RemotePrint Disable Mitigation for Printnightmare vulnerability

Description

Optionally configure the RegisterSpoolerRemoteRpcEndPoint registry value to disable remote printing.
Sets "[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers]" "RegisterSpoolerRemoteRpcEndPoint"=dword:00000002


Property Details

ID: 26862
Status: Alpha - Code that was just developed
Title: RemotePrint Disable Mitigation for Printnightmare vulnerability
Domain: BESC
Source: Internal
Source Release Date: 7/8/2021 12:00:00 AM
Keywords: printnightmare test vulnerability spooler print RegisterSpoolerRemoteRpcEndPoint
Added by on 7/8/2021 1:34:33 PM
Last Modified by on 7/8/2021 1:34:33 PM
Counters: 368 Views / 15 Downloads

Relevance

Used in 363 fixlets   * Results in a true/false
(if( name of operating system starts with "Win" ) then platform id of operating system != 3 else false) AND (if exists property "in proxy agent context" then ( not in proxy agent context ) else true )

isWindows (Relevance 1172)
Used in 1135 fixlets and 535 analyses   * Results in a true/false
windows of operating system

Used in 1 fixlet   * Results in a true/false
not exists (keys "HKLM\Software\Policies\Microsoft\Windows NT\Printers" of native registry) whose (exists (value "RegisterSpoolerRemoteRpcEndPoint" of it) whose (it as string = "2" as string))

Used in 1 fixlet   * Results in a true/false
exists service "spooler" whose (start type of it != "disabled")

Actions

Action 1 (default)

Action Link: Click here to deploy this action.
Script Type: BigFix Action Script

//gracefully stop spooler
if {exists running service "spooler"}
wait sc.exe stop spooler

//wait up to 60 seconds for the service to stop gracefully
//(AND, not OR: stop waiting as soon as the service has stopped or the 60 seconds are up)
parameter "startTime"="{now}"
pause while {exists running service "spooler" AND (now-time(parameter "startTime") < 60*second) }
endif

//if it is still running, terminate the spooler service forcefully
if {exists running service "spooler"}
wait taskkill /pid {pid of process "spoolsv.exe"} /f
endif

//Add the registry value
if {x64 of operating system}
regset64 "[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers]" "RegisterSpoolerRemoteRpcEndPoint"=dword:00000002
else
regset "[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers]" "RegisterSpoolerRemoteRpcEndPoint"=dword:00000002
endif

//start the spooler back up.
wait sc.exe start spooler

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
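
A local check that mirrors the last two relevance clauses (policy value equal to 2, spooler service not disabled), for confirming the result on a host directly. This is an added PowerShell example, not part of the fixlet; the function name Get-RemotePrintMitigationState and its output property names are hypothetical.

```powershell
# Added example (not from the fixlet): report whether the fixlet's last two
# relevance clauses would still evaluate to true on this host.
# The function name and output property names are hypothetical.
function Get-RemotePrintMitigationState {
    [CmdletBinding()]
    param()

    $keyPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'
    $valueName = 'RegisterSpoolerRemoteRpcEndPoint'

    # Read the policy value; stays $null when the key or the value is absent.
    $value = $null
    if (Test-Path -LiteralPath $keyPath) {
        $item = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$valueName }
    }

    # Spooler service: start mode (Auto/Manual/Disabled) and current state.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" -ErrorAction SilentlyContinue

    $policySet       = ($value -eq 2)
    $spoolerEnabled  = ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        PolicyValue      = $value
        PolicySet        = $policySet
        SpoolerStartMode = if ($svc) { $svc.StartMode } else { $null }
        SpoolerState     = if ($svc) { $svc.State } else { $null }
        # Same logic as the fixlet: still applicable when the spooler is not
        # disabled and the value is missing or not 2.
        StillApplicable  = $spoolerEnabled -and (-not $policySet)
    }
}

Get-RemotePrintMitigationState | Format-List
```

After the action has run, StillApplicable should be False with SpoolerState back at Running, which corresponds to the success criterion above.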

Action 2

Action Link: Click here to read more from Microsoft.
Script Type: URL
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
