PrintNightmare - What Shall I Do?
With Kaseya VSA currently taking the majority of the headlines, a vulnerability within the Microsoft OS is going relatively undiscussed.
PrintNightmare, as it is known, is an actively exploited vulnerability in the Windows Print Spooler, a service enabled by default in Windows.
More Information from the official Microsoft page is available here
What shall I do?
It is recommended that where possible, the Print Spooler service should be stopped. At the current time there is no patch available!
Assuming the device in question is not a print server, this is usually an acceptable change.
To stop the print spooler we have included some instructions below:
Method One
Open PowerShell as Administrator and run:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Method Two
Disable the service via the registry by running the command below (or by changing the registry value it sets):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
If it is easier, as we suspect it will be for many MSPs, the script below sets the RegisterSpoolerRemoteRpcEndPoint policy value in the registry and restarts the Print Spooler. It can be copied and pasted into your RMM platform.
reg add "HKLM\Software\Policies\Microsoft\Windows NT\Printers" /v RegisterSpoolerRemoteRpcEndPoint /t REG_DWORD /d 2 /f
net stop spooler
net start spooler
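To confirm that one of the steps above actually took effect on a host, the following read-only check reports the Spooler service state, its Start value and the policy value. It is an added example, not part of the original post; the function name Get-SpoolerMitigationState and the output field names are made up for illustration.

```powershell
# Added example: read-only audit of the Print Spooler steps described above.
# Changes nothing on the host. Function and field names are illustrative.
function Get-SpoolerMitigationState {
    [CmdletBinding()]
    param()

    $svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers'

    # Runtime state of the service; $null if the service is not present.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Start value set by Method One/Two: 2 = Automatic, 3 = Manual, 4 = Disabled.
    $start = (Get-ItemProperty -Path $svcKey -Name Start `
              -ErrorAction SilentlyContinue).Start

    # Policy value set by the RMM script: 2 = the spooler does not accept
    # remote client connections. $null means the policy is not configured.
    $rpc = (Get-ItemProperty -Path $policyKey `
            -Name RegisterSpoolerRemoteRpcEndPoint `
            -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    # "Disabled" only counts if the service is also not running right now:
    # changing the Start value alone does not stop a running spooler.
    $stopped         = ($null -eq $svc) -or ($svc.Status -eq 'Stopped')
    $serviceDisabled = $stopped -and ($start -eq 4)
    $remoteOff       = ($rpc -eq 2)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServiceStatus     = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        StartValue        = $start
        RemoteRpcPolicy   = $rpc
        ServiceDisabled   = $serviceDisabled
        RemotePrintingOff = $remoteOff
        StepApplied       = $serviceDisabled -or $remoteOff
    }
}

$state = Get-SpoolerMitigationState
$state | Format-List

# Non-zero exit code lets an RMM job flag hosts where neither step is in place.
# Remove this line if running interactively, as it closes the console.
if (-not $state.StepApplied) { exit 1 }
```

The policy value is only read by the spooler at start-up, so a host that shows RemoteRpcPolicy = 2 but has not had the spooler restarted since the value was written still needs the net stop / net start step.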