By: Alessandra Descalso on October 7th, 2021
PrintNightmare Workarounds: How to Print Documents without Getting Hacked
The PrintNightmare vulnerability in Windows spooler has been dragging on for months without a proper security fix. This has impacted the ability of most offices to print their documents and activate their printers. If you’ve been wondering if there’s a workaround for the issue though, you’re in luck because our resident experts have the solutions to your problem. Read this article to learn more about the PrintNightmare workarounds that you can do without exposing yourself to further security risks.
If you've been following developments—or the lack thereof—on PrintNightmare, then you must know by now that there's still no end in sight for the vulnerability.
In the latest Patch Tuesday, Microsoft issued another vulnerability fix for PrintNightmare, resulting in another issue. During the past few months, patches to PrintNightmare have resulted in a remote code execution vulnerability or elevation of privilege.
However, the recent update has led to unexpected behaviors in legacy applications and problems with network printing. According to Windows Central, several errors have come up, and many kinds of printers were affected by the fix, such as HP and Canon printers.
Here at Intelligent Technical Solutions, we've been taking proactive steps in cushioning the impact of PrintNightmare for our clients and have advised them to follow our recommendations. As a managed service provider, it's our responsibility to ensure that our client's systems are fully working and maximized.
In this article, we'll talk about some of the workarounds that we recommend to our clients, so they can use their printers without having to worry about PrintNightmare impacting their systems. But first, let's have a recap of what the PrintNightmare vulnerability was about and what patches have been issued so far.
PrintNightmare in a Nutshell
The PrintNightmare vulnerability refers to two vulnerabilities relating to the Windows Print Spooler service: CVE 2021-675 and CVE 2021-34527. These vulnerabilities involve a remote code execution (RCE) and a local privilege escalation flaw.
With an RCE vulnerability, a threat actor can execute their malicious code and take over machines connected to a network. Meanwhile, an elevation of privilege vulnerability allowed users with limited access to a system to lift their privilege level.
In June, Microsoft patched the EoP vulnerability, then released a consequent patch for the RCE flaw. Unfortunately, security researchers still found loopholes that could enable attackers to exploit fully patched machines. The issues were alarming that it warranted a warning from the Cybersecurity and Infrastructure Security Agency (CISA).
In August, threat actors in South Korea were found to be exploiting the PrintNightmare bug. Another security patch was also released during the same month, but security researchers found yet another zero-day vulnerability where attackers can gain SYSTEM privileges.
How to Print with Print Spooler Turned Off
The only workaround for PrintNightmare at the moment is to turn off the Print Spooler service in Windows across all of your servers. The spooler should only be re-enabled on your actual print server (if you have one). Here are some ways that your users can go around centralized printing:
Direct IP Printing
Direct IP printing is a common alternative to print servers. In this scenario, users send print jobs from their machines directly to a printer. This setup is ideal for companies with small users or a decentralized setting where having a resource-intensive print server is unnecessary.
In addition, a direct IP configuration allows users to manage their printers and profiles. Print jobs are spooled locally, which means the printer drivers and settings are saved on the computer. The print jobs are then directly sent to the printers from the workstation, which reduces the burden on the network. In other words, it won't impact the wide-area network (WAN).
Another advantage of direct IP printing is that a driver issue or a print job stuck in a queue will not affect everyone on the same network. It also saves money as you don't need additional print management hardware to purchase or maintain.
The only downside to direct IP printing is that installing printer drivers on every workstation could be time-consuming. This can ultimately impact productivity, but the efficiency of direct IP printing cannot be ignored. It is also one of the few workarounds available, so users are left with not a lot of options.
Segregate Your Print Server
Separating your print server is one of the workarounds to prevent further risks from PrintNightmare. It makes sense as segregating roles can prevent more significant problems and keep the attack surface as small as possible.
Using a different server exclusively as a print server is the practice of some larger organizations. Sharing roles should not be a problem in a small environment, but there's an advantage in separating the print server from the file server so that issues on one role don't impact the other.
Bad printer drivers installed on a file server can either slow it down or even cause it to go down. It can be disruptive to fix a "do-it-all" server when a printer driver causes some issues, and it's not worth the trouble. However, a dedicated printer server will allow you to install new drivers, find issues beforehand, reboot, or do whatever you have to without affecting file and application servers that keep your business running.
Print via USB (But Make Sure Your PC Is Compliant)
Another way is to disable inbound remote printing so that computers can only print to a local printer. In this scenario, client computers would need to have a printer attached via USB. However, the desktop computer would have to be compliant and fully patched so that it is not vulnerable to risks presented by the PrintNightmare bug.
Note, however, that the issue still impacts some printers that connect via USB. For instance, some receipt or label printers that have to be connected via USB may still not work. The same can be said for other models of USB printers.
Monitoring PrintNightmare Developments
PrintNightmare will go on until an effective patch can put it all behind us. Here at Intelligent Technical Solutions, rest assured we'll keep you in the loop about the latest news regarding PrintNightmare.
Our blog is dedicated to answering the most pressing questions our clients have about technology and managed IT. Be sure to visit our Learning Center for the latest news and information on cybersecurity, cloud computing, data security, and managed IT services.