strengthen Point and Print settings by utilizing Group Policy or Local Security Policy to mandate administrator approval for driver installations, enhancing overall system security.
  • Disable remote printing: While enabling inbound remote printing offers convenience, insufficient configuration can introduce security vulnerabilities, potentially opening the door to malicious attacks. Furthermore, it can result in performance issues such as slower printing and dropped jobs.

Best Practices

Here are our recommended print spooler best practices and procedures.

Restarting the Print Spooler

Here are three simple steps for restarting the Print Spooler, which could help resolve print spooler errors:

  1. Click the Start icon, type ‘services’, then click the Services app.
  2. Locate ‘Print Spooler’ in the list and right-click it. Then click ‘Stop’ and wait for 30 – 60 seconds.
  3. Right-click ‘Print Spooler’ again and click ‘Start’.

Clearing the Print Spooler

Critical Reminder: When executing on a server, verify that no other print jobs are in progress simultaneously.

To clear the print spooler:

  1. Go to Start
  2. Click the Control Panel and look for Administrative Tools.
  3. Double-click the Services icon.
  4. Scroll down and select the Print Spooler service.
  5. Select Stop.
    Important Note: Ensure you are logged in as the administrator.
  6. Go to the following directory: C:\WINDOWS\System32\spool\PRINTERS. As an alternative option in case the C drive isn’t configured as the default Windows partition, you can also type it into the address bar on your Internet browser.
  7. Delete all the files in this folder. This step will clear all print queues.
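
The clearing procedure above in script form, as an added example that is not part of the original article. It assumes an elevated session and the PrintManagement cmdlets (Get-Printer, Get-PrintJob); the function name Clear-PrintSpool is hypothetical, and restarting the service at the end is an addition to the listed steps.

```powershell
# Added example (not from the article). Run from an elevated PowerShell session.
function Clear-PrintSpool {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()

    # %SystemRoot% is used so the path still resolves when Windows is not on C:.
    $spoolDir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS'

    # Critical reminder from the article: on a server, check for jobs in progress.
    # Every job listed here is lost when the spool folder is emptied.
    $jobs = @(Get-Printer | Get-PrintJob)
    foreach ($j in $jobs) {
        Write-Warning "Queued: '$($j.DocumentName)' on $($j.PrinterName) [$($j.JobStatus)]"
    }

    # ConfirmImpact 'High' makes PowerShell prompt before anything is deleted.
    if (-not $PSCmdlet.ShouldProcess($spoolDir, "Delete $($jobs.Count) queued job(s)")) {
        return
    }

    Stop-Service -Name Spooler -Force
    try {
        # Spool files are locked while the service runs, hence the stop first.
        Get-ChildItem -Path $spoolDir -File | Remove-Item -Force
    }
    finally {
        # Restart even if deletion fails, so printing is not left switched off.
        Start-Service -Name Spooler
    }
}

# Dry run: lists queued jobs and reports what would be deleted, changes nothing.
Clear-PrintSpool -WhatIf
```

Remove `-WhatIf` to perform the clear; PowerShell then asks for confirmation unless `-Confirm:$false` is passed.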

Disabling the Print Spooler

The Cybersecurity and Infrastructure Security Agency (CISA) recommends that administrators deactivate the Windows Print Spooler service on Domain Controllers and systems that do not require printing.

To minimize attack surface:

  1. Consider using non-Microsoft Print Spooler services as an alternative to the vulnerable protocol.
  2. Restrict users’ and drivers’ access to the Print Spooler only to groups that must use it by changing ‘Allow Print Spooler to accept client connections’.
  3. Disable the Print Spooler caller in the Pre-Windows 2000 compatibility group.
  4. Ensure that Point&Print is not configured to ‘No Warning’ – check the registry key SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoElevationOnInstall for a DWORD value of 1.
  5. Turn off EnableLUA – check registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA for DWORD value 0.

Windows Security Policies

Here are several hardening security configurations from the CIS Benchmarks:

  • Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (DC only) (Automated): This service spools print jobs and handles interaction with printers.
  • Ensure ‘Print Spooler (Spooler)’ is set to ‘Disabled’ (MS only) (Automated): This service spools print jobs and handles interaction with printers.
  • Ensure ‘Allow Print Spooler to accept client connections’ is set to Disabled. This policy setting controls whether the Print Spooler service accepts client connections.
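
A read-only audit of the service and registry settings named in the "To minimize attack surface" list and the CIS items above, as an added example that is not part of the original article. It assumes Windows PowerShell 5.1 or later and the HKLM hive; RegisterSpoolerRemoteRpcEndPoint is the registry value behind ‘Allow Print Spooler to accept client connections’, the Point and Print value is read under the name Microsoft documents (NoWarningNoElevationOnInstall), and the helper names Get-RegDword and Add-Finding are hypothetical.

```powershell
# Added example (not from the article): read-only audit, run from an elevated session.
$findings = New-Object System.Collections.Generic.List[object]

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Add-Finding([string]$Check, $Value, [bool]$NeedsReview) {
    if ($null -eq $Value) { $Value = '(not set)' }
    $findings.Add([pscustomobject]@{
        Check = $Check; Value = $Value; NeedsReview = $NeedsReview })
}

# Host role decides which CIS item applies: DomainRole 4 and 5 are domain controllers.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
Add-Finding 'Domain controller' ($role -ge 4) $false

# CIS: 'Print Spooler (Spooler)' is Disabled where printing is not required.
$svc = Get-Service -Name Spooler
$state = "$($svc.Status) / $($svc.StartType)"
Add-Finding 'Spooler service (status / start type)' $state ($svc.StartType -ne 'Disabled')

# 'Allow Print Spooler to accept client connections': 2 = Disabled, 1 = Enabled.
$printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = Get-RegDword $printers 'RegisterSpoolerRemoteRpcEndPoint'
Add-Finding 'RegisterSpoolerRemoteRpcEndPoint' $rpc ($rpc -ne 2)

# Point and Print: 1 means drivers install with no warning or elevation prompt.
$pnp = Get-RegDword "$printers\PointAndPrint" 'NoWarningNoElevationOnInstall'
Add-Finding 'NoWarningNoElevationOnInstall' $pnp ($pnp -eq 1)

# UAC: EnableLUA = 0 means User Account Control is switched off.
$lua = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
Add-Finding 'EnableLUA' $lua ($lua -eq 0)

$findings | Format-Table -AutoSize
```

Rows with NeedsReview set to True are the ones to compare against the guidance above; on a host that must print, the service row is expected to be flagged and the remaining rows carry the weight.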

Key Takeaways

  • The Windows Print Spooler is a high-risk feature.
  • Security bodies, such as CISA and CIS, recommend disabling it.
  • Hardening is essential if printing is required.
  • Complete disablement is the safest option.
  • Print Spooler vulnerabilities highlight broader risks of misconfiguration.

CalCom Protect Your Servers Beyond Print Spooler Vulnerabilities

Misconfigurations, such as the Print Spooler, are just one of many hidden risks that can expose your systems to privilege escalation and remote code execution attacks. A hardening automation tool identifies locations with the Print Spooler enabled, highlights areas requiring security configuration, and automatically disables or reconfigures them based on your chosen course of action. With the CalCom Hardening Suite (CHS), you can automatically enforce security baselines, reduce your attack surface, and maintain continuous compliance with CIS Benchmarks, PCI DSS, HIPAA, and more.

FAQs

What is the Windows Print Spooler?
The Print Spooler holds print jobs in the computer's memory until the printer is ready, creates files (in PDF format), and clears the print queue.

Why is the Print Spooler a common attack target?
Because it runs by default on many Windows systems, has broad permissions, and is deeply integrated into the OS.

What are examples of Print Spooler exploits?
PrintNightmare, SpoolFool, and CVE-2022-38028 are well-known exploits that highlight the service’s weaknesses.

How can organizations mitigate the risks?
Disable Print Spooler where it’s not needed, restrict user permissions, harden Point and Print policies, and block inbound remote printing.

Should the Print Spooler always be disabled?
Not necessarily—if printing is required, it must be hardened. If not, disabling it completely is the most secure option.