{"id":172,"date":"2021-08-12T20:19:11","date_gmt":"2021-08-13T00:19:11","guid":{"rendered":"https:\/\/www.anthonyfontanez.com\/?p=172"},"modified":"2021-10-06T10:05:11","modified_gmt":"2021-10-06T14:05:11","slug":"printnightmare-point-and-print","status":"publish","type":"post","link":"https:\/\/anthonyfontanez.com\/index.php\/2021\/08\/12\/printnightmare-point-and-print\/","title":{"rendered":"PrintNightmare &#038; Point and Print"},"content":{"rendered":"\n<p><em>UPDATE: Part II here: <a rel=\"noreferrer noopener\" href=\"https:\/\/www.anthonyfontanez.com\/index.php\/2021\/08\/16\/printnightmare-point-and-print-part-ii\/\" target=\"_blank\">https:\/\/www.anthonyfontanez.com\/index.php\/2021\/08\/16\/printnightmare-point-and-print-part-ii\/<\/a><\/em><\/p>\n\n\n\n<p><em>UPDATE 2: Added additional information about Package Point and Print<\/em><\/p>\n\n\n\n<p><em>UPDATE 3: The Security Baseline for Windows 11 includes an updated SecGuide.admx template that can natively control the new registry item.<\/em><\/p>\n\n\n\n<p>Printers suck. We all know it. PrintNightmare has been through a few evolutions as of late. Now, as part of the 2021-08 Cumulative Update for Windows 10 (<a rel=\"noreferrer noopener\" href=\"https:\/\/support.microsoft.com\/topic\/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872\" target=\"_blank\">KB5005652\u2014Manage new Point and Print default driver installation behavior (CVE-2021-34481)<\/a>), unless you go and create\/set a specific registry item, Point and Print will now be locked down and require administrative rights to install drivers from any print server. My assumption is that this is to catch all of the Point and Print misconfigurations out there once and for all. While the vulnerabilities are still present on the system, this may help mitigate compromise; however, you may find yourself with many Help Desk tickets for printer installations. 
In this post, I&#8217;m going to go over a &#8220;proper&#8221; Point and Print configuration that will allow you to continue to let users without admin rights install printers, along with some additional &#8220;best practices&#8221; that I would consider putting in place if not already.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Point and Print Configuration<\/h2>\n\n\n\n<p>Point and Print allows users to install shared printers and drivers easily by downloading the driver from the print server. These settings can be found in Group Policy under &#8220;Computer Configuration\\Policies\\Administrative Templates\\Printers&#8221;.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"710\" height=\"694\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image.png\" alt=\"\" class=\"wp-image-173\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image.png 710w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-300x293.png 300w\" sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><figcaption>Point and Print Restrictions Group Policy Setting<\/figcaption><\/figure><\/div>\n\n\n\n<p>The above shows how I have Point and Print configured in my lab.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Users can only point and print to &#8220;print.ad.ajf8729.com&#8221;<\/li><li>Elevation prompts are bypassed for driver installations\/updates<\/li><\/ul>\n\n\n\n<p>The same settings as they land in the registry, read back with PowerShell:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"theme:plain-white lang:ps decode:true \">Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\'\n\n\nRestricted                                 : 1\nTrustedServers                             : 1\nServerList                                 : print.ad.ajf8729.com\nInForest                                   : 0\nNoWarningNoElevationOnInstall              : 1\nUpdatePromptSettings                       : 2\nRestrictDriverInstallationToAdministrators : 0<\/pre><\/div>\n\n\n\n<p>This is usually flagged as an insecure configuration, because it bypasses the UAC prompts for driver installation: a driver pulled from a listed server is installed by the spooler, as SYSTEM, with no interaction from the user. The trusted server list is what makes that tolerable. Whoever controls a server on the list controls the drivers every client will load, so keep the list short and harden those servers (see below); in return, any attempt to point and print to a printer shared from a server that is not on the list is blocked with the following message, regardless of local admin rights:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"352\" height=\"179\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-1.png\" alt=\"\" class=\"wp-image-174\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-1.png 352w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-1-300x153.png 300w\" sizes=\"auto, (max-width: 352px) 100vw, 352px\" \/><figcaption>Attempting to connect to a printer on an untrusted server<\/figcaption><\/figure><\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Enter the 2021-08 Cumulative Update&#8230;<\/h2>\n\n\n\n<p>After installing the 2021-08 Cumulative Update for Windows 10, the above policy stops working as configured, because the update introduces a new registry value, <strong>RestrictDriverInstallationToAdministrators<\/strong>, under the same PointAndPrint key. If this value is <strong>absent or set to 1<\/strong> (the new default), the elevation bypass above is overridden: the trusted server list still applies, but administrative rights are required to install any print driver. 
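<\/p>\n\n\n\n<p>Before remediating, it helps to know where a given client actually stands. The script below is an added example for this post, not code from the original article and not the WinAdmins Proactive Remediation samples linked further down. It checks a client against the configuration described above, including the new <code>RestrictDriverInstallationToAdministrators<\/code> value, the Package Point and Print approved-server list and the &#8220;Allow Print Spooler to accept client connections&#8221; policy covered in later sections, and with <code>-Remediate<\/code> writes the expected values. Assumptions: the trusted server name defaults to the lab&#8217;s <code>print.ad.ajf8729.com<\/code>, and the registry layout used for the Package Point and Print list (an enable value plus one string value per server under <code>ListofServers<\/code>) is the layout the Printing.admx policy writes on my test systems; verify it against your own ADMX before relying on it.<\/p>

```powershell
# Added example, not code from the original post: check a Windows 10 client
# against the "proper" Point and Print configuration described above and,
# with -Remediate, write the expected values. Run as a script file, elevated.
# Assumptions: the trusted server defaults to the post's lab server; the
# Package Point and Print layout (an enable value plus one REG_SZ per server
# under ListofServers) is what the Printing.admx policy writes on my test
# systems and should be verified against your own ADMX.
[CmdletBinding()]
param(
    [string[]]$TrustedServers = @('print.ad.ajf8729.com'),  # assumed lab value
    [switch]$Remediate
)

$Printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PnP      = "$Printers\PointAndPrint"
$PkgPnP   = "$Printers\PackagePointAndPrint"

# Desired state for the PointAndPrint key: trusted servers only, elevation
# bypassed for those servers, and the KB5005652 value explicitly set to 0 so
# non-admins can still install drivers after the 2021-08 update.
$Desired = [ordered]@{
    Restricted                                 = 1
    TrustedServers                             = 1
    ServerList                                 = ($TrustedServers -join ';')  # REG_SZ, semicolon-separated
    InForest                                   = 0
    NoWarningNoElevationOnInstall              = 1
    UpdatePromptSettings                       = 2
    RestrictDriverInstallationToAdministrators = 0
}

function Get-RegValue {
    # Returns $null when the key or the value does not exist instead of throwing,
    # so "not configured" and "configured wrong" fall through the same comparison.
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$Findings = [System.Collections.Generic.List[string]]::new()

foreach ($Name in $Desired.Keys) {
    $Actual = Get-RegValue -Path $PnP -Name $Name
    if ($Actual -ne $Desired[$Name]) {
        $Findings.Add("PointAndPrint\$Name is '$Actual', expected '$($Desired[$Name])'")
    }
}

# Package Point and Print has its own enable value and its own server list.
if ((Get-RegValue -Path $PkgPnP -Name 'PackagePointAndPrintServerList') -ne 1) {
    $Findings.Add('PackagePointAndPrintServerList is not enabled')
}
foreach ($Server in $TrustedServers) {
    if ((Get-RegValue -Path "$PkgPnP\ListofServers" -Name $Server) -ne $Server) {
        $Findings.Add("$Server is not in the Package Point and Print approved list")
    }
}

# Endpoints should not share printers: "Allow Print Spooler to accept client
# connections" = Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2.
if ((Get-RegValue -Path $Printers -Name 'RegisterSpoolerRemoteRpcEndPoint') -ne 2) {
    $Findings.Add('Print Spooler still accepts client connections')
}

if ($Findings.Count -eq 0) {
    Write-Output 'Compliant'
    exit 0
}
$Findings | ForEach-Object { Write-Output "Non-compliant: $_" }

if ($Remediate) {
    foreach ($Path in @($PnP, "$PkgPnP\ListofServers")) {
        if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    }
    foreach ($Name in $Desired.Keys) {
        $Type = if ($Desired[$Name] -is [string]) { 'String' } else { 'DWord' }
        New-ItemProperty -Path $PnP -Name $Name -PropertyType $Type -Value $Desired[$Name] -Force | Out-Null
    }
    New-ItemProperty -Path $PkgPnP -Name 'PackagePointAndPrintServerList' -PropertyType DWord -Value 1 -Force | Out-Null
    foreach ($Server in $TrustedServers) {
        New-ItemProperty -Path "$PkgPnP\ListofServers" -Name $Server -PropertyType String -Value $Server -Force | Out-Null
    }
    New-ItemProperty -Path $Printers -Name 'RegisterSpoolerRemoteRpcEndPoint' -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Output 'Remediated; re-run without -Remediate to confirm.'
}
exit 1
```

<p>In a Proactive Remediation the same logic splits into a detection script (exit code 1 on any finding) and a remediation script (the <code>-Remediate<\/code> branch). The values live under the Policies hive, so on a domain-joined client Group Policy will reassert its own settings at the next refresh: the remediation is a stopgap for machines that have not picked up the policy yet, and the durable fix is the GPO, Configuration Item or baseline setting described next.<\/p>\n\n\n\n<p>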
To keep the policy above working, the new value must be created and explicitly set to 0:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"theme:plain-white lang:ps decode:true \"># Create the PointAndPrint policy key if Group Policy has not already created it\nif (-not (Test-Path -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint')) {\n    New-Item -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint' -Force\n}\n# 0 = non-admins may install drivers (the Point and Print restrictions still apply); 1 or absent = administrators only\nNew-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint' -Name 'RestrictDriverInstallationToAdministrators' -PropertyType DWORD -Value 0 -Force<\/pre><\/div>\n\n\n\n<p>This value can easily be configured via Group Policy Preferences, a ConfigMgr Configuration Item, or an Intune Proactive Remediation:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"455\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-2.png\" alt=\"\" class=\"wp-image-175\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-2.png 400w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-2-264x300.png 264w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><figcaption>Group Policy Preference configuration<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"654\" height=\"621\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-3.png\" alt=\"\" class=\"wp-image-176\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-3.png 654w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-3-300x285.png 300w\" sizes=\"auto, (max-width: 654px) 100vw, 654px\" \/><figcaption>ConfigMgr Configuration Item<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" 
decoding=\"async\" width=\"606\" height=\"632\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-4.png\" alt=\"\" class=\"wp-image-177\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-4.png 606w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-4-288x300.png 288w\" sizes=\"auto, (max-width: 606px) 100vw, 606px\" \/><figcaption>ConfigMgr Configuration Item Requirement<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Intune Proactive Remediation<\/strong>: please see <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/windows-admins\/Intune\/tree\/main\/Proactive%20Remediations\/PrintNightmare\" target=\"_blank\">https:\/\/github.com\/windows-admins\/Intune\/tree\/main\/Proactive%20Remediations\/PrintNightmare<\/a> for sample scripts.<\/p>\n\n\n\n<p><strong>UPDATE<\/strong>: The Security Baseline for Windows 11 includes an updated SecGuide.admx that has a native setting to control this new registry item. 
It is located under &#8220;Computer Configuration\\Administrative Templates\\MS Security Guide&#8221;.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"686\" height=\"636\" src=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/10\/image.png\" alt=\"\" class=\"wp-image-412\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/10\/image.png 686w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/10\/image-300x278.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><figcaption>Limit print driver installation to Administrators<\/figcaption><\/figure><\/div>\n\n\n\n<p>Any of these configurations will allow the previously configured Point and Print policy to continue to function as expected after the 2021-08 Cumulative Update is installed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Package Point and Print<\/h2>\n\n\n\n<p>After some additional troubleshooting with <a rel=\"noreferrer noopener\" href=\"https:\/\/twitter.com\/jgkps\" data-type=\"URL\" data-id=\"https:\/\/twitter.com\/jgkps\" target=\"_blank\">Johannes<\/a> in the <a href=\"https:\/\/winadmins.io\" data-type=\"URL\" data-id=\"https:\/\/winadmins.io\" target=\"_blank\" rel=\"noreferrer noopener\">WinAdmins Community<\/a>, we discovered that he did not have Package Point and Print settings configured, whereas I did (mentioned in the next section). While I was not 100% sure how that setting worked initially, I had configured it in tandem with the regular Point and Print settings. 
After doing some more research (<a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/print\/point-and-print-with-packages\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/print\/point-and-print-with-packages\" target=\"_blank\">Point and Print with Packages<\/a> &amp; <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/print\/package-aware-print-drivers\" data-type=\"URL\" data-id=\"https:\/\/docs.microsoft.com\/windows-hardware\/drivers\/print\/package-aware-print-drivers\" target=\"_blank\">Package-Aware Print Drivers<\/a>), it comes down to a flag in the driver&#8217;s INF file: a package-aware driver declares <code>PackageAware=TRUE<\/code> in its <code>[PrinterPackageInstallation.<em>platform<\/em>]<\/code> section, and a client then installs the whole signed driver package into its driver store, where the package signature is verified, instead of copying the individual driver files the server lists. You can see which drivers are package-aware in the Print Management console, under Drivers -&gt; &#8220;Packaged&#8221; column:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"583\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-9-1024x583.png\" alt=\"\" class=\"wp-image-199\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-9-1024x583.png 1024w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-9-300x171.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-9-768x437.png 768w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-9.png 1075w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Print Management Console &#8211; Drivers<\/figcaption><\/figure><\/div>\n\n\n\n<p>Combining the normal Point and Print settings with the Package Point and Print settings is simple; a single GPO setting enables it and lists the approved servers:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"710\" 
src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-10.png\" alt=\"\" class=\"wp-image-200\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-10.png 752w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-10-300x283.png 300w\" sizes=\"auto, (max-width: 752px) 100vw, 752px\" \/><figcaption>Package Point and Print &#8211; Approved Servers<\/figcaption><\/figure><\/div>\n\n\n\n<p>Configuring this setting is highly recommended if you have configured regular Point and Print as described earlier, so that both driver types are governed by the same trusted server list.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Additional &#8220;Best Practices&#8221;<\/h2>\n\n\n\n<p>Along with the above configuration, there are a few other settings I would include in your overall printer configuration policies as a baseline.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Harden your trusted print servers<\/h5>\n\n\n\n<p>If you go the route of not requiring elevation to install printers from trusted servers, the print server itself becomes the sensitive target: every driver it serves is installed by the spooler with SYSTEM privileges on every client that connects to it. 
Hardening the server becomes critical to protect your infrastructure.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Review who has administrative rights to these servers, how their firewalls are configured, and what is installed on them.<\/li><li>Enable print driver isolation on every driver possible to help prevent bad drivers from taking down the entire system. Treat it as a reliability feature rather than a security boundary: an isolated driver still runs in PrintIsolationHost.exe as SYSTEM.<\/li><li>Ensure the servers are as up to date as possible.<\/li><li>Utilize the <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/ask-the-performance-team\/migrating-print-queues-quickly-using-printbrm-configuration\/ba-p\/375052\" data-type=\"URL\" data-id=\"https:\/\/techcommunity.microsoft.com\/t5\/ask-the-performance-team\/migrating-print-queues-quickly-using-printbrm-configuration\/ba-p\/375052\" target=\"_blank\" rel=\"noreferrer noopener\">PrintBrm<\/a> utility to back up your print server configurations, and to move to a new operating system if necessary.<\/li><\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Additional settings under &#8220;Computer Configuration\\Policies\\Administrative Templates\\Printers&#8221;<\/h5>\n\n\n\n<ul class=\"wp-block-list\"><li>&#8220;Allow Print Spooler to accept client connections&#8221;<ul><li>This should be set to Disabled on all endpoints that are not print servers, so that other clients cannot connect to printers shared from them. Ideally, inbound File and Print Sharing is already blocked or restricted by endpoint firewall rules; if it is not, this is an easy stopgap until the firewall rules are in place.<\/li><\/ul><\/li><li>&#8220;Package Point and print &#8211; Approved Servers&#8221;<ul><li>This is similar to the standard Point and Print setting, but for &#8220;packaged&#8221; drivers. Configure this to the same trusted server(s) as the standard Point and Print trusted server(s). 
See the Package Point and Print section above for further details.<\/li><\/ul><\/li><\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Disable the Print Spooler service on Domain Controllers\/Member Servers<\/h5>\n\n\n\n<p>The Print Spooler service should be disabled on every server that does not actually need it; it runs as SYSTEM, and on a Domain Controller that is attack surface on the most sensitive host in the forest. Disabling it on Domain Controllers will stop automatic pruning of stale printers published to the directory, so be prepared to do this manually or via script if necessary. Disabling the service can easily be done via Group Policy Preferences:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"455\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-5.png\" alt=\"\" class=\"wp-image-178\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-5.png 400w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-5-264x300.png 264w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><figcaption>Group Policy Preference to disable the Spooler service<\/figcaption><\/figure><\/div>\n\n\n\n<h5 class=\"wp-block-heading\">Firewall Rules<\/h5>\n\n\n\n<p>In the long term, endpoint firewall rules should restrict inbound File and Print Sharing to the hosts that genuinely need it. 
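<\/p>\n\n\n\n<p>The following is an added example, not configuration from the original post: it builds the bare-bones domain-profile policy described in this section with the NetSecurity cmdlets, writing into a GPO rather than the local policy store, since the policy disables local rule merge and locally created rules would never apply. The GPO display name, the admin host and the RDP subnet are placeholders to substitute with your own; the script needs to run on a domain member with the Group Policy management tools installed and rights to edit that GPO.<\/p>

```powershell
# Added example, not configuration from the original post: the "bare-bones"
# domain-profile endpoint policy described in this section, built with the
# NetSecurity cmdlets and written into a GPO rather than the local store
# (the policy turns off local rule merge, so local rules would never apply).
# Assumptions: the GPO display name, admin host and RDP subnet are
# placeholders; substitute your own. Run on a domain member with GPMC/RSAT.
$Gpo       = 'ad.ajf8729.com\Endpoint Firewall'   # assumed: domain\GPO display name
$AdminHost = '10.0.0.10'                          # assumed: the one host allowed to reach SMB
$RdpSubnet = '10.0.10.0/24'                       # assumed: the helpdesk/admin subnet

# Open the GPO once; every cmdlet below targets this session, so the GPO is
# read and written in a single pass instead of once per rule.
$Session = Open-NetGPO -PolicyStore $Gpo

# Domain profile: block inbound by default, allow outbound, and ignore rules
# created locally on the machine (AllowLocalFirewallRules = False).
Set-NetFirewallProfile -GPOSession $Session -Profile Domain `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# SMB (TCP 445) from the single admin host only. This is the port the spooler's
# named-pipe endpoint (\pipe\spoolss) and the print$ share ride on; the
# spooler's TCP RPC endpoints are covered by the default inbound block.
New-NetFirewallRule -GPOSession $Session -DisplayName 'Allow SMB from admin host' `
    -Direction Inbound -Profile Domain -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AdminHost -Action Allow

# RDP (TCP 3389) from the admin subnet only.
New-NetFirewallRule -GPOSession $Session -DisplayName 'Allow RDP from admin subnet' `
    -Direction Inbound -Profile Domain -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $RdpSubnet -Action Allow

# Commit the profile settings and rules back to the GPO.
Save-NetGPO -GPOSession $Session
```

<p>Open-NetGPO reads the GPO once and Save-NetGPO commits the whole batch, which is both faster and safer than editing the GPO rule by rule. The rule set is deliberately minimal: anything else an endpoint needs inbound (management agents, remote assistance) has to be added to the GPO explicitly, because nothing on the machine itself can open a port once local rules are ignored.<\/p>\n\n\n\n<p>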
While I intend to go into much more depth about firewall configurations in a later post, here is a quick glance at a bare-bones endpoint firewall policy for a client machine:<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"455\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-6.png\" alt=\"\" class=\"wp-image-179\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-6.png 400w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-6-264x300.png 264w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><figcaption>Windows Firewall configuration for the Domain Profile<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"429\" height=\"464\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-7.png\" alt=\"\" class=\"wp-image-180\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-7.png 429w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-7-277x300.png 277w\" sizes=\"auto, (max-width: 429px) 100vw, 429px\" \/><figcaption>Windows Firewall customization for the Domain Profile<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"93\" src=\"https:\/\/www.anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-8-1024x93.png\" alt=\"\" class=\"wp-image-181\" srcset=\"https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-8-1024x93.png 1024w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-8-300x27.png 300w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-8-768x69.png 768w, https:\/\/anthonyfontanez.com\/wp-content\/uploads\/2021\/08\/image-8.png 1128w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Basic firewall policy for a user-facing endpoint<\/figcaption><\/figure><\/div>\n\n\n\n<p>The above policy only allows SMB access from one host, and RDP from a single subnet. Local firewall rules configured on the system itself are not applied, meaning everything must be configured in policy. This is a very secure configuration, and can take a bit of work to get to. Be on the lookout for a future post going into greater detail about this.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE: Part II here: https:\/\/www.anthonyfontanez.com\/index.php\/2021\/08\/16\/printnightmare-point-and-print-part-ii\/ UPDATE 2: Added additional information about Package Point and Print UPDATE 3: The Security Baseline for Windows 11 includes an<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9,7],"tags":[5,3],"class_list":["post-172","post","type-post","status-publish","format-standard","hentry","category-printing","category-security","tag-printing","tag-security"],"jetpack_featured_media_url":"","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/172","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/anthony
fontanez.com\/index.php\/wp-json\/wp\/v2\/comments?post=172"}],"version-history":[{"count":10,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/172\/revisions"}],"predecessor-version":[{"id":413,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/posts\/172\/revisions\/413"}],"wp:attachment":[{"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/media?parent=172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/categories?post=172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyfontanez.com\/index.php\/wp-json\/wp\/v2\/tags?post=172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}