All right, Microsoft, we need to talk. Or rather, we need to print. We really do. We are not all paperless out here in the business world: many of us still need to click the Print button in our line-of-business applications and print things out on an actual sheet of paper, or send something to a PDF printer. But over the past several months you have made it nearly impossible to stay fully patched and keep printing.
Case in point: the August security updates.
Microsoft made a change in how Group Policy printers are handled when it changed the default Point and Print behavior to address the “PrintNightmare” vulnerabilities affecting the Windows Print Spooler service. As noted in KB5005652, “by default, non-administrator users will no longer be able to do the following using Point and Print without an elevation of privilege to administrator:
- Install new printers using drivers on a remote computer or server
- Update existing printer drivers using drivers from remote computer or server”
However, what we’re seeing on the PatchManagement.org list is that anyone with a V3 type of print driver is seeing their users prompted to reinstall drivers or install new drivers. More specifically, when the print server is a Server 2016 server, the printers are pushed out via Group Policy, and the printer driver from the vendor is a V3 driver, it triggers the reinstallation of print drivers. We’re also seeing that when the patch is on the workstation and not on the server, it triggers a reinstallation of the print drivers.
Given that firms are likely to keep users without administrator rights to limit lateral movement (and quite frankly because Microsoft has told us over the years that running with administrator rights was a bad thing), we’re now having to decide whether to give users local administrator rights, make a registry key adjustment that weakens security, or roll back the patch until Microsoft figures out what went wrong.
Those who do want to make the registry change can open a Command Prompt window with elevated permissions and enter the following:
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
But doing so exposes you to publicly known vulnerabilities, and neither Microsoft nor I recommend it.
Getting to the heart of the print problem
Microsoft has privately acknowledged in a support case that “the admin/install prompt for already-installed drivers and already-installed printers is unexpected behavior.” It went on to say, “We have received new reports that this is also affecting customers where the drivers/printers, etc. are already installed and it is currently under investigation, we do not have an estimated time of fix yet, but we are working on it.” But while the company may be privately acknowledging that there is a problem with printing, it is not showcasing it on the Windows health release dashboard.
Anthony J. Fontanez has blogged here and here with some good discussion of what is going on. As he points out, one of the solutions is to ensure you have V4 printer drivers deployed in your network. But therein lies a challenge: it’s often very hard to determine whether drivers are V3 or V4. In the case of Hewlett Packard printers, PCL 6 denotes V3, while PCL-6 (note the hyphen) denotes V4. You may have to deploy the drivers on a test virtual machine in order to identify exactly which printer driver you have.
If your printer vendor does not have a V4 version of the printer driver, make sure that you reach out to your vendor (particularly if the printers are under active leases) and demand that they come out with a revised driver. As Fontanez wrote, “V4 drivers use a model-specific driver on the print server side. When clients connect to a printer on a server using a V4 driver, they do not download any driver. Instead they use a generic preloaded driver called ‘Microsoft enhanced Point and Print.’” However, some network admins have indicated that the V4 drivers aren’t the answer either.
But even if you can get the August updates installed in your network, that doesn’t mean you are fully protected from print spooler vulnerabilities. There is still another CVE (CVE-2021-36958) for which we have no patch, and the only workaround is to disable the print spooler. All we officially know at this time is that “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The workaround for this vulnerability is stopping and disabling the Print Spooler service.”
If you are a consumer, the situation is not quite as bleak. I have yet to see a home or consumer user have issues with printing or scanning after the August updates were installed. That said, we are still vulnerable to the unpatched CVE-2021-36958. If you already have the August updates installed and you are not having any side effects with printing or scanning, leave the August security updates installed.
So what can you do at this time if you run a business and you have to print?
- Review what servers and computers absolutely have to print. Clearly the foundational security issues with the print server code have yet to be fixed, and it doesn’t look like they will be fixed soon.
- Consider printing a specific right that you grant only to those in your network who truly need that right, instead of having the print spooler service automatically enabled throughout your network.
- Disable the service on all domain controllers and keep it that way until further notice.
- Limit the servers in your network that have print server roles.
- Try to restrict those servers as best you can so you can monitor and limit traffic to these machines.
- Disable the print server role on workstations unless they have to print.
- Reevaluate your workflow and processes and see if there are ways to move these business flows to web-based processes or something that won’t rely on paper, toner, and printers.
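As an added example (not from the original column or from Microsoft), the following Windows PowerShell script audits the three things discussed above: which print drivers on your print servers are still V3 rather than V4, whether the KB5005652 Point and Print restriction is still in effect or has been weakened by the registry tweak, and whether the Spooler service is disabled on every domain controller. It assumes the PrintManagement and ActiveDirectory (RSAT) modules are installed and that the server names are placeholders you replace with your own.

```powershell
# Added audit example; server names below are placeholders, not values from the column.
$PrintServers     = @('PRINTSRV01', 'PRINTSRV02')
$PointAndPrintKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-DriverVersionReport {
    param([string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        # Get-PrinterDriver exposes MajorVersion: 3 = V3 (clients download the vendor
        # driver, the case that triggers the reinstall prompts), 4 = V4 (generic client driver)
        Get-PrinterDriver -ComputerName $server | ForEach-Object {
            [pscustomobject]@{
                Server      = $server
                Driver      = $_.Name
                Version     = "V$($_.MajorVersion)"
                NeedsReview = ($_.MajorVersion -lt 4)
            }
        }
    }
}

function Test-PointAndPrintRestriction {
    # $true when RestrictDriverInstallationToAdministrators is absent or non-zero, i.e. the
    # hardened KB5005652 default still applies; $false when the weakening tweak (value 0) is set.
    $prop  = Get-ItemProperty -Path $PointAndPrintKey `
                 -Name RestrictDriverInstallationToAdministrators -ErrorAction SilentlyContinue
    $value = $prop.RestrictDriverInstallationToAdministrators
    return (($null -eq $value) -or ($value -ne 0))
}

function Get-DomainControllerSpoolerStatus {
    # The column's recommendation: Spooler disabled on every domain controller.
    # Get-Service -ComputerName requires Windows PowerShell 5.1 (removed in PowerShell 7).
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $svc = Get-Service -Name Spooler -ComputerName $dc -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Spooler          = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'unreachable' }
            Compliant        = [bool]($svc -and $svc.StartType -eq 'Disabled')
        }
    }
}

Get-DriverVersionReport -ComputerName $PrintServers | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
"Point and Print restriction still in effect on this host: $(Test-PointAndPrintRestriction)"
Get-DomainControllerSpoolerStatus | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell session with rights to query the print servers and domain controllers; rows with NeedsReview set to True are the V3 drivers worth raising with the vendor.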
A final word to Microsoft
Microsoft, you need to do better than you are doing now. Because we do still print. And over the past year you’ve broken printing too many times. I understand that you may be paperless and moving to digital everything, but be a bit more aware that your business customers are not quite there yet.
Your customers shouldn’t have to make the painful decision to remove the update in order to operate their business, or worse still have to perform a registry tweak, which allows the business to print but exposes the firm to vulnerabilities as a result.
I have been patching systems for more than 20 years, and if the best thing we can tell a business at this time is to “uninstall the update in order to continue to be in business,” we have not fixed a thing in 20 years of updating. Firms still can’t immediately patch like you urge us to do. We still have to wait to see if there are side effects and deal with the aftereffects.
So, Microsoft? If you want us to immediately patch, you need to recognize that many of us still need to print.
Copyright © 2021 IDG Communications, Inc.