Today, the news reached me that CVE-2021-1675 is weaponized to compromise Domain Controllers. This is actually already happening in the real world, leading to a ‘zero day’ vulnerability event.
Luckily, the vulnerability can be mitigated with a simple configuration change on Domain Controllers: disabling the Print Spooler service. Not a big change, but there may be some negative impact in your specific scenario.
Why disable the Print Spooler service
Disabling the Print Spooler service provides an additional layer in a defense in depth approach. It changes the default behavior of products and services to make them more resilient to unauthorized changes and compromise. In this case, the Print Spooler service can be abused to compromise a fully patched Windows Server 2019-based Domain Controller from a regular domain user's account, yielding full SYSTEM privileges on the Domain Controller.
Possible impact – What could go wrong?
In your specific Active Directory environment, though, you may experience impact from this configuration change. This is only true when both of the following apply:
- Printers are published in Active Directory, and
- The Allow pruning of published printers Group Policy setting is Enabled or Not configured (the default) for the Domain Controllers Organizational Unit (OU).
Searching for printers in Active Directory is pretty straightforward. The following line of Windows PowerShell on a device that runs the Windows PowerShell Module for Active Directory will list the published printers:
Get-ADObject -Filter 'objectCategory -eq "printQueue"'
If you have any printers published in Active Directory, use the steps below to see if the Allow pruning of published printers Group Policy setting is enabled:
- Sign in interactively to a Domain Controller.
- Open Resultant Set of Policy (rsop.msc)
- In the left navigation menu, expand the Computer Configuration node, then the Administrative Templates node and finally the Printers node.
- In the main pane, locate the Allow pruning of published printers setting and check the State column.
Note:
If the Printers node is not present, then no Group Policy targets settings in this node and all relevant settings are Not configured.
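The two checks above (are printers published, and is pruning in effect on the Domain Controllers) can be done from one elevated Windows PowerShell session on a Domain Controller. The script below is an added example and not part of the original post; it assumes Windows PowerShell 5.1 with the ActiveDirectory and GroupPolicy RSAT modules, and an elevated prompt (Get-GPResultantSetOfPolicy requires one). The 90-day staleness window and the temporary report path are assumptions made for the example.

```powershell
# Added example (not from the original post): inventory printers published in
# Active Directory and report the effective state of the "Allow pruning of
# published printers" policy on this Domain Controller.
# Assumes: Windows PowerShell 5.1 on a Domain Controller, the ActiveDirectory and
# GroupPolicy RSAT modules, and an elevated session.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Published printers, grouped by the print server that published them.
#    printQueue objects carry the publishing server in serverName and the
#    share name in printShareName.
$printers = Get-ADObject -Filter 'objectCategory -eq "printQueue"' `
                         -Properties printShareName, serverName, uNCName, whenChanged

if (-not $printers) {
    Write-Output 'No printers are published in Active Directory; disabling the Print Spooler on DCs has no pruning impact.'
} else {
    $printers |
        Group-Object -Property serverName |
        Sort-Object Count -Descending |
        ForEach-Object { '{0,-40} {1,5} published printer(s)' -f $_.Name, $_.Count }

    # Candidates for manual clean-up once pruning stops: objects not modified in
    # 90 days (assumed window) are the ones the pruner would normally remove when
    # their print server stops answering.
    $cutoff = (Get-Date).AddDays(-90)
    $printers | Where-Object { $_.whenChanged -lt $cutoff } |
        Select-Object uNCName, serverName, whenChanged |
        Format-Table -AutoSize
}

# 2. Resultant Set of Policy for this DC as XML, then look up the pruning setting.
$report = Join-Path $env:TEMP 'rsop-dc.xml'
Get-GPResultantSetOfPolicy -ReportType Xml -Path $report -Computer $env:COMPUTERNAME | Out-Null
[xml]$rsop = Get-Content -Path $report -Raw

# Administrative Template settings appear as <Policy><Name>..</Name><State>..</State>
# elements; a setting that is Not configured is simply absent from the report,
# which matches the note about a missing Printers node in rsop.msc.
$node = $rsop.SelectSingleNode(
    "//*[local-name()='Policy'][*[local-name()='Name']='Allow pruning of published printers']")

$state = if ($node) { $node.State } else { 'Not configured' }
Write-Output ('Allow pruning of published printers: {0}' -f $state)

if ($state -ne 'Disabled') {
    Write-Warning 'Pruning is in effect (the default). After the Print Spooler is disabled on the DCs, stale printQueue objects have to be deleted by hand.'
}
```

Run it on each Domain Controller (or pass another DC's name to -Computer) if different GPOs are filtered to different DCs; a result of Enabled or Not configured means the manual clean-up described below applies to you.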
The Allow pruning of published printers setting determines whether the Domain Controller can prune (that is, delete from Active Directory) the printers that are published by this computer. By default, the pruning service on the Domain Controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects.
If the Allow pruning of published printers setting is Enabled or Not configured, the Domain Controllers in your environment prune published printers whose print server no longer responds. Since the pruning is performed by the Print Spooler service on the Domain Controller, printers are no longer automatically pruned once you disable the Print Spooler service on the Domain Controllers.
As a consequence, Active Directory admins will have to delete published printers manually at the end of the lifecycle of these printers.
Getting Ready
To disable the Print Spooler service on Domain Controllers, make sure to meet the following requirements:
System Requirements
Make sure the Windows Server installations are installed with the latest cumulative Windows Updates.
Privilege Requirements
Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Domain Controllers Organizational Unit (OU).
How to disable the Print Spooler service
The best way to disable the Print Spooler service is through Group Policy.
Perform these steps:
- Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
- Open the Group Policy Management console (gpmc.msc).
- In the left navigation pane, navigate to the Domain Controllers OU.
- Right-click the OU and select Create a GPO in this domain, and Link it here….
- In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
- Click OK
- Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
- Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
- Right-click the Group Policy object and select Edit… from the context menu.
The Group Policy Management Editor window appears.
- In the left navigation pane, under Computer Configuration, expand the Policies node.
- Expand the Windows Settings node.
- Expand the Security Settings node.
- Select System Services.
- In the main pane, for the Print Spooler service, double-click the service, and then select the Define this policy setting option and select the Disabled service startup mode.
- When done, close the Group Policy Management Editor window.
- Close the Group Policy Management Console window.
- Sign out.
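The same change can be rolled out and, more importantly, verified from Windows PowerShell. The script below is an added example and not part of the original post. It assumes Windows PowerShell 5.1 with the ActiveDirectory and GroupPolicy RSAT modules, an account that may create and link GPOs to the Domain Controllers OU, and PowerShell Remoting (WinRM) enabled on the Domain Controllers; the GPO name is an assumed example, not a naming convention from the post. Note that the System Services startup mode is stored in the GPO's security template and has no Set-GP* cmdlet, so that one step is still done in the Group Policy Management Editor as described above; the script closes the gap until the next Group Policy refresh by disabling the service on every Domain Controller directly.

```powershell
# Added example (not from the original post): create and link the GPO, disable
# the Print Spooler on every Domain Controller immediately, and verify the result.
# Assumes: Windows PowerShell 5.1, ActiveDirectory + GroupPolicy RSAT modules,
# rights to create/link GPOs on the Domain Controllers OU, and WinRM on the DCs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = 'DC - Disable Print Spooler'   # assumed example name
$dcOU    = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"

# 1. Create the GPO and link it to the Domain Controllers OU (safe to re-run).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Disables the Print Spooler service on Domain Controllers (CVE-2021-1675 hardening).'
}
$linked = (Get-GPInheritance -Target $dcOU).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $dcOU -LinkEnabled Yes | Out-Null
}
# The Print Spooler startup mode (Computer Configuration > Policies > Windows Settings >
# Security Settings > System Services) must be set to Disabled in the Group Policy
# Management Editor; there is no cmdlet for security template settings.

# 2. Stop and disable the service on every DC right now, so the window between
#    now and the next Group Policy refresh is closed. The GPO keeps it that way.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service  -Name Spooler -StartupType Disabled
}

# 3. Verify: a DC is compliant only when the service is Stopped AND its startup
#    mode is Disabled (a stopped-but-Automatic service comes back at next boot).
$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    [pscustomobject]@{
        State     = $svc.State
        StartMode = $svc.StartMode
        Compliant = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}
$results | Select-Object PSComputerName, State, StartMode, Compliant | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } | ForEach-Object {
    Write-Warning ('{0}: Print Spooler is still {1}/{2}' -f $_.PSComputerName, $_.State, $_.StartMode)
}
```

Re-run step 3 after the next Group Policy refresh (or after gpupdate /force on the DCs) to confirm the GPO, not just the one-off Set-Service call, is what keeps the service disabled; any DC that is not reported as Compliant is still exposed.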
Concluding
Compromise of Domain Controllers is highly undesirable. Disable the Print Spooler service on your Domain Controllers, today. If you publish printers in Active Directory and use the default settings, you may need to perform manual tasks at the end of the lifecycles of these published printers.
It's also worth noting that an active Print Spooler on a Domain Controller is a risk beyond this vulnerability: an attacker who controls a computer or account configured for unconstrained delegation can coerce the Domain Controller into authenticating to it through the spooler, and thereby obtain a ticket for the Domain Controller's computer account.
I've disabled print spool to avoid being hacked. Now how do I print?
You don’t (on Domain Controllers).