PRINTNIGHTMARE – POINT AND PRINT MITIGATION

In a previous post I explained how you can configure Point and Print via the registry so that adding printers from trusted print servers would not prompt for elevation. However the recently discovered vulnerability dubbed PrintNightmare means that this configuration is no longer secure.

The current state of things means that even with the latest patches installed, Microsoft are also recommending that elevation for printer driver installation is necessary to mitigate the problem. This applies to both signed and unsigned printer drivers.

We recommend that you immediately install the latest Windows updates released on or after July 6, 2021 on all supported Windows client and server operating systems, starting with devices that currently host the print spooler service.

Next, set the “When installing drivers for a new connection” and “When updating drivers for an existing connection” in the Point and Print Restrictions Group Policy setting to “Show warning and elevation prompt”.

Specifically, the settings shown below NoWarningNoElevationOnInstall and UpdatePromptSettings must be set to 0 (zero) in the registry or otherwise not exist, which is the default configuration.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

"NoWarningNoElevationOnInstall"=dword:00000000
"UpdatePromptSettings"=dword:00000000

I am personally hoping this will not be a permanent configuration as it is likely to cause a lot of pain for organisations who suddenly find their non-admin users may be unable to install network printers without assistance.

Update 14/07/21

After a bit more research into this it seems the best solution is to update any printer driver on the print server to ensure a V3 or V4 packaged version is available to the client as such drivers will not prompt for UAC. Not ideal but this has been a thing since 2016 so hopefully most printers should have updated drivers available by this point!

Featured photo by Max Bender on Unsplash