For your security, please take this notice seriously.
A new 0-day exploit, dubbed PrintNightmare, has been discovered in the wild. It allows attackers to gain access to Windows Domain Controllers (DCs) and execute remote code.
Yes, the attacker still needs to authenticate, but this is not much of a deterrent, because anyone with access to the print spooler (read: anyone who can print from the network) is at risk. Once the attacker has that access, they can use this exploit to escalate from a Domain User account to full SYSTEM privileges and execute remote code on the network.
Here are the steps to mitigate this vulnerability on your network:
Before you do anything else, apply the patch Microsoft sent out. It may not fix the issue completely, but it does reduce the attack surface.
Disable (turn off) the print spooler service on all domain controllers by navigating to Computer Configuration > Administrative Templates > Printers > Allow Print Spooler to accept client connections and setting it to Disabled; see the image below for how to do this.
This vulnerability requires an authenticated user, so ensuring that all privileged users are using MFA is a compensating control that can reduce the risk.
Known proof-of-concept (PoC) exploits are circulating in the wild and are being actively shared, so they are readily available as an attack method.
After applying the patch from Microsoft, if HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint\NoElevationOnInstall is 1, then the system is still vulnerable.
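The following PowerShell script is an added example, not part of the original post, that audits one domain controller for the spooler and registry points listed above and offers a function to apply them. It assumes the Print Spooler service is registered under its standard name "Spooler", that the "Allow Print Spooler to accept client connections" policy writes the RegisterSpoolerRemoteRpcEndPoint value (2 = Disabled) under the Printers policy key, and that the Point and Print value named in the post corresponds to the NoWarningNoElevationOnInstall and UpdatePromptSettings values Microsoft documents under the same key; all three names are checked, and any non-zero value is flagged.

```powershell
# Added example (not from the original post): audit a DC for the PrintNightmare
# mitigations described above. Run in an elevated PowerShell session on the DC.
$findings = @()

# 1. Print Spooler service: the post asks for it to be stopped and disabled on DCs.
#    "Spooler" is the service's real short name; StartType needs PowerShell 5 or later.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and ($spooler.Status -ne 'Stopped' -or $spooler.StartType -ne 'Disabled')) {
    $findings += "Spooler service is $($spooler.Status) / start type $($spooler.StartType); expected Stopped / Disabled"
}

# 2. "Allow Print Spooler to accept client connections" policy. The GPO stores its state
#    in RegisterSpoolerRemoteRpcEndPoint under this key; 2 means Disabled (assumed mapping).
$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$remoteRpc = (Get-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($remoteRpc -ne 2) {
    $findings += "RegisterSpoolerRemoteRpcEndPoint is '$remoteRpc'; expected 2 (client connections disabled)"
}

# 3. Point and Print settings. The post warns that a value of 1 under
#    ...\Printers\PointAndPrint leaves a patched host vulnerable. The post's name
#    (NoElevationOnInstall) is checked alongside the two values Microsoft documents.
$papKey = Join-Path $printersKey 'PointAndPrint'
$papValues = 'NoElevationOnInstall', 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings'
foreach ($name in $papValues) {
    $v = (Get-ItemProperty -Path $papKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -ne 0) {
        $findings += "PointAndPrint\$name = $v; expected 0 or absent"
    }
}

# 4. Remediation helper: applies what the GUI steps above do (service off, policy
#    Disabled, Point and Print elevation prompts restored).
function Set-PrintNightmareMitigation {
    Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
    Set-Service -Name Spooler -StartupType Disabled
    New-Item -Path $printersKey -Force | Out-Null
    Set-ItemProperty -Path $printersKey -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    New-Item -Path $papKey -Force | Out-Null
    foreach ($name in $papValues) {
        Set-ItemProperty -Path $papKey -Name $name -Value 0 -Type DWord
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $env:COMPUTERNAME has the spooler mitigations applied"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output "Run Set-PrintNightmareMitigation to apply the settings, then re-run this audit"
}
```

Running the audit first and the remediation function second keeps a record of what changed on each DC; a domain-wide Group Policy setting should still be the long-term control, since a local registry write is overridden by policy refresh if the GPO says otherwise.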
Another workaround, discovered by Dirk-jan, is to remove Authenticated Users from the Pre-Windows 2000 Compatible Access group.
Ensure that the "Anonymous Logon" and "Everyone" groups are not members of the "Pre-Windows 2000 Compatible Access" group (by default, these groups are not included in current Windows versions). In addition, ensure that "Authenticated Users" is not a member either; as shown in the screenshot below, there should be no members:
If in doubt as to how to do this, the following steps can be taken:
- Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
- Expand the domain being reviewed in the left pane and select the "Builtin" container.
- Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane.
- Select the "Members" tab.
- If the "Anonymous Logon", "Authenticated Users" or "Everyone" groups are members, select each and click "Remove".
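The steps above can also be run as a script. The following PowerShell is an added example, not part of the original post, that reads the group's member attribute directly rather than using Get-ADGroupMember, because well-known principals such as Everyone, Anonymous Logon and Authenticated Users are stored in Active Directory as foreign security principals whose CN is the SID (S-1-1-0, S-1-5-7 and S-1-5-11 respectively). It assumes the ActiveDirectory RSAT module is installed and that the caller can edit membership of the Builtin group; it only reports unless -Remediate is passed.

```powershell
# Added example (not from the original post): audit and optionally clean up the
# "Pre-Windows 2000 Compatible Access" group as described in the steps above.
param([switch]$Remediate)

Import-Module ActiveDirectory

$groupName = 'Pre-Windows 2000 Compatible Access'

# Well-known SIDs for the three principals the post says must not be members.
$unwanted = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

# Read the raw member attribute: entries are distinguished names, and well-known
# principals look like CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=example,DC=local.
$group = Get-ADGroup -Identity $groupName -Properties member
$problems = 0

foreach ($dn in $group.member) {
    $cn = ($dn -split ',')[0] -replace '^CN=', ''
    if ($unwanted.ContainsKey($cn)) {
        $problems++
        Write-Warning "$($unwanted[$cn]) ($cn) is a member of '$groupName'"
        if ($Remediate) {
            Remove-ADGroupMember -Identity $groupName -Members $dn -Confirm:$false
            Write-Output "Removed $($unwanted[$cn]) from '$groupName'"
        }
    } else {
        # Anything else is unexpected for this group; surface it for manual review.
        Write-Output "Other member present in '$groupName': $dn (review manually)"
    }
}

if ($problems -eq 0) {
    Write-Output "OK: none of Everyone, Anonymous Logon or Authenticated Users is in '$groupName'"
} elseif (-not $Remediate) {
    Write-Output "Re-run with -Remediate to remove the $problems flagged member(s)"
}
```

Removing Authenticated Users from this group can break legacy applications that rely on anonymous or pre-Windows 2000 style directory reads, so run it in report mode first and check the output on a DC before remediating domain-wide.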
You can read more about this PrintNightmare 0-day exploit here.
As always, feel free to reach out to us if you have any questions and please feel free to share this post with other colleagues and organizations who might be at risk.