Syntax Bearror
Disable Print Spooler on Domain Controllers (If You Can)

By Christopher
June 30, 2021
Picture of Service Listing with Print Spooler in Center

While it is generally best to leave domain controllers to their primary job of being domain controllers, some administrators end up tacking on additional applications or services that increase the attack surface of the system. One such service is the print spooler. The print spooler is much like print drivers and printers, spawned from the depths of hell to haunt us for eternity, or until someone makes better printers, print services, and non-proprietary ink cartridges. Basically, it carries a lot of legacy code and is ripe for abuse as a way to go from user to SYSTEM-level privileges.

So, unless you have to host print services on one of your DCs, it’s time to disable the service.

Editor’s Note: Since this original posting, we have published a Part II that outlines how this affects all versions of Microsoft Windows and how to mitigate or detect use of the vulnerability, and a Part III that addresses the patch and the steps you need to take to ensure it actually protects your systems. Keep reading below to understand the basics of the vulnerability.

What’s Actually Going On?

CVE-2021-1675, also dubbed PrintNightmare, is a vulnerability in the Windows Print Spooler service that was originally classified as a privilege escalation vulnerability. However, a recently published Proof-of-Concept demonstrated that it also works as a remote code execution vulnerability, and, even worse, Domain Controllers remain exploitable despite this month’s updates that were intended to address it.

The first successful exploitation we were able to witness came yesterday from @gentilkiwi on Twitter. You can see a video sample of one of the three working PoCs here.

How Do I Protect Myself?

Unless you need print services on your Domain Controller, disable the service by running the following commands in an elevated PowerShell session:

# Stop the spooler now, then prevent it from starting again on reboot
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

If you have to keep print services running because, let’s say, you are using your domain controller as a print server, then read on.

I Have to Keep Print Services Going. How Can I Monitor For Exploitation?

If you are unable to disable print services, you can enable PrintService/Operational event logging, which is not enabled by default. To do this, run the following commands in PowerShell on the target systems (Get-LogProperties and Set-LogProperties come from the built-in PSDiagnostics module):

# Read the current log configuration, flip the Enabled flag, write it back, and confirm
$logDeets = Get-LogProperties 'Microsoft-Windows-PrintService/Operational'
$logDeets.Enabled = $true
Set-LogProperties -LogDetails $logDeets
Get-LogProperties 'Microsoft-Windows-PrintService/Operational'

You can check the status of the log at any time by using the following command in PowerShell:

Get-LogProperties 'Microsoft-Windows-PrintService/Operational'

You can then review this log and look for Event ID 316, which records additions or updates to printer drivers; based on testing, this includes any malicious driver loads.

You can also use Process Monitor to view running processes and check the paths and names of the EXEs and DLLs they load.
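The following script is an added example, not part of the original post: it runs the two checks described above against one or more machines, reporting the Spooler state and startup type, whether the PrintService/Operational log is actually enabled, and any Event ID 316 driver add/update events in a look-back window. It assumes Windows PowerShell 5.1 (the -ComputerName parameters on Get-Service and Get-WinEvent) and an account with remote event log rights; the $Computers list defaults to the local machine and the -Hours window is an arbitrary choice.

```powershell
# Added example: audit Print Spooler posture and Event ID 316 on domain controllers.
# Assumptions: Windows PowerShell 5.1, remote event log/service query rights.
# Pass DCs explicitly, e.g. -Computers (Get-ADDomainController -Filter * ).HostName
param(
    [int]$Hours = 24,                          # look-back window for driver events
    [string[]]$Computers = @($env:COMPUTERNAME)
)

$logName = 'Microsoft-Windows-PrintService/Operational'
$since   = (Get-Date).AddHours(-$Hours)

foreach ($dc in $Computers) {
    # 1. Spooler posture: still running? still allowed to start on boot?
    $svc = Get-Service -Name Spooler -ComputerName $dc -ErrorAction SilentlyContinue
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                  -ComputerName $dc -ErrorAction SilentlyContinue).StartMode

    # 2. Is the operational log enabled? (Event 316 is never written if it is not.)
    $logCfg = Get-WinEvent -ListLog $logName -ComputerName $dc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer        = $dc
        SpoolerStatus   = if ($svc) { $svc.Status } else { 'NotFound' }
        SpoolerStartup  = $startMode
        PrintLogEnabled = if ($logCfg) { $logCfg.IsEnabled } else { 'Unknown' }
    }

    # 3. Driver added/updated events (ID 316) in the window. Get-WinEvent raises a
    #    non-terminating error when nothing matches, so that case is silenced here.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = $logName
        Id        = 316
        StartTime = $since
    }

    foreach ($e in $events) {
        [pscustomobject]@{
            Computer = $dc
            Time     = $e.TimeCreated
            EventId  = $e.Id
            # Collapse the multi-line message so it fits in a table or CSV
            Message  = ($e.Message -replace '\s+', ' ')
        }
    }
}
```

Any DC that reports SpoolerStatus Running with PrintLogEnabled False has neither of the post's mitigations in place; driver events on a DC that is not meant to be a print server deserve a look at the file paths named in the message.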

Thanks to @MalwareJake for posting this useful detail!

For even more technical detail on this, Azure Sentinel and Defender queries, and more, check out Kevin Beaumont’s blog post on it: “Zero day for every supported Windows OS version in the wild”.

Tags: Print Spooler, Privilege Escalation, RCE

About the author
Christopher Clai is a Senior Security Engineer, IT Generalist, and Developer from Chicago, IL with over 20 years of experience in Information Technology ranging from small businesses to Fortune 500's. Chris loves the Pacific Northwest, Sushi, Invader Zim, Rugby, World of Warcraft, raves, and is an avid user of Microsoft and Linux-based technologies.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
©2014 - 2021 - SyntaxBearror.io. All rights reserved unless otherwise noted.