In early July, a new issue was discovered with Microsoft print servers. PrintNightmare, documented in CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler. This vulnerability is exposed through specific inbound Remote Procedure Calls (RPC), which fails to properly restrict the administration of printers and related drivers. This can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. In layman’s terms, that means an entire network could have been compromised.
See the PrinterLogic technical response to the Print Nightmare vulnerability.
Millions of Customers Were Exposed
For those using print servers, this vulnerability is just another in a long line of issues that have occurred. In just 2021, six different potential vulnerabilities have been found for Windows Print Spooler. That’s a lot of exposure to risk.
So what can you do to protect your company from these continued issues?
- Minimize Risk by Eliminating Print Servers
In the past, many companies relied on print servers to manage printing permissions throughout their company. However, the reality of having multiple servers that must be patched, updated, and secured at all times drains resources. As companies scale up in our ever-changing world, that means more users, more servers, and more work to keep it all running smoothly.
To make matters worse, your attack surface gets larger with every print server you add to your network. That puts your organization more at risk of an attack with every vulnerability and causes significant man-hours to patch and mitigate vulnerabilities like Print Nightmare. Since nearly every line of business still depends on printing, this risk should worry all companies.
By eliminating print servers, you can reduce your attack surface and protect your company from any future issues that are discovered. For example, DHS was able to remove 400 print servers when they moved to PrinterLogic. By doing so, they were able to avoid the Print Nightmare vulnerability issues for all of the networks originally connected to those servers.
- Remove the Centralized Exploration Point
Print servers are a high-value target for hackers. Why? Because they are a central point of access for a lot of unencrypted data. Anything being printed that passes through the print server is potentially exposed if a hacker gains access. That could mean exposing a lot of sensitive information in easy-to-read formats.
Even as companies patch these potential risk factors, hackers will continue to target print servers specifically because of the wealth of information they potentially expose. The best way to avoid that risk is to move to serverless printing. A network using PrinterLogic is protected from this single point-of-attack. For hackers to gain the same level of access in a direct IP print environment, they would need to compromise every printing source or print destination. This decentralized system is far easier for your company to protect and greatly mitigates your exposure.
- Decrease Risk With Limited Permissions
With a print server, any user that needs to print must have access to the print spooler. Because access needs to be universal, a print server uses permissions to determine how to handle print jobs, installing drivers, and other tasks. With Print Nightmare, it was possible to exploit the fact that drivers could be installed by a non-administrator. This left the server vulnerable to a hacker. Once the server was compromised, the hacker had access to a “trusted” resource (the server) and could continue to attack anything connected to it.
Unlike print servers, the PrinterLogic serverless printing environment does not share print spooling services across the network. Access and authentication are segmented and restricted at the workstation level. This keeps permissions locked down since most end users will not have administrative access to other network devices…even for printing! If a print spooler is hacked, the vulnerability will be contained to that specific device.
- Segment and Segregate Your Network Services
Very few companies can afford to run dedicated machines for print services. To keep costs down and make management easier, print services are often installed on servers performing multiple responsibilities. In fact, it’s not uncommon for Microsoft Print Service to be installed on Domain Controllers, DNS servers, or file servers.
The chances are high that anyone who is able to compromise a print server will gain access to these other high-value services. That’s why hackers will continue to seek out and exploit printing services. It is safe to assume that even if you patched your print servers today, there most likely will be a vulnerability that affects them tomorrow. The most secure way to protect your company from Print Server vulnerabilities is to just get rid of them!