In the last 24 hours, an emerging threat has come to my attention that we have been investigating.  A vulnerability has been disclosed in a central part of Microsoft Windows, the Print Spooler service.  This service handles printing on every Windows computer, whether to a printer connected locally or to a printer on the network.  The vulnerability has been dubbed “PrintNightmare”.

This vulnerability can allow an attacker to run code with the highest level of access on the computer (the Print Spooler runs as the built-in SYSTEM account) and take full control of it.  The obvious implications are that the attacker would gain access to any data on the computer, any passwords stored on it, and any access the computer or the logged-in user has to other computers on the network, and could capture whatever is typed, read email, and so on.

Working with experts in the industry, we have identified steps that anyone can take to block the known attack while Microsoft works on a fix for this vulnerability.  Both steps must be run from an elevated PowerShell window (right-click PowerShell and choose “Run as administrator”).

1. If you do not need to print from a computer, especially a server, and that computer isn’t sharing printers with other computers on the network, you can disable the Print Spooler service on it by running the following in PowerShell.  Note that nothing can be printed from the computer until the service is re-enabled:

# Stop the Print Spooler now, then keep it from starting again at the next boot
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

2. Alternatively, if printing is necessary on the computer, you can run the following in PowerShell to lock down the folder where the Print Spooler stores printer driver files.  The attack works by having the Spooler (running as SYSTEM) write a malicious driver file into this folder and then load it; denying the SYSTEM account the ability to change the folder’s contents blocks that step.  The trade-off is that legitimate printer drivers cannot be installed or updated while the restriction is in place:

# Folder the Print Spooler writes printer driver files into
$Path = "C:\Windows\System32\spool\drivers"
# Read only the permission list (DACL) of the folder, not its owner
$Acl = (Get-Item $Path).GetAccessControl('Access')
# Deny the SYSTEM account "Modify" rights on the folder, inherited by everything beneath it
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)
# Write the updated permissions back to the folder
Set-Acl $Path $Acl

If you need to undo this second script, for example to install new printer drivers or once Microsoft has released a fix, run the same script again, changing the second-to-last line from:

$Acl.AddAccessRule($Ar)

to:

$Acl.RemoveAccessRule($Ar)
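As an added example (not code from the original advisory), the two steps above combined into a small PowerShell toolkit: it first reports the facts that decide which step fits a given computer (is the Spooler running, is it sharing printers, is it a domain controller, is the folder restriction already in place), then applies or removes the chosen mitigation and re-checks the result. The function names, the $DriverPath variable and the mode names are this example’s own; it assumes Windows PowerShell 5.1 run as administrator.

```powershell
# Added example, not part of the original advisory. Function names, $DriverPath
# and the mode names below are this example's own. Run from an elevated
# (Run as administrator) Windows PowerShell 5.1 session.

$DriverPath = 'C:\Windows\System32\spool\drivers'

function Test-SpoolerDriverDeny {
    # True when an explicit Deny entry for SYSTEM covering Modify exists on the folder,
    # i.e. step 2 of the advisory has been applied
    param([string]$Path = $DriverPath)
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $hit = (Get-Item -Path $Path).GetAccessControl('Access').Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }
    return [bool]$hit
}

function Get-SpoolerExposure {
    # Summarise what decides between "disable the Spooler" and "lock the driver folder"
    $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $shared = 'n/a (spooler stopped)'
    if ($svc.State -eq 'Running') {
        # Get-Printer needs a running Spooler and the PrintManagement module;
        # treat failure as "unknown" rather than silently reporting zero
        try   { $shared = @(Get-Printer -ErrorAction Stop | Where-Object Shared).Count }
        catch { $shared = 'unknown' }
    }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerState       = $svc.State          # Running / Stopped
        SpoolerStartup     = $svc.StartMode      # Auto / Manual / Disabled
        IsDomainController = ($role -ge 4)       # DomainRole 4 = backup DC, 5 = primary DC
        SharedPrinters     = $shared
        DriverDenyInPlace  = Test-SpoolerDriverDeny
    }
}

function Set-SpoolerMitigation {
    # Disable       = step 1 (no printing at all from this computer)
    # LockDrivers   = step 2 (keep printing, block new driver files)
    # UnlockDrivers = undo step 2 before installing drivers or after patching
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'LockDrivers', 'UnlockDrivers')]
        [string]$Mode,
        [string]$Path = $DriverPath
    )
    switch ($Mode) {
        'Disable' {
            Stop-Service -Name Spooler -Force
            Set-Service  -Name Spooler -StartupType Disabled
        }
        default {
            # Same rule as the advisory: deny SYSTEM "Modify", inherited by subfolders and files
            $acl  = (Get-Item -Path $Path).GetAccessControl('Access')
            $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                -ArgumentList 'System', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny'
            if ($Mode -eq 'LockDrivers') { $acl.AddAccessRule($rule) }
            else                         { [void]$acl.RemoveAccessRule($rule) }
            Set-Acl -Path $Path -AclObject $acl
        }
    }
    # Re-read the state so the caller can confirm the change actually landed
    Get-SpoolerExposure
}

# Typical use:
#   Get-SpoolerExposure                        # look before changing anything
#   Set-SpoolerMitigation -Mode Disable        # servers that never print or share printers
#   Set-SpoolerMitigation -Mode LockDrivers    # computers that must keep printing
#   Set-SpoolerMitigation -Mode UnlockDrivers  # before a driver install, or once patched
```

Run Get-SpoolerExposure first: a computer showing zero shared printers and no local need to print is a candidate for the Disable mode, while anything else should get LockDrivers. A DriverDenyInPlace value of True after LockDrivers, or False after UnlockDrivers, confirms the permission change took effect; SpoolerStartup reading Disabled confirms step 1.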

If you are one of our managed clients, we've got you covered and have already taken these steps on your behalf, in addition to the existing protections and precautions we have in place. We will continue to monitor the situation, and take additional steps as needed.

If you are not one of our managed clients, you can take these steps on your own, or you can reach out to whoever is taking care of your IT currently.  We’ll gladly take care of it for you if that’s what you’d prefer.

As more information is made available, we’ll share anything important or actionable.