Windows Print Spooler Remote Code Execution Vulnerability


  1. T J
    Posts : 60
    10 Home 64-bit 21H2
       #60

    I don't have this key in registry >> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    Since I had recently disabled Print Spooler (in Services); can I re-enable Print Spooler now, so that I can safely print things? Or do I need to keep Print Spooler disabled. Can't print anything now.
    thanks
      My Computers


  2. Posts : 2,557
    Windows 10 pro x64-bit
       #61

    T J said:
    I don't have this key in registry >> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    Since I had recently disabled Print Spooler (in Services); can I re-enable Print Spooler now, so that I can safely print things? Or do I need to keep Print Spooler disabled. Can't print anything now.
    thanks
    Since you don't have the key in registry, you can safely enable "Print Spooler" in "Services.msc". Put it on "Automatic" after enabling it. You are good to go according to the notes in first page.

    ----updated----
    Not exactly in the first page of this thread, but here we go:

    In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
    • NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
    • UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

    https://msrc.microsoft.com/update-gu...CVE-2021-34527
      My Computers
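
The check described in the Microsoft guidance quoted in post #61, as an added PowerShell example (not part of any post in this thread and not Microsoft's own script). It only reads the two Point and Print values and the Print Spooler service state; the function name `Test-PointAndPrintValue` is hypothetical.

```powershell
# Added example: read-only audit of the Point and Print policy values named in
# the quoted guidance, plus the Print Spooler service state. Changes nothing.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$values = 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'

function Test-PointAndPrintValue {
    # Hypothetical helper name, introduced for this example only.
    param([string]$Path, [string]$Name)

    # A missing key or a missing value is the default state, which the quoted
    # guidance treats as the secure setting.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Name = $Name; Value = 'not defined'; Secure = $true }
    }

    # If the value exists, only 0 matches the guidance.
    $current = $item.$Name
    [pscustomobject]@{ Name = $Name; Value = $current; Secure = ($current -eq 0) }
}

$results = foreach ($name in $values) {
    Test-PointAndPrintValue -Path $key -Name $name
}
$results | Format-Table -AutoSize

# Report the spooler service state alongside the registry result.
$spooler = Get-Service -Name Spooler
'Print Spooler: Status={0}, StartType={1}' -f $spooler.Status, $spooler.StartType

$insecure = @($results | Where-Object { -not $_.Secure })
if ($insecure.Count -gt 0) {
    Write-Warning ('Non-default Point and Print values found: ' +
                   ($insecure.Name -join ', '))
} else {
    'Point and Print values are 0 or not defined.'
}
```

The script covers the registry part of the quoted guidance only; whether the security updates are installed and whether Group Policy is set correctly need to be checked separately.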


  3. Posts : 86
    Windows 10 64bit
       #62

    sygnus21 said:
    Do be aware anytime you print - whether printing to paper or to a document such as PDF, you're invoking (using) the Print Spooler. Bottom line is if you "print" you're using the print spooler which is the risk
    BTW, if you find you can't print (and provided the printer is good) look to the print spooler service.
    Anyway, I print all the time and am not about to stop now, so...
    Yes you are correct every printer's driver will install to one of the spool folder subfolders. Which is where the spool service is located as well. And that is why the patch was released.

    Also some HP printers install with a point and print driver by default.
      My Computer


  4. Posts : 750
    Windows 10 Pro 64-bits
       #63

    IronZorg89 said:
    Since you don't have the key in registry, you can safely enable "Print Spooler" in "Services.msc". Put it on "Automatic" after enabling it. You are good to go according to the notes in first page.

    ----updated----
    Not exactly in the first page of this thread, but here we go:
    https://msrc.microsoft.com/update-gu...CVE-2021-34527
    Interestingly, when you edit the "Point and Print Restriction", it states, quote:

    This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

    If you enable this policy setting:
    -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
    -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

    If you do not configure this policy setting:
    -Windows Vista client computers can point and print to any server.
    -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
    -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
    -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

    If you disable this policy setting:
    -Windows Vista client computers can create a printer connection to any server using Point and Print.
    -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
    -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
    -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
    -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
    Based on the options available within this GP, it does not seem to do much for PCs assigned to a "Workgroup". Knowing that the majority of SMBs' and home users' computers are not members of a domain, policy/registry change as advised by MS for them may not result in the desired protection.

    Steve C said:
    I think the change is instant but I always turn off PCs anyway so it won't be long before they get a reboot.
    With Windows Pro edition, you could also run the command "gpedit" to update the local policy, once the policy changed; no need to be admin:

      My Computer


  5. Posts : 2,557
    Windows 10 pro x64-bit
       #64

    Cr00zng said:
    Based on the options available within this GP, it does not seem to do much for PCs assigned to a "Workgroup". Knowing that the majority of SMBs' and home users' computers are not members of a domain, policy/registry change as advised by MS for them may not result in the desired protection.
    I should have highlighted it. I was merely pointing to this fact:

    If the registry keys documented do not exist, no further action is required
    Clarified Guidance CVE-2021-34527 Windows Print Spooler Vulnerability

    There have been lots of articles out there about the security patch issued by MS with regard to this vulnerability in Printers, as if the patch didn't have the desired effect. Notwithstanding, MS was adamant and sure about their patch when they say:

    Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.


    "This quote is from the same link as above"


    All in all, I was not thinking for a second about going to GP editor and all the description about Server Message block (SMB) which could be the topic for another discussion.
      My Computers


  6. Posts : 750
    Windows 10 Pro 64-bits
       #65

    IronZorg89 said:
    I should have highlighted it. I was merely pointing to this fact:

    If the registry keys documented do not exist, no further action is required
    Since I prefer working with the Group Policy, I missed that section. Thanks for highlighting it...
      My Computer


  7. Posts : 2,557
    Windows 10 pro x64-bit
       #66

    Cr00zng said:
    Since I prefer working with the Group Policy, I missed that section. Thanks for highlighting it...
    One thing that caught my attention from the get-go was that I didn't have the mentioned keys or sub-keys in the registry and according to MS it was a good thing after applying the Patch. So I didn't go any further or pay attention to the GP Editor part. And thank you for taking the time to post back.
      My Computers


  8. Posts : 47
    Windows 10
       #67

    I think I know the answer to this question, but want to confirm before I take a risk.

    The first PrintNightmare vulnerability, the one that's already been addressed by a patch, involved REMOTE access via the print spooler process.

    The new vulnerability, as yet unpatched, also involves the print spooler, but is a LOCAL vulnerability that can only be exploited on-site -- not remotely.

    Since ONLY my wife and I have physical access to Windows 10 Home systems connected to our home network, I believe I can safely re-enable print spooler and be safe from the currently unpatched vulnerability. It's a pain trying to print anything right now and, additionally, saving files in PDF format has proved problematic.

    Thanks in advance for either confirming my understanding or correcting my understanding so I don't make a dumb mistake that puts us at risk.
      My Computer


  9. Posts : 750
    Windows 10 Pro 64-bits
       #68

    Tomel said:
    I think I know the answer to this question, but want to confirm before I take a risk.

    The first PrintNightmare vulnerability, the one that's already been addressed by a patch, involved REMOTE access via the print spooler process.

    The new vulnerability, as yet unpatched, also involves the print spooler, but is a LOCAL vulnerability that can only be exploited on-site -- not remotely.

    Since ONLY my wife and I have physical access to Windows 10 Home systems connected to our home network, I believe I can safely re-enable print spooler and be safe from the currently unpatched vulnerability. It's a pain trying to print anything right now and, additionally, saving files in PDF format has proved problematic.

    Thanks in advance for either confirming my understanding or correcting my understanding so I don't make a dumb mistake that puts us at risk.
    If I am not mistaken, you are referencing CVE-2021-3438. In which case, you may want to check for updated drivers referenced in the link. The printer drivers for HP, Samsung and Xerox had been updated; other printers, Brother, Canon, etc., are not impacted by this vulnerability. At least for now....

    Local exploit doesn't mean much nowadays, where it could be chained together with other, remote exploits. At the moment, there's no known "chained together" package floating around, but we always get to know about it afterwards.

    Once you apply the updates for your printers, if applicable, you are about at the same level of risk as prior to this vulnerability. After all you are connected to the internet...
    Last edited by Cr00zng; 26 Jul 2021 at 08:23. Reason: Clarity...
      My Computer


 
