There has been some recent news of a serious zero day named PrintNightmare.
One mitigation is to stop and disable the printer spooler service, especially on Domain Controllers.
There is an existing Fixlet in BES Support site to Stop a Service that could be leveraged to stop the Spooler service.
I have uploaded an Alpha Fixlet to BigFix.me, in case you want a jump start on this one. https://bigfix.me/fixlet/details/26860
(Note - disabling the print spooler service will stop your users from printing…)
*** Update - MS has released some OOB patches last night. HCL Content team is working on your Fixlets ***
*** Update - FIXLETS ARE LIVE for the subset of patches that were released by Microsoft ***
*** Update - MS just released the rest of the Patches - We are working on the Fixlets to match ***
*** Update - All Fixlets are now available ***
For those who still have Windows 2008 or Windows 7, MS released patches for those who are entitled to the MS ESU program. Fixlets for the Windows 2008 and Windows 7 patches are now live on the ESU Patching Add-on Fixlet sites.
If you are not entitled to the MS ESU patch streams, but still have some Windows 2008 or Windows 7, please consider stopping and disabling the print spooler on these systems, or explore some of the other mitigating controls.
Can confirm if it is not obvious. Disabling “Spooler” will disable print services. Just stopping the service will not stop a user/app from calling it.
Currently running analysis on my systems using your relevance. Thanks
Welcome, @Meydey.
Please keep us updated if you discover edge cases or unexpected results.
Also note that I excluded non-server OS in my relevance but you may want to be more aggressive in your mitigations by removing that clause. Also, if you run this on one of your Print Servers, you will stop your users from Printing, which might be more disruptive to your business than waiting for the Out of Band patch to come out.
Yeah, I'm still at the analysis stage. Not disabling anything until we get a directive from the InfoSec folks (big org, too many teams).
FYI, it looks like the spooler is in a non-disabled state by default on Win ISOs. We actively harden our images regularly, but have never disabled the print spooler. I hope Microsoft releases the OOB patch ASAP.
Just providing another answer other than disable.
When "Spooler" is disabled there is no Print to PDF or other functions.
I have some apps on servers that use the "spooler" to format and print to file.
One option is to update local group policy to disable remote client connections to the spooler.
== This has been edited slightly to remove my local server or IP
begin prefetch block
add prefetch item name = LGPO.exe sha1=bacfef8c102b1791ebe3229324cdf75da3171952 size=481144 url=http://BIGFIXREPO/repo/LGPO/LGPO.exe sha256=0c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
end prefetch block
// Create new batch file to update GPO
// The actual policies to change are below in a separate file created on the fly
delete "__createfile"
createfile until ENDOFFILE
@echo About to load Local GPOs
@Echo.
cd __Download\
@Echo.
LGPO.exe /b c:\Windows\Temp /n "Backup" /v > lg_output.txt
LGPO.exe /t .\local_policy_spooler.txt /v >> lg_output.txt
@Echo.
@Echo.
@echo About to run gpupdate
@Echo.
@Echo.
C:\windows\system32\GPupdate /force >> lg_output.txt
@echo.
@echo.
ENDOFFILE
delete "__Download\gpupdate_spooler.bat"
move "__createfile" "__Download\gpupdate_spooler.bat"
// Create a new GPO policy file with settings to update
delete "__createfile"
createfile until ENDOFTHIS
Computer
Software\Policies\Microsoft\Windows NT\Printers
RegisterSpoolerRemoteRpcEndPoint
DWORD:2
ENDOFTHIS
delete "__Download\local_policy_spooler.txt"
move "__createfile" "__Download\local_policy_spooler.txt"
waithidden "__Download\gpupdate_spooler.bat"
// After the Policy is updated the Service needs to be restarted
delete start_win_update.bat
delete __appendfile
appendfile @ECHO OFF
appendfile sc config spooler start= auto
appendfile net stop spooler
appendfile net start spooler
move __appendfile start_win_update.bat
waithidden start_win_update.bat
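As an added example that is not from the thread or from the poster above: the same RegisterSpoolerRemoteRpcEndPoint = 2 setting applied with PowerShell on one host, with the previous value recorded so it can be reversed. It assumes an elevated session, that the backup path C:\Windows\Temp\spooler_rpc_policy_backup.json (hypothetical) is writable, and that a value written straight to the Policies key is acceptable to you: unlike LGPO.exe /t it is not recorded in the local GPO's registry.pol, and a domain GPO that manages the same setting will overwrite it at the next refresh.

```powershell
# Added example, not code from the thread. Applies the setting the LGPO text file above
# encodes (RegisterSpoolerRemoteRpcEndPoint = 2, i.e. "Allow Print Spooler to accept
# client connections" = Disabled) by writing the policy value directly, then restarts
# the Spooler so it takes effect. Run in an elevated PowerShell session.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'
$BackupFile = 'C:\Windows\Temp\spooler_rpc_policy_backup.json'   # hypothetical path

function Restart-Spooler {
    # The value is read when the spooler starts, so bounce the service (as the batch
    # file above does) and return whether it came back up.
    Restart-Service -Name Spooler -Force
    return ((Get-Service -Name Spooler).Status -eq 'Running')
}

function Get-SpoolerRemoteRpcState {
    # Current policy value (2 = remote client connections refused), or $null when unset.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Disable-SpoolerRemoteRpc {
    # Record the previous value first so the change can be reversed later.
    @{ Previous = Get-SpoolerRemoteRpcState } | ConvertTo-Json | Set-Content -Path $BackupFile
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 2 -Type DWord
    return (Restart-Spooler)
}

function Restore-SpoolerRemoteRpc {
    # Reverse: put back the recorded value, or delete the value if it did not exist.
    $prev = (Get-Content -Path $BackupFile -Raw | ConvertFrom-Json).Previous
    if ($null -eq $prev) {
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $prev -Type DWord
    }
    return (Restart-Spooler)
}

# Usage: Disable-SpoolerRemoteRpc   # later: Restore-SpoolerRemoteRpc
```

Local printing (including Print to PDF) keeps working with this setting; only remote clients are refused, which is why the poster prefers it over disabling the service outright.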
One thing I’d suggest is to use the public downloads for LGPO.zip, along with downloading our hosted copy of unzip.exe to extract it. This could replace the prefetch block:
begin prefetch block
add prefetch item name=LGPO.zip sha1=0c74dac83aed569607aaa6df152206c709eef769 size=815660 url=https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip sha256=6ffb6416366652993c992280e29faea3507b5b5aa661c33ba1af31f48acea9c4
// Download UnZip utility
add prefetch item name=unzip.exe sha1=e1652b058195db3f5f754b7ab430652ae04a50b8 size=167936 url=http://software.bigfix.com/download/redist/unzip-5.52.exe sha256=8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
collect prefetch items
end prefetch block
// Add LGPO.zip to the client utility cache for future reuse
utility __Download\LGPO.zip
// Add unzip.exe to the client utility cache for future reuse
utility __Download\unzip.exe
waithidden __Download\unzip.exe -o "{pathname of client folder of current site}\__Download\LGPO.zip" -d "{pathname of client folder of current site}\__Download"
Citrix Servers are one type of server you may wish to exclude from stopping the print spooler. Here’s an attempt to exclude desktop and app Citrix servers actually used for printing from other servers where the spooler is not required - suggestions welcome!
not exists services whose (set of ("cpsvc";"BrokerAgent") contains service name of it)
Microsoft just released the out of band patch, please be sure to read and test - there is a potential reg key you may want to set in addition to the patch.
I know this is simple, but I'm not 100 percent on the right way to do this… how do you reverse this action relevance, so I can set it back to automatic and running? (I've already set the commands, just need the relevance right.)
((windows of operating system) AND (product type of operating system != nt workstation product type /* optionally avoids desktops */)) AND (exists services "spooler" whose (state of it = "Running" OR start type of it != "disabled"))
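As an added example (not part of the thread), the same test restated in PowerShell for a single host, together with the Citrix-service exclusion and the RegisterSpoolerRemoteRpcEndPoint policy check from earlier posts, so one report shows whether the host is still in scope and whether it is already mitigated. The -IncludeWorkstations switch is my addition and corresponds to dropping the "nt workstation product type" clause.

```powershell
# Added example, not code from the thread. Mirrors the relevance above on one host:
# server OS (unless -IncludeWorkstations), spooler running or not yet disabled.
function Get-SpoolerMitigationStatus {
    param([switch]$IncludeWorkstations)

    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer  = $os.ProductType -ne 1          # 1 = Workstation, 2 = DC, 3 = Server
    $isDC      = $os.ProductType -eq 2
    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $running   = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
    $startType = if ($spooler) { $spooler.StartType } else { $null }

    # Citrix print/broker services named in the thread: hosts that have them are
    # candidates for exclusion because users print through them.
    $citrix    = Get-Service -Name cpsvc, BrokerAgent -ErrorAction SilentlyContinue

    # Local policy from the LGPO post: 2 = remote client connections refused.
    $policy    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' `
                   -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue

    # Same logic as the relevance expression.
    $inScope = ($isServer -or $IncludeWorkstations) -and
               ($running -or $startType -ne 'Disabled')

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        IsDomainController = $isDC
        SpoolerRunning     = [bool]$running
        SpoolerStartType   = $startType
        RemoteRpcDisabled  = ($null -ne $policy -and $policy.RegisterSpoolerRemoteRpcEndPoint -eq 2)
        CitrixPrintRole    = ($null -ne $citrix)
        RelevanceMatches   = $inScope
        NeedsMitigation    = $inScope -and ($null -eq $citrix)
    }
}

Get-SpoolerMitigationStatus | Format-List
```

A host that matches the relevance but already reports RemoteRpcDisabled = True has taken the local-policy route instead of disabling the service; to reverse the disable action, you want the hosts where RelevanceMatches is False.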