Free TPRM tools: Get a free maturity assessment, a free risk report, or business & financial monitoring for 20 vendors!

Windows Print Spooler Vulnerability: 6 Questions to Assess Third-Party Exposure

A Microsoft zero-day exploit enables attackers to gain full admin privileges. Use this questionnaire to assess potential third-party exposure to the “PrintNightmare” vulnerability.
By:
Alastair Parr
,
Senior Vice President, Global Products & Risk
July 20, 2021
Share:
Blog windows print spooler vulnerability 0721

Researchers at Sangfor recently accidentally published a proof-of-concept (PoC) exploit of an unpatched critical flaw in the Microsoft Windows Print Spooler service. The vulnerability, called PrintNightmare, allows attackers to remotely execute code with system-level privileges. Although the PoC was quickly deleted by Sangfor after its publication was discovered, the damage was done – it was already on GitHub.

While Windows Print Spooler is an old component, it is still ubiquitous. And since this exploit opens the door for bad actors to install programs, modify data, and create new admin accounts, you may want to assess the response of any third parties with access to your company’s systems and data.

6 Questions to Ask Third Parties About the Windows Print Spooler Vulnerability

Prevalent has prepared six critical questions to ask third parties to determine their exposure and response to this zero-day flaw. See the table below.

Questions Potential Responses

1) Has the organization identified whether it is impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability?

(Please select one.)

a) The organization has reviewed and identified that it is impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability.

b) The organization has reviewed and identified that it is not impacted by the recent Windows Print Spooler Remote Code Execution Vulnerability.

2) Between July 1 - 7, 2021, security updates were released for Windows Server 2012, Windows Server 2016, Windows 7, Windows 8 and Windows 10 systems. Has the organization applied necessary security updates for its Windows systems?

(Please select one.)

a) Yes, the organization has downloaded and applied patches.

b) No, the organization is unable to apply security patches to its systems.

c) No, the organization has not yet applied security patches to its systems.

3) Does the organization continue to run the Print Spooler service?

(Please select one.)

a) Yes, the organization requires the Print Spooler service to run.

b) The organization requires that the Print Spooler service is not set to disabled.

c) No, the Print Spooler service is set to disabled.

4) Where the organization requires the Print Spooler service to continue, have the following actions been taken?

Option 1: Disabling the Print Spooler service disables the ability to print both locally and remotely.

Option 2: Disabling inbound remote printing will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.

(Please select all that apply.)

a) Disabling the Print Spooler service has been identified as appropriate for the organization, and PowerShell commands to stop the Spooler service and disable the Spooler service startup have been implemented.

b) The organization has disabled inbound remote printing through Group Policy.

c) The organization has not yet disabled the Spooler service or inbound remote printing.

5) In line with Microsoft guidance, have the following registry settings been reviewed and updated?

(Please select all that apply.)

a) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

b) NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

c) UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

6) In line with Microsoft guidance, and if the organization has identified itself as being impacted by the vulnerability, has the Point and Print Restrictions Group Policy been changed to a secure configuration?

(Please select all that apply.)

a) Point and Print Restrictions Group Policy settings have been configured to "Enabled."

b) "Show warning and elevation prompt" has been selected as a security prompt to the option "when installing drivers for a new connection."

c) "Show warning and elevation prompt" has been selected as a security prompt to the option "when updating drivers for an existing connection."

Free Guide: 8 Steps to a Third-Party Incident Response Plan

When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.

Read Now
White paper incident response 0421

Next Steps for Third-Party Incident Response and Breach Monitoring

Prevalent helps to rapidly identify and mitigate the impact of vulnerabilities like PrintNightmare by offering a platform to centrally manage vendors, conduct targeted event-specific assessments, score identified risks, and access remediation guidance. The Third-Party Incident Response Service is a managed service to enable your team to offload the collection of critical response data so they can focus on remediating risks instead.

Complementing the Incident Response Service is Prevalent’s continuous cyber and business breach monitoring solution, which provides regular updates on breach disclosures, adverse news events, and cyber incidents such as malicious dark web activity about your vendors. Together, these solutions help to automate security incident discovery and accelerate response.

Contact us today to learn how Prevalent can help deliver visibility into third-party security controls and processes.

Tags:
Leadership alastair parr
Alastair Parr
Senior Vice President, Global Products & Risk
Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background; developing and driving solutions to the ever-complex risk management space. He brings over 12 years’ experience in product management, consultancy and operations deliverables. Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo