Fix network printing or keep Windows secure? Admins would rather disable PrintNightmare patch

Microsoft's Patch Tuesday update last week was meant to fix print vulnerabilities in Windows but also broke network printing for many, with some admins disabling security or removing the patch to get it working. The problem is complex and first surfaced in January, when Microsoft issued this support note explaining that "a …

  1. Ilsa Loving

    What is affected?

    One bit of information that seems to be hard to find is, what is the configuration necessary to allow this to happen?

    Specifically, it sounds like this only applies to machines that have shared printing available. Most businesses now have printers with built-in networking capabilities, so there is no reason to be using the shared printer facilities in Windows, and so can (and should) be safely disabled. Am I misunderstanding something?

    1. WolfFan Silver badge

      Re: What is affected?

      I’d like this to be more clear, myself. I suspect that network attached printers, including the big floor-standing copier-printer things, should be safe enough, and that setting up Linux or Mac systems to handle other types of print jobs should bypass this, but it’s not clear. I suspect that MS really doesn’t want it to become clear, as that would reveal the dimensions of the fuck-up, and who was completely to blame.

      1. big_D Silver badge

        Re: What is affected?

        We use direct network printing (all network printers look after their own print jobs). None of the servers or PCs are set up to share printers. We also install the printers the users require, so no user needs local administration access or administration rights.

        That makes management more fragmented, but given that we rarely have any problems or need to re-route printers temporarily, we can get away with it. Which means we can apply the patches and everything keeps working.

        Others that rely on central Windows print server have a major problem, on the other hand.

    2. GDM

      Re: What is affected?

      We use something, forget what, that sits on top of Windows printer sharing to allow 'walk up to any device and swipe your ID card' printing, rather than having to set up individual printer mappings for every device someone might possibly want to print to, especially when they haven't first checked that their nearest is not churning out a few thousand pages already.

      1. steviebuk Silver badge

        Re: What is affected?

        Follow Me Printing.

      2. MrBanana

        Re: What is affected?

        Not sure what it's called, but the use-any-printer option is what my partner had at work. Borked for the last couple of months since this shitshow started. Now the only option is to physically take a USB stick to the printer, and only PDFs can be printed.

    3. MyffyW Silver badge

      Re: What is affected?

      Printing direct from PC to network printer without a print queue sounds great until you want to handle the "follow me" printing that most users now expect. Or have load balancing of print queues. Or reporting on overall print volume and type.

      This nightmare is probably the biggest Microsoft clusterfsck of my long and inglorious career, because months after the original problem they are still unable to offer a reliable patch.

      1. Anonymous Coward

        Re: What is affected?

        For the past week or so the guys in this office have been trying to report problems with 'follow me' printing. The HellDesk's response to 'it's affecting most people here' has been 'we've had no reports'... despite the No1 and No2 most requested items on their intranet pages being 'how to fix 'follow me' printing' and 'how to remove 'follow me' printer' (No3 being the unimportant 'how to request a password reset').

        For most it seems to be that the driver disappears for a few hours (so normally back by the time the HellDesk calls you back)... yesterday the printers were unable to get a list of print jobs from the server... today the printers either say no jobs to print, or the ones that show up are the ones you tried to print, but couldn't, yesterday

        Oh, the HellDesk did manage to push firmware updates out to the printer, despite people pointing out that the problem was unlikely to be at the far end of the chain as they couldn't pick up prints from alternate printers.

        (did I mention the HellDesk was outsourced? did I need to?)

  2. Optimaximal

    One issue for us is we still have a small number of clients hanging around on Windows 7 (pending hardware upgrades) and these are unable to receive the January update that allowed for the new encryption MS are using, so basically if you're still a Windows 7 house without Extended Support, you need to apply the registry fix ASAP.

  3. Fonant
    WTF?

    Explains lack of school printing!

    Ah, so that's why my wife's primary school is unable to print anything out at the moment. Their IT support people said it was a Microsoft problem, but I thought they were joking.

    Of course UK schools don't have enough money to buy glue sticks at the moment, so their IT infrastructure is, of course, decades old and held together with sellotape.

    Please can we get a new government, that will reverse the Tory cuts? Soon?

    1. Boris the Cockroach Silver badge
      IT Angle

      Re: Explains lack of school printing!

      Quote:

      "Please can we get a new government, that will reverse the Tory cuts? Soon?"

      good luck with that as labour will promise funding to outer mongolian duck making habits and make it compulsery that all schools carry a teacher qualified in that.

      But no extra funding to sort the IT systems out (and no extra funding for the duck mating habits teacher either).

      1. sabroni Silver badge
        Coat

        Re: compulsery

        That's where they send you back to nursery to redo the spelling tests.

      2. Unicornpiss
        Meh

        Re: Explains lack of school printing!

        There must be a company somewhere that properly funds and staffs their IT department, but I've never seen this particular unicorn.

    2. Anonymous Coward

      Re: Explains lack of school printing!

      "Please can we get a new government, that will reverse the Tory cuts? Soon?"

      Here you are, you can educate yourself a bit too:

      https://www.ukpublicspending.co.uk/uk_education_chart_20.html

    3. Piro Silver badge

      Re: Explains lack of school printing!

      I don't know what the IT infrastructure's age has to do with this.

      Actually, if the clients and servers were not updated at all, they would never have run in to this problem. They've been patching, which is surely a good thing.

    4. hoola Silver badge

      Re: Explains lack of school printing!

      Whilst I understand where you are coming from there are more issues than underfunding.

      Schools have had to waste huge amounts of resources bouncing between this initiative and that initiative. Then when money is available it is often squandered because of "Equal Opportunities" or the fear of something becoming elitist. This has resulted in huge sums of money just being blown trying to do whole-class teaching of something.

      A classic example of this is the Music Wider Opportunities scheme. There is more money than ever going into music yet over the entire country, it is dying.

      Music is classed as elitist and exclusive, so the money is all being thrown at whole-class teaching of ukulele or fife. There is zero benefit to anyone; it is so rubbish. School orchestras are dead because few can afford to learn and, unsurprisingly, those that do are down to parents funding everything. County groups are also dying because you cannot get people to turn up; again, if they are good they don't, because it is crap.

      Where I live in Leicestershire we had a music service that was the envy of many. Yes, it cost money, but hundreds of kids got so much out of it. Over the last 15 years it has been utterly decimated and will never come back. Covid has been the final nail in the coffin and I really wonder how this is going to recover.

      Everything to do with "State" schools is now a shambolic descent into mediocrity because nothing can be competitive, elitist or be striving for excellence. There is more to education than providing university fodder.

      Then we have the entire Academy system, where there is this notion that because something is a "Trust" there is some degree of respectability. You only have to look at the management food chain to see where huge amounts of the funding are going.

      This gives an interesting insight:

      https://www.nga.org.uk/getmedia/96d3df9c-1e4f-4e62-976d-f68b128843a2/NGA-setting-exec-pay-considerations-for-trust-boards-Sept-2020.pdf

      Just why the hell do you need a head, an executive head and all the support that it entails?

  4. MiguelC Silver badge
    Facepalm

    "Security is our utmost priority", says company after being hit with malware

    So, choosing between stopping users from printing or opening their companies to actively used exploits, some admins choose the latter? Or are they forced by management to 'choose' that?

    1. DavidYorkshire Silver badge

      Re: "Security is our utmost priority", says company after being hit with malware

      So what would you do in these circumstances? Both options are unacceptable, but you have to choose one!

      1. herman

        Re: "Security is our utmost priority", says company after being hit with malware

        You don’t have to choose - the better solution is to make all printers independent network devices, like in the good old bad old days. Stick the printer onto a little Raspberry Pi if necessary.

        1. DavidYorkshire Silver badge

          Re: "Security is our utmost priority", says company after being hit with malware

          And what if you want to use GPOs to control/deploy them? Restructuring all the print functionality for every printer is not something which most organisations are going to do at short notice.

          And drivers will still need to be installed, however you structure it.

        2. keith_w

          Re: "Security is our utmost priority", says company after being hit with malware

          Which good old bad old days are those? Even the token ring network which utilized PC Lan Program in the 1980s had server managed printing.

    2. Anonymous Coward

      Re: "Security is our utmost priority", says company after being hit with malware

      I'm in a highly regulated industry. Some of our procedures specifically require a "wet signature" (hand-written, not digital) on documents. Not printing is simply not an option.

      1. Ian 55

        Re: "Security is our utmost priority", says company after being hit with malware

        Which is more expensive: an £80 laser printer for each such desk or allowing remote code execution?

        The other thought is to treat it as increasing staff's exercise: they have to walk to a PC with a printer attached.

  5. Anonymous Coward

    Why does a printer driver need to have kernel access to operate? Surely it's just a filter that takes in a stream of information (a document) and spits out another stream of information (the likely proprietary bytecode the specific printer model needs). Why isn't it running as 'nobody' with access to two sockets and nothing else? Fucking Windows piece of shit.

    1. AndrueC Silver badge
      Boffin

      Why isn't it running as 'nobody' with access to two sockets and nothing else? Fucking Windows piece of shit.

      That isn't a requirement and hasn't been for quite a while. That article was first published in 2007 and refers to kernel mode printer drivers as 'dinosaurs'.

      The article also states:

      "With the release of Windows 2000, the printer drivers moved back to user-mode."

      Unfortunately some printer manufacturers are a bit slow to update their drivers. Probably the usual story of hardware manufacturers not investing in the supporting software.

      Sadly some sites seem to treat this as an error.

    2. Psion1k

      The printer driver does more than act as an output. At the very least, it is the main mechanism that informs the OS of how WYSIWYG is supposed to operate/look, so affects display etc.

      The issue here though, is the Print Spooler is capable of pulling a printer driver from *anywhere*, and that can be from (effectively) a malware repository, introducing nasties onto a machine in the process. This is especially bad when coupled with the auto-elevation required for installing most printer drivers automatically.

  6. Doctor Syntax Silver badge

    "We have asked Microsoft for further comment and will report back accordingly."

    Their comment might be unprintable.

    1. jonathan keith

      Have all of today's upvotes.

  7. herman
    Devil

    Paperless Office

    So 2021 will be the year of the paperless office?

  8. Robert Grant

    Google Cloud Print

    Done.

    1. Sandtitz Silver badge
      Facepalm

      Re: Google Cloud Print @Robert Grant

      Done.

      What? Replacing the current - somewhat working - system with one that Google killed last year?

      You forgot to select the comedy icon when posting.

      1. Robert Grant

        Re: Google Cloud Print @Robert Grant

        That's why it's done.

  9. Anonymous Coward

    Mitigations

    To get printing working again we did the following:

    * Disable spooler on everything that doesn't need it

    * Apply a GPO to block network printing across the board

    * Apply another GPO to reverse this on the print servers

    * Firewall SMB connections on the print servers to clients that are allowed to print

    * Set the reg value RestrictDriverInstallationToAdministrators = 0 on the print servers to get things going again

    * Set deny ACL on the spooler folder for the SYSTEM account (you need to reverse this whenever making print driver/queue changes, then put it back in place afterwards.)

    * Monitor event logs for signs of attack

    Hopefully a real fix will be along soon.
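As an added example (my own script, not the commenter's), the following PowerShell audit checks a host against the items in the list above without changing anything: spooler service state, the Point and Print policy values, whether the deny ACE for SYSTEM on the spool drivers folder is in place, and recent PrintService events. Assumptions not taken from the comment: the policy key path is the one KB5005010 (linked in a later comment) documents, and event IDs 316 (driver added or updated) and 808 (spooler failed to load a plug-in module) are the ones this script treats as worth reviewing.

```powershell
# Added example: read-only audit of a Windows host against the PrintNightmare
# mitigation checklist in the comment above. Run in an elevated PowerShell 5.1+ session.
# Assumptions (not from the comment): policy key per KB5005010; event IDs 316 and 808
# are the ones chosen here as indicators worth reviewing.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$SpoolDriverDir   = Join-Path $env:SystemRoot 'System32\spool\drivers'

function Get-SpoolerState {
    # The spooler should be stopped and disabled on hosts that never print.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Status = 'NotInstalled'; StartType = $null } }
    [pscustomobject]@{ Status = $svc.Status; StartType = $svc.StartType }
}

function Get-PointAndPrintPolicy {
    # RestrictDriverInstallationToAdministrators = 1 (the post-July-2021 default when the
    # value is absent, per KB5005010) means only administrators may install printer drivers;
    # the comment above sets it to 0 on the print servers only.
    $names = 'RestrictDriverInstallationToAdministrators',
             'NoWarningNoElevationOnInstall',
             'UpdatePromptSettings'
    $result = [ordered]@{}
    foreach ($n in $names) {
        $v = Get-ItemProperty -Path $PointAndPrintKey -Name $n -ErrorAction SilentlyContinue
        $result[$n] = if ($v) { $v.$n } else { 'not set' }
    }
    [pscustomobject]$result
}

function Get-SpoolDriverDirDenyAcl {
    # Returns the Deny ACEs for SYSTEM on the spool drivers folder; an empty result
    # means the mitigation from the list above is not applied on this host.
    if (-not (Test-Path $SpoolDriverDir)) { return @() }
    (Get-Acl -Path $SpoolDriverDir).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.IdentityReference -like '*SYSTEM' }
}

function Get-RecentPrintServiceEvents {
    param([int]$Hours = 24)
    # The Operational log is disabled by default; enable it first with
    #   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
    $filter = @{
        LogName   = 'Microsoft-Windows-PrintService/Operational',
                    'Microsoft-Windows-PrintService/Admin'
        Id        = 316, 808
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LogName, Message
}

function Invoke-PrintMitigationAudit {
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        Spooler       = Get-SpoolerState
        PointAndPrint = Get-PointAndPrintPolicy
        SystemDenyAcl = (@(Get-SpoolDriverDirDenyAcl).Count -gt 0)
        RecentEvents  = @(Get-RecentPrintServiceEvents -Hours 24)
    }
}

$audit = Invoke-PrintMitigationAudit
$audit | Format-List Host, Spooler, PointAndPrint, SystemDenyAcl
$audit.RecentEvents | Format-Table TimeCreated, Id, LogName -AutoSize
```

The useful comparison is between the two host classes the comment distinguishes: a print server is expected to show a running spooler, the restriction value at 0 and the deny ACE present, while an ordinary client or server should show the spooler disabled or the restriction at 1 (or not set). Unexpected 316 events on a client are the signal the "monitor event logs" item is after, since they mean a driver was added outside your deployment.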

    1. Anonymous Coward

      Re: Mitigations

      NO NO NO! Stop with your understanding and helpfulness!

      We don't care that a decent Windows admin can configure around this, the article was made by scraping the internet for posts from other, less decent, admins that are finding this a terribly confusing mess.

      Pointing out that you can configure Windows to pretty much eliminate this problem is not helpful.

      Are you new here?

      1. Anonymous Coward

        Re: Mitigations

        Yeah let me just completely reconfigure my printing stack for 1000 plus users at the drop of a hat.

        Not like I had other work scheduled in.

        Must be nice where you work that you're so free of tasks you can get that done in a morning, error-free and perfect first time on the live network, and have all obscure use cases covered, accounted for and mitigated while users are screaming and pulling their hair out.

        What a hero you are.

        1. Anonymous Coward

          Re: Mitigations

          Took about an hour to create the gpos and reconfigure everything. It's called doing my job. Reading security bulletins and working out the best way to keep the company working while trying to stay as secure as possible.

          Security incidents like this take precedence over other tasks. The management trust me enough that when I say this is a major issue that needs immediate attention they listen.

          1. Anonymous Coward

            Re: Mitigations

            While your job may be kept alive by MS bugs, I don't think it's good to minimise them.

            1. Anonymous Coward

              Re: Mitigations

              Well, I could just ignore them and hope everything works out OK, or I could do my job.

              Not sure that mitigating security risks is minimising bugs. It is trying to ensure the business I work for isn't affected by them.

  10. Potemkine! Silver badge

    What do you prefer? Being impaled or burnt at stake? That's the choice admins have now.

    Some people _need_ to print or the company cannot work. If the company is attacked through this vulnerability, the company cannot work. In the first case, it's a certainty; in the second case, a probability. Even if the second option can be much more serious in terms of damage, I guess most will choose to enable users to work.

    Thank you MS, I love you. Not.

    1. Paul Hovnanian Silver badge

      "Some people _need_ to print or the company cannot work."

      So you identify those people and plop a laser printer on their desk. This solves the security problems (don't share the printer on the network). It also addresses the 'need' issue. Some people will have to weigh the loss of a big chunk of desk space against the ability to print today's Dilbert strip out. And it keeps the 'must print' people at their desks.

      1. DavidYorkshire Silver badge

        And you think the beancounters are going to say 'yes, fine - go out and buy 100 desktop printers rather than telling all the users to carry on printing to the perfectly-functioning photocopier in the corner of the office'?

        1. Paul Hovnanian Silver badge

          "go out and buy 100 desktop printers"

          Hence the "I must print" justification.

  11. Anonymous Coward

    That flowchart is IMHO way too long

    Surely it's "If Windows, panic, else just keep on working", no?

    "Follow me" is aptly named. Now, I promised myself I would not make any sheep comparisons, so lemmings it is, although only as a figure of speech (the alleged behaviour was apparently made up by Disney).

  12. Jeffrey Nonken

    This explains the problems I had a couple weeks ago.

    FTR (electronic record only) it's a network-connected HP all-in-one on a home network. It's previously worked flawlessly. This time it took at least an hour of swearing and trying different computers.

  13. Tree
    Pint

    Buy some wires

    It will print if the printer is directly connected to the computer. Apple had the same problems in the past. Look at the back of the printer and see what type of connection there is and plug one end of the cord in there and the other into the computer. It works flawlessly. Do not connect through Twatter, FaceBUTT or Gurgle, let alone Citrix AWS, or any other third party. It is much safer and likely to work.

    Then have a pint

  14. DavidYorkshire Silver badge

    I can't help but think that a lot of the commenters on here have never actually managed a network! Suggestions such as directly connecting the computer with a USB cable, or going out and buying a load of desktop printers, are not an option which many companies will accept, or which would in many cases be realistically practical to implement.

  15. Nafesy
    Meh

    Wow...

    People still print stuff? Not very forest friendly.... my printer hasn't been switched on in over three years.

  16. steviebuk Silver badge

    Not a perfect solution but it worked

    I removed

    KB5005563

    KB5005613

    KB5005627

    From the print server and after a reboot all back to working.

  17. tweell
    Flame

    Cost my group a few days

    Still getting some, as many users only show up once every week or two nowadays. We finally gave up on our print server and mapped network printers via IP, appears to have sorted the problem for us.

  18. Izaak99

    Worst fix ever

    This affected our ability to print shipping labels. It's compounded by the fact that the information on this problem is multiple layers deep and split across different KB articles. Worse, they didn't bother to update GPO for this yet (or if they ever will), so it's manual registry keys to be added depending on how you attempt to tackle the mess.

    So we have this article: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7

    Then they added a secret timebomb code to the patch that enforces a new RPC privacy protocol on Sept 14th: https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25#bkmk_enforcement

    So unless the server and clients are up to date on all patches (and no clients are running any EOL operating systems that can't be patched / using CUPS to the Windows print share), it will never work properly. I had to use that secret registry from the 2nd article that basically reverts all these changes back and leaves us vulnerable with the hope that Crowdstrike will protect us from this until Microsoft comes up with a better way of handling this mess. Their "fix" basically stops any older OS (including some versions of early Win10) from ever printing again.

    And to the people saying use direct printing / give a user their own printer, it's not that simple when you have 20 different branch locations with over 2000 users and 100+ printers just to workaround something that Microsoft botched horribly.

  19. -v(o.o)v-

    Don't get it

    I don't get it. Why would the restriction of installing printer drivers to only admins break printing?

    Why not just push out the driver through your chosen SW deployment system? Or even a PS script run on scheduled task (via GPO)? Why is it so difficult?
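As an added example of the approach this comment (and the direct-IP mapping that big_D and tweell describe above) suggests, here is a PowerShell script, not the commenter's own, that stages a vendor driver and maps a printer straight to its IP address on a client. Run as SYSTEM from a scheduled task pushed by GPO, the driver install happens in an administrative context, so RestrictDriverInstallationToAdministrators can stay at 1 on the client and no Windows print share is involved. The INF path, driver name, printer name and address are placeholders; the cmdlets (pnputil, Add-PrinterDriver, Add-PrinterPort, Add-Printer) are the built-in ones.

```powershell
# Added example (not the commenter's script): stage a signed vendor driver and map a
# printer by standard TCP/IP port on a client. Intended to run as SYSTEM from a
# scheduled task, so the driver install never depends on the logged-on user's rights.
# Every value in the param block is a placeholder.

param(
    [string]$DriverInfPath = 'C:\Deploy\Printers\ExampleVendor\example.inf', # placeholder
    [string]$DriverName    = 'Example Vendor PCL6 Driver',                   # placeholder, must match the INF
    [string]$PrinterName   = 'Floor2-Copier',                                # placeholder
    [string]$PrinterIp     = '10.20.30.40'                                   # placeholder
)

function Install-StagedDriver {
    param([string]$InfPath, [string]$Name)
    if (-not (Get-PrinterDriver -Name $Name -ErrorAction SilentlyContinue)) {
        # Step 1: add the signed package to the driver store with the built-in pnputil.
        # Exit code 3010 means "installed, reboot required", which is still a success here.
        & pnputil.exe /add-driver $InfPath | Out-Null
        if ($LASTEXITCODE -notin 0, 3010) {
            throw "pnputil failed for $InfPath with exit code $LASTEXITCODE"
        }
        # Step 2: register the driver with the local spooler by its INF name.
        Add-PrinterDriver -Name $Name -InfPath $InfPath
    }
    Get-PrinterDriver -Name $Name
}

function Install-IpPrinter {
    param([string]$Name, [string]$Driver, [string]$Ip)
    $portName = "IP_$Ip"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        # Standard TCP/IP port straight to the device: the client spools its own jobs
        # and never talks to a Windows print share.
        Add-PrinterPort -Name $portName -PrinterHostAddress $Ip
    }
    if (-not (Get-Printer -Name $Name -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $Name -DriverName $Driver -PortName $portName
    }
    Get-Printer -Name $Name
}

# Both functions are idempotent, so the task can run at every logon or on a schedule.
Install-StagedDriver -InfPath $DriverInfPath -Name $DriverName | Out-Null
Install-IpPrinter -Name $PrinterName -Driver $DriverName -Ip $PrinterIp |
    Format-List Name, DriverName, PortName
```

The trade-off is the one MyffyW raises earlier in the thread: you keep patched clients printing without loosening the driver-installation restriction, but you give up the central queue, so follow-me printing, load balancing and volume reporting have to come from the devices or a separate product rather than from Windows.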
